On 04 Feb 2015, at 21:25, Devine, Steve <s...@msu.edu> wrote:
> I have been struggling to upgrade our cosign server to cosign-3.2.0. No 
> matter what I do I can't get a ticket in /ticket - is that a function of the 
> cosignd daemon? I've tried to follow README.weblogin closely. I've checked my 
> certs and keytabs.
> When I purposely put in a bad password it errors out (differently) so I'm 
> pretty sure I'm getting authenticated, when I put in a good password I get 
> this in my apache logs:
> 
> [Wed Feb 04 21:11:43 2015] [error] [client 108.217.194.23] ticket verify 
> error for user XXX, keytab principal cosign/weblogin-1.acns.msu....@msu.edu, 
> referer:https://weblogin-1.acns.msu.edu/cosign-bin/?cosign-local&https://weblogin-1.acns.msu.edu/services

This error is generated by the CGI, not the daemon.  Using Kerberos to verify a 
password is a two-step process.  In the first step, the CGI obtains a TGT from 
the KDC.  In the second step (which is the step that's failing, here), the TGT 
is used to get a service ticket for a service that we have a keytab for: 
cosign/weblogin-1.acns.msu....@msu.edu, in this case.  So, do you have a keytab 
installed on weblogin-1.acns.msu.edu?  Is it permitted read by the ID that the 
CGI runs as?  If those are correct, you might want to verify that you can use 
the keytab to authenticate to the KDC via kinit or the like.

:wes
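
The keytab questions in the reply above (is a keytab installed, can the CGI's ID read it, does it hold the cosign principal) can be checked offline before trying kinit. The following is an added example, not part of the original thread or of cosign: the function names, principal and realm are constructed placeholders, and the parser assumes the MIT keytab file format version 0x0502.

```python
import os, stat, struct

def keytab_principals(data):
    """List principals in a version 0x0502 keytab (the keys themselves are skipped)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    found, pos = set(), 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:                      # zero length: end of entries
            break
        if size < 0:                       # negative length: deleted slot, skip it
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        off, parts = 2, []
        for _ in range(ncomp + 1):         # realm first, then each name component
            (n,) = struct.unpack_from(">H", entry, off)
            parts.append(entry[off + 2:off + 2 + n].decode())
            off += 2 + n
        found.add("/".join(parts[1:]) + "@" + parts[0])
    return found

def check_keytab(path, principal, uid, gids):
    """Return a list of problems for the CGI's uid/gids (mode bits only, no ACLs)."""
    if not os.path.isfile(path):
        return ["keytab missing: " + path]
    st, problems = os.stat(path), []
    bit = (stat.S_IRUSR if st.st_uid == uid
           else stat.S_IRGRP if st.st_gid in gids else stat.S_IROTH)
    if not st.st_mode & bit:
        problems.append("not readable by uid %d" % uid)
    if st.st_mode & stat.S_IROTH:
        problems.append("world-readable: any local user can copy the service key")
    with open(path, "rb") as fh:           # run this as a user that can read the file
        if principal not in keytab_principals(fh.read()):
            problems.append("no entry for " + principal)
    return problems

def sample_keytab(realm, *components):
    """Constructed test data: one entry with a dummy all-zero 16-byte key."""
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", len(components)) + cs(realm) + b"".join(map(cs, components))
    body += struct.pack(">IIBHH", 1, 0, 1, 17, 16) + bytes(16)  # type, time, kvno, key
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

This only inspects the file; whether the key still matches what the KDC holds is what the kinit test checks.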
_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
