Discussion in 'Server Operation' started by alex123, Apr 15, 2011.

  1. alex123

    alex123 New Member

    I am trying to set up Kerberos authentication for a website hosted on Apache 2 on Debian Linux.

    I have installed the Apache module libapache2-mod-auth-kerb but I am getting the following error in Apache:

    [Thu Apr 14 16:53:49 2011] [error] [client] gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, Key table file '/etc/krb5.keytab' not found)

    How do I go about creating the keytab file it is looking for?

    What is it supposed to contain?

    From what I have read, I am supposed to use the `ktpass` tool to create it, but this command does not work on my server; it says `command not found`.

  2. tusshar

    tusshar New Member

    Try This

    To begin setting up a KDC, ensure that your /etc/rc.conf file contains the correct settings to act as a KDC (you may need to adjust paths to reflect your own system):

    Next we will set up your Kerberos config file, /etc/krb5.conf:
    default_realm = EXAMPLE.ORG
    kdc =
    admin_server =
    [domain_realm] = EXAMPLE.ORG
    Note that this /etc/krb5.conf file implies that your KDC will have the fully-qualified hostname of You will need to add a CNAME (alias) entry to your zone file
    to accomplish this if your KDC has a different hostname.
    default_realm = EXAMPLE.ORG
    _kerberos._udp IN SRV 01 00 88
    _kerberos._tcp IN SRV 01 00 88
    _kpasswd._udp IN SRV 01 00 464
    _kerberos-adm._tcp IN SRV 01 00 749
    _kerberos IN TXT EXAMPLE.ORG

    After installing the /etc/krb5.conf file, you can use kadmin from the Kerberos server. The add --random-key command will let you add the server's host principal,
    and the ext command will allow you to extract the server's host principal to its own keytab. For example:
    # kadmin
    kadmin> add --random-key host/
    Max ticket life [unlimited]:
    Max renewable life [unlimited]:
    Attributes []:
    kadmin> ext host/
    kadmin> exit

    The rc.conf must also be modified to contain the following configuration:
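
Added example, not part of either post above: the question asks what the keytab is supposed to contain, so this Python parser reads the version 0x0502 keytab file layout documented for MIT Kerberos and lists each entry's principal, key version and encryption type, flagging DES and RC4 keys. The hostname www.example.org, the filler keys, the sample bytes and all function names are constructed for illustration.

```python
import struct

ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK = {1, 2, 3, 23}  # single DES and RC4 (numbers from the IANA Kerberos registry)

def _counted(buf, off):  # 16-bit big-endian length, then that many bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_entry(rec):
    (ncomp,) = struct.unpack_from(">H", rec, 0)
    names, off = [], 2
    for _ in range(ncomp + 1):  # realm first, then the name components
        s, off = _counted(rec, off)
        names.append(s.decode())
    _ntype, _ts, kvno, etype = struct.unpack_from(">IIBH", rec, off)
    key, off = _counted(rec, off + 11)
    if len(rec) - off >= 4:  # optional 32-bit kvno overrides the 8-bit one
        kvno = struct.unpack_from(">I", rec, off)[0] or kvno
    return {"principal": "/".join(names[1:]) + "@" + names[0], "kvno": kvno,
            "enctype": ENCTYPES.get(etype, str(etype)), "weak": etype in WEAK,
            "key_bytes": len(key)}  # report the key length only, never the key

def parse_keytab(data):  # list the entries of a version 0x0502 keytab
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if pos + abs(size) > len(data):
            raise ValueError("truncated keytab entry")
        if size > 0:
            out.append(parse_entry(data[pos:pos + size]))
        pos += abs(size)  # a negative size marks a deleted slot to skip
    return out

def sample_entry(names, kvno, etype, key):
    """Build a constructed entry; names = [realm, component, ...], key is filler."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(names) - 1) + b"".join(cs(n.encode()) for n in names)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype) + cs(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: an AES256 and an RC4 key for the same host principal.
SAMPLE = b"\x05\x02" + b"".join(
    sample_entry(["EXAMPLE.ORG", "host", "www.example.org"], 3, et, bytes(n))
    for et, n in ((18, 32), (23, 16)))
```

Calling `parse_keytab(open(path, "rb").read())` on a real keytab requires read access to the file, which holds the service's long-term keys and should be readable only by the account that needs it.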
