Hello, this is the same setup as in my previous post from this month, but this time I'm using heimdal-clients. I have removed all of the MIT packages that I had installed: krb5-user, krb5-clients.

I have a virtual network configured to use Kerberos authentication. The setup is as follows:

- Windows Server 2008 Standard SP2 (DC, DNS), FQDN labserver.lab.com
- Debian Linux 5.0 (lenny) (web server, Apache), FQDN debian.lab.com
- Windows XP Prof. (client), FQDN zdravko.lab.com

[Windows Server 2008 Settings]

They are in the DNS lookup zone. I created one test user account for accessing the client machine under the given domain (lab.com). The user name is "zdravko1"; its password never expires, and it's not going to be prompted for changing. After that I created one "dummy" user which will be used for the SPN (service principal name) mapping to it. It's called "http" and the same flags are used as in "zdravko1":

- User cannot change password
- Password never expires
- This account supports AES 256 bit encryption

I continued with creating the keytab file:

    c:\>ktpass /princ HTTP/[email protected] /mapuser [email protected] /pass Debian26 /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /out http.keytab
    Keytab version: 0x502
    keysize 78 HTTP/[email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x12 (AES256-SHA1) keylength 32 (0x......)

The keytab is successfully created and I have checked it with the following command:

    c:\>setspn -L http

I have the service principal name HTTP/debian.lab.com registered to it. I copied the "http.keytab" file via pscp to the Debian box into the /etc/apache2/keytab/ directory.

[Debian 5.0 Settings]

In the /etc/hosts file in Debian I've deleted the "127.0.0.1" line and replaced it with:

    192.168.100.103 debian.lab.com debian

192.168.100.103 is the Linux box's IP. In the /etc/resolv.conf file I have made the following changes:

    domain lab.com
    search lab.com
    nameserver 192.168.100.102

192.168.100.102 is the DNS's IP.

The package versions are the following: heimdal-clients 1.2.dfsg.1-2.1; libapache2-mod-auth-kerb 5.3-5.

The following lines are from /etc/krb5.conf:

    [libdefaults]
        default_realm = LAB.COM
        default_tgs_enctypes = aes256-cts-hmac-sha1-96
        default_tkt_enctypes = aes256-cts-hmac-sha1-96
        permitted_enctypes = aes256-cts-hmac-sha1-96
    [realms]
        LAB.COM = {
            kdc = 192.168.100.102
            admin_server = 192.168.100.102
        }
    [domain_realm]
        .lab.com = LAB.COM
        lab.com = LAB.COM
    [login]
        krb4_convert = true
        krb4_get_tickets = false

The following lines are from /etc/apache2/sites-enabled/000-default:

    <VirtualHost *:80>
        ServerAdmin webmas...@localhost
        DocumentRoot
        <Directory /var/www/>
            AuthType Kerberos
            KrbMethodNegotiate on
            KrbMethodK5Passwd off
            KrbAuthRealms LAB.COM
            Krb5Keytab /etc/apache2/keytab/http.keytab
            KrbVerifyKDC on
            KrbServiceName Any
            AuthName "Kerberos Login"
            Require valid-user
            Options FollowSymLinks
            AllowOverride None
        </Directory>

I did testing in Debian with "kinit" and "klist -v":

    *[debian:/]kinit zdravko1*
    [email protected]'s Password: Debian26

    *[debian:/]klist*
    Credentials cache: FILE:/tmp/krb5cc_0
            Principal: [email protected]

      Issued           Expires          Principal
    Aug 27 11:53:02  Aug 27 21:53:01  krbtgt/LAB.COM@LAB.COM

    *[debian:/]klist -v*
    Credentials cache: FILE:/tmp/krb5cc_0
            Principal: [email protected]
        Cache version: 4

    Server: krbtgt/LAB.COM@LAB.COM
    Client: [email protected]
    Ticket etype: aes256-cts-hmac-sha1-96, kvno 2 (why is this 2, when upon creation with the "ktpass" command the kvno was 3?!?)
    Ticket length: 977
    Auth time:  Aug 27 12:06:34 2010
    End time:   Aug 27 22:06:24 2010
    Ticket flags: initial, pre-authenticated
    Addresses: addressless

I'm logged in as root; the keytab file is readable by root, and so is the Apache process. After I log into my client machine (XP) with the "zdravko1" user, I set up IExplorer using Achim's tutorial (http://www.grolmsnet.de/kerbtut/). The error that occurs when I try to access http://debian.lab.com is Authorization Required (401). The kerbtray activated on my client shows that the tickets that are received from the server are encrypted with ArcFour (RC4) encryption and that the etype=0. Nothing matches my setup. There is no trace of the AES256-SHA1 encryption mechanism. The Apache /var/log/apache2/error.log writes the following lines:

    [debug] src/mod_auth_kerb.c(1579): [client 192.168.100.126] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [debug] mod_deflate.c(615): [client 192.168.100.126] Zlib: Compressed 594 to 399 : URL /
    [debug] src/mod_auth_kerb.c(1579): [client 192.168.100.126] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [debug] src/mod_auth_kerb.c(1407): [client 192.168.100.126] Verifying client data using KRB5 GSS-API
    [debug] src/mod_auth_kerb.c(1423): [client 192.168.100.126] Verification returned code 851968
    [error] [client 192.168.100.126] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (Key table entry not found)
    [debug] mod_deflate.c(615): [client 192.168.100.126] Zlib: Compressed 594 to 399 : URL /

So... I have two questions: Why does the TGT have a key version number (kvno) different from the keytab file that I created (2 != 3)? And is this the reason for the above output from the error.log?

Regards.

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
