Hi, I've been trying to get our load balanced apache web servers to do kerberos authentication. I've got everything working in a single server environment with no load balancer, but when I duplicate the config in the load balanced environment (using one web server for simplicity), mod_auth_kerb comes back with the following:

    gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key table entry not found)

But I haven't been able to determine *which* key table entry it's looking for. I have LogLevel set to debug, and have run apache under strace, that didn't reveal anything useful.

This is how we've set it up:

* Load balancer IP address (VIP) fqdn: vip5.mydomain.com
* Single host behind load balancer: host1.mydomain.com
* Created an AD user account for the load balancer IP address (vip5)
* Two SPNs associated with the account:
    HOST/[email protected]
    HTTP/[email protected]
* Keytabs for these two SPNs exported to apache web server and appropriately installed: HTTP to mod_auth_kerb's keytab, HOST and HTTP to the system keytab.

The most likely explanation (considering that the same mod_auth_kerb configuration works in a single-server setup) is that it's searching for:

    HTTP/[email protected]

With this in mind, I reconfigured the OS so that 'hostname -f' returned the fqdn of the VIP (vip5.mydomain.com), but that didn't help.

I'm about to get our AD team to start making keytabs for the individual web hosts, but I was wondering if there is any way to find out for certain what apache is searching for?

Also, I'd appreciate any input if for any reason you think this approach is inadvisable.

Many thanks,

Simon.

--
P.S. For completeness, my mod_auth_kerb directives look like this:

    AuthName "Kerberos Login"
    AuthType Kerberos
    Krb5Keytab /opt/apache/conf/vip5http.keytab
    KrbAuthRealms MYDOMAIN.COM
    KrbServiceName HTTP/[email protected]
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    KrbSaveCredentials on
    Require valid-user

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
