SSO with Apache and Kerberos issues
If I'm interpreting the error right, I think it means that you have an old version of a key in /etc/apache2/httpd.keytab. Every time the key is changed for a Kerberos principal via kadmin, the version number is incremented and older versions of that key are invalidated.
The kinit command/login only shows that the host key inside of /etc/krb5.keytab is intact. This does not necessarily mean that the kvno inside of httpd.keytab is valid and you will need to check it against the KDC.
Start a kadmin session against your KDC and invoke getprinc <principalname>. Look for "Key: vno", this tells you what the KDC considers to be the version number. If the KDC has a more recent version of the key, you need to re-export this key to the host in question. I would go ahead and check the validity of all the keys in /etc/krb5.keytab while you're at it just to make sure there aren't any other time bombs lurking around.
Hopefully this helps!
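The comparison the answer describes (keytab kvno versus what the KDC reports) as an added example that is not part of the original answer: it parses `klist -ke` output and either `kvno` or `kadmin getprinc` output and flags keytab entries whose version lags the KDC. The sample outputs are constructed; the hostname www.company.local is a placeholder, not from the post.

```python
import re

# Constructed sample of "klist -ke httpd.keytab" output (hostname is a placeholder).
# The HTTP entry is deliberately one version behind the KDC.
KLIST_KE = """Keytab name: FILE:/etc/apache2/httpd.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   7 HTTP/www.company.local@COMPANY.LOCAL (ArcFour with HMAC/md5)
   8 host/www.company.local@COMPANY.LOCAL (ArcFour with HMAC/md5)
"""

# Constructed KDC-side output per principal: one in "kvno" format, one in
# "kadmin: getprinc" format, since both carry the version the KDC considers current.
KDC_OUTPUT = {
    "HTTP/www.company.local@COMPANY.LOCAL":
        "HTTP/www.company.local@COMPANY.LOCAL: kvno = 8\n",
    "host/www.company.local@COMPANY.LOCAL":
        "Principal: host/www.company.local@COMPANY.LOCAL\n"
        "Number of keys: 1\n"
        "Key: vno 8, arcfour-hmac, no salt\n",
}

def parse_klist(text):
    """Return {principal: highest kvno present in the keytab} from klist -ke output."""
    found = {}
    for m in re.finditer(r"^\s*(\d+)\s+(\S+@\S+)", text, re.M):
        kvno, princ = int(m.group(1)), m.group(2)
        found[princ] = max(kvno, found.get(princ, 0))
    return found

def parse_kdc_vno(text):
    """Return the highest version the KDC reports, from 'kvno = N' or 'Key: vno N' lines."""
    vnos = [int(v) for v in re.findall(r"(?:kvno = |Key: vno )(\d+)", text)]
    return max(vnos) if vnos else None

def stale_entries(klist_text, kdc_output_by_princ):
    """List (principal, keytab_kvno, kdc_kvno) for entries the KDC has already superseded."""
    stale = []
    for princ, kt_vno in parse_klist(klist_text).items():
        kdc_vno = parse_kdc_vno(kdc_output_by_princ.get(princ, ""))
        if kdc_vno is not None and kt_vno < kdc_vno:
            stale.append((princ, kt_vno, kdc_vno))
    return stale

if __name__ == "__main__":
    for princ, kt, kdc in stale_entries(KLIST_KE, KDC_OUTPUT):
        print(f"{princ}: keytab kvno {kt} < KDC kvno {kdc}; re-export the keytab")
```

On a real host, feed the script the live `klist -ke` and `kvno`/`getprinc` output instead of the constructed strings; a reported entry is exactly the condition behind the "Key version number for principal in key table is incorrect" error.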
tbh1
Updated on September 18, 2022
Comments
-
tbh1 over 1 year
I am trying to set up SSO on my Apache web server using Kerberos so that users logged into the local domain are recognised and logged in immediately.
I have followed this guide to the letter but I cannot get rid of the user/password prompt once everything is set up.
I am using Ubuntu 8.04, have installed mod_auth_kerb 5.4 for Apache.
My /etc/krb5.conf:
[libdefaults]
    default_realm = COMPANY.LOCAL
[domain_realm]
    .company.local = COMPANY.LOCAL
    company.local = COMPANY.LOCAL
[realms]
    COMPANY.LOCAL = {
        default_domain = company.local
        kdc = DC01.COMPANY.LOCAL:88
        admin_server = DC01.COMPANY.LOCAL
    }
My Apache configuration:
<Location />
    AuthType Kerberos
    AuthName "server login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms COMPANY.LOCAL
    KrbServiceName HTTP
    Krb5KeyTab /etc/apache2/httpd.keytab
    KrbVerifyKDC off
    KrbLocalUserMapping on
    require valid-user
</Location>
Keytab was generated by our admin using
ktpass -princ HTTP/[email protected] -mapuser hostname -crypto rc4-hmac-nt -ptype KRB5_NT_SRV_HST -pass CHOOSEPASSWORD -out httpd.keytab
I have issued the relevant chmod/chown commands. On the server, I successfully issued
    kinit HTTP/[email protected]
and logged in. kvno/klist output:
    # kvno HTTP/[email protected]
    HTTP/[email protected]: kvno = 8
    # klist -ke httpd.keytab
    Keytab name: FILE:httpd.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       8 HTTP/[email protected] (ArcFour with HMAC/md5)
I have configured my browser (tried both ff and ie on windows7) to pass the credentials along to hopefully get rid of the prompt but it is not working.
The Apache error logs are saying:
[error] [client 10.0.0.1] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)
[error] [client 10.0.0.1] gss_accept_sec_context() failed: Invalid token was supplied (, No error)
Has anyone got any suggestions as to what I need to get this working?
-
Andrew B over 11 years: I mentioned the wrong keytab in the original version of this post. Please review the newest revision if you haven't already.
-
tbh1 over 11 years: Thanks for that. I came into work today to find it working as I would expect. Not sure what changed.
-
Andrew B over 11 years: Check the timestamp on httpd.keytab. If it's been modified, a coworker might've beaten you to it. :)