Problem: You are trying to configure mod_auth_kerb. When you access a page that requires Kerberos auth with IE, a popup asking for password appears. In Apache error log (after raising LogLevel to debug), you can see the following messages appearing:
[debug] src/mod_auth_kerb.c(1101): [client nnn.nnn.nnn.nnn] GSS-API major_status:000d0000, minor_status:96c73ae6
[error] [client nnn.nnn.nnn.nnn] gss_accept_sec_context() failed: Miscellaneous failure (, Unknown code)
Solution: Check that the kvno (key version number) stored in your keytab matches the kvno reported by the kvno command. You can view kvno from keytab using
klist -Kekt /path/to/keytab
Compare this against
kvno HTTP/your.server.com
The kvno command only works after a successful authentication with kinit.
You can recreate your keytab with the expected kvno (in the example below: 3) using ktutil:
add_entry -password -p HTTP/your.server.com@YOURDOMAIN.COM -k 3 -e RC4-HMAC
wkt /path/to/newkeytab
No comments:
Post a Comment