Hi,

We are trying to set up an Apache server on Solaris 8 using AD authentication
through SPNEGO. For this, we are trying both mod_auth_kerb compiled against
version 1.3.6 of the MIT Kerberos libraries and mod_spnego compiled against
Krb5-1.4. Both setups return a "Decrypt integrity failure".

Having read as much documentation as we could, we tried resetting the password
and resetting the account many times with no success, every time with the
"DES only" option set.

One of the points we found weird is that, when handling the SPNEGO packet and
before returning the error, no module connects to the KDC to check anything. Is
it that the failure reading the keytab or the transmitted ticket stops the
process?

Using the client tools (kinit, klist, etc.) almost everything seems fine. We can
connect as the AD user "httpserver" smoothly. On the other hand, when trying to
use the keytab (kinit -k -t /etc/krb5.keytab HTTP/httpserver.domain.com), it
fails, returning "Kinit(v5): Key table entry not found while getting initital
credentials".

Sniffing the network shows that the KDC answers "preauthentication failed"
with the following Ethereal values:
Type : PA-ENCTYPE-INFO (11)
    Value: xxxxxx rc4-hmac des-cbc-md5 des-cbc-crc
        Encryption type : rc4-hmac
        Salt : <missing>
        Encryption type: des-cbc-md5
        Salt: <yyyy>
        Encryption type : des-cbc-crc
        Salt : <yyy>
Type : PA-ENC-TIMESTAMP (2)
    Value : missing
Type PA-PK-AS-REP (15)
    Value: missing

Do you have even the beginning of a hint on this matter? I don't understand
where the process fails in preauthentication.

TIA for your help.

Best regards,
Jérôme Walter
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos