modauthkerb-help Mailing List for Kerberos Module For Apache
Brought to you by:
kouril
From: Karthik N. <nka...@gm...> - 2019-12-20 09:45:59

Hi All,

Does anyone have experience with how to build mod_auth_kerb.so for an Apache 2.2/2.4 web server running on a Windows machine?

regards,
Karthik.N
From: Martin Y. <yve...@el...> - 2015-07-24 11:33:09

Hello,

If you can still kinit with the keytab, the keytab encryption is not the issue - by the way, I often create the keytab with only one encryption included to be "sure".

My opinion is that the issue comes from your browser, according to the NTLM warnings you report. I invite you to check with both IE and Firefox browsers. If Firefox works well, as far as it is configured to do SPNEGO for your DNS domain name, you should try to enough your domain as "Local intranet" security zones.

If possible, use krbtray to check for the TGS SPN in the workstation Kerberos cache, and Wireshark to collect HTTP traffic when accessing your application; it will decode the Kerberos WWW-Authentication token if present.

Regards
--
Yves Martin

On Mon, 2015-07-20 at 12:25 +0100, Andrew Wilkins wrote:
> I think I have got to the bottom of the cause of my problem.
>
> A Windows update https://technet.microsoft.com/library/security/3057154
> has disabled DES, which was one of the cryptos I had enabled.
>
> It is very hard to tell what is actually going on, but I have found of the
> remaining working cryptos I have RC4, AES256 and AES128, and they are in
> that order in the keytab. RC4 seems to be troublesome for some Windows
> users, and AES256 does not seem to be supported by the GSSAPI (v 2.1.25
> I think), so my suspicion is that these users are getting an AES256 ticket
> and Windows is expecting it to work, but I can't figure a way to confirm it.
>
> Windows has some user crypto options, but they don't actually seem to do
> anything on my test server.
>
> On 16 July 2015 at 23:16, Andrew Wilkins <and...@gm...> wrote:
> > Hi
> >
> > I have an Ubuntu 12.04 box hosting a Drupal intranet with SSO
> > authentication using Kerberos.
> >
> > It was working without any problems for around 18 months, during which
> > time the config has been left unchanged.
> >
> > We now have a login problem which started a couple of days ago: a lot of
> > users can't log in with SSO, so have to go to the manual login page to
> > gain access.
> > Users access the site via a couple of different URLs; the domains are
> > CNAMEs of the actual server hostname. The users which are affected seem
> > to be able to log in if connected to the webserver directly via its FQDN.
> > The Apache debug logs do not give me anything helpful; they show the
> > error "warning received token seems to be NTLM", which seems to be what
> > happens when Kerberos fails: it falls back and tries NTLM. This was the
> > error we usually got in testing until the config was exactly right.
> >
> > I can still kinit with the keytab, and the KVNO still matches. Can anyone
> > think of any further check I can be doing, or think of any reason it might
> > have suddenly stopped working?
> >
> > I don't have admin access to the AD servers, but have set up my own to
> > test with and cannot recreate the problem.
From: Andrew W. <and...@gm...> - 2015-07-21 23:56:51

I think I have got to the bottom of the cause of my problem.

A Windows update https://technet.microsoft.com/library/security/3057154 has disabled DES, which was one of the cryptos I had enabled.

It is very hard to tell what is actually going on, but I have found of the remaining working cryptos I have RC4, AES256 and AES128, and they are in that order in the keytab. RC4 seems to be troublesome for some Windows users, and AES256 does not seem to be supported by the GSSAPI (v 2.1.25 I think), so my suspicion is that these users are getting an AES256 ticket and Windows is expecting it to work, but I can't figure a way to confirm it.

Windows has some user crypto options, but they don't actually seem to do anything on my test server.

On 16 July 2015 at 23:16, Andrew Wilkins <and...@gm...> wrote:
> Hi
>
> I have an Ubuntu 12.04 box hosting a Drupal intranet with SSO
> authentication using Kerberos.
>
> It was working without any problems for around 18 months, during which
> time the config has been left unchanged.
>
> We now have a login problem which started a couple of days ago: a lot of
> users can't log in with SSO, so have to go to the manual login page to gain
> access.
> Users access the site via a couple of different URLs; the domains are
> CNAMEs of the actual server hostname. The users which are affected seem to
> be able to log in if connected to the webserver directly via its FQDN.
> The Apache debug logs do not give me anything helpful; they show the error
> "warning received token seems to be NTLM", which seems to be what happens
> when Kerberos fails: it falls back and tries NTLM. This was the error we
> usually got in testing until the config was exactly right.
>
> I can still kinit with the keytab, and the KVNO still matches. Can anyone
> think of any further check I can be doing, or think of any reason it might
> have suddenly stopped working?
>
> I don't have admin access to the AD servers, but have set up my own to test
> with and cannot recreate the problem.
From: Patrick F. <fo...@ch...> - 2014-11-14 10:22:23

Hi!
I have in my Apache config.
<Location /auth>
SSLRequireSSL
AuthType Kerberos
AuthName "Log in with your cid"
KrbAuthRealm SOMEDOMAIN.COM
KrbVerifyKDC off
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbLocalUserMapping on
KrbSaveCredentials off
Krb5Keytab /www/krb5.keytab
KrbServiceName Any
AuthLDAPUrl ldap://ldap.somedomain.com/dc=somedomain,dc=com?uid?sub?(objectClass=account)
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute memberUid
require valid-user
require ldap-group cn=admins, ou=groups, dc=somedomain, dc=com
satisfy all
</Location>
With this setup a user in the SOMEDOMAIN.COM domain belonging to the (LDAP) admins group can log in either with a ticket or (if there is no ticket) by supplying username/password.

The problem is that I would like to be able to fall back to username/password login if a user has a ticket for a principal that isn't in the admins group.

I.e.:
User som...@SO... isn't a member of the admins group.
User oth...@SO... is a member of the admins group.

1) With a ticket for oth...@SO..., login is successful.
2) With a ticket for som...@SO..., login fails.
3) Without a ticket, logging in as otheruser:otherpass works and someuser:somepass fails.

In case (2) I would like for som...@SO... to be able to log in as otheruser:otherpass instead of failing.

Is this possible?

I guess I could redirect failed logins from https://www.somedomain.com/auth to https://www.somedomain.com/pwauth and have "KrbMethodNegotiate off" for <Location /pwauth>, but I would like to be able to keep the /auth URI.

Regards,
/Patrick
From: Martin S. <th...@ma...> - 2014-07-02 20:49:29

Hi all,

I'm trying to set up Kerberos authentication on Apache 2.2.15-30 (CentOS 6.5), and am facing an issue that I'm not able to debug or solve.

Please find my error_log below:

[Wed Jul 02 20:59:01 2014] [debug] src/mod_auth_kerb.c(1940): [client 192.168.218.1] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Jul 02 20:59:03 2014] [debug] src/mod_auth_kerb.c(1940): [client 192.168.218.1] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Jul 02 20:59:03 2014] [debug] src/mod_auth_kerb.c(1279): [client 192.168.218.1] Acquiring creds for HTTP/infa.domain.local
[Wed Jul 02 20:59:03 2014] [debug] src/mod_auth_kerb.c(1692): [client 192.168.218.1] Verifying client data using KRB5 GSS-API
[Wed Jul 02 20:59:03 2014] [debug] src/mod_auth_kerb.c(1708): [client 192.168.218.1] Client didn't delegate us their credential
[Wed Jul 02 20:59:03 2014] [debug] src/mod_auth_kerb.c(1727): [client 192.168.218.1] GSS-API token of length 941 bytes will be sent back
[Wed Jul 02 20:59:03 2014] [debug] src/mod_auth_kerb.c(1139): [client 192.168.218.1] GSS-API major_status:01020000, minor_status:00000000
[Wed Jul 02 20:59:03 2014] [error] [client 192.168.218.1] gss_display_name() failed: A required input parameter could not be read: An invalid name was supplied (, Unknown error)

Please find the HTTP dump below:

GET http://infa.domain.local/server-status HTTP/1.1
Host: infa.domain.local
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0

HTTP/1.1 401 Authorization Required
Date: Wed, 02 Jul 2014 19:32:39 GMT
Server: Apache/2.2.15 (CentOS)
WWW-Authenticate: Negotiate
Content-Length: 484
Connection: close
Content-Type: text/html; charset=iso-8859-1
Proxy-Support: Session-Based-Authentication

GET http://infa.domain.local/server-status HTTP/1.1
Host: infa.domain.local
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0
Authorization: Negotiate [base64 SPNEGO token omitted]

HTTP/1.1 500 Internal Server Error
Date: Wed, 02 Jul 2014 19:32:42 GMT
Server: Apache/2.2.15 (CentOS)
WWW-Authenticate: Negotiate [base64 SPNEGO token omitted]
Content-Length: 617
Connection: close
Content-Type: text/html; charset=iso-8859-1

Please find the relevant configuration files below:

kdc.conf

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 DOMAIN.LOCAL = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  forwardable = true
  proxiable = true
  supported_enctypes = rc4-hmac:normal
 }

auth_kerb.conf

LoadModule auth_kerb_module modules/mod_auth_kerb.so
<Location /server-status>
  #SSLRequireSSL
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbAuthRealms DOMAIN.LOCAL
  Krb5KeyTab /etc/httpd/conf/http.keytab
  KrbServiceName HTTP/infa.domain.local
  require valid-user
</Location>

klist -e -k /etc/httpd/conf/http.keytab

Keytab name: FILE:/etc/httpd/conf/http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   0 HTTP/inf...@DO... (arcfour-hmac)

Does anyone have an idea of what the problem might be? I'd be very thankful for any comments.

Thank you,
Martin
From: Andrew W. <and...@gm...> - 2014-05-29 23:20:59

Hi

I have been working on getting single sign-on working for an intranet. We had it working up until a couple of days ago, when we were planning to go from a development server to a production server. After generating a new keytab for the production server using the same mapped user and the same service principal name, it stopped the original server from working, so I created a new keytab for the original server with a different service principal name.

Using the new keytab I am getting the following error:

GSS-API major_status:000d0000, minor_status:000186a5

I just cannot figure out how these status error codes work. I found from various posts that minor_status:000186a4 seems to mean unable to access keytab, which helped me fix an error in the keytab path name, but this error minor_status:000186a5 I just cannot find out what it means. I've found some lists of codes here http://docs.oracle.com/cd/E23824_01/html/819-2145/kerberrs-2.html but they don't seem to match the format I've got.

Can anyone tell me what this code means, or point me in the direction of how to find out?
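The major_status values quoted in this message (000d0000) and in Martin S.'s error_log earlier on this page (01020000) follow the fixed field layout of RFC 2744, so they can be read without access to the server. The following is an added example, not mod_auth_kerb code; it decodes only the major status, because the minor status is a mechanism-specific code that mod_auth_kerb already renders as text on the error line that follows (the gss_accept_sec_context() and gss_display_name() messages seen in these threads). The sample log lines are constructed from the lines quoted on this page.

```python
"""Decode the GSS-API major_status values that mod_auth_kerb writes to error_log.

Added example, not mod_auth_kerb code. The 32-bit major status packs three
fields (RFC 2744 section 3.9.1): calling error in bits 24-31, routine error
in bits 16-23, supplementary flags in bits 0-15. The minor_status next to it
is mechanism specific (a com_err code for MIT Kerberos) and is only
meaningful through gss_display_status() on the server, so it is not decoded.
"""
import re

CALLING_ERRORS = {
    1: "GSS_S_CALL_INACCESSIBLE_READ",   # "A required input parameter could not be read"
    2: "GSS_S_CALL_INACCESSIBLE_WRITE",
    3: "GSS_S_CALL_BAD_STRUCTURE",
}

ROUTINE_ERRORS = {
    1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
    4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS", 6: "GSS_S_BAD_SIG",
    7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
    10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
    12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
    15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
    17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN",
}

SUPPLEMENTARY_FLAGS = {
    1: "GSS_S_CONTINUE_NEEDED", 2: "GSS_S_DUPLICATE_TOKEN",
    4: "GSS_S_OLD_TOKEN", 8: "GSS_S_UNSEQ_TOKEN", 16: "GSS_S_GAP_TOKEN",
}

# Matches the line format mod_auth_kerb uses, as quoted in this thread.
LOG_RE = re.compile(
    r"GSS-API major_status:([0-9a-fA-F]{8}), minor_status:([0-9a-fA-F]{8})")

# Constructed sample: the two status lines quoted on this page.
SAMPLE_LINES = [
    "[Wed Jul 02 20:59:03 2014] [debug] src/mod_auth_kerb.c(1139): "
    "[client 192.168.218.1] GSS-API major_status:01020000, minor_status:00000000",
    "GSS-API major_status:000d0000, minor_status:000186a5",
]


def decode_major(major):
    """Split a major status into its named calling/routine/supplementary parts."""
    calling = (major >> 24) & 0xFF
    routine = (major >> 16) & 0xFF
    supp = major & 0xFFFF
    calling_name = CALLING_ERRORS.get(calling, f"unknown calling error {calling}")
    routine_name = ROUTINE_ERRORS.get(routine, f"unknown routine error {routine}")
    return {
        "calling": calling_name if calling else None,
        "routine": routine_name if routine else None,
        "supplementary": [name for bit, name in SUPPLEMENTARY_FLAGS.items()
                          if supp & bit],
    }


def explain_log_line(line):
    """Return the decoded status for one error_log line, or None if it has none."""
    m = LOG_RE.search(line)
    if not m:
        return None
    info = decode_major(int(m.group(1), 16))
    info["minor"] = int(m.group(2), 16)
    names = [p for p in (info["calling"], info["routine"]) if p]
    names += info["supplementary"]
    # An all-zero major status is GSS_S_COMPLETE: the call itself succeeded.
    info["summary"] = ", ".join(names) if names else "GSS_S_COMPLETE"
    return info


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        info = explain_log_line(line)
        print(f"{line[-52:]}\n  -> {info['summary']} (minor 0x{info['minor']:08x})")
```

The first sample decodes to GSS_S_CALL_INACCESSIBLE_READ plus GSS_S_BAD_NAME, which is exactly the text mod_auth_kerb logged on the next line ("A required input parameter could not be read: An invalid name was supplied"); 000d0000 is a bare GSS_S_FAILURE, for which only the minor status carries information.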
From: Andrew W. <and...@gm...> - 2014-04-17 18:33:31

Hi

Thanks for your reply; sorry I've not responded sooner, I had been waiting till I was next on site to take another look at the logs.

I had a conference meeting with one of the web developers and one of the Windows domain admins so we could get it all worked out, and we did manage to sort it. We seem to have had 2 problems; I'm not 100% on if it was one, the other or both which were fatal, but we got it to how it works and can repeat, so it wasn't that worth going over it to try and find out other ways that we could have had it working when it involves several people working on it to get it done.

The first problem was we were not using the FQDN, just the hostname, for the service principal, so it was HTTP/ar...@my... instead of HTTP/are...@my...

Another problem I found was that the machine's FQDN had the domain in lower case; everywhere in the AD setup it was upper case, so we changed that also.

On 30 March 2014 21:08, Jim Fisk <jim...@an...> wrote:
> Hey Andrew,
>
> Please see my comments inline below:
>
> On Sat, Mar 29, 2014 at 5:42 PM, Andrew Wilkins <and...@gm...> wrote:
>
>> Hi I am looking for some help with SSO for Drupal using Kerberos with
>> Apache on an Active Directory domain, with Windows 7 clients using IE10
>>
> I assume you are using the LDAP module: https://drupal.org/project/ldap?
> Single Sign On aside, are users able to authenticate to your Drupal site
> with their Active Directory (AD) credentials?
>
>> I have set up following this guide
>>
>> http://www.grolmsnet.de/kerbtut/
>>
> It's good that you're using this guide. The closer you can stick to it,
> the better. It really helped me in the past.
>
>> I have used ktpass to generate the keytab, originally using rc4-hmac-nt
>> as the crypto type, but read that it might not work with Windows 7 by
>> default now, so have tried it with crypto ALL
>>
> I used "/crypto RC4-HMAC-NT" when creating a keytab for my Drupal SSO
> setup and it worked with Windows 7. I can't guarantee it would always
> work, but can confirm it worked for me.
>
>> I am still receiving the following error in the logs.
>>
>> Warning: received token seems to be NTLM, which isn't supported by the
>> Kerberos module. Check your IE configuration.
>>
> Is this information coming from your Apache error logs? Is there any more
> context?
>
>> I understand this error can be misleading, as you will sometimes get it
>> when it's not a client config problem, as when Kerberos fails it sends the
>> NTLM ticket anyway.
>>
>> Should a keytab which has been generated with all the available crypto
>> types just work, sorting out the crypto type with the client, or do I need
>> to do something to make it work?
>>
> Unfortunately I don't know the answer to this. However, since you've
> created a keytab a couple of times now with different encryption types, it
> may be worth double checking that you don't have duplicate SPNs. Try
> running the following in the command line on your Active Directory DC:
> "setspn -q HTTP/arecord.yoursite.com" (obviously put in your own FQDN)
>
>> Also something I am a little unclear on is: do I need to have any local
>> tickets loaded for the keytab to work, or does the module handle getting
>> its own tickets?
>>
> Try signing into your Windows 7 workstation that you want to SSO. Open up
> the command line and run "klist". This should show your Ticket Granting
> Ticket (TGT) and possibly a few service tickets for other Windows
> authentication. Your Windows 7 workstation will try to access your Drupal
> site anonymously initially. So you won't see a ticket for that specific
> service until you try to hit your site:
> https://cname.yoursite.com/user/login/sso. Once you hit that URL, given
> that your browser is configured properly, try running klist again and see
> if you can see a ticket for that specific service.
>
>> The guide has me testing using
>> kinit user@domain
>> which successfully makes a ticket
>> and later
>> kinit -k -t /keytabfile PRINCPLE/fqdn
>> again this successfully creates a ticket
>>
>> Are they purely for testing, or would either of them need to be renewed
>> when they expire?
>>
> The first command is getting you a TGT from the Key Distribution Center
> (KDC) - i.e. your Active Directory. The second is checking if your keytab
> file on your Drupal server is working. The fact that it completes without
> error is a good sign. This is used for testing, so don't worry about
> renewing these specific tickets. Each workstation will get its own TGT
> through the Authentication Service (AS) during login and (hopefully) get a
> valid ticket for your service from the Ticket Grant Service (TGS) when you
> try to access your site. Don't worry about the AS and TGS. They are both
> part of the KDC and should be set up automatically with Active Directory.
> The steps you mentioned above are important to make sure that AD is
> sending tickets for the correct service that can be validated correctly
> against your keytab file.
>
> You can also make sure your Key Version Number (KVNO) for your ticket
> matches the KVNO in your keytab:
>
> kvno HTTP/arecord.mysite.com
>
> Then check it against your keytab KVNO:
>
> klist -k
>
> More importantly in your case, check that the encryption types match:
>
> klist -e
>
> Check this against your keytab:
>
> klist -e -k -t /path/to/your/keytab/krb5.keytab
From: Jim F. <jim...@an...> - 2014-03-30 21:52:18

Hey Andrew,

Please see my comments inline below:

On Sat, Mar 29, 2014 at 5:42 PM, Andrew Wilkins <and...@gm...> wrote:
> Hi I am looking for some help with SSO for Drupal using Kerberos with Apache
> on an Active Directory domain, with Windows 7 clients using IE10

I assume you are using the LDAP module: https://drupal.org/project/ldap? Single Sign On aside, are users able to authenticate to your Drupal site with their Active Directory (AD) credentials?

> I have set up following this guide
>
> http://www.grolmsnet.de/kerbtut/

It's good that you're using this guide. The closer you can stick to it, the better. It really helped me in the past.

> I have used ktpass to generate the keytab, originally using rc4-hmac-nt as
> the crypto type, but read that it might not work with Windows 7 by default
> now, so have tried it with crypto ALL

I used "/crypto RC4-HMAC-NT" when creating a keytab for my Drupal SSO setup and it worked with Windows 7. I can't guarantee it would always work, but can confirm it worked for me.

> I am still receiving the following error in the logs.
>
> Warning: received token seems to be NTLM, which isn't supported by the
> Kerberos module. Check your IE configuration.

Is this information coming from your Apache error logs? Is there any more context?

> I understand this error can be misleading, as you will sometimes get it
> when it's not a client config problem, as when Kerberos fails it sends the
> NTLM ticket anyway.
>
> Should a keytab which has been generated with all the available crypto
> types just work, sorting out the crypto type with the client, or do I need
> to do something to make it work?

Unfortunately I don't know the answer to this. However, since you've created a keytab a couple of times now with different encryption types, it may be worth double checking that you don't have duplicate SPNs. Try running the following in the command line on your Active Directory DC: "setspn -q HTTP/arecord.yoursite.com" (obviously put in your own FQDN)

> Also something I am a little unclear on is: do I need to have any local
> tickets loaded for the keytab to work, or does the module handle getting
> its own tickets?

Try signing into your Windows 7 workstation that you want to SSO. Open up the command line and run "klist". This should show your Ticket Granting Ticket (TGT) and possibly a few service tickets for other Windows authentication. Your Windows 7 workstation will try to access your Drupal site anonymously initially. So you won't see a ticket for that specific service until you try to hit your site: https://cname.yoursite.com/user/login/sso. Once you hit that URL, given that your browser is configured properly, try running klist again and see if you can see a ticket for that specific service.

> The guide has me testing using
> kinit user@domain
> which successfully makes a ticket
> and later
> kinit -k -t /keytabfile PRINCPLE/fqdn
> again this successfully creates a ticket
>
> Are they purely for testing, or would either of them need to be renewed
> when they expire?

The first command is getting you a TGT from the Key Distribution Center (KDC) - i.e. your Active Directory. The second is checking if your keytab file on your Drupal server is working. The fact that it completes without error is a good sign. This is used for testing, so don't worry about renewing these specific tickets. Each workstation will get its own TGT through the Authentication Service (AS) during login and (hopefully) get a valid ticket for your service from the Ticket Grant Service (TGS) when you try to access your site. Don't worry about the AS and TGS. They are both part of the KDC and should be set up automatically with Active Directory. The steps you mentioned above are important to make sure that AD is sending tickets for the correct service that can be validated correctly against your keytab file.

You can also make sure your Key Version Number (KVNO) for your ticket matches the KVNO in your keytab:

kvno HTTP/arecord.mysite.com

Then check it against your keytab KVNO:

klist -k

More importantly in your case, check that the encryption types match:

klist -e

Check this against your keytab:

klist -e -k -t /path/to/your/keytab/krb5.keytab
From: Andrew W. <and...@gm...> - 2014-03-29 21:42:09

Hi

I am looking for some help with SSO for Drupal using Kerberos with Apache on an Active Directory domain, with Windows 7 clients using IE10.

I have set up following this guide http://www.grolmsnet.de/kerbtut/

I have used ktpass to generate the keytab, originally using rc4-hmac-nt as the crypto type, but read that it might not work with Windows 7 by default now, so have tried it with crypto ALL.

I am still receiving the following error in the logs:

Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.

I understand this error can be misleading, as you will sometimes get it when it's not a client config problem, as when Kerberos fails it sends the NTLM ticket anyway.

Should a keytab which has been generated with all the available crypto types just work, sorting out the crypto type with the client, or do I need to do something to make it work?

Also something I am a little unclear on is: do I need to have any local tickets loaded for the keytab to work, or does the module handle getting its own tickets?

The guide has me testing using
kinit user@domain
which successfully makes a ticket, and later
kinit -k -t /keytabfile PRINCPLE/fqdn
again this successfully creates a ticket.

Are they purely for testing, or would either of them need to be renewed when they expire?
From: Russ A. <ea...@ey...> - 2014-01-21 19:30:49

"Steve van der Burg" <ste...@lh...> writes:

> My own problems tackling this are detailed here:
> http://stackoverflow.com/questions/21260141/apache2-working-with-mod-auth-kerb-to-enable-dont-require-logging-in-but-al

The answer you received to that question is correct. There isn't any way to tell whether the browser is capable of Negotiate-Auth without challenging it, at which point the browser will throw up a dialog box if it can't auth.

--
Russ Allbery (ea...@ey...) <http://www.eyrie.org/~eagle/>
From: Steve v. d. B. <ste...@lh...> - 2014-01-21 15:10:00

Would it be possible to add and expose a fixup handler in this module? That way, the "allow negotiation and auth, but don't require it" issue that I have seen many times over the years in the mailing list archives here could possibly be solved without the complex and non-robust solutions that have been proposed in the past.

As a long-time user of Apache::AuthCookie, I have used its fixup handler to accomplish this same goal.

My own problems tackling this are detailed here:
http://stackoverflow.com/questions/21260141/apache2-working-with-mod-auth-kerb-to-enable-dont-require-logging-in-but-al

After I posted that, it was pointed out to me that I hadn't searched this mailing list. Once I did, I came across a number of requests similar to mine.

...Steve
|
From: Jakob O. <ja...@gm...> - 2014-01-15 08:17:37
|
Hello Douglas,
so far it looks like the problem is solved. And it works with two SPNs.
Thanks man...

On Tue, Jan 14, 2014 at 10:40 PM, Douglas E. Engert <dee...@an...> wrote:
>
> On 1/7/2014 2:22 PM, Jakob Olsen wrote:
>> Hello Douglas, thanks for your reply.
>> If I create 2 accounts.
>>
>> One for http/servername.domain.int and one for http/servername.domain.ext
>>
>> Same server should be able to serve both "SPNs".
>> How will I do that?
>
> Sorry about the late reply.
>
> But yes it could, if you combine the two keytab files. MIT's ktutil can do that.
>
> You would also have to look closely at how the calls to gss_accept_sec_context
> handle the acceptor_cred_handle parameter. It's been a long time, but IIRC it can
> be null and the lower level Kerberos may be able to use any keytab entry.
>
>> On Tue, Jan 7, 2014 at 9:14 PM, Douglas E. Engert <dee...@an...> wrote:
>>
>> On 1/7/2014 1:17 PM, Jakob Olsen wrote:
>>> Hello,
>>> this is my first post to the mailing-list, so I hope I'm doing it the right way.
>>>
>>> We have the following setup:
>>>
>>> KDC = Windows 2003R2
>>>
>>> Kerberos enabled server: Ubuntu - Apache 2.4
>>>
>>> Clients: Windows 7 - IE 8
>>>
>>> The solution has been up running, but today I needed to add another
>>> SPN to the AD user, used when the keytab was created.
>>
>> If this is your first attempt at using AD as the KDC for a service,
>> keep in mind that the MS docs talk about a "user" account,
>> but the user is not a real user but an account representing a
>> service. Some people get confused. Your use of
>> -mapuser us...@do... looks like this type of confusion.
>>
>> Real users don't normally have SPNs.
>>
>>> I create my keytab with this Windows command:
>>>
>>> ktpass -princ HTTP/ser...@DO... -mapuser us...@do... -pass password -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
>>>
>>> But after I added another SPN and created a new keytab, I see this
>>> error in my Apache error.log:
>>>
>>> [Tue Jan 07 16:53:24.378749 2014] [auth_kerb:debug] [pid 11253] src/mod_auth_kerb.c(1121): [client IP:PORT] GSS-API major_status:000d0000, minor_status:96c73ae6
>>> [Tue Jan 07 16:53:24.378809 2014] [auth_kerb:error] [pid 11253] [client IP:PORT] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)
>>>
>>> So my question is:
>>>
>>> What do I do about this error?
>>> How do I debug any further?
>>
>> Some things to keep in mind...
>>
>> An AD account has a single password used to generate keys on the fly.
>>
>> An AD account has a single key version number.
>>
>> An SPN added to an account shares the password and KVNO with the
>> UPN for the account and all other SPNs on the account.
>>
>> One way to avoid this is to have a separate service account with only
>> one SPN, and one matching keytab entry.
>> Pick a naming convention for these AD accounts, say <service>-<host>,
>> so in your example, http-servername
>>
>> You may also want to look at msktutil (Ubuntu has a packaged
>> version), or Samba utilities that allow you to update keytabs and AD accounts
>> rather than ktpass.
>>
>>> Normally I don't have klist, ktutil, kadmin etc installed on the
>>> Ubuntu server.
>>> But today I installed the krb-user package and when calling kvno
>>> HTTP/servername.domain.tld I see the same kvno as the ktpass is writing
>>> when creating the keytab.
>>
>> You might just be seeing that the user has cached tickets. You
>> may want to kinit again.
>>
>>> Any help is appreciated.
>>>
>>> --
>>> Jakob Damgaard Olsen
>>> Tlf: 24613112
>>>
>>> ------------------------------------------------------------------------------
>>> Rapidly troubleshoot problems before they affect your business. Most IT
>>> organizations don't have a clear picture of how application performance
>>> affects their revenue. With AppDynamics, you get 100% visibility into your
>>> Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
>>> http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk
>>>
>>> _______________________________________________
>>> modauthkerb-help mailing list
>>> mod...@li...
>>> https://lists.sourceforge.net/lists/listinfo/modauthkerb-help
>>
>> --
>> Douglas E. Engert <DEE...@an...>
>> Argonne National Laboratory
>> 9700 South Cass Avenue
>> Argonne, Illinois 60439
>> (630) 252-5444
>>
>> --
>> Jakob Damgaard Olsen
>> Tlf: 24613112
>
> --
> Douglas E. Engert <DEE...@an...> <DEE...@gm...>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444

--
Jakob Damgaard Olsen
Tlf: 24613112 |
|
From: Douglas E. E. <dee...@an...> - 2014-01-14 21:40:11
|
On 1/7/2014 2:22 PM, Jakob Olsen wrote:
> Hello Douglas, thanks for your reply.
> If I create 2 accounts.
>
> One for http/servername.domain.int and one for http/servername.domain.ext
> Same server should be able to serve both "SPNs".
> How will I do that?

Sorry about the late reply.

But yes it could, if you combine the two keytab files. MIT's ktutil can do that.

You would also have to look closely at how the calls to gss_accept_sec_context
handle the acceptor_cred_handle parameter. It's been a long time, but IIRC it can
be null and the lower level Kerberos may be able to use any keytab entry.

> On Tue, Jan 7, 2014 at 9:14 PM, Douglas E. Engert <dee...@an...> wrote:
>
> On 1/7/2014 1:17 PM, Jakob Olsen wrote:
>> Hello,
>> this is my first post to the mailing-list, so I hope I'm doing it the right way.
>>
>> We have the following setup:
>>
>> KDC = Windows 2003R2
>>
>> Kerberos enabled server: Ubuntu - Apache 2.4
>>
>> Clients: Windows 7 - IE 8
>>
>> The solution has been up running, but today I needed to add another SPN to the AD user, used when the keytab was created.
>
> If this is your first attempt at using AD as the KDC for a service, keep in mind that the MS docs talk about a "user" account,
> but the user is not a real user but an account representing a service. Some people get confused. Your use of
> -mapuser us...@do... looks like this type of confusion.
>
> Real users don't normally have SPNs.
>
>> I create my keytab with this Windows command:
>>
>> ktpass -princ HTTP/ser...@DO... -mapuser us...@do... -pass password -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
>>
>> But after I added another SPN and created a new keytab, I see this error in my Apache error.log:
>>
>> [Tue Jan 07 16:53:24.378749 2014] [auth_kerb:debug] [pid 11253] src/mod_auth_kerb.c(1121): [client IP:PORT] GSS-API major_status:000d0000, minor_status:96c73ae6
>> [Tue Jan 07 16:53:24.378809 2014] [auth_kerb:error] [pid 11253] [client IP:PORT] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)
>>
>> So my question is:
>>
>> What do I do about this error?
>> How do I debug any further?
>
> Some things to keep in mind...
>
> An AD account has a single password used to generate keys on the fly.
>
> An AD account has a single key version number.
>
> An SPN added to an account shares the password and KVNO with the UPN for the account and all other SPNs on the account.
>
> One way to avoid this is to have a separate service account with only one SPN, and one matching keytab entry.
> Pick a naming convention for these AD accounts, say <service>-<host>, so in your example, http-servername
>
> You may also want to look at msktutil (Ubuntu has a packaged version), or Samba utilities that allow you to update keytabs and AD accounts
> rather than ktpass.
>
>> Normally I don't have klist, ktutil, kadmin etc installed on the Ubuntu server.
>> But today I installed the krb-user package and when calling kvno HTTP/servername.domain.tld I see the same kvno as the ktpass is writing when creating the keytab.
>
> You might just be seeing that the user has cached tickets. You may want to kinit again.
>
>> Any help is appreciated.
>>
>> --
>> Jakob Damgaard Olsen
>> Tlf: 24613112
>
> --
> Douglas E. Engert <DEE...@an...>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
>
> --
> Jakob Damgaard Olsen
> Tlf: 24613112

--
Douglas E. Engert <DEE...@an...> <DEE...@gm...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444 |
|
From: Jakob O. <ja...@gm...> - 2014-01-08 06:56:48
|
Thanks Douglas, it was "that" easy... :)

Have seen the error message so many times:
Key version number for principal in key table is incorrect
And every time I thought the keytab was the problem.

When I removed the old ticket, the Kerberos was working again.

Thanks.

On Tue, Jan 7, 2014 at 11:06 PM, Douglas E. Engert <dee...@an...> wrote:
>
> On 1/7/2014 2:58 PM, Jakob Olsen wrote:
>> Hello all,
>> can this be the problem?
>>
>> http://support.microsoft.com/kb/870987
>>
>> If I open adsiedit.msc and find the user, there is no: msDS-KeyVersionNumber
>> But when I created the keytab, I get this information:
>>
>> C:\>ktpass -princ HTTP/ser...@DO... -mapuser htt...@do... -pass abc12345 -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
>> Targeting domain controller: RKDC01.domain.tld
>> Successfully mapped HTTP/servername.domain.tld to http-servername-tld.
>> Password succesfully set!
>> Key created.
>> Output keytab to krb5.keytab:
>> Keytab version: 0x502
>> keysize 76 HTTP/ser...@DO... ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0xea847b34167fd797cac465a00a2d88b3)
>>
>> Why is the vno 3 from start?
>
> Not sure, but that is common with AD. I suspect:
> 1 when created,
> 2 when the account password was changed (It should be set to not expire)
> 3 when you did the ktpass.
>
>> On Tue, Jan 7, 2014 at 9:36 PM, Jakob Olsen <ja...@gm...> wrote:
>>
>> Sorry to spam the list...
>> I just created a new user.
>> Created a new keytab (using the ktpass-util)
>> Copied keytab to apache and restarted the server.
>>
>> I still get this error in apache error.log:
>> [Tue Jan 07 21:31:41.785661 2014] [auth_kerb:error] [pid 15740] [client 192.168.128.68:51686] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)
>>
>> How can the kvno be wrong, when user is just created and same with keytab?
>
> Did the client have cached tickets with an older kvno?
> W7 has a klist tickets command, but does not show the kvno, but does show the time the ticket was obtained.
> Make sure the time is after the time you ran the last ktpass for the SPN.
>
>> On Tue, Jan 7, 2014 at 9:22 PM, Jakob Olsen <ja...@gm...> wrote:
>>
>> Hello Douglas, thanks for your reply.
>> If I create 2 accounts.
>>
>> One for http/servername.domain.int and one for http/servername.domain.ext
>> Same server should be able to serve both "SPNs".
>> How will I do that?
>>
>> On Tue, Jan 7, 2014 at 9:14 PM, Douglas E. Engert <dee...@an...> wrote:
>>
>> On 1/7/2014 1:17 PM, Jakob Olsen wrote:
>>> Hello,
>>> this is my first post to the mailing-list, so I hope I'm doing it the right way.
>>>
>>> We have the following setup:
>>>
>>> KDC = Windows 2003R2
>>>
>>> Kerberos enabled server: Ubuntu - Apache 2.4
>>>
>>> Clients: Windows 7 - IE 8
>>>
>>> The solution has been up running, but today I needed to add another SPN to the AD user, used when the keytab was created.
>>
>> If this is your first attempt at using AD as the KDC for a service, keep in mind that the MS docs talk about a "user" account,
>> but the user is not a real user but an account representing a service. Some people get confused. Your use of
>> -mapuser us...@do... looks like this type of confusion.
>>
>> Real users don't normally have SPNs.
>>
>>> I create my keytab with this Windows command:
>>>
>>> ktpass -princ HTTP/ser...@DO... -mapuser us...@do... -pass password -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
>>>
>>> But after I added another SPN and created a new keytab, I see this error in my Apache error.log:
>>>
>>> [Tue Jan 07 16:53:24.378749 2014] [auth_kerb:debug] [pid 11253] src/mod_auth_kerb.c(1121): [client IP:PORT] GSS-API major_status:000d0000, minor_status:96c73ae6
>>> [Tue Jan 07 16:53:24.378809 2014] [auth_kerb:error] [pid 11253] [client IP:PORT] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)
>>>
>>> So my question is:
>>>
>>> What do I do about this error?
>>> How do I debug any further?
>>
>> Some things to keep in mind...
>>
>> An AD account has a single password used to generate keys on the fly.
>>
>> An AD account has a single key version number.
>>
>> An SPN added to an account shares the password and KVNO with the UPN for the account and all other SPNs on the account.
>>
>> One way to avoid this is to have a separate service account with only one SPN, and one matching keytab entry.
>> Pick a naming convention for these AD accounts, say <service>-<host>, so in your example, http-servername
>>
>> You may also want to look at msktutil (Ubuntu has a packaged version), or Samba utilities that allow you to update keytabs and AD accounts
>> rather than ktpass.
>>
>>> Normally I don't have klist, ktutil, kadmin etc installed on the Ubuntu server.
>>> But today I installed the krb-user package and when calling kvno HTTP/servername.domain.tld I see the same kvno as the ktpass is writing when creating the keytab.
>>
>> You might just be seeing that the user has cached tickets. You may want to kinit again.
>>
>>> Any help is appreciated.
>>>
>>> --
>>> Jakob Damgaard Olsen
>>> Tlf: 24613112
>>
>> --
>> Douglas E. Engert <DEE...@an...>
>> Argonne National Laboratory
>> 9700 South Cass Avenue
>> Argonne, Illinois 60439
>> (630) 252-5444
>>
>> --
>> Jakob Damgaard Olsen
>> Tlf: 24613112
>
> --
> Douglas E. Engert <DEE...@an...> <DEE...@gm...>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444

--
Jakob Damgaard Olsen
Tlf: 24613112 |
|
From: Douglas E. E. <dee...@an...> - 2014-01-07 22:06:10
|
On 1/7/2014 2:58 PM, Jakob Olsen wrote:
> Hello all,
> can this be the problem?
>
> http://support.microsoft.com/kb/870987
>
> If I open adsiedit.msc and find the user, there is no: msDS-KeyVersionNumber
> But when I created the keytab, I get this information:
>
> C:\>ktpass -princ HTTP/ser...@DO... -mapuser htt...@do... -pass abc12345 -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
> Targeting domain controller: RKDC01.domain.tld
> Successfully mapped HTTP/servername.domain.tld to http-servername-tld.
> Password succesfully set!
> Key created.
> Output keytab to krb5.keytab:
> Keytab version: 0x502
> keysize 76 HTTP/ser...@DO... ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0xea847b34167fd797cac465a00a2d88b3)
>
> Why is the vno 3 from start?

Not sure, but that is common with AD. I suspect:
1 when created,
2 when the account password was changed (It should be set to not expire)
3 when you did the ktpass.

> On Tue, Jan 7, 2014 at 9:36 PM, Jakob Olsen <ja...@gm...> wrote:
>
> Sorry to spam the list...
> I just created a new user.
> Created a new keytab (using the ktpass-util)
> Copied keytab to apache and restarted the server.
>
> I still get this error in apache error.log:
> [Tue Jan 07 21:31:41.785661 2014] [auth_kerb:error] [pid 15740] [client 192.168.128.68:51686] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)
>
> How can the kvno be wrong, when user is just created and same with keytab?

Did the client have cached tickets with an older kvno?
W7 has a klist tickets command, but does not show the kvno, but does show the time the ticket was obtained.
Make sure the time is after the time you ran the last ktpass for the SPN.

> On Tue, Jan 7, 2014 at 9:22 PM, Jakob Olsen <ja...@gm...> wrote:
>
> Hello Douglas, thanks for your reply.
> If I create 2 accounts.
>
> One for http/servername.domain.int and one for http/servername.domain.ext
> Same server should be able to serve both "SPNs".
> How will I do that?
>
> On Tue, Jan 7, 2014 at 9:14 PM, Douglas E. Engert <dee...@an...> wrote:
>
> On 1/7/2014 1:17 PM, Jakob Olsen wrote:
>> Hello,
>> this is my first post to the mailing-list, so I hope I'm doing it the right way.
>>
>> We have the following setup:
>>
>> KDC = Windows 2003R2
>>
>> Kerberos enabled server: Ubuntu - Apache 2.4
>>
>> Clients: Windows 7 - IE 8
>>
>> The solution has been up running, but today I needed to add another SPN to the AD user, used when the keytab was created.
>
> If this is your first attempt at using AD as the KDC for a service, keep in mind that the MS docs talk about a "user" account,
> but the user is not a real user but an account representing a service. Some people get confused. Your use of
> -mapuser us...@do... looks like this type of confusion.
>
> Real users don't normally have SPNs.
>
>> I create my keytab with this Windows command:
>>
>> ktpass -princ HTTP/ser...@DO... -mapuser us...@do... -pass password -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
>>
>> But after I added another SPN and created a new keytab, I see this error in my Apache error.log:
>>
>> [Tue Jan 07 16:53:24.378749 2014] [auth_kerb:debug] [pid 11253] src/mod_auth_kerb.c(1121): [client IP:PORT] GSS-API major_status:000d0000, minor_status:96c73ae6
>> [Tue Jan 07 16:53:24.378809 2014] [auth_kerb:error] [pid 11253] [client IP:PORT] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)
>>
>> So my question is:
>>
>> What do I do about this error?
>> How do I debug any further?
>
> Some things to keep in mind...
>
> An AD account has a single password used to generate keys on the fly.
>
> An AD account has a single key version number.
>
> An SPN added to an account shares the password and KVNO with the UPN for the account and all other SPNs on the account.
>
> One way to avoid this is to have a separate service account with only one SPN, and one matching keytab entry.
> Pick a naming convention for these AD accounts, say <service>-<host>, so in your example, http-servername
>
> You may also want to look at msktutil (Ubuntu has a packaged version), or Samba utilities that allow you to update keytabs and AD accounts
> rather than ktpass.
>
>> Normally I don't have klist, ktutil, kadmin etc installed on the Ubuntu server.
>> But today I installed the krb-user package and when calling kvno HTTP/servername.domain.tld I see the same kvno as the ktpass is writing when creating the keytab.
>
> You might just be seeing that the user has cached tickets. You may want to kinit again.
>
>> Any help is appreciated.
>>
>> --
>> Jakob Damgaard Olsen
>> Tlf: 24613112
>
> --
> Douglas E. Engert <DEE...@an...>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
>
> --
> Jakob Damgaard Olsen
> Tlf: 24613112

--
Douglas E. Engert <DEE...@an...> <DEE...@gm...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444 |
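Two points from Douglas's replies in this thread can be checked against the bytes of a keytab: an AD account has one password and one kvno shared by every SPN on it, so re-running ktpass bumps the kvno and any client still holding a ticket issued under the old kvno fails with "Key version number for principal in key table is incorrect"; and one Apache instance can accept tickets for two SPNs if the two keytab files are combined. The following Python is an added example written for this page, not code from mod_auth_kerb or from anyone on the list. It implements the 0x0502 keytab record layout by hand so it runs offline; the realm DOMAIN.TLD, the timestamps and the key bytes are constructed placeholders (the page elides the real realm and the key shown there is not reused).

```python
"""Keytab / kvno checks for the "Key version number for principal in key
table is incorrect" failure discussed in this thread (added example)."""
import struct

KEYTAB_MAGIC = b"\x05\x02"       # "Keytab version: 0x502" in the ktpass output
KRB5_NT_PRINCIPAL = 1            # "ptype 1" in the ktpass output
ETYPE_RC4_HMAC = 0x17            # "etype 0x17 (RC4-HMAC)" in the ktpass output
# MIT libkrb5 text for KRB5_KT_KVNONOTFOUND, the minor status in error.log.
KVNO_NOT_FOUND = "Key version number for principal in key table is incorrect"


def build_keytab(entries):
    """Serialise (principal, kvno, etype, key, timestamp) tuples the way
    ktpass/ktutil do: big-endian fields, a 32-bit record size before each
    record, an 8-bit vno inside it and a trailing 32-bit vno."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, etype, key, timestamp in entries:
        name, realm = principal.split("@", 1)
        comps = name.split("/")
        rec = bytearray(struct.pack(">H", len(comps)))
        rec += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            rec += struct.pack(">H", len(c)) + c.encode()
        rec += struct.pack(">II", KRB5_NT_PRINCIPAL, timestamp)
        rec += struct.pack(">B", kvno & 0xFF)
        rec += struct.pack(">HH", etype, len(key)) + key
        rec += struct.pack(">I", kvno)
        out += struct.pack(">i", len(rec)) + rec
    return bytes(out)


def parse_keytab(data):
    """Return a list of {principal, kvno, etype, key, timestamp} dicts."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        _ntype, timestamp, vno8, etype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:                # 0x502 records may carry a 32-bit vno
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "etype": etype, "key": key, "timestamp": timestamp})
        pos = end
    return entries


def check_service_ticket(keytab, principal, ticket_kvno, ticket_etype=ETYPE_RC4_HMAC):
    """The lookup gss_accept_sec_context() needs for an incoming ticket: an
    entry with the same principal, kvno and etype. Returns (ok, detail)."""
    same = [e for e in parse_keytab(keytab) if e["principal"] == principal]
    if not same:
        return False, "no entry for %s in keytab" % principal
    for e in same:
        if e["kvno"] == ticket_kvno and e["etype"] == ticket_etype:
            return True, "kvno %d etype 0x%x matched" % (ticket_kvno, ticket_etype)
    have = sorted({e["kvno"] for e in same})
    return False, "%s (ticket kvno %d, keytab has %s)" % (KVNO_NOT_FOUND, ticket_kvno, have)


def merge_keytabs(*keytabs):
    """What ktutil's rkt/wkt does: one keytab with every entry, so a single
    Apache instance can accept tickets for several SPNs."""
    merged = []
    for kt in keytabs:
        merged += [(e["principal"], e["kvno"], e["etype"], e["key"], e["timestamp"])
                   for e in parse_keytab(kt)]
    return build_keytab(merged)


# Constructed scenario mirroring the thread (placeholder realm, keys, times).
REALM = "DOMAIN.TLD"
SPN_INT = "HTTP/servername.domain.int@" + REALM
SPN_EXT = "HTTP/servername.domain.ext@" + REALM
keytab_v3 = build_keytab([(SPN_INT, 3, ETYPE_RC4_HMAC, bytes(range(16)), 1389110000)])
# Re-running ktpass on the same account resets its password: kvno 4, new key.
keytab_v4 = build_keytab([(SPN_INT, 4, ETYPE_RC4_HMAC, bytes(range(16, 32)), 1389120000)])
# A separate account per SPN, each with its own keytab, keeps kvnos independent.
keytab_ext = build_keytab([(SPN_EXT, 3, ETYPE_RC4_HMAC, bytes(range(32, 48)), 1389130000)])

if __name__ == "__main__":
    print(check_service_ticket(keytab_v4, SPN_INT, ticket_kvno=3))  # cached old ticket
    print(check_service_ticket(keytab_v4, SPN_INT, ticket_kvno=4))  # fresh ticket
    both = merge_keytabs(keytab_v4, keytab_ext)
    print([(e["principal"], e["kvno"]) for e in parse_keytab(both)])
```

The record for the .int principal comes out at 76 bytes, the same "keysize 76" ktpass printed for the page's equally long principal name, which is a quick way to confirm the layout above is the one the tool writes. A cached Windows ticket from before the second ktpass run reproduces the error text from the log against the kvno-4 keytab, while a fresh ticket matches; this is what Douglas's "make sure the ticket time is after the last ktpass" advice checks for.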
|
From: Jakob O. <ja...@gm...> - 2014-01-07 20:58:27
|
Hello all,
can this be the problem?

http://support.microsoft.com/kb/870987

If I open adsiedit.msc and find the user, there is no: msDS-KeyVersionNumber
But when I created the keytab, I get this information:

C:\>ktpass -princ HTTP/ser...@DO... -mapuser htt...@do... -pass abc12345 -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
Targeting domain controller: RKDC01.domain.tld
Successfully mapped HTTP/servername.domain.tld to http-servername-tld.
Password succesfully set!
Key created.
Output keytab to krb5.keytab:
Keytab version: 0x502
keysize 76 HTTP/ser...@DO... ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0xea847b34167fd797cac465a00a2d88b3)

Why is the vno 3 from start?

On Tue, Jan 7, 2014 at 9:36 PM, Jakob Olsen <ja...@gm...> wrote:
> Sorry to spam the list...
> I just created a new user.
> Created a new keytab (using the ktpass-util)
> Copied keytab to apache and restarted the server.
>
> I still get this error in apache error.log:
> [Tue Jan 07 21:31:41.785661 2014] [auth_kerb:error] [pid 15740] [client 192.168.128.68:51686] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)
>
> How can the kvno be wrong, when user is just created and same with keytab?
>
> On Tue, Jan 7, 2014 at 9:22 PM, Jakob Olsen <ja...@gm...> wrote:
>
>> Hello Douglas, thanks for your reply.
>> If I create 2 accounts.
>>
>> One for http/servername.domain.int and one for http/servername.domain.ext
>> Same server should be able to serve both "SPNs".
>> How will I do that?
>>
>> On Tue, Jan 7, 2014 at 9:14 PM, Douglas E. Engert <dee...@an...> wrote:
>>
>>> On 1/7/2014 1:17 PM, Jakob Olsen wrote:
>>>
>>> Hello,
>>> this is my first post to the mailing-list, so I hope I'm doing it the right way.
>>>
>>> We have the following setup:
>>>
>>> KDC = Windows 2003R2
>>>
>>> Kerberos enabled server: Ubuntu - Apache 2.4
>>>
>>> Clients: Windows 7 - IE 8
>>>
>>> The solution has been up running, but today I needed to add another SPN to the AD user, used when the keytab was created.
>>>
>>> If this is your first attempt at using AD as the KDC for a service, keep in mind that the MS docs talk about a "user" account,
>>> but the user is not a real user but an account representing a service. Some people get confused. Your use of
>>> -mapuser us...@do... looks like this type of confusion.
>>>
>>> Real users don't normally have SPNs.
>>>
>>> I create my keytab with this Windows command:
>>>
>>> ktpass -princ HTTP/ser...@DO... -mapuser us...@do... -pass password -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
>>>
>>> But after I added another SPN and created a new keytab, I see this error in my Apache error.log:
>>>
>>> [Tue Jan 07 16:53:24.378749 2014] [auth_kerb:debug] [pid 11253] src/mod_auth_kerb.c(1121): [client IP:PORT] GSS-API major_status:000d0000, minor_status:96c73ae6
>>> [Tue Jan 07 16:53:24.378809 2014] [auth_kerb:error] [pid 11253] [client IP:PORT] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)
>>>
>>> So my question is:
>>>
>>> What do I do about this error?
>>> How do I debug any further?
>>>
>>> Some things to keep in mind...
>>>
>>> An AD account has a single password used to generate keys on the fly.
>>>
>>> An AD account has a single key version number.
>>>
>>> An SPN added to an account shares the password and KVNO with the UPN for the account and all other SPNs on the account.
>>>
>>> One way to avoid this is to have a separate service account with only one SPN, and one matching keytab entry.
>>> Pick a naming convention for these AD accounts, say <service>-<host>, so in your example, http-servername
>>>
>>> You may also want to look at msktutil (Ubuntu has a packaged version), or Samba utilities that allow you to update keytabs and AD accounts
>>> rather than ktpass.
>>>
>>> Normally I don't have klist, ktutil, kadmin etc installed on the Ubuntu server.
>>> But today I installed the krb-user package and when calling kvno HTTP/servername.domain.tld I see the same kvno as the ktpass is writing when creating the keytab.
>>>
>>> You might just be seeing that the user has cached tickets. You may want to kinit again.
>>>
>>> Any help is appreciated.
>>>
>>> --
>>> Jakob Damgaard Olsen
>>> Tlf: 24613112
>>>
>>> --
>>> Douglas E. Engert <DEE...@an...>
>>> Argonne National Laboratory
>>> 9700 South Cass Avenue
>>> Argonne, Illinois 60439
>>> (630) 252-5444
>>
>> --
>> Jakob Damgaard Olsen
>> Tlf: 24613112
>
> --
> Jakob Damgaard Olsen
> Tlf: 24613112

--
Jakob Damgaard Olsen
Tlf: 24613112 |
|
From: Jakob O. <ja...@gm...> - 2014-01-07 20:36:52

Sorry to spam the list...
I just created a new user.
Created a new keytab (using the ktpass util).
Copied the keytab to apache and restarted the server.

I still get this error in apache error.log:

[Tue Jan 07 21:31:41.785661 2014] [auth_kerb:error] [pid 15740] [client 192.168.128.68:51686] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)

How can the kvno be wrong, when the user was just created, and the same with the keytab?

On Tue, Jan 7, 2014 at 9:22 PM, Jakob Olsen <ja...@gm...> wrote:
> Hello Douglas, thanks for your reply.
> If I create 2 accounts,
> one for http/servername.domain.int and one for http/servername.domain.ext,
> the same server should be able to serve both SPNs.
> How will I do that?
>
> On Tue, Jan 7, 2014 at 9:14 PM, Douglas E. Engert <dee...@an...> wrote:
>> On 1/7/2014 1:17 PM, Jakob Olsen wrote:
>>> Hello,
>>> this is my first post to the mailing list, so I hope I'm doing it the right way.
>>>
>>> We have the following setup:
>>>
>>> KDC = Windows 2003R2
>>> Kerberos enabled server: Ubuntu - Apache 2.4
>>> Clients: Windows 7 - IE 8
>>>
>>> The solution has been up and running, but today I needed to add another SPN to the AD user used when the keytab was created.
>>
>> If this is your first attempt at using AD as the KDC for a service, keep in mind that the MS docs talk about a "user" account,
>> but the user is not a real user but an account representing a service. Some people get confused. Your use of
>> -mapuser us...@do... looks like this type of confusion.
>>
>> Real users don't normally have SPNs.
>>
>>> I create my keytab with this windows command:
>>>
>>> ktpass -princ HTTP/ser...@DO... -mapuser us...@do... -pass password -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
>>>
>>> But after I added another SPN and created a new keytab, I see this error in my apache error.log:
>>>
>>> [Tue Jan 07 16:53:24.378749 2014] [auth_kerb:debug] [pid 11253] src/mod_auth_kerb.c(1121): [client IP:PORT] GSS-API major_status:000d0000, minor_status:96c73ae6
>>> [Tue Jan 07 16:53:24.378809 2014] [auth_kerb:error] [pid 11253] [client IP:PORT] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)
>>>
>>> So my question is:
>>>
>>> What do I do about this error?
>>> How do I debug any further?
>>
>> Some things to keep in mind...
>>
>> An AD account has a single password used to generate keys on the fly.
>>
>> An AD account has a single key version number.
>>
>> An SPN added to an account shares the password and KVNO with the UPN for the account and all other SPNs on the account.
>>
>> One way to avoid this is to have a separate service account with only one SPN, and one matching keytab entry.
>> Pick a naming convention for these AD accounts, say <service>-<host>, so in your example, http-servername.
>>
>> You may also want to look at msktutil (Ubuntu has a packaged version), or Samba utilities that allow you to update keytabs and AD accounts rather than ktpass.
>>
>>> Normally I don't have klist, ktutil, kadmin etc. installed on the ubuntu server.
>>> But today I installed the krb-user package and when calling kvno HTTP/servername.domain.tld I see the same kvno as ktpass writes when creating the keytab.
>>
>> You might just be seeing that the user has cached tickets. You may want to kinit again.
>>
>>> Any help is appreciated.
>>>
>>> --
>>> Jakob Damgaard Olsen
>>> Tlf: 24613112
>>
>> --
>> Douglas E. Engert <DEE...@an...>
>> Argonne National Laboratory
>> 9700 South Cass Avenue
>> Argonne, Illinois 60439
>> (630) 252-5444
>
> --
> Jakob Damgaard Olsen
> Tlf: 24613112

--
Jakob Damgaard Olsen
Tlf: 24613112
From: Jakob O. <ja...@gm...> - 2014-01-07 20:22:09

Hello Douglas, thanks for your reply.
If I create 2 accounts,
one for http/servername.domain.int and one for http/servername.domain.ext,
the same server should be able to serve both SPNs.
How will I do that?

On Tue, Jan 7, 2014 at 9:14 PM, Douglas E. Engert <dee...@an...> wrote:
> On 1/7/2014 1:17 PM, Jakob Olsen wrote:
>> Hello,
>> this is my first post to the mailing list, so I hope I'm doing it the right way.
>>
>> We have the following setup:
>>
>> KDC = Windows 2003R2
>> Kerberos enabled server: Ubuntu - Apache 2.4
>> Clients: Windows 7 - IE 8
>>
>> The solution has been up and running, but today I needed to add another SPN to the AD user used when the keytab was created.
>
> If this is your first attempt at using AD as the KDC for a service, keep in mind that the MS docs talk about a "user" account,
> but the user is not a real user but an account representing a service. Some people get confused. Your use of
> -mapuser us...@do... looks like this type of confusion.
>
> Real users don't normally have SPNs.
>
>> I create my keytab with this windows command:
>>
>> ktpass -princ HTTP/ser...@DO... -mapuser us...@do... -pass password -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
>>
>> But after I added another SPN and created a new keytab, I see this error in my apache error.log:
>>
>> [Tue Jan 07 16:53:24.378749 2014] [auth_kerb:debug] [pid 11253] src/mod_auth_kerb.c(1121): [client IP:PORT] GSS-API major_status:000d0000, minor_status:96c73ae6
>> [Tue Jan 07 16:53:24.378809 2014] [auth_kerb:error] [pid 11253] [client IP:PORT] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)
>>
>> So my question is:
>>
>> What do I do about this error?
>> How do I debug any further?
>
> Some things to keep in mind...
>
> An AD account has a single password used to generate keys on the fly.
>
> An AD account has a single key version number.
>
> An SPN added to an account shares the password and KVNO with the UPN for the account and all other SPNs on the account.
>
> One way to avoid this is to have a separate service account with only one SPN, and one matching keytab entry.
> Pick a naming convention for these AD accounts, say <service>-<host>, so in your example, http-servername.
>
> You may also want to look at msktutil (Ubuntu has a packaged version), or Samba utilities that allow you to update keytabs and AD accounts rather than ktpass.
>
>> Normally I don't have klist, ktutil, kadmin etc. installed on the ubuntu server.
>> But today I installed the krb-user package and when calling kvno HTTP/servername.domain.tld I see the same kvno as ktpass writes when creating the keytab.
>
> You might just be seeing that the user has cached tickets. You may want to kinit again.
>
>> Any help is appreciated.
>>
>> --
>> Jakob Damgaard Olsen
>> Tlf: 24613112
>
> --
> Douglas E. Engert <DEE...@an...>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444

--
Jakob Damgaard Olsen
Tlf: 24613112
From: Douglas E. E. <dee...@an...> - 2014-01-07 20:14:40

On 1/7/2014 1:17 PM, Jakob Olsen wrote:
> Hello,
> this is my first post to the mailing list, so I hope I'm doing it the right way.
>
> We have the following setup:
>
> KDC = Windows 2003R2
> Kerberos enabled server: Ubuntu - Apache 2.4
> Clients: Windows 7 - IE 8
>
> The solution has been up and running, but today I needed to add another SPN to the AD user used when the keytab was created.

If this is your first attempt at using AD as the KDC for a service, keep in mind that the MS docs talk about a "user" account,
but the user is not a real user but an account representing a service. Some people get confused. Your use of
-mapuser us...@do... looks like this type of confusion.

Real users don't normally have SPNs.

> I create my keytab with this windows command:
>
> ktpass -princ HTTP/ser...@DO... -mapuser us...@do... -pass password -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
>
> But after I added another SPN and created a new keytab, I see this error in my apache error.log:
>
> [Tue Jan 07 16:53:24.378749 2014] [auth_kerb:debug] [pid 11253] src/mod_auth_kerb.c(1121): [client IP:PORT] GSS-API major_status:000d0000, minor_status:96c73ae6
> [Tue Jan 07 16:53:24.378809 2014] [auth_kerb:error] [pid 11253] [client IP:PORT] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)
>
> So my question is:
>
> What do I do about this error?
> How do I debug any further?

Some things to keep in mind...

An AD account has a single password used to generate keys on the fly.

An AD account has a single key version number.

An SPN added to an account shares the password and KVNO with the UPN for the account and all other SPNs on the account.

One way to avoid this is to have a separate service account with only one SPN, and one matching keytab entry.
Pick a naming convention for these AD accounts, say <service>-<host>, so in your example, http-servername.

You may also want to look at msktutil (Ubuntu has a packaged version), or Samba utilities that allow you to update keytabs and AD accounts rather than ktpass.

> Normally I don't have klist, ktutil, kadmin etc. installed on the ubuntu server.
> But today I installed the krb-user package and when calling kvno HTTP/servername.domain.tld I see the same kvno as ktpass writes when creating the keytab.

You might just be seeing that the user has cached tickets. You may want to kinit again.

> Any help is appreciated.
>
> --
> Jakob Damgaard Olsen
> Tlf: 24613112

--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
From: Jakob O. <ja...@gm...> - 2014-01-07 19:17:50

Hello,
this is my first post to the mailing list, so I hope I'm doing it the right way.

We have the following setup:

KDC = Windows 2003R2
Kerberos enabled server: Ubuntu - Apache 2.4
Clients: Windows 7 - IE 8

The solution has been up and running, but today I needed to add another SPN to the AD user used when the keytab was created.

I create my keytab with this windows command:

ktpass -princ HTTP/ser...@DO... -mapuser us...@do... -pass password -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out krb5.keytab

But after I added another SPN and created a new keytab, I see this error in my apache error.log:

[Tue Jan 07 16:53:24.378749 2014] [auth_kerb:debug] [pid 11253] src/mod_auth_kerb.c(1121): [client IP:PORT] GSS-API major_status:000d0000, minor_status:96c73ae6
[Tue Jan 07 16:53:24.378809 2014] [auth_kerb:error] [pid 11253] [client IP:PORT] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)

So my question is:

What do I do about this error?
How do I debug any further?

Normally I don't have klist, ktutil, kadmin etc. installed on the ubuntu server.
But today I installed the krb-user package and when calling kvno HTTP/servername.domain.tld I see the same kvno as ktpass writes when creating the keytab.

Any help is appreciated.

--
Jakob Damgaard Olsen
Tlf: 24613112
From: Douglas E. E. <dee...@an...> - 2013-11-02 19:06:01

On 11/1/2013 10:56 AM, Martin Yves wrote:
> Hello Douglas,
>
> Personally, the "service account" I created for SPN and keytab generation is also used to authenticate LDAP queries...
> As long as the password does not expire and is correct, I have found no trouble with it.
>
> To sum up for Jim, here are some tasks I think about:
>
> - if the "user account" holding the SPN and used to generate the keytab is not a specific service account, it is worth deleting it and creating it again...
>
> - create a dedicated "service account" (standard account but dedicated to Kerberos SSO) in AD and create the keytab
>
> - check and clean duplicate SPNs
>
> - do not use the default location /etc/krb5.keytab but (for instance) /etc/apache2/http-arecord.keytab

Yes. Check ownership, only readable by the apache server.

> - validate the SPN with kinit/kvno:
>
>   $ kinit MeMyselfI
>   $ kvno HTTP/arecord.mysite.com
>
>   $ kdestroy
>   $ kinit HTTP/arecord.mysite.com
>   => checks password authentication with the "service account" password
>
>   $ kdestroy
>   $ kinit -k -t /etc/apache2/http-arecord.keytab HTTP/arecord.mysite.com
>   => is equivalent to the previous one but the password comes from the keytab
>
> If all these diagnostic steps pass, there is no reason Apache2 cannot accept your token from your browser... Or else you have big trouble in Apache2/mod_auth_kerb. You should provide us with details about it.
>
> For a reason I have not found yet, a few months ago, with Debian Wheezy mod_auth_kerb 5.4-2 and DC AD 2008, I had to explicitly set "KrbServiceName HTTP/arecord.mysite.com" instead of the default "HTTP" to get my system to load the keytab. It no longer "guessed" the expected SPN, probably because our network was in a migration from one domain to another. I just checked and that trick is no longer required, the defaults work.

A few years ago, there was a problem with a version of ktpass. Make sure you have the latest.

If you are running 2008R2 it could be the DC is generating a service ticket with an AES-256 key, but the key table does not have one.
The AD attribute to look at is msDS-SupportedEncryptionTypes
http://msdn.microsoft.com/en-us/library/cc223853.aspx
http://blogs.msdn.com/b/openspecification/archive/2011/05/31/windows-configurations-for-kerberos-supported-encryption-type.aspx

If you change the service account password, you must also change the keytab. You must also destroy any cached service tickets for the service. If the test client is Windows you will need to log off and back on again.

> Hope this helps
> --

--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
From: Jim F. <jim...@an...> - 2013-11-01 19:44:26

Hi all,

Thanks so much for all the help on this issue, this is a great community of people and I appreciate your willingness to help! Special thanks to Yves and Douglas for taking the time to go through this with me in great detail. It made a huge difference!

This issue is finally resolved. Here are some of the things that worked in my particular case:

I was finally able to remove the "GSS-API major_status:000d0000, minor_status:000186a4" Apache log error. It was exactly what we all thought it was: Apache not being able to read the keytab file. The way I corrected this was:

1) Editing the httpd.conf file and changing the "User" and "Group" lines to a new user and group. This is where you establish the owner of the Apache process. Before I was trying to do a chown on the httpd.pid file to change the Apache owner, but that didn't seem to work and those changes were actually being restored to their defaults when I restarted Apache anyway. Also remember to restart Apache when you've edited the httpd.conf file to ensure these changes take effect (sudo service httpd restart).

2) I added another keytab file for Apache specifically. This was just an exact duplicate of the other file but in a different location. I changed this file to have the same user and group as I specified in the httpd.conf file above (sudo chown username:groupname /path/to/apache-specific/keytab/krb5.keytab). I also changed the permissions on this new keytab file so it is only readable by the Apache user (sudo chown 400 /path/to/apache-specific/keytab/krb5.keytab).

After making the above changes, when hitting https://cname.mysite.com/user/login/sso and having Firefox configured (about:config > network.negotiate-auth.trusted-uris = .mysite.com), I was receiving the following in the Apache error log:

[info] Subsequent (No.2) HTTPS request received for child 1 (server arecord.mysite.com:80)
[debug] src/mod_auth_kerb.c(1628): [client <ip address>] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[debug] src/mod_auth_kerb.c(1240): [client <ip address>] Acquiring creds for HTTP/are...@EX...
[debug] src/mod_auth_kerb.c(1385): [client <ip address>] Verifying client data using KRB5 GSS-API
[debug] src/mod_auth_kerb.c(1401): [client <ip address>] Client didn't delegate us their credential
[debug] src/mod_auth_kerb.c(1420): [client <ip address>] GSS-API token of length 180 bytes will be sent back
[debug] ssl_engine_kernel.c(1889): OpenSSL: Write: SSL negotiation finished successfully

Which is exactly what should be logged during a successful login according to this (near the bottom):
http://blog.stefan-macke.com/2011/04/19/single-sign-on-with-kerberos-using-debian-and-windows-server-2008-r2/

Another problem I had was that we are using HTTP authentication to protect the site using a Drupal module called shield <https://drupal.org/project/shield>. So when you would hit the URL, you would get prompted for HTTP auth credentials (before entering these credentials is when the successful Apache log message would be logged) and if the credentials were entered correctly, I would be sent to the 401 Authorization Required screen. Disabling shield seemed to do the trick.

I was still having a problem after getting rid of the HTTP auth, but it ended up being Drupal specific. Hitting https://cname.mysite.com/user/login/sso would redirect me to our default login screen and display the following error message at the top of the page: "you have been successfully authenticated". This was odd because I was still not authorized to access content. Turns out to be something that is fixed in the newest version of the LDAP module (7.x-2.0-beta6 at the time of this posting). If you're a Drupal user, see this issue for more details: https://drupal.org/node/1956224

Here is the final working setup of my httpd.conf file (in my case it was actually a site specific .conf file because we are hosting multiple sites on the same server using vhosts. The httpd.conf file used an "include" to reference this site specific file):

LoadModule auth_kerb_module /path/to/modules/mod_auth_kerb.so

<Location /user/login/sso>
  AuthType Kerberos
  KrbAuthRealms EXAMPLE.ORG
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  require valid-user
  KrbServiceName HTTP
  Krb5Keytab /path/to/apache-specific/keytab/krb5.keytab
</Location>

I hope this can help someone facing similar issues. Thanks again!

-Jim

On Fri, Nov 1, 2013 at 11:56 AM, Martin Yves <yve...@el...> wrote:
> Hello Douglas,
>
> Personally, the "service account" I created for SPN and keytab generation is also used to authenticate LDAP queries...
> As long as the password does not expire and is correct, I have found no trouble with it.
>
> To sum up for Jim, here are some tasks I think about:
>
> - if the "user account" holding the SPN and used to generate the keytab is not a specific service account, it is worth deleting it and creating it again...
>
> - create a dedicated "service account" (standard account but dedicated to Kerberos SSO) in AD and create the keytab
>
> - check and clean duplicate SPNs
>
> - do not use the default location /etc/krb5.keytab but (for instance) /etc/apache2/http-arecord.keytab
>
> - validate the SPN with kinit/kvno:
>
>   $ kinit MeMyselfI
>   $ kvno HTTP/arecord.mysite.com
>
>   $ kdestroy
>   $ kinit HTTP/arecord.mysite.com
>   => checks password authentication with the "service account" password
>
>   $ kdestroy
>   $ kinit -k -t /etc/apache2/http-arecord.keytab HTTP/arecord.mysite.com
>   => is equivalent to the previous one but the password comes from the keytab
>
> If all these diagnostic steps pass, there is no reason Apache2 cannot accept your token from your browser... Or else you have big trouble in Apache2/mod_auth_kerb. You should provide us with details about it.
>
> For a reason I have not found yet, a few months ago, with Debian Wheezy mod_auth_kerb 5.4-2 and DC AD 2008, I had to explicitly set "KrbServiceName HTTP/arecord.mysite.com" instead of the default "HTTP" to get my system to load the keytab. It no longer "guessed" the expected SPN, probably because our network was in a migration from one domain to another. I just checked and that trick is no longer required, the defaults work.
>
> Hope this helps
> --
> Yves Martin
From: Martin Y. <yve...@el...> - 2013-11-01 15:57:20

Hello Douglas,

Personally, the "service account" I created for SPN and keytab generation is also used to authenticate LDAP queries...
As long as the password does not expire and is correct, I have found no trouble with it.

To sum up for Jim, here are some tasks I think about:

- if the "user account" holding the SPN and used to generate the keytab is not a specific service account, it is worth deleting it and creating it again...

- create a dedicated "service account" (standard account but dedicated to Kerberos SSO) in AD and create the keytab

- check and clean duplicate SPNs

- do not use the default location /etc/krb5.keytab but (for instance) /etc/apache2/http-arecord.keytab

- validate the SPN with kinit/kvno:

  $ kinit MeMyselfI
  $ kvno HTTP/arecord.mysite.com

  $ kdestroy
  $ kinit HTTP/arecord.mysite.com
  => checks password authentication with the "service account" password

  $ kdestroy
  $ kinit -k -t /etc/apache2/http-arecord.keytab HTTP/arecord.mysite.com
  => is equivalent to the previous one but the password comes from the keytab

If all these diagnostic steps pass, there is no reason Apache2 cannot accept your token from your browser... Or else you have big trouble in Apache2/mod_auth_kerb. You should provide us with details about it.

For a reason I have not found yet, a few months ago, with Debian Wheezy mod_auth_kerb 5.4-2 and DC AD 2008, I had to explicitly set "KrbServiceName HTTP/arecord.mysite.com" instead of the default "HTTP" to get my system to load the keytab. It no longer "guessed" the expected SPN, probably because our network was in a migration from one domain to another. I just checked and that trick is no longer required, the defaults work.

Hope this helps
--
Yves Martin
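As an added example, not code from this thread or from mod_auth_kerb, the following Python reads an MIT-format keytab offline, lists the kvno and enctype of every entry (what klist -kte would show), and compares them with the kvno and enctype the KDC is actually issuing, which is the mismatch behind both the "Key version number for principal in key table is incorrect" error discussed above and Douglas's point that all SPNs on one AD account share a single KVNO, and complements Yves's kinit/kvno steps. It assumes keytab format version 0x0502 and uses a constructed sample keytab with a placeholder key; on a real server you would read the file named by Krb5Keytab instead.

```python
"""Offline keytab inspection for the kvno/enctype mismatches behind
"Key version number for principal in key table is incorrect".
Added example; not the thread's or mod_auth_kerb's code."""
import struct

# Enctype numbers from RFC 3961/4757; 23 is what ktpass -crypto RC4-HMAC-NT writes.
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}


def _counted(buf, pos):
    """Read a 16-bit-length-prefixed octet string; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Parse keytab v2 (0x0502) bytes into dicts {principal, kvno, enctype}.
    The key material itself is skipped and never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)   # components, realm excluded
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen              # skip the key bytes
        kvno = vno8
        if end - pos >= 4:           # optional 32-bit kvno; a nonzero value wins
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype})
        pos = end
    return entries


def build_keytab(specs):
    """Serialise (principal, kvno, enctype, key) tuples in keytab v2 format.
    Used here only to construct sample data; real keytabs come from ktpass/msktutil."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in specs:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        # name_type 1 = KRB5_NT_PRINCIPAL, then a fixed constructed timestamp
        body += struct.pack(">IIB", 1, 1389124800, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)          # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def diagnose(entries, principal, kdc_kvno, kdc_enctype):
    """Compare the keytab's keys for `principal` with the kvno/enctype the KDC
    issues (what `kvno HTTP/host` and `klist -e` report after a fresh kinit)."""
    keys = {(e["kvno"], e["enctype"]) for e in entries if e["principal"] == principal}
    if not keys:
        return "principal-missing"
    if (kdc_kvno, kdc_enctype) in keys:
        return "ok"
    if kdc_kvno in {k for k, _ in keys}:
        return "enctype-missing"     # e.g. DC issues AES, keytab holds only RC4
    return "kvno-mismatch"           # account re-keyed (new ktpass run) after the keytab was copied


# Constructed sample: Apache's keytab still holds kvno 3 (RC4 only) while the
# account has been re-keyed and the KDC now hands out service tickets for kvno 4.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/servername.domain.tld@DOMAIN.TLD", 3, 23, b"\x11" * 16),  # placeholder key
])

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print("%-40s kvno=%d %s" % (e["principal"], e["kvno"],
                                    ENCTYPE_NAMES.get(e["enctype"], e["enctype"])))
    print(diagnose(entries, "HTTP/servername.domain.tld@DOMAIN.TLD", 4, 23))  # kvno-mismatch
```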