Apache not finding the Kerberos principal in keytab file


Issuing klist purge on the client Windows computer resolved the kvno issue.



Author: Morten Nilsen

Updated on September 18, 2022

Comments

  • Morten Nilsen (over 1 year ago)

    The virtual host has been configured with these options:

    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbAuthRealms EXAMPLE.COM
    KrbAuthoritative On
    KrbServiceName HTTP/[email protected]
    Krb5KeyTab /path/to/krb/site.keytab
    require valid-user
    

    The site.keytab is readable by Apache and contains a valid principal:

    root@pa2# klist -k /path/to/krb/site.keytab
    Keytab name: FILE:/path/to/krb/site.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
      13 HTTP/[email protected] (des-cbc-crc)
      13 HTTP/[email protected] (des-cbc-md5)
      13 HTTP/[email protected] (arcfour-hmac)
      13 HTTP/[email protected] (aes256-cts-hmac-sha1-96)
      13 HTTP/[email protected] (aes128-cts-hmac-sha1-96)
    root@pa2# kvno -k /path/to/krb/site.keytab HTTP/[email protected]
    HTTP/[email protected]: kvno = 13, keytab entry valid
    

    But when I try to access the site, I get this error in the Apache error log:

    [Mon Mar 21 10:30:37.846616 2016] [auth_kerb:error] [pid 11217] [client ...:60195]
    gss_accept_sec_context() failed: Unspecified GSS failure.
    Minor code may provide more information
    (, Cannot find key for HTTP/[email protected] kvno 5 in keytab)
    

    The current kvno is indeed not 5.

    • Morten Nilsen (about 8 years ago)
      It turns out I had the wrong IP for the vhost, but I still get an error; updating the question with the new log message.
    • Morten Nilsen (about 8 years ago)
      If I create a new keytab with just an arcfour-hmac or an aes128-cts-hmac-sha1-96 key, I get "no key table entry found for HTTP/[email protected]", but if I create one with ALL, I get the kvno 5 in the log above.
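Added worked example, not code from the question or the answer above. The answer's fix (klist purge on the Windows client) works because the client was replaying a cached service ticket issued under key version 5, while the keytab only holds version 13. The same "Cannot find key for ... kvno N in keytab" message also appears in the opposite situation, where the KDC has rotated the key and the keytab is the stale side, and the fix there is to regenerate the keytab rather than purge the client. The script below parses a klist -k listing and an Apache error_log line and says which side is stale. The klist -k text and the log line are constructed samples modelled on the question (kvno 13 in the keytab, kvno 5 in the ticket); the host name www.example.com is a placeholder, since the real one is not shown on the page, and the verdict names are this example's own.

```python
"""Classify a mod_auth_kerb "Cannot find key for ... kvno N in keytab" failure.

Added example, not code from the original post.  It compares the key
version the client's ticket was issued under (from the Apache error_log)
with the key versions present in the server keytab (from `klist -k`):

  * ticket kvno < newest keytab kvno -> client is replaying a cached ticket
    issued under an old key; purge its ticket cache (Windows: klist purge).
  * ticket kvno > newest keytab kvno -> the KDC has rotated the key since the
    keytab was written; regenerate the keytab.
  * ticket kvno present in keytab  -> not a key-version problem; look at
    enctypes instead.
"""
import re
from collections import defaultdict

# --- constructed sample inputs (host name is a placeholder) ----------------
# Modelled on the klist -k listing in the question: kvno 13, five enctypes.
KLIST_K_OUTPUT = """\
Keytab name: FILE:/path/to/krb/site.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  13 HTTP/www.example.com@EXAMPLE.COM (des-cbc-crc)
  13 HTTP/www.example.com@EXAMPLE.COM (des-cbc-md5)
  13 HTTP/www.example.com@EXAMPLE.COM (arcfour-hmac)
  13 HTTP/www.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
  13 HTTP/www.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
"""

# Modelled on the error_log line in the question: the ticket carries kvno 5.
APACHE_ERROR_LOG = """\
[Mon Mar 21 10:30:37.846616 2016] [auth_kerb:error] [pid 11217] [client 192.0.2.10:60195] gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information (, Cannot find key for HTTP/www.example.com@EXAMPLE.COM kvno 5 in keytab)
"""

# "  13 HTTP/host@REALM (enctype)" -> kvno, principal, enctype
KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")
# the kvno the client's ticket was issued under, as reported by GSSAPI
GSS_NO_KEY = re.compile(r"Cannot find key for (\S+) kvno (\d+) in keytab")


def parse_klist_k(text):
    """Parse `klist -k` output into {principal: {kvno: set(enctype)}}."""
    keys = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = KLIST_ENTRY.match(line)
        if m:
            kvno, principal, enctype = int(m.group(1)), m.group(2), m.group(3)
            keys[principal][kvno].add(enctype)
    return keys


def parse_gss_no_key(text):
    """Return (principal, kvno) from the first 'Cannot find key' line, or None."""
    for line in text.splitlines():
        m = GSS_NO_KEY.search(line)
        if m:
            return m.group(1), int(m.group(2))
    return None


def diagnose(klist_text, log_text):
    """Return (verdict, detail) for the first kvno error found in the log."""
    hit = parse_gss_no_key(log_text)
    if hit is None:
        return "no-kvno-error", "log contains no 'Cannot find key ... kvno' line"
    principal, ticket_kvno = hit
    keys = parse_klist_k(klist_text)
    if principal not in keys:
        return "principal-missing", f"{principal} is not in the keytab at all"
    newest = max(keys[principal])
    if ticket_kvno in keys[principal]:
        return "kvno-present", (
            f"keytab has kvno {ticket_kvno}; not a key-version mismatch, check "
            f"enctypes: {sorted(keys[principal][ticket_kvno])}")
    if ticket_kvno < newest:
        return "stale-client-ticket", (
            f"ticket kvno {ticket_kvno} < keytab kvno {newest}: client is using a "
            "cached ticket issued under an old key; purge the client ticket cache "
            "(Windows: klist purge)")
    return "stale-keytab", (
        f"ticket kvno {ticket_kvno} > keytab kvno {newest}: the KDC has rotated "
        "the key; regenerate the keytab")


if __name__ == "__main__":
    verdict, detail = diagnose(KLIST_K_OUTPUT, APACHE_ERROR_LOG)
    print(f"{verdict}: {detail}")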