On 17 February 2011 04:34, Dream Soul <[email protected]> wrote: > 192.168.53.143] Trying to verify authenticity of KDC using principal > HTTP/[email protected] > [Mon Feb 14 14:18:38 2011] [debug] src/mod_auth_kerb.c(652): [client > 192.168.53.143] krb5_rd_req() failed when verifying KDC > [Mon Feb 14 14:18:38 2011] [error] [client 192.168.53.143] failed to > verify krb5 credentials: Bad encryption type > [Mon Feb 14 14:18:38 2011] [debug] src/mod_auth_kerb.c(1073): [client > 192.168.53.143] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) > authtype=(NULL) > [Mon Feb 14 14:18:38 2011] [debug] mod_deflate.c(615): [client > 192.168.53.143] Zlib: Compressed 484 to 327 : URL /index.php > > > I know that is encryption problem but where to fix ???
Bad encryption type in my experience can mean various things : from incorrect password, incorrect kvno, incorrect entry etc... First I'd check that the kvno of the principals stored on the KDC match the one you put in the keytab used by apache. Also check your DNS entries to make sure both forward and reverse entry point to the same machine With mod_auth_kerb and depending on the web browser the client used, the principal used may also vary, especially if using virtual host , or if the name of the web service is different to the name of the machine. For example I have a machine called server4.domain.com ; it runs a web service intranet.domain.com I found that depending on the web browser ; sometimes it would use HTTP/intranet.domain.com and sometimes HTTP/server4.domain.com ; so I had to have both in the keytab as well as on the kdc. Hope that helps JY ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
