HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


bdesmet 3rd January 2012 10:23

Single sign on between apache2, kerberos and AD 2003
 
I'm trying to get a Single Sign On system working, but I keep on hitting the same error. Here is a part of the logs:

Code:

[Tue Dec 27 14:34:23 2011] [debug] src/mod_auth_kerb.c(1667): [client 10.29.0.153] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [Tue Dec 27 14:34:23 2011] [debug] src/mod_auth_kerb.c(1667): [client 10.29.0.153] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [Tue Dec 27 14:34:23 2011] [debug] src/mod_auth_kerb.c(1277): [client 10.29.0.153] Acquiring creds for HTTP/cognos.predika.be@PREDIKA.BE
    [Tue Dec 27 14:34:23 2011] [debug] src/mod_auth_kerb.c(1424): [client 10.29.0.153] Verifying client data using KRB5 GSS-API
    [Tue Dec 27 14:34:23 2011] [debug] src/mod_auth_kerb.c(1440): [client 10.29.0.153] Client didn't delegate us their credential
    [Tue Dec 27 14:34:23 2011] [debug] src/mod_auth_kerb.c(1468): [client 10.29.0.153] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
    [Tue Dec 27 14:34:23 2011] [debug] src/mod_auth_kerb.c(1138): [client 10.29.0.153] GSS-API major_status:00090000, minor_status:00000000
    [Tue Dec 27 14:34:23 2011] [error] [client 10.29.0.153] gss_accept_sec_context() failed: Invalid token was supplied (, No error)

Login via basic auth:

Code:

[Tue Dec 27 14:34:31 2011] [debug] src/mod_auth_kerb.c(1667): [client 10.29.0.153] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [Tue Dec 27 14:34:31 2011] [debug] src/mod_auth_kerb.c(1025): [client 10.29.0.153] Using HTTP/cognos.predika.be@PREDIKA.BE as server principal for password verification
    [Tue Dec 27 14:34:31 2011] [debug] src/mod_auth_kerb.c(714): [client 10.29.0.153] Trying to get TGT for user cognos03@PREDIKA.BE
    [Tue Dec 27 14:34:31 2011] [debug] src/mod_auth_kerb.c(1110): [client 10.29.0.153] kerb_authenticate_user_krb5pwd ret=0 user=cognos03@PREDIKA.BE authtype=Basic
    [Tue Dec 27 14:34:31 2011] [debug] src/mod_auth_kerb.c(1667): [client 10.29.0.153] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [Tue Dec 27 14:34:31 2011] [debug] src/mod_auth_kerb.c(1605): [client 10.29.0.153] matched previous auth request

My krb5 config file:
Code:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = PREDIKA.BE
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 PREDIKA.BE = {
  kdc = PREDIKA.BE
 }

[domain_realm]
 .predika.be = PREDIKA.BE
 predika.be = PREDIKA.BE

[logging]
        kdc = FILE:/var/log/kerberos/krb5kdc.log
        admin_server = FILE:/var/log/kerberos/kadmin.log
        default = FILE:/var/log/kerberos/krb5lib.log

The Apache config:
Code:

<IfModule mod_auth_kerb.c>
    AuthType Kerberos
    AuthName "Kerberos Login"

    KrbMethodNegotiate    on
    KrbVerifyKDC          off
    KrbSaveCredentials    off
    KrbMethodK5Passwd     on

    KrbServiceName        HTTP/cognos.predika.be@PREDIKA.BE
    KrbAuthRealms         PREDIKA.BE
    Krb5Keytab            /etc/krb5.keytab

    require  valid-user
</IfModule>

I'm totally confused. Maybe someone has seen the problem before, or can see an error in my configuration?
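
The first log above carries the mod_auth_kerb warning that the received token "seems to be NTLM". As an added example (not part of the original post and not mod_auth_kerb's own code), the Python below classifies the value of an `Authorization: Negotiate` header as raw NTLM, Kerberos, or SPNEGO wrapping either one, which confirms what the browser actually sent. The function names and the sample tokens are constructed for illustration.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"                      # start of every raw NTLM message
SPNEGO_OID = bytes.fromhex("06062b0601050502")    # 1.3.6.1.5.5.2
MECHS = [                                         # DER-encoded mechanism OIDs
    (bytes.fromhex("06092a864886f712010202"), "kerberos"),  # 1.2.840.113554.1.2.2
    (bytes.fromhex("06092a864882f712010202"), "kerberos"),  # 1.2.840.48018.1.2.2 (MS)
    (bytes.fromhex("060a2b06010401823702020a"), "ntlm"),    # 1.3.6.1.4.1.311.2.2.10
]

def classify_negotiate(header_value):
    """Classify an Authorization header value as 'ntlm', 'kerberos',
    'spnego-kerberos', 'spnego-ntlm' or 'unknown'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "unknown"
    try:
        raw = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                 # binascii.Error is a ValueError
        return "unknown"
    if raw.startswith(NTLMSSP_SIG):
        return "ntlm"                  # the case the log warning describes
    if raw[:1] == b"\x60":             # GSS-API initial context token
        hits = [(raw.find(oid), name) for oid, name in MECHS if oid in raw]
        if hits:
            mech = min(hits)[1]        # mechanism OID that appears first
            return "spnego-" + mech if SPNEGO_OID in raw[:16] else mech
    return "unknown"

def tlv(tag, body):
    """Minimal DER TLV for bodies shorter than 128 bytes."""
    return bytes([tag, len(body)]) + body

def sample_spnego_header(mech_oids):
    """Constructed SPNEGO NegTokenInit carrying only a mechTypes list."""
    mech_list = tlv(0xA0, tlv(0x30, b"".join(mech_oids)))
    token = tlv(0x60, SPNEGO_OID + tlv(0xA0, tlv(0x30, mech_list)))
    return "Negotiate " + base64.b64encode(token).decode()

def sample_ntlm_header():
    """Constructed NTLM type 1 message (signature, type, zeroed fields)."""
    msg = NTLMSSP_SIG + b"\x01\x00\x00\x00" + bytes(24)
    return "Negotiate " + base64.b64encode(msg).decode()

if __name__ == "__main__":
    for hdr in (sample_ntlm_header(), sample_spnego_header([MECHS[0][0]])):
        print(classify_negotiate(hdr), hdr[:40])
```

A raw NTLM token is recognisable without decoding, because its base64 form always begins with `TlRMTVNTUAAB`.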

