Hi,

The user did not run kinit, because when a user accesses the website it prompts the user to input a Kerberos username/password. On the web server, kinit works well.

Do you have any idea? Thanks.

On Tue, Jun 25, 2013 at 2:29 AM, Benjamin Kaduk <[email protected]> wrote:
> On Mon, 24 Jun 2013, Lee Eric wrote:
>
>> Hi,
>>
>> I use mod_auth_kerb in Apache for SSO. Here are the auth_kerb.conf contents.
>>
>> LoadModule auth_kerb_module modules/mod_auth_kerb.so
>>
>> <Location /opendcim>
>> SSLRequireSSL
>> AuthType Kerberos
>> AuthName "Kerberos Login"
>> KrbMethodNegotiate On
>> KrbMethodK5Passwd On
>> KrbAuthRealms FOOBAR.COM
>> KrbVerifyKDC On
>> Krb5KeyTab /etc/httpd/HTTP-ibm-x3250m3-2.foobar.com.keytab
>> require valid-user
>> </Location>
>>
>> And here's /etc/krb5.conf:
>>
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> default_realm = FOOBAR.COM
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>> ticket_lifetime = 24h
>> forwardable = yes
>>
>> [realms]
>> FOOBAR.COM = {
>> kdc = kerberos.foobar.com:88
>> admin_server = kerberos.foobar.com:749
>> }
>>
>> [domain_realm]
>> foobar.com = FOOBAR.COM
>> .foobar.com = FOOBAR.COM
>>
>> [appdefaults]
>> pam = {
>> debug = false
>> ticket_lifetime = 36000
>> renew_lifetime = 36000
>> forwardable = true
>> krb4_convert = false
>> }
>>
>> foobar.com is a pseudo domain name in my testing env. When the user
>> accesses foobar.com/opendcim it will prompt a username and password
>> window. However, after the user's input it will prompt that window again.
>> I checked the log in ssl_error_log and found the following details.
>>
>> [Mon Jun 24 12:29:24 2013] [error] [client 192.168.122.6]
>> krb5_get_init_creds_password() failed: Cannot contact any KDC for
>> requested realm
>>
>> But the user can get his principal on the server by kinit w/o any issue.
>
>
> Is the user running kinit on the machine hosting foobar.com/opendcim, or
> some other machine? If they are different machines, the kinit success does
> not say very much; it is the webserver machine which is failing to contact
> the KDC.
>
> -Ben Kaduk

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
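The error in the thread comes from libkrb5 on the web server, and with dns_lookup_kdc = false that library can only find a KDC through the [realms] entry in the web server's own /etc/krb5.conf. The script below is an added example, not code from the thread or from mod_auth_kerb: it parses the [realms] section of a krb5.conf and attempts a TCP connection to each KDC listed, so it can be run on the web server itself to confirm or rule out the reachability problem Ben points at. The sample config is a constructed copy of the realm block quoted above, and the probe assumes the KDC accepts TCP on the listed port, which an MIT krb5 KDC does by default.

```python
"""Added diagnostic: parse krb5.conf [realms] and probe each KDC from this host."""
import re
import socket

# Constructed sample: the realm definition quoted in the thread above.
SAMPLE_KRB5_CONF = """
[realms]
 FOOBAR.COM = {
  kdc = kerberos.foobar.com:88
  admin_server = kerberos.foobar.com:749
 }
"""

def parse_kdcs(conf_text):
    """Return {realm: [(host, port), ...]}; a kdc with no port gets the default 88."""
    kdcs, section, realm = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
        elif section != "realms":
            continue
        elif re.match(r"[\w.\-]+\s*=\s*\{$", line):   # "REALM = {" opens a block
            realm = line.split("=", 1)[0].strip()
            kdcs.setdefault(realm, [])
        elif line == "}":
            realm = None
        elif realm is not None:
            key, _, value = (p.strip() for p in line.partition("="))
            if key == "kdc":
                host, _, port = value.partition(":")
                kdcs[realm].append((host, int(port) if port else 88))
    return kdcs

def kdc_reachable(host, port, timeout=3.0):
    """True if a TCP connect to host:port succeeds (MIT KDCs serve TCP and UDP 88)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:                                  # refused, unreachable, timeout, DNS
        return False

def check_realm(conf_text, realm):
    """List (host, port, reachable) for every KDC configured for the realm."""
    return [(h, p, kdc_reachable(h, p)) for h, p in parse_kdcs(conf_text).get(realm, [])]

# Usage on the web server: check_realm(open("/etc/krb5.conf").read(), "FOOBAR.COM")
```

A KDC reported as unreachable (or a hostname that does not resolve from the web server) reproduces exactly the condition behind "Cannot contact any KDC for requested realm", independent of whether kinit works on some other machine.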
