In your krb5 config you use
       sx86qa2.hyd.de.com = DE.COM
but the server wants deshaw.com, not de.com!
   HTTP/[EMAIL PROTECTED]

You need an entry for hyd.deshaw.com in your config file, or change your
hostname to hyd.de.com. Also, which key is in your keytab?
Can you do a kinit -k -t keytab_file HTTP/[EMAIL PROTECTED]
or kinit -k -t keytab_file HTTP/[EMAIL PROTECTED]?

Regards
Markus

<[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
> Hi
>
> I am running Apache (2.0.52) on Sol-10 (x86) and am using mod_auth_kerb
> for Kerberos authentication.
>
> I have correctly generated the keytab file for the host following the
> details at http://www.grolmsnet.de/kerbtut/,
> but on looking at the logs, it shows me that Apache/mod_auth_kerb is
> getting creds for a different principal instead of the one mentioned in
> /etc/krb5/krb5.conf.
> What could be wrong here?
>
> my /etc/krb5/krb5.conf
> ===========
> [EMAIL PROTECTED]:/etc/apache2> cat /etc/krb5/krb5.conf
> #
> # Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
> # Use is subject to license terms.
> #
> # ident "@(#)krb5.conf  1.3     04/03/25 SMI"
> #
>
> # krb5.conf template
> # In order to complete this configuration file
> # you will need to replace the __<name>__ placeholders
> # with appropriate values for your network.
> #
> [libdefaults]
>        default_realm = DE.COM
>
> [realms]
>        DESHAW.COM = {
>                kdc = dchyd1.hyd.de.com
>                admin_server = dchyd1.hyd.de.com
>        }
>
> [domain_realm]
>        sx86qa2.hyd.de.com = DE.COM
>
> [logging]
>        default = FILE:/var/krb5/kdc.log
>        kdc = FILE:/var/krb5/kdc.log
>
>
> =========================
> Logs in the apache at /
>
> [EMAIL PROTECTED]:/etc/apache2> sudo tail -f /var/apache2/logs/error_log
> [Fri Sep 30 13:03:04 2005] [debug] src/mod_auth_kerb.c(1322): [client
> 149.77.165.65] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Fri Sep 30 13:03:04 2005] [debug] src/mod_auth_kerb.c(1023): [client
> 149.77.165.65] Acquiring creds for
> HTTP/[EMAIL PROTECTED]
> [Fri Sep 30 13:03:04 2005] [error] [client 149.77.165.65]
> gss_acquire_cred() failed: Miscellaneous failure (No principal in
> keytab matches desired name)
>
>
> Instead of DE.COM, it is going for HYD.DE.COM. It is confusing me.
> can someone please throw light on this and possibly direct me to the
> correct answer ?
>
> Regards,
> Nikhil
>
> ________________________________________________
> Kerberos mailing list           [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
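
The realm lookup discussed in this thread, as an added example that is not part of either message and is not the Kerberos library's own code: a simplified model of the `[domain_realm]` rules (exact host entry, then `.domain` entries, then the upper-cased domain part as fallback), run over an excerpt of the posted config. The hostname `sx86qa2.hyd.deshaw.com`, the `.hyd.deshaw.com = DESHAW.COM` entry and the function names are assumptions made for illustration, since the real hostname is redacted on this page.

```python
import re

# Excerpt of the krb5.conf quoted in the post (only the sections used here).
KRB5_CONF = """
[libdefaults]
       default_realm = DE.COM

[domain_realm]
       sx86qa2.hyd.de.com = DE.COM
"""

def parse_domain_realm(conf_text):
    """Return the [domain_realm] section as {lower-cased name: realm}."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "domain_realm" and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            mapping[name.lower()] = realm
    return mapping

def host_realm(fqdn, mapping):
    """Exact host entry first, then '.domain' entries from most to least
    specific; with no match, fall back to the upper-cased domain part."""
    host = fqdn.lower().rstrip(".")
    if host in mapping:
        return mapping[host], "host entry"
    labels = host.split(".")
    for i in range(1, len(labels)):
        domain = "." + ".".join(labels[i:])
        if domain in mapping:
            return mapping[domain], "domain entry " + domain
    return ".".join(labels[1:]).upper(), "fallback (upper-cased domain)"

def service_principal(service, fqdn, mapping):
    """Principal name a server would look for in its keytab for this host."""
    return f"{service}/{fqdn.lower()}@{host_realm(fqdn, mapping)[0]}"

if __name__ == "__main__":
    mapping = parse_domain_realm(KRB5_CONF)
    # Constructed hostnames: the one in the config, and a hypothetical FQDN
    # in the domain the reply says the server is actually using.
    for fqdn in ("sx86qa2.hyd.de.com", "sx86qa2.hyd.deshaw.com"):
        print(service_principal("HTTP", fqdn, mapping), host_realm(fqdn, mapping)[1])
    mapping[".hyd.deshaw.com"] = "DESHAW.COM"  # assumed form of the missing entry
    print(service_principal("HTTP", "sx86qa2.hyd.deshaw.com", mapping))
```

The principal printed for the host must match an entry shown by `klist -k` on the keytab; when the fallback branch is taken, the realm comes from the hostname rather than from the config file.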