Apache not finding the kerberos principal in keytab file
Issuing klist purge on the client Windows computer resolved the kvno issue.
Author: Morten Nilsen
Updated on September 18, 2022
Comments
- Morten Nilsen, over 1 year ago:
The virtual host has been configured with these options:
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbAuthRealms EXAMPLE.COM
    KrbAuthoritative On
    KrbServiceName HTTP/[email protected]
    Krb5KeyTab /path/to/krb/site.keytab
    require valid-user
The site.keytab is readable by Apache and contains a valid principal:
    root@pa2# klist -k /path/to/krb/site.keytab
    Keytab name: FILE:/path/to/krb/site.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
      13 HTTP/[email protected] (des-cbc-crc)
      13 HTTP/[email protected] (des-cbc-md5)
      13 HTTP/[email protected] (arcfour-hmac)
      13 HTTP/[email protected] (aes256-cts-hmac-sha1-96)
      13 HTTP/[email protected] (aes128-cts-hmac-sha1-96)
    root@pa2# kvno -k /path/to/krb/site.keytab HTTP/[email protected]
    HTTP/[email protected]: kvno = 13, keytab entry valid
But when I try to access the site, I get this error in the Apache error log:
    [Mon Mar 21 10:30:37.846616 2016] [auth_kerb:error] [pid 11217] [client ...:60195] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Cannot find key for HTTP/[email protected] kvno 5 in keytab)
The current kvno is indeed not 5.
- Morten Nilsen, about 8 years ago:
It turns out I had the wrong IP for the vhost, but I still get an error; updating the question with the new log message.
- Morten Nilsen, about 8 years ago:
If I create a new keytab with just an arcfour-hmac or an aes128-cts-hmac-sha1-96 key, I get "no key table entry found for HTTP/[email protected]", but if I create one with ALL, I get the kvno 5 in the log above.