
gss_acquire_cred() failed


Nicolas Jaunet

Jun 14, 2010, 5:04:19 AM
to kerb...@mit.edu
Hi!

I installed mod_auth_kerb on my Debian server and created a keytab to
authenticate using Kerberos on a web site with Apache Tomcat.
I created a user in my KDC.
To check, I did this:

debian-server# klist -k krb5.keytab
Keytab name: FILE:krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 HTTP/doma...@DOMAIN.FR


And the file /etc/apache2/kerberos.conf:

AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
KrbVerifyKDC off
KrbMethodK5Passwd off
KrbAuthRealms DOMAIN.FR
Krb5KeyTab /etc/apache2/krb5.keytab
require valid-user


When I try to connect to my web site at http://domain.fr,
I get a 500 Internal Server Error and the error.log file shows me this error:

gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide
more information (No principal in keytab matches desired name)

Can someone help me?
Thanks.

Vlad

Jun 14, 2010, 1:43:02 PM
Nicolas,

The reason you are getting this message is that mod_auth_kerb
could not find the entry that matches your server name in the keytab.
You have to set it using the KrbServiceName directive, like this:


KrbServiceName HTTP/domain..@DOMAIN.FR


Vlad

On Jun 14, 5:04 am, Nicolas Jaunet <nicolas.jau...@gmail.com> wrote:
> Hi !
>
> I installed mod_auth_kerb on my debian server and create a keytab to
> authenticate thanks to kerberos on a web site with apache tomcat.
> I created a user in my kdc.
> To check I did that :
>
> debian-server# klist -k krb5.keytab
> Keytab name: FILE:krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    3 HTTP/domain...@DOMAIN.FR
>
> And the file /etc/apache2/kerberos.conf :
>
> AuthType Kerberos
> AuthName "Kerberos Login"
> KrbMethodNegotiate on
> KrbVerifyKDC off
> KrbMethodK5Passwd off
> KrbAuthRealms DOMAIN.FR
> Krb5KeyTab /etc/apache2/krb5.keytab
> require valid-user
>
> When I try to connect my web site with http://domain.fr

Richard E. Silverman

Jun 14, 2010, 3:19:03 PM
>>>>> "Vlad" == Vlad <vlad...@gmail.com> writes:

Vlad> Nicolas, The reason you are getting this message is because the
Vlad> mod_auth_kerb could not find the entry that matches your server
Vlad> name in the keytab, you have to set it using KrbServiceName
Vlad> directive like this:


Vlad> KrbServiceName HTTP/domain..@DOMAIN.FR

Or you can use "KrbServiceName Any", but this will only help if name
services are configured such that clients will get matching tickets to
begin with.

Vlad> Vlad

Vlad> On Jun 14, 5:04 am, Nicolas Jaunet <nicolas.jau...@gmail.com> wrote:
>> Hi !
>>
>> I installed mod_auth_kerb on my debian server and create a keytab
>> to authenticate thanks to kerberos on a web site with apache
>> tomcat. I created a user in my kdc. To check I did that :
>>
>> debian-server# klist -k krb5.keytab Keytab name: FILE:krb5.keytab
>> KVNO Principal ----
>> --------------------------------------------------------------------------
>>    3 HTTP/domain...@DOMAIN.FR
>>
>> And the file /etc/apache2/kerberos.conf :
>>
>> AuthType Kerberos AuthName "Kerberos Login" KrbMethodNegotiate on
>> KrbVerifyKDC off KrbMethodK5Passwd off KrbAuthRealms DOMAIN.FR
>> Krb5KeyTab /etc/apache2/krb5.keytab require valid-user
>>
>> When I try to connect my web site with http://domain.fr I have a 500
>> Internal Server Error and the error.log file show me this error :
>>
>> gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may
>> provide more information (No principal in keytab matches desired
>> name)
>>
>> Someone can help me ? Thanks.


--
Richard Silverman
r...@qoxp.net
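
An added example, not part of the original thread: a shell check that compares `klist -k` output with the principal the web server is expected to use, which is the mismatch reported as "No principal in keytab matches desired name". The sample listing, the names www.example.test and EXAMPLE.TEST, and the assumption that the desired name has the form SERVICE/host@REALM are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): compare `klist -k` output with the
# service principal the web server is expected to accept tickets for.

# Constructed sample of `klist -k` output; all names are placeholders.
SAMPLE_KLIST='Keytab name: FILE:/etc/apache2/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   3 HTTP/WWW.example.test@EXAMPLE.TEST
   3 host/www.example.test@EXAMPLE.TEST'

# Print each principal found on stdin, one per line. The principal is the
# first field after the KVNO that contains "@", so `klist -kt` and
# `klist -ke` output (extra timestamp or enctype columns) also parses.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ {
             for (i = 2; i <= NF; i++) if ($i ~ /@/) { print $i; break }
         }' | sort -u
}

# check_keytab SERVICE HOST REALM  (klist output on stdin)
# Prints: match | case-mismatch:<entry> | missing
check_keytab() {
    want="$1/$2@$3"   # assumed form of the desired name
    entries=$(keytab_principals)
    if printf '%s\n' "$entries" | grep -Fxq -- "$want"; then
        echo "match"
        return 0
    fi
    # Principal names are case-sensitive, so a keytab entry that differs
    # only in letter case does not satisfy the lookup.
    near=$(printf '%s\n' "$entries" | grep -Fxi -- "$want" | head -n 1)
    if [ -n "$near" ]; then
        echo "case-mismatch:$near"
    else
        echo "missing"
    fi
    return 1
}

# Demo on the constructed sample; on a real host pipe in `klist -k <keytab>`.
printf '%s\n' "$SAMPLE_KLIST" | check_keytab HTTP www.example.test EXAMPLE.TEST || true
```

A result of `missing` or `case-mismatch` means the keytab has to be regenerated for the name clients actually request, or the server has to be pointed at an existing entry with KrbServiceName as described above.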

Nicolas Jaunet

Jun 16, 2010, 2:35:53 AM
to kerb...@mit.edu
Hello Vlad and Richard!

I followed your instructions, but now I have a new error in the logs:
gss_accept_sec_context() failed: Invalid token was supplied (No error)

And my site returns a 401 error AUTHORIZATION REQUIRED.
What is missing?
Thanks again.

Nicolas.


2010/6/14 Richard E. Silverman <r...@qoxp.net>

> ________________________________________________
> Kerberos mailing list Kerb...@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
