Hi All.... Here's a hopefully easy one to be fielded.

So I have a KDC... let's call him kdc.fqdn-example.com, for a realm suitably named realm.non-fqdn-example.com.
And let's say I have a box called smellybox.fqdn-example.com.


Now I generated principals for smellybox on the kdc.... as follows.

host/[EMAIL PROTECTED]
HTTP/[EMAIL PROTECTED]

So I kinit... these guys work... swell....

hop into ktutil...

rkt /etc/example.keytab
list  (looks good to me)
wkt /home/user/shiptosmellybox.keytab

Then I scp that keytab to smellybox....

hop onto smellybox...

ktutil
rkt /home/user/shiptosmellybox.keytab
list (still there yay!)
wkt /etc/example.keytab

Sweet.

kinit... works... pimp.

Try to auth to mod_auth_kerb... and....

/var/log/krb5kdc.log reports

Mar 24 15:36:26 kdc.fqdn-example.com krb5kdc[2367](info): DISPATCH: repeated (retransmitted?) request from 10.0.0.234 port 88, resending previous response
Mar 24 15:36:26 kdc.fqdn-example.com krb5kdc[2367](info): TGS_REQ (3 etypes {16 3 1}) 10.0.0.234(88): ISSUE: authtime 1111696586, etypes {rep=1 tkt=1 ses=1}, [EMAIL PROTECTED] for HTTP/[EMAIL PROTECTED]


Looks good ...But...

/var/log/httpd/error.log-smellybox.fqdn-example.com

reads....

[Thu Mar 24 15:51:36 2005] [error] [client 10.0.0.107] gss_accept_sec_context() failed: A token was invalid (Token header is malformed or corrupt)

* This is probably SPNEGO related Bunk.

[Thu Mar 24 15:51:42 2005] [error] [client 10.0.0.107] failed to verify krb5 credentials: Key version number for principal in key table is incorrect
[Thu Mar 24 15:51:42 2005] [error] [client 10.0.0.107] failed to verify krb5 credentials: Key version number for principal in key table is incorrect
[Thu Mar 24 15:51:42 2005] [error] [client 10.0.0.107] failed to verify krb5 credentials: Key version number for principal in key table is incorrect


Now someone want to tell me how something in this setup managed to fail to verify a key version?
Anyone at all.... I am thinking I made a stupid mistake... I am just not seeing it.


-Matt Joyce
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
