modauthkerb-help Mailing List for Kerberos Module For Apache
Brought to you by: kouril
From: Karthik N. <nka...@gm...> - 2019-12-20 09:45:59

Hi All,

Does anyone have experience with how to build mod_auth_kerb.so for an Apache 2.2/2.4 web server running on a Windows machine?

Regards,
Karthik.N
From: Martin Y. <yve...@el...> - 2015-07-24 11:33:09

Hello,

If you can still kinit with the keytab, the keytab encryption is not the issue. By the way, I often create a keytab with only one encryption type included, to be "sure".

My opinion is that the issue comes from your browser, according to the NTLM warnings you report. I invite you to check with both the IE and Firefox browsers. If Firefox works well, as far as it is configured to do SPNEGO for your DNS domain name, you should try to add your domain to the "Local intranet" security zone.

If possible, use krbtray to check for the TGS SPN in the workstation Kerberos cache, and Wireshark to collect HTTP traffic when accessing your application; it will decode the Kerberos WWW-Authentication token if present.

Regards
--
Yves Martin

On Mon, 2015-07-20 at 12:25 +0100, Andrew Wilkins wrote:
> I think I have got to the bottom of the cause of my problem.
>
> A Windows update, https://technet.microsoft.com/library/security/3057154, has disabled DES, which was one of the cryptos I had enabled.
>
> It is very hard to tell what is actually going on, but I have found that of the remaining working cryptos I have RC4, AES256 and AES128, and they are in that order in the keytab. RC4 seems to be troublesome for some Windows users, and AES256 does not seem to be supported by the GSSAPI (v 2.1.25 I think), so my suspicion is that these users are getting an AES256 ticket and Windows is expecting it to work, but I can't figure a way to confirm it.
>
> Windows has some user crypto options, but they don't actually seem to do anything on my test server.
>
> On 16 July 2015 at 23:16, Andrew Wilkins <and...@gm...> wrote:
> > Hi
> >
> > I have an Ubuntu 12.04 box hosting a Drupal intranet with SSO authentication using Kerberos.
> >
> > It was working without any problems for around 18 months, during which time the config has been left unchanged.
> >
> > We now have a login problem which started a couple of days ago: a lot of users can't login with SSO, so have to go to the manual login page to gain access.
> > Users access the site via a couple of different URLs; the domains are CNAMEs of the actual server hostname. The users which are affected seem to be able to login if connected to the webserver directly via its FQDN.
> > The Apache debug logs do not give me anything helpful; they show the error "warning received token seems to be NTLM", which seems to be what happens when Kerberos fails: it falls back and tries NTLM. This was the error we usually got in testing until the config was exactly right.
> >
> > I can still kinit with the keytab, and the KVNO still matches. Can anyone think of any further check I can be doing, or think of any reason it might have suddenly stopped working?
> >
> > I don't have admin access to the AD servers, but have setup my own to test with and cannot recreate the problem.
From: Andrew W. <and...@gm...> - 2015-07-21 23:56:51

I think I have got to the bottom of the cause of my problem.

A Windows update, https://technet.microsoft.com/library/security/3057154, has disabled DES, which was one of the cryptos I had enabled.

It is very hard to tell what is actually going on, but I have found that of the remaining working cryptos I have RC4, AES256 and AES128, and they are in that order in the keytab. RC4 seems to be troublesome for some Windows users, and AES256 does not seem to be supported by the GSSAPI (v 2.1.25 I think), so my suspicion is that these users are getting an AES256 ticket and Windows is expecting it to work, but I can't figure a way to confirm it.

Windows has some user crypto options, but they don't actually seem to do anything on my test server.

On 16 July 2015 at 23:16, Andrew Wilkins <and...@gm...> wrote:
> Hi
>
> I have an Ubuntu 12.04 box hosting a Drupal intranet with SSO authentication using Kerberos.
>
> It was working without any problems for around 18 months, during which time the config has been left unchanged.
>
> We now have a login problem which started a couple of days ago: a lot of users can't login with SSO, so have to go to the manual login page to gain access.
> Users access the site via a couple of different URLs; the domains are CNAMEs of the actual server hostname. The users which are affected seem to be able to login if connected to the webserver directly via its FQDN.
> The Apache debug logs do not give me anything helpful; they show the error "warning received token seems to be NTLM", which seems to be what happens when Kerberos fails: it falls back and tries NTLM. This was the error we usually got in testing until the config was exactly right.
>
> I can still kinit with the keytab, and the KVNO still matches. Can anyone think of any further check I can be doing, or think of any reason it might have suddenly stopped working?
>
> I don't have admin access to the AD servers, but have setup my own to test with and cannot recreate the problem.
From: Patrick F. <fo...@ch...> - 2014-11-14 10:22:23

Hi!

I have in my Apache config:

    <Location /auth>
        SSLRequireSSL
        AuthType Kerberos
        AuthName "Log in with your cid"
        KrbAuthRealm SOMEDOMAIN.COM
        KrbVerifyKDC off
        KrbMethodNegotiate on
        KrbMethodK5Passwd on
        KrbLocalUserMapping on
        KrbSaveCredentials off
        Krb5Keytab /www/krb5.keytab
        KrbServiceName Any
        AuthLDAPUrl ldap://ldap.somedomain.com/dc=somedomain,dc=com?uid?sub?(objectClass=account)
        AuthLDAPGroupAttributeIsDN off
        AuthLDAPGroupAttribute memberUid
        require valid-user
        require ldap-group cn=admins, ou=groups, dc=somedomain, dc=com
        satisfy all
    </Location>

With this setup, a user in the SOMEDOMAIN.COM domain belonging to the (LDAP) admins group can login either with a ticket or (if there is no ticket) by supplying username/password.

The problem is that I would like to be able to fall back to username/password login if a user has a ticket for a principal that isn't in the admins group. I.e.:

User som...@SO... isn't a member of the admins group.
User oth...@SO... is a member of the admins group.

1) With a ticket for oth...@SO..., login is successful.
2) With a ticket for som...@SO..., login fails.
3) Without a ticket, logging in as otheruser:otherpass works and someuser:somepass fails.

In case (2) I would like for som...@SO... to be able to login as otheruser:otherpass instead of failing. Is this possible?

I guess I could redirect failed logins from https://www.somedomain.com/auth to https://www.somedomain.com/pwauth and have "KrbMethodNegotiate off" for <Location /pwauth>, but I would like to be able to keep the /auth URI.

Regards,
/Patrick
From: Martin S. <th...@ma...> - 2014-07-02 20:49:29

Hi all,

I'm trying to setup Kerberos authentication on Apache 2.2.15-30 (CentOS 6.5), and am facing an issue that I'm not able to debug or solve.

Please find my error_log below:

    [Wed Jul 02 20:59:01 2014] [debug] src/mod_auth_kerb.c(1940): [client 192.168.218.1] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [Wed Jul 02 20:59:03 2014] [debug] src/mod_auth_kerb.c(1940): [client 192.168.218.1] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [Wed Jul 02 20:59:03 2014] [debug] src/mod_auth_kerb.c(1279): [client 192.168.218.1] Acquiring creds for HTTP/infa.domain.local
    [Wed Jul 02 20:59:03 2014] [debug] src/mod_auth_kerb.c(1692): [client 192.168.218.1] Verifying client data using KRB5 GSS-API
    [Wed Jul 02 20:59:03 2014] [debug] src/mod_auth_kerb.c(1708): [client 192.168.218.1] Client didn't delegate us their credential
    [Wed Jul 02 20:59:03 2014] [debug] src/mod_auth_kerb.c(1727): [client 192.168.218.1] GSS-API token of length 941 bytes will be sent back
    [Wed Jul 02 20:59:03 2014] [debug] src/mod_auth_kerb.c(1139): [client 192.168.218.1] GSS-API major_status:01020000, minor_status:00000000
    [Wed Jul 02 20:59:03 2014] [error] [client 192.168.218.1] gss_display_name() failed: A required input parameter could not be read: An invalid name was supplied (, Unknown error)

Please find the HTTP dump below:

    GET http://infa.domain.local/server-status HTTP/1.1
    Host: infa.domain.local
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Cache-Control: max-age=0

    HTTP/1.1 401 Authorization Required
    Date: Wed, 02 Jul 2014 19:32:39 GMT
    Server: Apache/2.2.15 (CentOS)
    WWW-Authenticate: Negotiate
    Content-Length: 484
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    Proxy-Support: Session-Based-Authentication

    GET http://infa.domain.local/server-status HTTP/1.1
    Host: infa.domain.local
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Cache-Control: max-age=0
    Authorization: Negotiate YIID5QYGKwYBBQUCoIID2TCCA9WgCjAIBgYrBgEFAgWiggPFBIIDwWCCA70GBisGAQUCBQUBMBChDgQMRE9NQUlOLkxPQ0FMbIIDnTCCA5mhAwIBBaIDAgEMo4IDFzCCAxMwggIvoQMCAQGiggImBIICIm6CAh4wggIaoAMCAQ
        WhAwIBDqIHAwUAAAAAAKOCAU9hggFLMIIBR6ADAgEFoQ4bDERPTUFJTi5MT0NBTKIhMB+gAwIBAqEYMBYbBmtyYnRndBsMRE9NQUlOLkxPQ0FMo4IBCzCCAQegAwIBEqEDAgEBooH6BIH3jDiOe80e8vCv7Tmsd+t0spncJWnD
        v99vLDpi5PYc1Gj8vGH7xJxnz4dsr6WavFLmgYCRnvrF+Y+lU/QVF/AUNiqIG7ifGAJGD4IKHzcyYfNo9BLlNBGBckLdIhC3o2G8VfHWxv+Zo6DNfZUJsIVfoN2bls2C8K9K2pv/qd/FHR96+3JpCkRSb2tKqh2VQBA2mplvJML38nvHQkp5Y0rHQ
        ecbc0bHns1ddh/RLIlPcwdy8r7xDx7m5QUWH3gI6nSEhrcd/sIKoRJ88ezcMfqumXq2UxvBdBJAH86q9r9r/t74jXpyDFlRgF/Z6OLMwMdus2AkBNrbiaSBsTCBrqADAgEXooGmBIGj4DUpIRQjvddUEpp7sft5UjlnOPOCia9BSyxYBszOihLHr2D
        2B6mL6fmqx7IcAVfVzV66B/gqQ4roAh0z4YKensKtqIAG7au2RsXtYNAjEgUFgh7dEE7kACUFoVB2VUK2mtjuHabbwMZ4gprrRIgDeFqROIhxWasVgxhak6dXQAKGEyvVlGoeLTJTPER5s2tcDRkoVTLFO0hBJxarNI/GTk1e1jCB3aEEAgIAi
        KKB1ASB0aCBzjCBy6EcMBqgBAIC/3ahEgQQSjwHqwdg2yuvh3nbGzDVuqKBqjCBp6ADAgEXooGfBIGccNThLwiDzyz8cJYPfI6hU505ydEQdRt6N036ZZ98Y49YfV+WWpCgXxhmL/8zhilAC2mQi5cvE5XOJOzGrWHnzl6AO1KfJQKjvogV
        zrFhdoPMVssGnBkrD40fsIA2uPJ2e0OeKRC/tOizUg8tVIdhkoivnh69Q1BDAx3JFjx3txRtDoSZHz6x4mlBSs72xFIlIkA7yhXH+nmml4yfpHIwcKAHAwUAUIEAAKIOGwxET01BSU4uTE9DQUyjJDAioAMCAQOhGzAZGwRIVFRQGxFpbmZh
        LmRvbWFpbi5sb2NhbKURGA8yMDE0MDcwMzAyNTYxNlqnBgIEU7ReW6gUMBICARICARECARACARcCARkCARo=

    HTTP/1.1 500 Internal Server Error
    Date: Wed, 02 Jul 2014 19:32:42 GMT
    Server: Apache/2.2.15 (CentOS)
    WWW-Authenticate: Negotiate oYIDqTCCA6WgAwoBAaEIBgYrBgEFAgWiggOSBIIDjgUBMBChDgQMRE9NQUlOLkxPQ0FMbYIDdjCCA3KgAwIBBaEDAgENooHVMIHSMIHPoQQCAgCIooHGBIHDoIHAMIG9oIG6MIG3oAMCAReiga8Egawhq77nnFYKOC2elIoQEMv
        3HoPncmPLVp6/yr+HtLIuoyAsAUdbvyXars5ixGdPlg1IaceQQ3ThVvvsRthV86O4M2l55LfhlfIINZr7xQks3EKTAEA1OfsggBXdmShHV/29W2iLaQP60BvBlYCOGePMyMKp8jcgdNUQ6jLqq6No0Qk7Kro8IIjESMmVR3BAndbUfpDNYqO+IxY
        am/pl96xCQgu4iNznoglrYBf7ow4bDERPTUFJTi5MT0NBTKQaMBigAwIBAaERMA8bDUFkbWluaXN0cmF0b3KlggFjYYIBXzCCAVugAwIBBaEOGwxET01BSU4uTE9DQUyiJDAioAMCAQOhGzAZGwRIVFRQGxFpbmZhLmRvbWFpbi5sb
        2NhbKOCARwwggEYoAMCARehAwIBAaKCAQoEggEGyeo+gzn7hHLgwIGfZiT3kfiua+yD1d0EDhyoAmctFzukkw7xqdyMZn+gfDna6O0WI7TC6Yv2pQqg1Ph76SZ11ZQu4xXn4FBPu3G9LwbPUxN9+cohhCTPmAX6SLyNu7n9UAKLsccjb
        kLq8HJjUgzfLus6AqUeerqjc3eSyr+r1onfQSL9JCNtpOUWtuxGIThTQfOXEYVlVyjMi37bnAFPMrxPERL/7m3vYm3x60HBu5KHy7xfbab8jftIsr33Z/2nnMxNi5LjqVBail4BpZiuRCMmko566KSLKWRSpvr6x/YUR5TPmhXjO3YGdi2VucDn6QW
        t81q2dQSYvAQnbuHDL84IQUY126aB+jCB96ADAgEXooHvBIHsmFwxE55S5Gi5VkPG0cS11MHsQvllqJAIxGMkzakyyYCfMKCpHFfyIf/2bIGPvSyCCWOqFxnMOA1a/c2d3eUk6Yr+H5c8PDFePxVbKijvZRVRVJ1pAifpm9kUoKcGMo0SH
        9m0H4yu94/ESE7QbEcx7pQac1Udq894rgF7OmnQXZZ6mX2VUrIb0xHxaaj9oR8+zC8vGWyyqVSZhtURxQ8Anr+MifqWKPP2QpWFohptl/zl8bYmMqs1nEH3TIe1wvtOgeqGh6KumbC4rc9IVCN8rx+3XCVr/2BM27nURT21MUzwU1tbpQM
        LSqT0gFE=
    Content-Length: 617
    Connection: close
    Content-Type: text/html; charset=iso-8859-1

Please find the relevant configuration files below:

kdc.conf

    [kdcdefaults]
     kdc_ports = 88
     kdc_tcp_ports = 88

    [realms]
     DOMAIN.LOCAL = {
      #master_key_type = aes256-cts
      acl_file = /var/kerberos/krb5kdc/kadm5.acl
      dict_file = /usr/share/dict/words
      admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
      forwardable = true
      proxiable = true
      supported_enctypes = rc4-hmac:normal
     }

auth_kerb.conf

    LoadModule auth_kerb_module modules/mod_auth_kerb.so

    <Location /server-status>
        #SSLRequireSSL
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        KrbAuthRealms DOMAIN.LOCAL
        Krb5KeyTab /etc/httpd/conf/http.keytab
        KrbServiceName HTTP/infa.domain.local
        require valid-user
    </Location>

klist -e -k /etc/httpd/conf/http.keytab

    Keytab name: FILE:/etc/httpd/conf/http.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       0 HTTP/infa.domain.local@DOMAIN.LOCAL (arcfour-hmac)

Does anyone have an idea of what the problem might be? I'd be very thankful for any comments.

Thank you,
Martin
From: Andrew W. <and...@gm...> - 2014-05-29 23:20:59

Hi

I have been working on getting single sign on working for an intranet. We had it working up until a couple of days ago, when we were planning to go from a development server to a production server. After generating a new keytab for the production server using the same mapped user and same service principal name, it stopped the original server from working, so I created a new keytab for the original server with a different service principal name.

Using the new keytab I am getting the following error:

    GSS-API major_status:000d0000, minor_status:000186a5

I just cannot figure out how these status error codes work. I found from various posts that minor_status:000186a4 seems to mean unable to access keytab, which helped me fix an error in the keytab path name, but this error minor_status:000186a5 I just cannot find out what it means. I've found some lists of codes here http://docs.oracle.com/cd/E23824_01/html/819-2145/kerberrs-2.html but they don't seem to match the format I've got.

Can anyone tell me what this code means, or point me in the direction of how to find out?
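Andrew's question is how the two hex words in "GSS-API major_status:..., minor_status:..." are meant to be read. The decoder below is an added example for this thread, not code from mod_auth_kerb or MIT krb5. It splits the major status into the calling-error, routine-error and supplementary fields defined in RFC 2744 section 3.9.1, and treats the minor status as a com_err code, recognising the MIT "krb5" error table by its compiled-in base (0x96C73A00). The sample log lines are constructed around the three status pairs that appear in this thread; the constant name KRB5_KT_KVNONOTFOUND comes from the MIT krb5 headers, and its message text is the one quoted in Jakob's error.log further down.

```python
"""Decode GSS-API status words from mod_auth_kerb debug log lines.

Added example for this thread; not code from mod_auth_kerb or MIT krb5.
Major-status layout is RFC 2744 3.9.1. The minor status is mechanism-
specific; for the MIT krb5 mechanism it is a com_err code, and the
"krb5" table base below is the value MIT compiles in.
"""
import re

LOG_RE = re.compile(
    r"GSS-API major_status:([0-9a-fA-F]{8}), minor_status:([0-9a-fA-F]{8})")

# RFC 2744: bits 31..24 calling error, 23..16 routine error, 15..0 supplementary.
CALLING_ERRORS = {1: "GSS_S_CALL_INACCESSIBLE_READ",
                  2: "GSS_S_CALL_INACCESSIBLE_WRITE",
                  3: "GSS_S_CALL_BAD_STRUCTURE"}
ROUTINE_ERRORS = {
    1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
    4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS", 6: "GSS_S_BAD_SIG",
    7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
    10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
    12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
    15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
    17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN"}
SUPPLEMENTARY = {1: "GSS_S_CONTINUE_NEEDED", 2: "GSS_S_DUPLICATE_TOKEN",
                 4: "GSS_S_OLD_TOKEN", 8: "GSS_S_UNSEQ_TOKEN",
                 16: "GSS_S_GAP_TOKEN"}

# com_err base of the MIT "krb5" error table (256 codes). The one offset
# spelled out is the code whose message text appears in this thread.
KRB5_BASE = 0x96C73A00
KRB5_MESSAGES = {
    230: "KRB5_KT_KVNONOTFOUND: Key version number for principal "
         "in key table is incorrect",
}


def decode_major(major):
    """Split a 32-bit major status into its named RFC 2744 components."""
    names = []
    calling = (major >> 24) & 0xFF
    routine = (major >> 16) & 0xFF
    if calling:
        names.append(CALLING_ERRORS.get(calling, f"calling error {calling}"))
    if routine:
        names.append(ROUTINE_ERRORS.get(routine, f"routine error {routine}"))
    for bit, name in SUPPLEMENTARY.items():
        if major & bit:
            names.append(name)
    return names or ["GSS_S_COMPLETE"]


def decode_minor(minor):
    """Interpret the mechanism-specific minor status as a com_err code."""
    if minor == 0:
        return "no mechanism-specific information"
    if KRB5_BASE <= minor < KRB5_BASE + 256:
        offset = minor - KRB5_BASE
        return f"krb5 table, offset {offset}: " + KRB5_MESSAGES.get(
            offset, "see the MIT krb5 error table")
    signed = minor - (1 << 32) if minor & 0x80000000 else minor
    return (f"unknown table (signed value {signed}); "
            "ask the mechanism via gss_display_status()")


def decode_log_line(line):
    """Return the decoded status pair for one log line, or None if absent."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"major": decode_major(int(m.group(1), 16)),
            "minor": decode_minor(int(m.group(2), 16))}


# Constructed sample lines carrying the status words quoted in this thread.
SAMPLE_LINES = [
    "[client 192.168.218.1] GSS-API major_status:01020000, minor_status:00000000",
    "[client 10.0.0.5] GSS-API major_status:000d0000, minor_status:000186a5",
    "[client IP:PORT] GSS-API major_status:000d0000, minor_status:96c73ae6",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line)
        print("   ", decode_log_line(line))
```

Run against the three samples: 01020000 comes out as GSS_S_CALL_INACCESSIBLE_READ plus GSS_S_BAD_NAME, which is exactly the two-part text gss_display_name() printed in Martin's log above; 000d0000 is a bare GSS_S_FAILURE, so the useful information is entirely in the minor status, which only the mechanism can translate; 96c73ae6 lands on offset 230 of the krb5 table, the KVNO mismatch message seen in Jakob's thread. 000186a5 is outside the one table this decoder knows, so it is reported as unknown rather than guessed at.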
From: Andrew W. <and...@gm...> - 2014-04-17 18:33:31

Hi

Thanks for your reply, sorry I've not responded sooner; I had been waiting till I was next on site to take another look at the logs.

I had a conference meeting with one of the web developers and one of the Windows domain admins so we could get it all worked out, and we did manage to sort it. We seemed to have had 2 problems. I'm not 100% on if it was one, the other or both which were fatal, but we got it to how it works and can repeat it, so it wasn't worth going over it to try and find out other ways that we could have had it working, when it involves several people working on it to get it done.

The first problem was we were not using the FQDN, just the hostname, for the service principal, so it was HTTP/ar...@my... instead of HTTP/are...@my...

Another problem I found was that the machine's FQDN had the domain in lower case; everywhere in the AD setup it was upper case, so we changed that also.

On 30 March 2014 21:08, Jim Fisk <jim...@an...> wrote:
> Hey Andrew,
>
> Please see my comments inline below:
>
> On Sat, Mar 29, 2014 at 5:42 PM, Andrew Wilkins <and...@gm...> wrote:
>> Hi I am looking for some help with SSO for Drupal using Kerberos with Apache on an Active Directory domain, with Windows 7 clients using IE10.
>
> I assume you are using the LDAP module: https://drupal.org/project/ldap? Single Sign On aside, are users able to authenticate to your Drupal site with their Active Directory (AD) credentials?
>
>> I have setup following this guide
>> http://www.grolmsnet.de/kerbtut/
>
> It's good that you're using this guide. The closer you can stick to it, the better. It really helped me in the past.
>
>> I have used ktpass to generate the keytab, originally using rc4-hmac-nt as the crypto type, but read that it might not work with Windows 7 by default now, so have tried it with crypto ALL.
>
> I used "/crypto RC4-HMAC-NT" when creating a keytab for my Drupal SSO setup and it worked with Windows 7. I can't guarantee it would always work, but can confirm it worked for me.
>
>> I am still receiving the following error in the logs.
>>
>> Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
>
> Is this information coming from your Apache error logs? Is there any more context?
>
>> I understand this error can be misleading, as you will sometimes get it when it's not a client config problem, as when Kerberos fails it sends the NTLM ticket anyway.
>>
>> Should a keytab which has been generated with all the available crypto types just work, sorting out the crypto type with the client, or do I need to do something to make it work?
>
> Unfortunately I don't know the answer to this. However, since you've created a keytab a couple of times now with different encryption types, it may be worth double checking that you don't have duplicate SPNs. Try running the following in the command line on your Active Directory DC: "setspn -q HTTP/arecord.yoursite.com" (obviously put in your own FQDN)
>
>> Also something I am a little unclear on is do I need to have any local tickets loaded for the keytab to work, or does the module handle getting its own tickets?
>
> Try signing into your Windows 7 workstation that you want to SSO. Open up the command line and run "klist". This should show your Ticket Granting Ticket (TGT) and possibly a few service tickets for other Windows authentication. Your Windows 7 workstation will try to access your Drupal site anonymously initially. So you won't see a ticket for that specific service until you try to hit your site: https://cname.yoursite.com/user/login/sso. Once you hit that URL, given that your browser is configured properly, try running klist again and see if you can see a ticket for that specific service.
>
>> The guide has me testing using
>> kinit user@domain
>> which successfully makes a ticket
>> and later
>> kinit -k -t /keytabfile PRINCPLE/fqdn
>> again this successfully creates a ticket
>>
>> Are they purely for testing, or would either of them need to be renewed when they expire?
>
> The first command is getting you a TGT from the Key Distribution Center (KDC) - i.e. your Active Directory. The second is checking if your keytab file on your Drupal server is working. The fact that it completes without error is a good sign. This is used for testing, so don't worry about renewing these specific tickets. Each workstation will get its own TGT through the Authentication Service (AS) during login and (hopefully) get a valid ticket for your service from the Ticket Grant Service (TGS) when you try to access your site. Don't worry about the AS and TGS. They are both part of the KDC and should be set up automatically with Active Directory. The steps you mentioned above are important to make sure that AD is sending tickets for the correct service that can be validated correctly against your keytab file.
>
> You can also make sure your Key Version Number (KVNO) for your ticket matches the KVNO in your keytab:
>
>     kvno HTTP/arecord.mysite.com
>
> Then check it against your keytab KVNO:
>
>     klist -k
>
> More importantly in your case, check that the encryption types match:
>
>     klist -e
>
> Check this against your keytab:
>
>     klist -e -k -t /path/to/your/keytab/krb5.keytab
From: Jim F. <jim...@an...> - 2014-03-30 21:52:18

Hey Andrew,

Please see my comments inline below:

On Sat, Mar 29, 2014 at 5:42 PM, Andrew Wilkins <and...@gm...> wrote:
> Hi I am looking for some help with SSO for Drupal using Kerberos with Apache on an Active Directory domain, with Windows 7 clients using IE10.

I assume you are using the LDAP module: https://drupal.org/project/ldap? Single Sign On aside, are users able to authenticate to your Drupal site with their Active Directory (AD) credentials?

> I have setup following this guide
> http://www.grolmsnet.de/kerbtut/

It's good that you're using this guide. The closer you can stick to it, the better. It really helped me in the past.

> I have used ktpass to generate the keytab, originally using rc4-hmac-nt as the crypto type, but read that it might not work with Windows 7 by default now, so have tried it with crypto ALL.

I used "/crypto RC4-HMAC-NT" when creating a keytab for my Drupal SSO setup and it worked with Windows 7. I can't guarantee it would always work, but can confirm it worked for me.

> I am still receiving the following error in the logs.
>
> Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.

Is this information coming from your Apache error logs? Is there any more context?

> I understand this error can be misleading, as you will sometimes get it when it's not a client config problem, as when Kerberos fails it sends the NTLM ticket anyway.
>
> Should a keytab which has been generated with all the available crypto types just work, sorting out the crypto type with the client, or do I need to do something to make it work?

Unfortunately I don't know the answer to this. However, since you've created a keytab a couple of times now with different encryption types, it may be worth double checking that you don't have duplicate SPNs. Try running the following in the command line on your Active Directory DC: "setspn -q HTTP/arecord.yoursite.com" (obviously put in your own FQDN)

> Also something I am a little unclear on is do I need to have any local tickets loaded for the keytab to work, or does the module handle getting its own tickets?

Try signing into your Windows 7 workstation that you want to SSO. Open up the command line and run "klist". This should show your Ticket Granting Ticket (TGT) and possibly a few service tickets for other Windows authentication. Your Windows 7 workstation will try to access your Drupal site anonymously initially. So you won't see a ticket for that specific service until you try to hit your site: https://cname.yoursite.com/user/login/sso. Once you hit that URL, given that your browser is configured properly, try running klist again and see if you can see a ticket for that specific service.

> The guide has me testing using
> kinit user@domain
> which successfully makes a ticket
> and later
> kinit -k -t /keytabfile PRINCPLE/fqdn
> again this successfully creates a ticket
>
> Are they purely for testing, or would either of them need to be renewed when they expire?

The first command is getting you a TGT from the Key Distribution Center (KDC) - i.e. your Active Directory. The second is checking if your keytab file on your Drupal server is working. The fact that it completes without error is a good sign. This is used for testing, so don't worry about renewing these specific tickets. Each workstation will get its own TGT through the Authentication Service (AS) during login and (hopefully) get a valid ticket for your service from the Ticket Grant Service (TGS) when you try to access your site. Don't worry about the AS and TGS. They are both part of the KDC and should be set up automatically with Active Directory. The steps you mentioned above are important to make sure that AD is sending tickets for the correct service that can be validated correctly against your keytab file.

You can also make sure your Key Version Number (KVNO) for your ticket matches the KVNO in your keytab:

    kvno HTTP/arecord.mysite.com

Then check it against your keytab KVNO:

    klist -k

More importantly in your case, check that the encryption types match:

    klist -e

Check this against your keytab:

    klist -e -k -t /path/to/your/keytab/krb5.keytab
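Jim's closing checks (kvno against klist -k, klist -e against klist -e -k), Martin's klist -e -k output earlier on this page and Andrew's later note about which enctypes were left in his keytab after DES was disabled all come down to reading the keytab file itself. The parser below is an added example, not code from mod_auth_kerb or MIT krb5: it reads the MIT keytab file format (version 0x0502), prints the same KVNO/principal/enctype lines klist -e -k would, and flags the two conditions this thread keeps running into, a KVNO that differs from what the KDC issues and entries using DES or RC4. The sample keytab, its principal HTTP/www.example.com@EXAMPLE.COM and its key bytes are constructed dummies, and the kdc_kvno argument stands in for the number kvno prints.

```python
"""Parse an MIT-format keytab (what klist -e -k reads) and audit KVNO and
enctype problems of the kind discussed in this thread.

Added example, not code from mod_auth_kerb or MIT krb5. Keytab layout:
2-byte version 0x0502, then entries of int32 size, uint16 component count,
counted realm, counted components, uint32 name type, uint32 timestamp,
uint8 kvno, uint16 enctype, counted key, optional uint32 kvno; big-endian.
The sample keytab, its principal and its keys are constructed dummies.
"""
import struct

ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
            23: "arcfour-hmac", 24: "arcfour-hmac-exp"}
# DES is disabled on current Windows clients; RC4 is deprecated (RFC 8429).
DEPRECATED = {1: "DES", 2: "DES", 3: "DES", 23: "RC4", 24: "RC4-export"}


def _counted(buf, off):
    """uint16 length-prefixed octet string at off; returns (bytes, new off)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def _parse_entry(buf):
    (ncomp,) = struct.unpack_from(">H", buf, 0)
    realm, off = _counted(buf, 2)
    comps = []
    for _ in range(ncomp):
        comp, off = _counted(buf, off)
        comps.append(comp.decode())
    _name_type, timestamp, vno8 = struct.unpack_from(">IIB", buf, off)
    off += 9
    enctype, keylen = struct.unpack_from(">HH", buf, off)
    off += 4 + keylen                      # step over the key material
    vno = vno8
    if len(buf) - off >= 4:                # trailing 32-bit kvno wins when non-zero
        (vno32,) = struct.unpack_from(">I", buf, off)
        vno = vno32 or vno8
    return {"principal": "/".join(comps) + "@" + realm.decode(), "kvno": vno,
            "enctype": enctype, "timestamp": timestamp,
            "enctype_name": ENCTYPES.get(enctype, f"etype {enctype}")}


def parse_keytab(data):
    """Return the live entries of a version 0x0502 keytab, in file order."""
    if data[:2] != b"\x05\x02":
        raise ValueError(f"unsupported keytab version {data[:2]!r}")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                       # deleted slot: skip its payload
            pos -= size
            continue
        if size == 0:
            break
        entries.append(_parse_entry(data[pos:pos + size]))
        pos += size
    return entries


def audit(entries, kdc_kvno=None):
    """Findings that explain the failures reported in this thread."""
    findings = []
    kvnos = sorted({e["kvno"] for e in entries})
    if len(kvnos) > 1:
        findings.append(f"entries carry different KVNOs {kvnos}; "
                        "a stale entry can shadow the current one")
    if kdc_kvno is not None and kdc_kvno not in kvnos:
        findings.append(f"KDC issues kvno {kdc_kvno} but keytab holds {kvnos}: expect "
                        "'Key version number for principal in key table is incorrect'")
    for e in entries:
        if e["enctype"] in DEPRECATED:
            findings.append(f"{e['principal']} kvno {e['kvno']} uses {e['enctype_name']} "
                            f"({DEPRECATED[e['enctype']]}); clients that disabled it fall back or fail")
    return findings


def build_entry(principal, kvno, enctype, key, timestamp=0):
    """Serialize one entry; used here only to construct the sample keytab."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # name type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


SPN = "HTTP/www.example.com@EXAMPLE.COM"          # constructed, as are the dummy keys
SAMPLE_KEYTAB = b"\x05\x02" + b"".join([
    build_entry(SPN, 3, 23, b"\x11" * 16),        # RC4, AES256, AES128 at kvno 3 ...
    build_entry(SPN, 3, 18, b"\x22" * 32),
    build_entry(SPN, 3, 17, b"\x33" * 16),
    build_entry(SPN, 2, 3, b"\x44" * 8),          # ... plus a stale DES entry left at kvno 2
])

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print(f"{e['kvno']:>4} {e['principal']} ({e['enctype_name']})")
    for finding in audit(entries, kdc_kvno=4):
        print("!", finding)
```

Pointing parse_keytab() at a real file (open(path, "rb").read()) gives the same entries klist -e -k lists, and audit() with the number kvno printed for the SPN tells you in one step whether the keytab was regenerated behind the server's back. Note that the file order matters to the acceptor: the entries are tried as stored, which is why Andrew's observation about RC4 sitting ahead of the AES keys was relevant.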
From: Andrew W. <and...@gm...> - 2014-03-29 21:42:09

Hi

I am looking for some help with SSO for Drupal using Kerberos with Ap* Apache on an Active Directory domain, with Windows 7 clients using IE10.

I have setup following this guide
http://www.grolmsnet.de/kerbtut/

I have used ktpass to generate the keytab, originally using rc4-hmac-nt as the crypto type, but read that it might not work with Windows 7 by default now, so have tried it with crypto ALL.

I am still receiving the following error in the logs.

    Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.

I understand this error can be misleading, as you will sometimes get it when it's not a client config problem, as when Kerberos fails it sends the NTLM ticket anyway.

Should a keytab which has been generated with all the available crypto types just work, sorting out the crypto type with the client, or do I need to do something to make it work?

Also something I am a little unclear on is do I need to have any local tickets loaded for the keytab to work, or does the module handle getting its own tickets?

The guide has me testing using

    kinit user@domain

which successfully makes a ticket, and later

    kinit -k -t /keytabfile PRINCPLE/fqdn

again this successfully creates a ticket.

Are they purely for testing, or would either of them need to be renewed when they expire?
From: Russ A. <ea...@ey...> - 2014-01-21 19:30:49

"Steve van der Burg" <ste...@lh...> writes:

> My own problems tackling this are detailed here:
> http://stackoverflow.com/questions/21260141/apache2-working-with-mod-auth-kerb-to-enable-dont-require-logging-in-but-al

The answer you received to that question is correct. There isn't any way to tell whether the browser is capable of Negotiate-Auth without challenging it, at which point the browser will throw up a dialog box if it can't auth.

--
Russ Allbery (ea...@ey...) <http://www.eyrie.org/~eagle/>
From: Steve v. d. B. <ste...@lh...> - 2014-01-21 15:10:00

Would it be possible to add and expose a fixup handler in this module? That way, the "allow negotiation and auth, but don't require it" issue that I have seen many times over the years in the mailing list archives here could possibly be solved without the complex and non-robust solutions that have been proposed in the past. As a long-time user of Apache::AuthCookie, I have used its fixup handler to accomplish this same goal.

My own problems tackling this are detailed here:
http://stackoverflow.com/questions/21260141/apache2-working-with-mod-auth-kerb-to-enable-dont-require-logging-in-but-al

After I posted that, it was pointed out to me that I hadn't searched this mailing list. Once I did, I came across a number of requests similar to mine.

...Steve
From: Jakob O. <ja...@gm...> - 2014-01-15 08:17:37

Hello Douglas,

So far it looks like the problem is solved. And it works with two SPNs.

Thanks man...

On Tue, Jan 14, 2014 at 10:40 PM, Douglas E. Engert <dee...@an...> wrote:
>
> On 1/7/2014 2:22 PM, Jakob Olsen wrote:
>> Hello Douglas, thanks for your reply.
>> If I create 2 accounts.
>>
>> One for http/servername.domain.int and one for http/servername.domain.ext
>>
>> Same server should be able to serve both "SPNs".
>> How will I do that?
>
> Sorry about the late reply.
>
> But yes it could, if you combine the two keytab files. MIT's ktutil can do that.
>
> You would also have to look closely at how the calls to gss_accept_sec_context handle the acceptor_cred_handle parameter. It's been a long time, but IIRC it can be null and the lower level Kerberos may be able to use any keytab entry.
>
>> On Tue, Jan 7, 2014 at 9:14 PM, Douglas E. Engert <dee...@an...> wrote:
>>
>> On 1/7/2014 1:17 PM, Jakob Olsen wrote:
>>> Hello,
>>> this is my first post to the mailing-list, so I hope I'm doing it the right way.
>>>
>>> We have the following setup:
>>>
>>> KDC = Windows 2003R2
>>> Kerberos enabled server: Ubuntu - Apache 2.4
>>> Clients: Windows 7 - IE 8
>>>
>>> The solution has been up and running, but today I needed to add another SPN to the AD user used when the keytab was created.
>>
>> If this is your first attempt at using AD as the KDC for a service, keep in mind that the MS docs talk about a "user" account, but the user is not a real user but an account representing a service. Some people get confused. Your use of the -mapuser us...@do...f looks like this type of confusion.
>>
>> Real users don't normally have SPNs.
>>
>>> I create my keytab with this Windows command:
>>>
>>> ktpass -princ HTTP/ser...@DO...F -mapuser us...@do...f -pass password -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
>>>
>>> But after I added another SPN and created a new keytab, I see this error in my apache error.log:
>>>
>>> [Tue Jan 07 16:53:24.378749 2014] [auth_kerb:debug] [pid 11253] src/mod_auth_kerb.c(1121): [client IP:PORT] GSS-API major_status:000d0000, minor_status:96c73ae6
>>> [Tue Jan 07 16:53:24.378809 2014] [auth_kerb:error] [pid 11253] [client IP:PORT] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)
>>>
>>> So my question is:
>>>
>>> What do I do about this error?
>>> How do I debug any further?
>>
>> Some things to keep in mind...
>>
>> An AD account has a single password used to generate keys on the fly.
>>
>> An AD account has a single key version number.
>>
>> An SPN added to an account shares the password and KVNO with the UPN for the account and all other SPNs on the account.
>>
>> One way to avoid this is to have a separate service account with only one SPN, and one matching keytab entry. Pick a naming convention for these AD accounts, say <service>-<host>, so in your example, http-servername.
>>
>> You may also want to look at msktutil (Ubuntu has a packaged version), or Samba utilities that allow you to update keytabs and AD accounts rather than ktpass.
>>
>>> Normally I don't have klist, ktutil, kadmin etc installed on the Ubuntu server.
>>> But today I installed the krb-user package and when calling kvno HTTP/servername.domain.tld I see the same kvno as the ktpass is writing when creating the keytab.
>>
>> You might just be seeing that the user has cached tickets. You may want to kinit again.
>>
>>> Any help is appreciated.
>>>
>>> --
>>> Jakob Damgaard Olsen
>>> Tlf: 24613112
>>
>> --
>> Douglas E. Engert <DEE...@an...>
>> Argonne National Laboratory
>> 9700 South Cass Avenue
>> Argonne, Illinois 60439
>> (630) 252-5444
>>
>> --
>> Jakob Damgaard Olsen
>> Tlf: 24613112
>
> --
> Douglas E. Engert <DEE...@an...> <DEE...@gm...>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444

--
Jakob Damgaard Olsen
Tlf: 24613112
From: Douglas E. E. <dee...@an...> - 2014-01-14 21:40:11
On 1/7/2014 2:22 PM, Jakob Olsen wrote:
> Hello Douglas, thanks for your reply.
> If i create 2 accounts.
>
> One for http/servername.domain.int and one for http/servername.domain.ext
> Same server should be able to serve both "spn's".
> How will i do that?

Sorry about the late reply.

But yes it could, if you combine the two keytab files. MIT's ktutil can do that.

You would also have to look closely at how the calls to gss_accept_sec_context handle the acceptor_cred_handle parameter. It's been a long time, but IIRC it can be null and the lower level kerberos may be able to use any keytab entry.

> On Tue, Jan 7, 2014 at 9:14 PM, Douglas E. Engert <dee...@an...> wrote:
>
> On 1/7/2014 1:17 PM, Jakob Olsen wrote:
>> Hello,
>> this is my first post to the mailing-list, so i hope i'm doing it the right way.
>>
>> We have the following setup:
>>
>> KDC = Windows 2003R2
>>
>> Kerberos enabled server: Ubuntu - Apache 2.4
>>
>> Clients: Windows 7 - IE 8
>>
>> The solution has been up running, but today i needed to add another spn to the AD user, used when the keytab was created.
>
> If this is your first attempt at using AD as the KDC for a service, keep in mind that the MS docs talk about a "user" account but the user is not a real user but an account representing a service. Some people get confused. Your use of the -mapuser us...@do...f looks like this type of confusion.
>
> Real users don't normally have SPNs.
>
>> I create my keytab with this windows command:
>>
>> ktpass -princ HTTP/ser...@DO...F -mapuser us...@do...f -pass password -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
>>
>> But after i added another SPN and created a new keytab, i see this error in my apache error.log:
>>
>> [Tue Jan 07 16:53:24.378749 2014] [auth_kerb:debug] [pid 11253] src/mod_auth_kerb.c(1121): [client IP:PORT] GSS-API major_status:000d0000, minor_status:96c73ae6
>> [Tue Jan 07 16:53:24.378809 2014] [auth_kerb:error] [pid 11253] [client IP:PORT] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)
>>
>> So my question is:
>>
>> What do i do about this error?
>> How do i debug any further?
>
> Some things to keep in mind...
>
> An AD account has a single password used to generate keys on the fly.
>
> An AD account has a single key version number.
>
> A SPN added to an account shares the password and KVNO with the UPN for the account and all other SPNs on the account.
>
> One way to avoid this is to have a separate service account with only one SPN, and one matching keytab entry.
> Pick a naming convention for these AD accounts, say <service>-<host>, so in your example, http-servername
>
> You may also want to look at msktutil (Ubuntu has a packaged version), or Samba utilities that allow you to update keytabs and AD accounts rather than ktpass.
>
>> Normally i don't have klist, ktutil, kadmin etc installed on the ubuntu server.
>> But today i installed the krb-user package and when calling kvno HTTP/servername.domain.tld i see the same kvno as the ktpass is writing when creating the keytab.
>
> You might just be seeing that the user has cached tickets. You may want to kinit again.
>
>> Any help is appreciated.

--
Douglas E. Engert <DEE...@an...> <DEE...@gm...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
From: Jakob O. <ja...@gm...> - 2014-01-08 06:56:48
Thanks Douglas, it was "that" easy... :)

Have seen the error message so many times:

Key version number for principal in key table is incorrect

And every time i thought the keytab was the problem.

When i removed the old ticket, the kerberos was working again.

Thanks.

On Tue, Jan 7, 2014 at 11:06 PM, Douglas E. Engert <dee...@an...> wrote:

> On 1/7/2014 2:58 PM, Jakob Olsen wrote:
>> Hello all,
>> can this be the problem?
>>
>> http://support.microsoft.com/kb/870987
>>
>> If i open adsiedit.msc and find the user, there is no: msDS-KeyVersionNumber
>> But then i created the keytab, i get this information:
>>
>> C:\>ktpass -princ HTTP/ser...@DO...D -mapuser htt...@do...d -pass abc12345 -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
>> Targeting domain controller: RKDC01.domain.tld
>> Successfully mapped HTTP/servername.domain.tld to http-servername-tld.
>> Password succesfully set!
>> Key created.
>> Output keytab to krb5.keytab:
>> Keytab version: 0x502
>> keysize 76 HTTP/ser...@DO...D ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0xea847b34167fd797cac465a00a2d88b3)
>>
>> Why is the vno 3 from start ?
>
> Not sure, but that is common with AD. I suspect:
> 1 when created,
> 2 when the account password was changed (It should be set to not expire)
> 3 when you did the ktpass.
>
>> On Tue, Jan 7, 2014 at 9:36 PM, Jakob Olsen <ja...@gm...> wrote:
>>
>> Sorry to spam the list...
>> I just created a new user.
>> Created a new keytab (using the ktpass-util)
>> Copied keytab to apache and restarted the server.
>>
>> I still get this error in apache error.log:
>> [Tue Jan 07 21:31:41.785661 2014] [auth_kerb:error] [pid 15740] [client 192.168.128.68:51686] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)
>>
>> How can the kvno be wrong, when user is just created and same with keytab?
>
> Did the client have cached tickets with an older kvno? W7 has a klist tickets command, but does not show the kvno, but does show the time the ticket was obtained.
> Make sure the time is after the time you ran the last ktpass for the SPN.
>
>> On Tue, Jan 7, 2014 at 9:22 PM, Jakob Olsen <ja...@gm...> wrote:
>>
>> Hello Douglas, thanks for your reply.
>> If i create 2 accounts.
>>
>> One for http/servername.domain.int and one for http/servername.domain.ext
>> Same server should be able to serve both "spn's".
>> How will i do that?
>>
>> On Tue, Jan 7, 2014 at 9:14 PM, Douglas E. Engert <dee...@an...> wrote:
>>
>> On 1/7/2014 1:17 PM, Jakob Olsen wrote:
>>> Hello,
>>> this is my first post to the mailing-list, so i hope i'm doing it the right way.
>>>
>>> We have the following setup:
>>>
>>> KDC = Windows 2003R2
>>>
>>> Kerberos enabled server: Ubuntu - Apache 2.4
>>>
>>> Clients: Windows 7 - IE 8
>>>
>>> The solution has been up running, but today i needed to add another spn to the AD user, used when the keytab was created.
>>
>> If this is your first attempt at using AD as the KDC for a service, keep in mind that the MS docs talk about a "user" account but the user is not a real user but an account representing a service. Some people get confused. Your use of the -mapuser us...@do...f looks like this type of confusion.
>>
>> Real users don't normally have SPNs.
>>
>>> I create my keytab with this windows command:
>>>
>>> ktpass -princ HTTP/ser...@DO...F -mapuser us...@do...f -pass password -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
>>>
>>> But after i added another SPN and created a new keytab, i see this error in my apache error.log:
>>>
>>> [Tue Jan 07 16:53:24.378749 2014] [auth_kerb:debug] [pid 11253] src/mod_auth_kerb.c(1121): [client IP:PORT] GSS-API major_status:000d0000, minor_status:96c73ae6
>>> [Tue Jan 07 16:53:24.378809 2014] [auth_kerb:error] [pid 11253] [client IP:PORT] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)
>>>
>>> So my question is:
>>>
>>> What do i do about this error?
>>> How do i debug any further?
>>
>> Some things to keep in mind...
>>
>> An AD account has a single password used to generate keys on the fly.
>>
>> An AD account has a single key version number.
>>
>> A SPN added to an account shares the password and KVNO with the UPN for the account and all other SPNs on the account.
>>
>> One way to avoid this is to have a separate service account with only one SPN, and one matching keytab entry.
>> Pick a naming convention for these AD accounts, say <service>-<host>, so in your example, http-servername
>>
>> You may also want to look at msktutil (Ubuntu has a packaged version), or Samba utilities that allow you to update keytabs and AD accounts rather than ktpass.
>>
>>> Normally i don't have klist, ktutil, kadmin etc installed on the ubuntu server.
>>> But today i installed the krb-user package and when calling kvno HTTP/servername.domain.tld i see the same kvno as the ktpass is writing when creating the keytab.
>>
>> You might just be seeing that the user has cached tickets. You may want to kinit again.
>>
>>> Any help is appreciated.

--
Jakob Damgaard Olsen
Tlf: 24613112
From: Douglas E. E. <dee...@an...> - 2014-01-07 22:06:10
On 1/7/2014 2:58 PM, Jakob Olsen wrote:
> Hello all,
> can this be the problem?
>
> http://support.microsoft.com/kb/870987
>
> If i open adsiedit.msc and find the user, there is no: msDS-KeyVersionNumber
> But then i created the keytab, i get this information:
>
> C:\>ktpass -princ HTTP/ser...@DO...D -mapuser htt...@do...d -pass abc12345 -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
> Targeting domain controller: RKDC01.domain.tld
> Successfully mapped HTTP/servername.domain.tld to http-servername-tld.
> Password succesfully set!
> Key created.
> Output keytab to krb5.keytab:
> Keytab version: 0x502
> keysize 76 HTTP/ser...@DO...D ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0xea847b34167fd797cac465a00a2d88b3)
>
> Why is the vno 3 from start ?

Not sure, but that is common with AD. I suspect:
1 when created,
2 when the account password was changed (It should be set to not expire)
3 when you did the ktpass.

> On Tue, Jan 7, 2014 at 9:36 PM, Jakob Olsen <ja...@gm...> wrote:
>
> Sorry to spam the list...
> I just created a new user.
> Created a new keytab (using the ktpass-util)
> Copied keytab to apache and restarted the server.
>
> I still get this error in apache error.log:
> [Tue Jan 07 21:31:41.785661 2014] [auth_kerb:error] [pid 15740] [client 192.168.128.68:51686] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)
>
> How can the kvno be wrong, when user is just created and same with keytab?

Did the client have cached tickets with an older kvno? W7 has a klist tickets command, but does not show the kvno, but does show the time the ticket was obtained.
Make sure the time is after the time you ran the last ktpass for the SPN.

> On Tue, Jan 7, 2014 at 9:22 PM, Jakob Olsen <ja...@gm...> wrote:
>
> Hello Douglas, thanks for your reply.
> If i create 2 accounts.
>
> One for http/servername.domain.int and one for http/servername.domain.ext
> Same server should be able to serve both "spn's".
> How will i do that?
>
> On Tue, Jan 7, 2014 at 9:14 PM, Douglas E. Engert <dee...@an...> wrote:
>
> On 1/7/2014 1:17 PM, Jakob Olsen wrote:
>> Hello,
>> this is my first post to the mailing-list, so i hope i'm doing it the right way.
>>
>> We have the following setup:
>>
>> KDC = Windows 2003R2
>>
>> Kerberos enabled server: Ubuntu - Apache 2.4
>>
>> Clients: Windows 7 - IE 8
>>
>> The solution has been up running, but today i needed to add another spn to the AD user, used when the keytab was created.
>
> If this is your first attempt at using AD as the KDC for a service, keep in mind that the MS docs talk about a "user" account but the user is not a real user but an account representing a service. Some people get confused. Your use of the -mapuser us...@do...f looks like this type of confusion.
>
> Real users don't normally have SPNs.
>
>> I create my keytab with this windows command:
>>
>> ktpass -princ HTTP/ser...@DO...F -mapuser us...@do...f -pass password -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
>>
>> But after i added another SPN and created a new keytab, i see this error in my apache error.log:
>>
>> [Tue Jan 07 16:53:24.378749 2014] [auth_kerb:debug] [pid 11253] src/mod_auth_kerb.c(1121): [client IP:PORT] GSS-API major_status:000d0000, minor_status:96c73ae6
>> [Tue Jan 07 16:53:24.378809 2014] [auth_kerb:error] [pid 11253] [client IP:PORT] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)
>>
>> So my question is:
>>
>> What do i do about this error?
>> How do i debug any further?
>
> Some things to keep in mind...
>
> An AD account has a single password used to generate keys on the fly.
>
> An AD account has a single key version number.
>
> A SPN added to an account shares the password and KVNO with the UPN for the account and all other SPNs on the account.
>
> One way to avoid this is to have a separate service account with only one SPN, and one matching keytab entry.
> Pick a naming convention for these AD accounts, say <service>-<host>, so in your example, http-servername
>
> You may also want to look at msktutil (Ubuntu has a packaged version), or Samba utilities that allow you to update keytabs and AD accounts rather than ktpass.
>
>> Normally i don't have klist, ktutil, kadmin etc installed on the ubuntu server.
>> But today i installed the krb-user package and when calling kvno HTTP/servername.domain.tld i see the same kvno as the ktpass is writing when creating the keytab.
>
> You might just be seeing that the user has cached tickets. You may want to kinit again.
>
>> Any help is appreciated.

--
Douglas E. Engert <DEE...@an...> <DEE...@gm...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
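Douglas's two points above, a keytab that holds both SPNs and a ticket whose kvno no longer matches any entry, can be checked against the keytab file itself. The following Python is an added example written for this page, not code from mod_auth_kerb or from anyone in the thread: it reads and writes the MIT keytab layout that ktpass reports as "Keytab version: 0x502" and classifies a kvno mismatch the way the thread reasons about it. The realm DOMAIN.TLD, both host names, the timestamp and the key bytes are constructed placeholders.

```python
import struct
from dataclasses import dataclass

KEYTAB_VERSION = 0x0502      # "Keytab version: 0x502" in the ktpass output
ENCTYPE_RC4_HMAC = 0x17      # "etype 0x17 (RC4-HMAC)"
KRB5_NT_PRINCIPAL = 1        # "ptype 1 (KRB5_NT_PRINCIPAL)"


@dataclass
class KeytabEntry:
    principal: str           # "HTTP/host@REALM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(data: bytes, pos: int):
    # uint16 big-endian length followed by that many bytes
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries) -> bytes:
    """Serialise entries in the MIT keytab layout (file version 0x502)."""
    out = struct.pack(">H", KEYTAB_VERSION)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in (realm, *comps):
            b = s.encode()
            body += struct.pack(">H", len(b)) + b
        body += struct.pack(">IIBHH", e.name_type, e.timestamp,
                            e.kvno & 0xFF, e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)      # trailing 32-bit kvno field
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data: bytes) -> list:
    """Walk the entry list; a negative size marks a deleted slot to skip."""
    if struct.unpack_from(">H", data, 0)[0] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size > 0:
            entries.append(_parse_entry(data[pos:pos + size]))
        pos += abs(size)
    return entries


def _parse_entry(buf: bytes) -> KeytabEntry:
    (ncomp,) = struct.unpack_from(">H", buf, 0)
    realm, p = _counted(buf, 2)
    comps = []
    for _ in range(ncomp):
        c, p = _counted(buf, p)
        comps.append(c.decode())
    name_type, ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", buf, p)
    p += 13
    key, p = buf[p:p + klen], p + klen
    kvno = vno8
    if len(buf) - p >= 4:                      # 32-bit kvno present; wins if non-zero
        (vno32,) = struct.unpack_from(">I", buf, p)
        if vno32:
            kvno = vno32
    return KeytabEntry("/".join(comps) + "@" + realm.decode(),
                       name_type, ts, kvno, enctype, key)


def diagnose(entries, principal: str, ticket_kvno: int) -> str:
    """Classify a kvno mismatch the way the thread reasons about it.

    The KDC stamps the service ticket with the kvno of the key it used;
    gss_accept_sec_context() needs an entry for the same principal at the
    same kvno, else "Key version number for principal in key table is
    incorrect"."""
    mine = [e for e in entries if e.principal == principal]
    if not mine:
        return "missing"        # no entry for this SPN at all
    if any(e.kvno == ticket_kvno for e in mine):
        return "ok"
    if ticket_kvno < max(e.kvno for e in mine):
        return "stale-ticket"   # client cached a ticket issued before the last ktpass
    return "stale-keytab"       # account password/kvno moved on; regenerate the keytab


# Constructed sample: two SPNs on two service accounts merged into one keytab,
# as ktutil would produce.  Realm, host names and key bytes are placeholders.
SAMPLE_ENTRIES = [
    KeytabEntry("HTTP/servername.domain.int@DOMAIN.TLD", KRB5_NT_PRINCIPAL,
                1389113604, 3, ENCTYPE_RC4_HMAC, bytes(range(16))),
    KeytabEntry("HTTP/servername.domain.ext@DOMAIN.TLD", KRB5_NT_PRINCIPAL,
                1389113604, 1, ENCTYPE_RC4_HMAC, bytes(range(16, 32))),
]

if __name__ == "__main__":
    kt = parse_keytab(build_keytab(SAMPLE_ENTRIES))
    print(diagnose(kt, SAMPLE_ENTRIES[0].principal, 2))  # stale-ticket
```

On a live server the same check is `klist -kte /etc/krb5.keytab` against `kvno HTTP/servername.domain.tld` run after a fresh kinit, which is what the thread ends up doing by hand.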
From: Jakob O. <ja...@gm...> - 2014-01-07 20:58:27
Hello all,
can this be the problem?

http://support.microsoft.com/kb/870987

If i open adsiedit.msc and find the user, there is no: msDS-KeyVersionNumber
But then i created the keytab, i get this information:

C:\>ktpass -princ HTTP/ser...@DO...D -mapuser htt...@do...d -pass abc12345 -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
Targeting domain controller: RKDC01.domain.tld
Successfully mapped HTTP/servername.domain.tld to http-servername-tld.
Password succesfully set!
Key created.
Output keytab to krb5.keytab:
Keytab version: 0x502
keysize 76 HTTP/ser...@DO...D ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0xea847b34167fd797cac465a00a2d88b3)

Why is the vno 3 from start ?

On Tue, Jan 7, 2014 at 9:36 PM, Jakob Olsen <ja...@gm...> wrote:

> Sorry to spam the list...
> I just created a new user.
> Created a new keytab (using the ktpass-util)
> Copied keytab to apache and restarted the server.
>
> I still get this error in apache error.log:
> [Tue Jan 07 21:31:41.785661 2014] [auth_kerb:error] [pid 15740] [client 192.168.128.68:51686] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)
>
> How can the kvno be wrong, when user is just created and same with keytab?
>
> On Tue, Jan 7, 2014 at 9:22 PM, Jakob Olsen <ja...@gm...> wrote:
>
>> Hello Douglas, thanks for your reply.
>> If i create 2 accounts.
>>
>> One for http/servername.domain.int and one for http/servername.domain.ext
>> Same server should be able to serve both "spn's".
>> How will i do that?
>>
>> On Tue, Jan 7, 2014 at 9:14 PM, Douglas E. Engert <dee...@an...> wrote:
>>
>>> On 1/7/2014 1:17 PM, Jakob Olsen wrote:
>>>
>>> Hello,
>>> this is my first post to the mailing-list, so i hope i'm doing it the right way.
>>>
>>> We have the following setup:
>>>
>>> KDC = Windows 2003R2
>>>
>>> Kerberos enabled server: Ubuntu - Apache 2.4
>>>
>>> Clients: Windows 7 - IE 8
>>>
>>> The solution has been up running, but today i needed to add another spn to the AD user, used when the keytab was created.
>>>
>>> If this is your first attempt at using AD as the KDC for a service, keep in mind that the MS docs talk about a "user" account but the user is not a real user but an account representing a service. Some people get confused. Your use of the -mapuser us...@do...f looks like this type of confusion.
>>>
>>> Real users don't normally have SPNs.
>>>
>>> I create my keytab with this windows command:
>>>
>>> ktpass -princ HTTP/ser...@DO...F -mapuser us...@do...f -pass password -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
>>>
>>> But after i added another SPN and created a new keytab, i see this error in my apache error.log:
>>>
>>> [Tue Jan 07 16:53:24.378749 2014] [auth_kerb:debug] [pid 11253] src/mod_auth_kerb.c(1121): [client IP:PORT] GSS-API major_status:000d0000, minor_status:96c73ae6
>>> [Tue Jan 07 16:53:24.378809 2014] [auth_kerb:error] [pid 11253] [client IP:PORT] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)
>>>
>>> So my question is:
>>>
>>> What do i do about this error?
>>> How do i debug any further?
>>>
>>> Some things to keep in mind...
>>>
>>> An AD account has a single password used to generate keys on the fly.
>>>
>>> An AD account has a single key version number.
>>>
>>> A SPN added to an account shares the password and KVNO with the UPN for the account and all other SPNs on the account.
>>>
>>> One way to avoid this is to have a separate service account with only one SPN, and one matching keytab entry.
>>> Pick a naming convention for these AD accounts, say <service>-<host>, so in your example, http-servername
>>>
>>> You may also want to look at msktutil (Ubuntu has a packaged version), or Samba utilities that allow you to update keytabs and AD accounts rather than ktpass.
>>>
>>> Normally i don't have klist, ktutil, kadmin etc installed on the ubuntu server.
>>> But today i installed the krb-user package and when calling kvno HTTP/servername.domain.tld i see the same kvno as the ktpass is writing when creating the keytab.
>>>
>>> You might just be seeing that the user has cached tickets. You may want to kinit again.
>>>
>>> Any help is appreciated.

--
Jakob Damgaard Olsen
Tlf: 24613112
From: Jakob O. <ja...@gm...> - 2014-01-07 20:36:52
Sorry to spam the list...
I just created a new user.
Created a new keytab (using the ktpass-util)
Copied keytab to apache and restarted the server.

I still get this error in apache error.log:
[Tue Jan 07 21:31:41.785661 2014] [auth_kerb:error] [pid 15740] [client 192.168.128.68:51686] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)

How can the kvno be wrong, when user is just created and same with keytab?

On Tue, Jan 7, 2014 at 9:22 PM, Jakob Olsen <ja...@gm...> wrote:

> Hello Douglas, thanks for your reply.
> If i create 2 accounts.
>
> One for http/servername.domain.int and one for http/servername.domain.ext
> Same server should be able to serve both "spn's".
> How will i do that?
>
> On Tue, Jan 7, 2014 at 9:14 PM, Douglas E. Engert <dee...@an...> wrote:
>
>> On 1/7/2014 1:17 PM, Jakob Olsen wrote:
>>
>> Hello,
>> this is my first post to the mailing-list, so i hope i'm doing it the right way.
>>
>> We have the following setup:
>>
>> KDC = Windows 2003R2
>>
>> Kerberos enabled server: Ubuntu - Apache 2.4
>>
>> Clients: Windows 7 - IE 8
>>
>> The solution has been up running, but today i needed to add another spn to the AD user, used when the keytab was created.
>>
>> If this is your first attempt at using AD as the KDC for a service, keep in mind that the MS docs talk about a "user" account but the user is not a real user but an account representing a service. Some people get confused. Your use of the -mapuser us...@do...f looks like this type of confusion.
>>
>> Real users don't normally have SPNs.
>>
>> I create my keytab with this windows command:
>>
>> ktpass -princ HTTP/ser...@DO...F -mapuser us...@do...f -pass password -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
>>
>> But after i added another SPN and created a new keytab, i see this error in my apache error.log:
>>
>> [Tue Jan 07 16:53:24.378749 2014] [auth_kerb:debug] [pid 11253] src/mod_auth_kerb.c(1121): [client IP:PORT] GSS-API major_status:000d0000, minor_status:96c73ae6
>> [Tue Jan 07 16:53:24.378809 2014] [auth_kerb:error] [pid 11253] [client IP:PORT] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)
>>
>> So my question is:
>>
>> What do i do about this error?
>> How do i debug any further?
>>
>> Some things to keep in mind...
>>
>> An AD account has a single password used to generate keys on the fly.
>>
>> An AD account has a single key version number.
>>
>> A SPN added to an account shares the password and KVNO with the UPN for the account and all other SPNs on the account.
>>
>> One way to avoid this is to have a separate service account with only one SPN, and one matching keytab entry.
>> Pick a naming convention for these AD accounts, say <service>-<host>, so in your example, http-servername
>>
>> You may also want to look at msktutil (Ubuntu has a packaged version), or Samba utilities that allow you to update keytabs and AD accounts rather than ktpass.
>>
>> Normally i don't have klist, ktutil, kadmin etc installed on the ubuntu server.
>> But today i installed the krb-user package and when calling kvno HTTP/servername.domain.tld i see the same kvno as the ktpass is writing when creating the keytab.
>>
>> You might just be seeing that the user has cached tickets. You may want to kinit again.
>>
>> Any help is appreciated.

--
Jakob Damgaard Olsen
Tlf: 24613112
From: Jakob O. <ja...@gm...> - 2014-01-07 20:22:09
Hello Douglas, thanks for your reply.
If I create 2 accounts,

one for http/servername.domain.int and one for http/servername.domain.ext,
the same server should be able to serve both "SPNs".
How will I do that?

On Tue, Jan 7, 2014 at 9:14 PM, Douglas E. Engert <dee...@an...> wrote:
>
> On 1/7/2014 1:17 PM, Jakob Olsen wrote:
>> Hello,
>> this is my first post to the mailing-list, so I hope I'm doing it the right way.
>>
>> We have the following setup:
>>
>> KDC = Windows 2003R2
>>
>> Kerberos enabled server: Ubuntu - Apache 2.4
>>
>> Clients: Windows 7 - IE 8
>>
>> The solution has been up and running, but today I needed to add another SPN to the AD user used when the keytab was created.
>
> If this is your first attempt at using AD as the KDC for a service, keep in mind that the MS docs talk about a "user" account,
> but the user is not a real user but an account representing a service. Some people get confused. Your use of
> -mapuser us...@do...f looks like this type of confusion.
>
> Real users don't normally have SPNs.
>
>> I create my keytab with this windows command:
>>
>> ktpass -princ HTTP/ser...@DO...F -mapuser us...@do...f -pass password -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
>>
>> But after I added another SPN and created a new keytab, I see this error in my apache error.log:
>>
>> [Tue Jan 07 16:53:24.378749 2014] [auth_kerb:debug] [pid 11253] src/mod_auth_kerb.c(1121): [client IP:PORT] GSS-API major_status:000d0000, minor_status:96c73ae6
>> [Tue Jan 07 16:53:24.378809 2014] [auth_kerb:error] [pid 11253] [client IP:PORT] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)
>>
>> So my question is:
>>
>> What do I do about this error?
>> How do I debug any further?
>
> Some things to keep in mind...
>
> An AD account has a single password used to generate keys on the fly.
>
> An AD account has a single key version number.
>
> An SPN added to an account shares the password and KVNO with the UPN for the account and all other SPNs on the account.
>
> One way to avoid this is to have a separate service account with only one SPN, and one matching keytab entry.
> Pick a naming convention for these AD accounts, say <service>-<host>, so in your example, http-servername
>
> You may also want to look at msktutil (Ubuntu has a packaged version), or Samba utilities that allow you to update keytabs and AD accounts
> rather than ktpass.
>
>> Normally I don't have klist, ktutil, kadmin etc. installed on the ubuntu server.
>> But today I installed the krb-user package and when calling kvno HTTP/servername.domain.tld I see the same kvno as ktpass is writing when creating the keytab.
>
> You might just be seeing that the user has cached tickets. You may want to kinit again.
>
>> Any help is appreciated.
>>
>> --
>> Jakob Damgaard Olsen
>> Tlf: 24613112
>
> --
>
> Douglas E. Engert <DEE...@an...>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444

--
Jakob Damgaard Olsen
Tlf: 24613112
From: Douglas E. E. <dee...@an...> - 2014-01-07 20:14:40
On 1/7/2014 1:17 PM, Jakob Olsen wrote:
> Hello,
> this is my first post to the mailing-list, so I hope I'm doing it the right way.
>
> We have the following setup:
>
> KDC = Windows 2003R2
>
> Kerberos enabled server: Ubuntu - Apache 2.4
>
> Clients: Windows 7 - IE 8
>
> The solution has been up and running, but today I needed to add another SPN to the AD user used when the keytab was created.

If this is your first attempt at using AD as the KDC for a service, keep in mind that the MS docs talk about a "user" account,
but the user is not a real user but an account representing a service. Some people get confused. Your use of
-mapuser us...@do...f looks like this type of confusion.

Real users don't normally have SPNs.

> I create my keytab with this windows command:
>
> ktpass -princ HTTP/ser...@DO...F -mapuser us...@do...f -pass password -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
>
> But after I added another SPN and created a new keytab, I see this error in my apache error.log:
>
> [Tue Jan 07 16:53:24.378749 2014] [auth_kerb:debug] [pid 11253] src/mod_auth_kerb.c(1121): [client IP:PORT] GSS-API major_status:000d0000, minor_status:96c73ae6
> [Tue Jan 07 16:53:24.378809 2014] [auth_kerb:error] [pid 11253] [client IP:PORT] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)
>
> So my question is:
>
> What do I do about this error?
> How do I debug any further?

Some things to keep in mind...

An AD account has a single password used to generate keys on the fly.

An AD account has a single key version number.

An SPN added to an account shares the password and KVNO with the UPN for the account and all other SPNs on the account.

One way to avoid this is to have a separate service account with only one SPN, and one matching keytab entry.
Pick a naming convention for these AD accounts, say <service>-<host>, so in your example, http-servername

You may also want to look at msktutil (Ubuntu has a packaged version), or Samba utilities that allow you to update keytabs and AD accounts
rather than ktpass.

> Normally I don't have klist, ktutil, kadmin etc. installed on the ubuntu server.
> But today I installed the krb-user package and when calling kvno HTTP/servername.domain.tld I see the same kvno as ktpass is writing when creating the keytab.

You might just be seeing that the user has cached tickets. You may want to kinit again.

> Any help is appreciated.
>
> --
> Jakob Damgaard Olsen
> Tlf: 24613112

--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
From: Jakob O. <ja...@gm...> - 2014-01-07 19:17:50
Hello,
this is my first post to the mailing-list, so I hope I'm doing it the right way.

We have the following setup:

KDC = Windows 2003R2

Kerberos enabled server: Ubuntu - Apache 2.4

Clients: Windows 7 - IE 8

The solution has been up and running, but today I needed to add another SPN to the AD user used when the keytab was created.

I create my keytab with this windows command:

ktpass -princ HTTP/ser...@DO...F -mapuser us...@do...f -pass password -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out krb5.keytab

But after I added another SPN and created a new keytab, I see this error in my apache error.log:

[Tue Jan 07 16:53:24.378749 2014] [auth_kerb:debug] [pid 11253] src/mod_auth_kerb.c(1121): [client IP:PORT] GSS-API major_status:000d0000, minor_status:96c73ae6
[Tue Jan 07 16:53:24.378809 2014] [auth_kerb:error] [pid 11253] [client IP:PORT] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)

So my question is:

What do I do about this error?
How do I debug any further?

Normally I don't have klist, ktutil, kadmin etc. installed on the ubuntu server.
But today I installed the krb-user package and when calling kvno HTTP/servername.domain.tld I see the same kvno as ktpass is writing when creating the keytab.

Any help is appreciated.

--
Jakob Damgaard Olsen
Tlf: 24613112
From: Douglas E. E. <dee...@an...> - 2013-11-02 19:06:01
On 11/1/2013 10:56 AM, Martin Yves wrote:
> Hello Douglas,
>
> Personally, the "service account" I created for SPN and keytab
> generation is also used to authenticate LDAP queries...
> As far as the password does not expire and is correct, I discover no
> troubles about it.
>
> To sum up for Jim, here are some tasks I think about:
>
> - if the "user account" holding the SPN and used to generate
> keytab is not a specific service account,
> it is worth to delete it and create it again...
>
> - create a dedicated "service account" (standard account but
> dedicated to Kerberos SSO) in AD and create keytab
>
> - check and clean duplicate SPNs
>
> - do not use default location /etc/krb5.keytab but (for instance)
> /etc/apache2/http-arecord.keytab

Yes. Check ownership, only readable by apache server.

>
> - validate SPN with kinit/kvno:
>
> $ kinit MeMyselfI
> $ kvno HTTP/arecord.mysite.com
>
> $ kdestroy
> $ kinit HTTP/arecord.mysite.com
> => check password authentication with "service account" password
>
> $ kdestroy
> $ kinit -k -t /etc/apache2/http-arecord.keytab HTTP/arecord.mysite.com
> => is equivalent to the previous one but password comes from keytab
>
>
> If all those diagnostic steps pass, there is no reason Apache2 cannot
> accept your token from your browser... Or else you have a big trouble
> in Apache2/mod_auth_kerb. You should provide us with details about it.
>
>
> For a reason I have not found yet, a few months ago, with Debian Wheezy
> mod_auth_kerb 5.4-2 and DC AD 2008, I had to explicitly set
> "KrbServiceName HTTP/arecord.mysite.com" instead of default "HTTP"
> to get my system to load keytab. It no longer "guessed" expected SPN
> probably because our network was in a migration from one domain to
> another. I just checked and that trick is no longer required, defaults
> work.
>

A few years ago, there was a problem with a version of ktpass. Make sure you have the latest.

If you are running 2008R2 it could be the DC is generating a service ticket with an AES-256 key, but the key table does not have one.
The AD attribute to look at is msDS-SupportedEncryptionTypes
http://msdn.microsoft.com/en-us/library/cc223853.aspx
http://blogs.msdn.com/b/openspecification/archive/2011/05/31/windows-configurations-for-kerberos-supported-encryption-type.aspx

If you change the service account password, you must also change the keytab. You must also destroy any cached service tickets for the service.
If the test client is Windows you will need to log off and back on again.

>
> Hope this helps
>

--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
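Two points in this thread reduce to one check: Douglas's note that an AD account has a single password and a single KVNO shared by all its SPNs (so a keytab written before a password reset, or a "new user" whose keytab was cut at a different kvno, fails with "Key version number for principal in key table is incorrect"), and his point above that a 2008R2 DC may issue AES-256 service tickets while ktpass wrote only an RC4 key. The Python script below is an added example for this list archive, not code from mod_auth_kerb or from any poster. It parses an MIT-format keytab (file format 0x0502, the format `klist -k` reads) and reports, for one service principal, whether the keytab holds the kvno that `kvno HTTP/...` reports and a key for each enctype the account's msDS-SupportedEncryptionTypes lets the DC issue. The keytab bytes, principal names, kvno values and enctype sets are constructed for the demonstration; the enctype numbers (17, 18, 23) are the standard Kerberos assignments.

```python
"""Added example for this list thread, not mod_auth_kerb or any poster's code:
parse an MIT keytab (file format 0x0502, big-endian) and compare its entries
for a service principal with what the KDC reports.  All sample data is constructed."""
import struct
from dataclasses import dataclass

# Kerberos enctype numbers as stored in keytab entries
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac"}  # 23 is what ktpass /crypto RC4-HMAC-NT writes


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int


def _counted(buf, off):
    """Read a counted_octet_string (uint16 length, then bytes); return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(buf: bytes):
    """Return the entries of a 0x0502 keytab; deleted slots (negative size) are skipped."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("only keytab file format 0x0502 is handled")
    off, entries = 2, []
    while off + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, off)
        off += 4
        if size < 0:
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", buf, off)
        realm, off = _counted(buf, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(buf, off)
            comps.append(c.decode())
        # name_type (uint32), timestamp (uint32), 8-bit kvno, then keyblock {enctype, key}
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", buf, off)
        (enctype,) = struct.unpack_from(">H", buf, off + 9)
        _key, off = _counted(buf, off + 11)
        kvno = vno8
        if end - off >= 4:                      # 32-bit kvno present only if bytes remain
            (kvno,) = struct.unpack_from(">I", buf, off)
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype))
    return entries


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples to 0x0502 bytes; used only to build sample input."""
    out = bytearray(b"\x05\x02")
    for princ, kvno, enctype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)          # KRB5_NT_PRINCIPAL, timestamp 0, vno8
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_keytab(entries, principal, kdc_kvno, kdc_enctypes):
    """kdc_kvno is what `kvno <principal>` prints; kdc_enctypes is what the service
    account's msDS-SupportedEncryptionTypes allows the DC to issue."""
    mine = [e for e in entries if e.principal == principal]
    if not mine:
        return [f"no entry for {principal} in keytab"]
    kvnos = sorted({e.kvno for e in mine})
    if kdc_kvno not in kvnos:                   # every SPN on the account shares this kvno
        return [f"kvno mismatch: keytab has {kvnos}, KDC reports {kdc_kvno}"]
    present = {e.enctype for e in mine if e.kvno == kdc_kvno}
    return [f"KDC may issue {ENCTYPE_NAMES.get(et, et)} tickets but keytab has no such key for kvno {kdc_kvno}"
            for et in sorted(set(kdc_enctypes) - present)]


# Constructed sample data; principal names follow the thread, keys are dummies.
HTTP_PRINC = "HTTP/arecord.mysite.com@EXAMPLE.ORG"
DUMMY_KEY = bytes(16)


def demo_stale_keytab():
    """Keytab from an earlier ktpass run (kvno 5) after the account moved to kvno 6."""
    kt = build_keytab([(HTTP_PRINC, 5, 23, DUMMY_KEY), ("host/arecord.mysite.com@EXAMPLE.ORG", 2, 23, DUMMY_KEY)])
    return check_keytab(parse_keytab(kt), HTTP_PRINC, kdc_kvno=6, kdc_enctypes={23})


def demo_missing_aes():
    """kvno matches, but ktpass wrote only RC4 while the DC may also issue AES-256 tickets."""
    kt = build_keytab([(HTTP_PRINC, 6, 23, DUMMY_KEY)])
    return check_keytab(parse_keytab(kt), HTTP_PRINC, kdc_kvno=6, kdc_enctypes={18, 23})


def demo_consistent():
    kt = build_keytab([(HTTP_PRINC, 6, 23, DUMMY_KEY), (HTTP_PRINC, 6, 18, bytes(32))])
    return check_keytab(parse_keytab(kt), HTTP_PRINC, kdc_kvno=6, kdc_enctypes={18, 23})
```

On a real server, read the Apache keytab (`open(path, "rb").read()`) into `parse_keytab`, take `kdc_kvno` from the `kvno` command Yves lists, and take the enctype set from the service account's msDS-SupportedEncryptionTypes; an empty result means the keytab can decrypt whatever the DC will send. The kvno check is deliberately done before the enctype check, because once the account password has changed every key in the old keytab is useless regardless of enctype.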
From: Jim F. <jim...@an...> - 2013-11-01 19:44:26
Hi all,

Thanks so much for all the help on this issue, this is a great community of people and I appreciate your willingness to help! Special thanks to Yves and Douglas for taking the time to go through this with me in great detail. It made a huge difference!

This issue is finally resolved. Here are some of the things that worked in my particular case:

I was finally able to remove the "GSS-API major_status:000d0000, minor_status:000186a4" Apache log error. It was exactly what we all thought it was: Apache not being able to read the keytab file. The way I corrected this was:

1) Editing the httpd.conf file and changing the "User" and "Group" lines to a new user and group. This is where you establish the owner of the Apache process. Before I was trying to do a chown on the httpd.pid file to change the Apache owner, but that didn't seem to work and those changes were actually being restored to their defaults when I restarted Apache anyway. Also remember to restart Apache when you've edited the httpd.conf file in order to ensure these changes take effect (sudo service httpd restart).

2) I added another keytab file for Apache specifically. This was just an exact duplicate of the other file but in a different location. I changed this file to have the same user and group as I specified in the httpd.conf file above (sudo chown username:groupname /path/to/apache-specific/keytab/krb5.keytab). I also changed the permissions on this new keytab file so it is only readable by the Apache user (sudo chown 400 /path/to/apache-specific/keytab/krb5.keytab).

After making the above changes, when hitting https://cname.mysite.com/user/login/sso and having Firefox configured (about:config > network.negotiate-auth.trusted-uris = .mysite.com), I was receiving the following in the Apache error log:

[info] Subsequent (No.2) HTTPS request received for child 1 (server arecord.mysite.com:80)
[debug] src/mod_auth_kerb.c(1628): [client <ip address>] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[debug] src/mod_auth_kerb.c(1240): [client <ip address>] Acquiring creds for HTTP/are...@EX...
[debug] src/mod_auth_kerb.c(1385): [client <ip address>] Verifying client data using KRB5 GSS-API
[debug] src/mod_auth_kerb.c(1401): [client <ip address>] Client didn't delegate us their credential
[debug] src/mod_auth_kerb.c(1420): [client <ip address>] GSS-API token of length 180 bytes will be sent back
[debug] ssl_engine_kernel.c(1889): OpenSSL: Write: SSL negotiation finished successfully

Which is exactly what should be logged during successful login according to this (near the bottom): http://blog.stefan-macke.com/2011/04/19/single-sign-on-with-kerberos-using-debian-and-windows-server-2008-r2/

Another problem I had was that we are using HTTP authentication to protect the site using a Drupal module called shield <https://drupal.org/project/shield>. So when you would hit the URL, you would get prompted for HTTP auth credentials (before entering these credentials is when the successful Apache log message would be logged) and if the credentials were entered correctly, I would be sent to the 401 Authorization Required screen. Disabling shield seemed to do the trick.

I was still having a problem after getting rid of the HTTP auth, but it ended up being Drupal specific. Hitting https://cname.mysite.com/user/login/sso would redirect me to our default login screen and display the following error message at the top of the page: "you have been successfully authenticated". This was odd because I was still not authorized to access content. Turns out to be something that is fixed in the newest version of the LDAP module (7.x-2.0-beta6 at the time of this posting). If you're a Drupal user, see this issue for more details: https://drupal.org/node/1956224

Here is the final working setup of my httpd.conf file (In my case it was actually a site specific .conf file because we are hosting multiple sites on the same server using vhosts. The httpd.conf file used an "include" to reference this site specific file):

LoadModule auth_kerb_module /path/to/modules/mod_auth_kerb.so
<Location /user/login/sso>
  AuthType Kerberos
  KrbAuthRealms EXAMPLE.ORG
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  require valid-user
  KrbServiceName HTTP
  Krb5Keytab /path/to/apache-specific/keytab/krb5.keytab
</Location>

I hope this can help someone facing similar issues. Thanks again!

-Jim

On Fri, Nov 1, 2013 at 11:56 AM, Martin Yves <yve...@el...> wrote:
> Hello Douglas,
>
> Personally, the "service account" I created for SPN and keytab
> generation is also used to authenticate LDAP queries...
> As far as the password does not expire and is correct, I discover no
> troubles about it.
>
> To sum up for Jim, here are some tasks I think about:
>
> - if the "user account" holding the SPN and used to generate
> keytab is not a specific service account,
> it is worth to delete it and create it again...
>
> - create a dedicated "service account" (standard account but
> dedicated to Kerberos SSO) in AD and create keytab
>
> - check and clean duplicate SPNs
>
> - do not use default location /etc/krb5.keytab but (for instance)
> /etc/apache2/http-arecord.keytab
>
> - validate SPN with kinit/kvno:
>
> $ kinit MeMyselfI
> $ kvno HTTP/arecord.mysite.com
>
> $ kdestroy
> $ kinit HTTP/arecord.mysite.com
> => check password authentication with "service account" password
>
> $ kdestroy
> $ kinit -k -t /etc/apache2/http-arecord.keytab HTTP/arecord.mysite.com
> => is equivalent to the previous one but password comes from keytab
>
>
> If all those diagnostic steps pass, there is no reason Apache2 cannot
> accept your token from your browser... Or else you have a big trouble
> in Apache2/mod_auth_kerb. You should provide us with details about it.
>
>
> For a reason I have not found yet, a few months ago, with Debian Wheezy
> mod_auth_kerb 5.4-2 and DC AD 2008, I had to explicitly set
> "KrbServiceName HTTP/arecord.mysite.com" instead of default "HTTP"
> to get my system to load keytab. It no longer "guessed" expected SPN
> probably because our network was in a migration from one domain to
> another. I just checked and that trick is no longer required, defaults
> work.
>
>
> Hope this helps
> --
> Yves Martin
>
>
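Jim's fix, and Yves's and Douglas's advice it follows, comes down to three properties of the file named in Krb5Keytab: it is a separate file rather than the system /etc/krb5.keytab, it is owned by the account in the httpd.conf "User" line, and nobody else can read it (Douglas notes that a world-readable keytab is not used at all). The script below is an added example for this archive, not mod_auth_kerb or any poster's code: it checks those properties on a path and returns findings, and its demo creates two constructed keytab files in a temporary directory, one left at the default 0644 and one set to 0400 as in Jim's step 2, so it runs without a real Kerberos setup. The uid offset used for the "wrong owner" case is constructed for the demo.

```python
"""Added example for this list thread, not mod_auth_kerb or any poster's code:
pre-flight check of the keytab Apache will read (separate file, owned by the
Apache user, readable by that user only).  Demo files are constructed in a
temporary directory."""
import os
import stat
import tempfile

SYSTEM_KEYTAB = "/etc/krb5.keytab"   # holds the host/ keys; Apache should get its own file


def keytab_findings(path, apache_uid):
    """Return a list of problems with the keytab at `path` for httpd running as `apache_uid`."""
    findings = []
    if os.path.realpath(path) == SYSTEM_KEYTAB:
        findings.append("uses the system keytab; give Apache a separate keytab with only the HTTP key")
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return findings + ["keytab file does not exist"]
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != apache_uid:
        findings.append(f"owner uid {st.st_uid} is not the Apache uid {apache_uid}")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):     # any group/other bit: Kerberos will refuse a world-readable keytab
        findings.append(f"mode {mode:04o} grants group/other access; expected 0400")
    if not mode & stat.S_IRUSR:
        findings.append(f"mode {mode:04o} is not readable by its owner")
    return findings


def demo():
    """Constructed scenarios: a keytab left at 0644, one fixed to 0400, a wrong owner, a missing file."""
    results = {}
    me = os.getuid()
    with tempfile.TemporaryDirectory() as tmp:
        loose = os.path.join(tmp, "krb5.keytab")
        fixed = os.path.join(tmp, "http-arecord.keytab")
        for p in (loose, fixed):
            with open(p, "wb") as f:
                f.write(b"\x05\x02")          # keytab magic only; contents are irrelevant here
        os.chmod(loose, 0o644)
        os.chmod(fixed, 0o400)                # the "400" step from Jim's fix
        results["loose"] = keytab_findings(loose, me)
        results["fixed"] = keytab_findings(fixed, me)
        results["wrong-owner"] = keytab_findings(fixed, me + 1)   # constructed uid for the demo
        results["missing"] = keytab_findings(os.path.join(tmp, "none.keytab"), me)
    return results
```

Run `keytab_findings(path, pwd.getpwnam("apache").pw_uid)` (or whatever name the httpd.conf "User" line gives) against the real Krb5Keytab path before restarting Apache; an empty list is the state Jim ended up in.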
From: Martin Y. <yve...@el...> - 2013-11-01 15:57:20
Hello Douglas,

Personally, the "service account" I created for SPN and keytab generation is also used to authenticate LDAP queries...
As far as the password does not expire and is correct, I discover no troubles about it.

To sum up for Jim, here are some tasks I think about:

- if the "user account" holding the SPN and used to generate keytab is not a specific service account, it is worth to delete it and create it again...

- create a dedicated "service account" (standard account but dedicated to Kerberos SSO) in AD and create keytab

- check and clean duplicate SPNs

- do not use default location /etc/krb5.keytab but (for instance) /etc/apache2/http-arecord.keytab

- validate SPN with kinit/kvno:

$ kinit MeMyselfI
$ kvno HTTP/arecord.mysite.com

$ kdestroy
$ kinit HTTP/arecord.mysite.com
=> check password authentication with "service account" password

$ kdestroy
$ kinit -k -t /etc/apache2/http-arecord.keytab HTTP/arecord.mysite.com
=> is equivalent to the previous one but password comes from keytab

If all those diagnostic steps pass, there is no reason Apache2 cannot accept your token from your browser... Or else you have a big trouble in Apache2/mod_auth_kerb. You should provide us with details about it.

For a reason I have not found yet, a few months ago, with Debian Wheezy mod_auth_kerb 5.4-2 and DC AD 2008, I had to explicitly set "KrbServiceName HTTP/arecord.mysite.com" instead of default "HTTP" to get my system to load keytab. It no longer "guessed" expected SPN probably because our network was in a migration from one domain to another. I just checked and that trick is no longer required, defaults work.

Hope this helps
--
Yves Martin
From: Douglas E. E. <dee...@an...> - 2013-10-31 14:52:24
On 10/30/2013 10:58 PM, Jim Fisk wrote: > Hi Douglas, > > Thanks for looking at this issue as well! I've gone through and added responses below inline. > > > On Wed, Oct 30, 2013 at 10:22 AM, Douglas E. Engert <dee...@an... <mailto:dee...@an...>> wrote: > > > > On 10/29/2013 10:26 PM, Jim Fisk wrote: > > I have a setup with an Active Directory KDC, Windows 7 client workstations, and a Linux server (CentOS and Apache) outside the network with which I am trying to configure single sign on > functionality. > > I'm having trouble getting the handshake to work between the client workstation and the Apache webserver. When I go to https://cname.mysite.com/user/login/sso, I get a 500 internal server > error. I > > configured Firefox by going to "about:config" and adding "cname.mysite.com <http://cname.mysite.com> <http://cname.mysite.com>" to "network.negotiate-auth.trusted-uris" and > "network.negotiate-auth.delegation-uris". > > Minor point, usually network.negotiate-auth.delegation-uris is not set for a web server, > as it says it is OK to delegate credentials. > > Makes sense, thanks for letting me know. I noticed that the "network.negotiate-auth.delegation-uris" option wasn't doing much in terms of changing results. I'll leave it blank going forward. > > > > I figured > > I would have to configure the browser with the A Record instead of the CName, but when I do this I just get a 401 authorization required error and not much else happens (same as if I didn't > configure > > browser for kerberos at all). When the browser is configured with the CName, I get the 500 error and couple of interesting things happen: > > > > 1) If I'm on a workstation within the network, I get a ticket for the service that appears to be correct. A klist looks like this: > > > > Cached Ticket (#2 of 7) > > Client: act...@EX... <mailto:act...@EX...> <mailto:act...@EX... <mailto:act...@EX...>> > > Server: HTTP/are...@EX... <mailto:are...@EX...> <mailto:are...@EX... 
<mailto:are...@EX...>> > > KerbTicket Encryption Type: RSADSI RC4-HMAC(NT) > > Ticket Flags 0x40a00000 -> forwardable renewable pre_authent > > Start Time: 10/24/2013 15:16:14 (local) > > End Time: 10/25/2013 0:11:33 (local) > > Renew Time: 10/31/2013 14:11:33 (local) > > Session Key Type: RSADSI RC4-HMAC(NT) > > > > 2) I see the following in the Apache error logs: > > > > "GSS-API major_status:000d0000, minor_status:000186a4" which I understand to simply mean that Apache can't read the keytab file. > > > > "gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, )" which could mean the keytab has the wrong key version #, or machine password. It could also be a > > problem with the ticket cache on the workstation. > > > > I've tried to make it so Apache can read the keytab file by changing its ownership to the user that owns the httpd Apache process (chown root) and making sure that it is readable by that user > (chmod > > 400). However when I do this, the command to test if the keytab works on the webserver (kinit -k -t /etc/krb5.keytab HTTP/arecord.mysite.com <http://arecord.mysite.com> > <http://arecord.mysite.com>) no longer finishes without > > error. Instead I receive "kinit: Generic preauthentication failure while getting initial credentials". > > > > <b>Here is some additional info about our setup:</b> > > > > If I do "kinit active_directory_user" from the webserver, I get prompted for a password and when entered correctly it completes without error. I can then use "klist" to view what appears to be a > > proper ticket granting ticket (service principal = krbtgt/EXA...@EX... <mailto:EXA...@EX...> <mailto:EXA...@EX... <mailto:EXA...@EX...>>). > > > > I can then do "kvno HTTP/arecord.mysite.com <http://arecord.mysite.com> <http://arecord.mysite.com>" and I receive "HTTP/are...@EX... <mailto:are...@EX...> > <mailto:are...@EX... <mailto:are...@EX...>>: kvno = 6". 
I then check this > > against the keytab via "klist -k" and the kvno and principal match exactly. This also caches a service ticket so "klist" reveals a second ticket with HTTP/are...@EX... > <mailto:are...@EX...> > > <mailto:are...@EX... <mailto:are...@EX...>> as the service principal. > > > > Finally I test if the keytab works on the server using: "kinit -k -t /etc/krb5.keytab HTTP/arecord.mysite.com <http://arecord.mysite.com> <http://arecord.mysite.com>" and it completes without > error (unless the keytab user is > > changed to root as mentioned above). > > > > Here is the configuration of our /etc/krb5.conf file (I recently stripped this down in hopes to fix the issue): > > > > [libdefaults] > > default_realm = EXAMPLE.ORG <http://EXAMPLE.ORG> <http://EXAMPLE.ORG> > > > > [domain_realm] > > arecord.mysite.com <http://arecord.mysite.com> <http://arecord.mysite.com> = EXAMPLE.ORG <http://EXAMPLE.ORG> <http://EXAMPLE.ORG> > > > > [realms] > > EXAMPLE.ORG <http://EXAMPLE.ORG> <http://EXAMPLE.ORG> = { > > admin_server = ip address of dc/kdc > > kdc = ip address of dc/kdc > > } > > > > Our webserver uses virtual hosts to host multiple websites. So the httpd.conf file uses "include" to reference to another site specific .conf file where I added this mod_auth_kerb logic: > > > > LoadModule auth_kerb_module /path/to/modules/mod_auth_kerb.so > > <Location /user/login/sso> > > AuthType Kerberos > > KrbAuthRealms EXAMPLE.ORG <http://EXAMPLE.ORG> <http://EXAMPLE.ORG> > > KrbMethodNegotiate on > > KrbMethodK5Passwd off > > KrbServiceName HTTP/are...@EX... <mailto:are...@EX...> <mailto:are...@EX... <mailto:are...@EX...>> > > The KrbServiceName is the "service" part of a principal, name, so would only be HTTP > not the full principal name. The default is HTTP and should work. > It could also be "Any" to allow the user of any entry in the keytab. > See: http://comments.gmane.org/gmane.comp.apache.mod-auth-kerb.general/2465 > (This is most likely your problem.) 
> > > Thanks for sending that post. When Henry says: "Also make sure that Apache has its own keytab file and isn't using the system default one." Does that just mean point to the keytab file exported from > Active Directory in the Apache .conf file? > > I've tried updating the .conf file as you describe: > When I change KrbServiceName to just HTTP: > > 1) Browser error is 500 Internal Server > > 2) Apache error logs: > > [info] Subsequent (No.2) HTTPS request received for child 1 (server arecord.mysite.com:80 <http://arecord.mysite.com:80>) > > [debug] src/mod_auth_kerb.c(1628): [client <ip address>] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos > > [debug] src/mod_auth_kerb.c(1240): [client <ip address>] Acquiring creds for HT...@ar... This is normal. GSS-API uses the term <service>@<instance>. When Kerberos is the underlying GSS mechanisum this is then translated into a Kerberos Principal: <service>/<instance>@<realm> where realm is determined by the Kkerberos library, and kerb5.conf. > > [debug] src/mod_auth_kerb.c(1101): [client <ip address>] GSS-API major_status:000d0000, minor_status:000186a4 Same error message, in Hex that is 10004 > > [error] [client <ip address>] gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, ) > > [debug] ssl_engine_kernel.c(1889): OpenSSL: Write: SSL negotiation finished successfully > > The only difference I see between this and using "HTTP/arecord.mysite.com as the KrbServiceName in the .conf file is that it logs "Acquiring creds for > HT...@ar..." 
instead of "Acquiring creds for HTTP/arecord.mysite.com" - the difference being "@" vs "/" > > > When I change KrbServiceName to Any: > > 1) Browser error is 401 Authorization Required > > 2) Apache error logs: > > [info] Subsequent (No.2) HTTPS request received for child 0 (server arecord.mysite.com:80 <http://arecord.mysite.com:80>) > > [debug] src/mod_auth_kerb.c(1628): [client <ip address>] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos > > [debug] src/mod_auth_kerb.c(1385): [client <ip address>] Verifying client data using KRB5 GSS-API > [debug] src/mod_auth_kerb.c(1401): [client <ip address>] Client didn't delegate us their credential > > [debug] src/mod_auth_kerb.c(1420): [client <ip address>] GSS-API token of length 9 bytes will be sent back > > [debug] src/mod_auth_kerb.c(1101): [client <ip address>] GSS-API major_status:000d0000, minor_status:000186a1 Same error message, still can not access the keytab file. > > [error] [client <ip address>] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, ) > > > According to this: http://blog.stefan-macke.com/2011/04/19/single-sign-on-with-kerberos-using-debian-and-windows-server-2008-r2/, up until the part about the major_status / minor_status error, it > showed signs of a successful login. It seems strange that "Client didn't delegate us their credential" is part of a successful login process. That is not required. User's should be very careful about what servers they delegate credentials. The delegated credential is a full TGT for the user, in effect giving the server the user's identity and ability to authneticate ast the user to other servers. > > > Krb5Keytab /etc/krb5.keytab > > Usually you would have a separate keytab for the apache server, readable only by the apache server. > The above is used by the system, for the host/<fqdn>@<realm> keys. > (If the keytab is world readable, Kerberos will not use it.) 
> > I'm trying to understand the separate keytab for Apache. Should there have been a default keytab at /etc/krb5.keytab before I exported one from the KDC and uploaded it? Is the separate keytab for
> apache just a duplicate of the exact same keytab but in a different location?

The /etc/krb5.keytab has the host keys, used for Kerberos login at the console, or for ssh, telnet, ftp, rlogin... or any other "login" service where you use Kerberos authentication. See: pam_krb5. (PuTTY 6.1 and above is a Windows SSH client that can do GSS-API authentication to an SSHD on Linux. If the user logs in to Windows using AD, PuTTY can use the underlying Kerberos, much like the browser does. The Windows SSPI is GSS-API compatible.)

An /etc/krb5.keytab.apache would have the HTTP keys, to allow a user to authenticate to the web server. That's a lot different than a user login to the OS. So yes, they should be separate keytabs.

With AD as the KDC, the /mapuser account used for the host principal *SHOULD* be different from the /mapuser account used for the HTTP principal. So they each have a different password, and thus different keys.

> > This seems to support separate keytabs: http://www.microhowto.info/howto/add_a_host_or_service_principal_to_a_keytab_using_mit_kerberos.html, but I'm still trying to wrap my head around the concept.
> Also good to know that world readable keytabs won't be used by Kerberos.
> > > require valid-user
> > </Location>
> > > > I worked with the IT staff that maintains the Active Directory Domain Controller (the KDC in this case) to create a keytab file using ktpass:
> > > > <code>
> > ktpass /pass <password for account> /mapuser <username for account> /out c:\location\of\file\output\krb5.keytab /princ HTTP/are...@EX...
> > /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT /Target EXAMPLE.ORG
> > </code>
> > The /mapuser username is a "user" type account (but not an actual user)
> which has a UPN, and SPNs. Even though it has multiple SPNs, it has only one password that is used to generate
> tickets on the fly. If you change the password, you will need to update the keytab. (I don't think this is your problem.)
> So there is usually a one-to-one between the /mapuser and a keytab.
> > When creating the keytab, we referenced a username of an actual user from Active Directory.

This is where most people get confused. The AD account is a "user" *TYPE* account, but not an actual user. The account represents the host or the web server. Windows machines are joined to AD and use a machine account, and from a Kerberos perspective they both have a userPrincipalName, and multiple ServicePrincipalNames.

For the AD account as referred to by ktpass /mapuser, come up with a naming convention, and location in AD. The names need to be unique across the forest. Something like simpleHostName-service, or in your case: arecord-host for the host entry that ends up in /etc/krb5.keytab and arecord-HTTP that ends up in the /etc/krb5.keytab.apache

> > This user isn't used for anything besides this and for service account binding via LDAP.

You could have a separate AD account for the service account binding via LDAP.

> > The user's
> password should not be changing. Should we not have created a keytab with the username of an actual AD user? Can you tell me more detail about what this user type account is and how to create one?

This is from 1/2000, but it has the basics of Windows and Unix Kerberos interoperability: http://technet.microsoft.com/library/Bb742433 See section: "Support for Kerberos Services"

> Also Google for msktutil
> > > I was looking at this as an alternative to using ktpass to create the keytab.
> > If it's decided that the keytab is malformed, I'm definitely trying this. I've read that transferring the keytab can
> sometimes introduce problems, so a more direct method like this is a great idea.
> > > > > > I also asked them to use "setspn -q HTTP/arecord.mysite.com" on the Active Directory DC to check for duplicate SPNs and it returns
> "Existing SPN Found!" which I believe
> > means that it is okay. There are two SPN's listed however: HTTP/are...@EX... and HTTPS/are...@EX...
> > because the first time we created the keytab, we didn't realize the host (HTTP in this case) referred to a
> service class that encompasses both the HTTP and
> > HTTPS protocols.
> > > > > Things that are done:
> > -synched clocks between AD server and Apache server via NTP (Luigi The Cat's post was helpful:
> > http://community.spiceworks.com/topic/143891-possible-to-synchronize-ntp-on-a-linux-server-to-a-windows-domain-controller)
> > -had our IP provider set up a PTR record that points the webserver's IP to the A Record for the site.
> > > > Things I've tried:
> > -moving the keytab record higher up in the directory structure
> > -reinstalling mod_auth_kerb from source: http://sourceforge.net/projects/modauthkerb/files/ and according to instructions: http://modauthkerb.sourceforge.net/install.html
> > -increasing the permissions for the keytab file
> > -disabling SELinux
> > > > My setup closely resembles this Drupal issue (We're using Drupal as well): https://drupal.org/node/1777528#comment-form
> > > > I have been following advice from these guides:
> > http://www.grolmsnet.de/kerbtut/
> > http://acksyn.org/?p=460
> > > > These have been helpful for debugging errors:
> > http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.itame.doc_6.0%2Fam60_problem95.htm
> > http://blog.stefan-macke.com/2011/04/19/single-sign-on-with-kerberos-using-debian-and-windows-server-2008-r2/
> > > > Any advice is appreciated, please let me know if I need to provide additional information or test anything. Thanks so much!
> > You appear to have obfuscated many of the names. So there may be some issues with REALM name != AD DOMAIN name.
> > Yes most of the names have been changed, but I tried to be as consistent and descriptive as possible to show what these names were representing. I honestly thought the Realm and the AD Domain were
> synonymous, so thanks for pointing this out.

More or less. Kerberos principals are case sensitive; AD is not. The Kerberos realm name is upper case. So use the AD domain name as the Kerberos realm, but use it as upper case.

> > I think I'm using the realm name correctly according to this: http://technet.microsoft.com/en-us/library/cc731342(v=ws.10).aspx. Is there a way you'd like
> me to check or verify this?
> > Wireshark on the client would be helpful as it will show the unencrypted parts of the Kerberos protocols,
> including kvno and principal names.
> > I tried doing a tcpdump from the server and hitting https:cname.mysite.com/user/login/sso while it was running. Then sending the tcpdump file it created to my
> local machine via SCP and opening with Wireshark to analyze it. However, I wasn't really seeing the HTTP requests that I was looking for. This may be attributed to A) my lack of experience with
> Wireshark B) dropped packets, but I did try 3+ exports C) could the requests be hitting errors before helpful info is being captured?
> > This post had some helpful info about what to look for with Wireshark: http://comments.gmane.org/gmane.comp.apache.mod-auth-kerb.general/2642
> > Great beginners guide to tcpdump / opening in Wireshark: https://workaround.org/using-tcpdump-and-wireshark
> > When I'm back onsite I will try downloading Wireshark onto a Windows 7 workstation within the network to look at the live traffic between it and the webserver.
> > Thanks so much for all your help Douglas! You've definitely gotten me thinking in new ways to try to solve this!
> > ------------------------------------------------------------------------------
> > Android is increasing in popularity, but the open development platform that
> > developers love is also attractive to malware creators. Download this white
> > paper to learn more about secure code signing practices that can help keep
> > Android apps secure.
> > http://pubads.g.doubleclick.net/gampad/clk?id=65839951&iu=/4140/ostg.clktrk
> > _______________________________________________
> > modauthkerb-help mailing list
> > mod...@li...
> > https://lists.sourceforge.net/lists/listinfo/modauthkerb-help

--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
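To make the keytab advice in this thread concrete (a separate keytab that is not world or group readable, is owned by the Apache user, and actually holds the HTTP/<fqdn>@<REALM> entry GSS-API will look up), here is an added example written for this page. It is not code from mod_auth_kerb or from anyone in the thread. It parses the MIT keytab file format (version 0x0502) directly so it runs without krb5 libraries; the principal HTTP/arecord.mysite.com@EXAMPLE.ORG, the kvno of 3, and the all-zero key are constructed stand-ins for the thread's obfuscated names, not real values.

```python
"""Check an Apache service keytab the way mod_auth_kerb's GSS-API layer will see it.

Added example, not mod_auth_kerb code. Reads MIT keytab format v2 (0x0502)
directly; the principal, kvno and zero key used in demo() are constructed.
"""
import os
import stat
import struct
import tempfile

# Kerberos enctype numbers (RFC 3961 / RFC 4757); 23 is what ktpass /crypto RC4-HMAC-NT writes.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "arcfour-hmac"}

def _octets(b):
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b

def build_keytab(principal, kvno, enctype, key):
    """Serialise a single-entry keytab in MIT format version 2."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")                 # "HTTP/host" -> ["HTTP", "host"]
    body = struct.pack(">H", len(comps)) + _octets(realm.encode())
    for c in comps:
        body += _octets(c.encode())
    body += struct.pack(">I", 1)            # name_type KRB5_NT_PRINCIPAL
    body += struct.pack(">I", 0)            # timestamp (unused here)
    body += struct.pack(">B", kvno & 0xFF)  # 8-bit vno, truncated
    body += struct.pack(">H", enctype) + _octets(key)
    body += struct.pack(">I", kvno)         # optional 32-bit vno, full value
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] for each live entry, like klist -kt."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab (expected 0x0502 header)")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                        # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", data[pos:pos + 2])
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        pos += 8                            # skip name_type and timestamp
        kvno = data[pos]
        pos += 1
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4 + klen                     # skip the key material itself
        if end - pos >= 4:                  # 32-bit vno present: it overrides vno8
            (kvno,) = struct.unpack(">I", data[pos:pos + 4])
        pos = end
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
    return entries

def check_keytab(path, expected_principal, owner_uid):
    """Return a list of findings; an empty list means the keytab looks usable."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IROTH:                 # the keys are long-term secrets
        findings.append("world-readable (mode %o)" % mode)
    if mode & stat.S_IRGRP:
        findings.append("group-readable (mode %o)" % mode)
    if st.st_uid != owner_uid:
        findings.append("owned by uid %d, expected %d" % (st.st_uid, owner_uid))
    with open(path, "rb") as f:
        entries = parse_keytab(f.read())
    matches = [e for e in entries if e[0] == expected_principal]
    if not matches:
        have = ", ".join(e[0] for e in entries) or "none"
        findings.append("principal %s not in keytab (have: %s)" % (expected_principal, have))
    for _, kvno, enctype in matches:
        if enctype not in ENCTYPES:
            findings.append("unknown enctype %d for kvno %d" % (enctype, kvno))
    return findings

def demo():
    """Write a constructed keytab, check it under two permission settings and a wrong name."""
    principal = "HTTP/arecord.mysite.com@EXAMPLE.ORG"  # assumed name from the thread
    data = build_keytab(principal, kvno=3, enctype=23, key=b"\x00" * 16)  # placeholder key
    me = getattr(os, "getuid", lambda: 0)()
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "krb5.keytab.apache")
        with open(path, "wb") as f:
            f.write(data)
        for label, mode in (("world_readable", 0o644), ("private", 0o600)):
            os.chmod(path, mode)
            results[label] = check_keytab(path, principal, me)
        # GSS-API asks for HTTP@host even over TLS, so an HTTPS/ SPN alone never matches.
        results["wrong_principal"] = check_keytab(path, "HTTPS/arecord.mysite.com@EXAMPLE.ORG", me)
    return results
```

Run against a real file, check_keytab("/etc/krb5.keytab.apache", "HTTP/<fqdn>@<REALM>", apache_uid) reports the same three classes of problem the thread circles around: permissions that expose the key (or that the thread says Kerberos will refuse), a file not owned by the account Apache runs as, and a keytab whose entries were cut for a different principal than the HTTP/<fqdn> one the browser's ticket is encrypted to. The kvno in the listing is what to compare against the KDC after any password change on the /mapuser account.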