RE: Server not found in Kerberos database - Apache
-
RE: Server not found in Kerberos database
Hi again,
Until now I have been testing using an Internet Explorer 5.5 right in the
Windows 2000 Server. I created a user account in the EFTESTE.COM domain,
logged in a PC with that account, using IE 6.0 and the result was different:
[Wed Feb 08 14:52:52 2006] [debug] src/mod_auth_kerb.c(1322): [client
192.168.42.35] kerb_authenticate_user entered with user (NULL) and auth_type
Kerberos
[Wed Feb 08 14:52:52 2006] [debug] src/mod_auth_kerb.c(1322): [client
192.168.42.35] kerb_authenticate_user entered with user (NULL) and auth_type
Kerberos
[Wed Feb 08 14:52:52 2006] [error] [client 192.168.42.35] gss_import_name()
failed: An invalid name was supplied (Configuration file does not specify
default realm)
Now, I have no clue...
Somebody?
Regards,
Henrique Craveiro
-----Original Message-----
From: Henrique Craveiro [mailto:henrique.craveiro@ef.pt]
Sent: Wednesday, 8 February 2006 14:54
To: 'modauthkerb-help@lists.sourceforge.net'
Subject: Re: [modauthkerb] Server not found in Kerberos database
Hi,
Thanks for the replies.
I did (also) follow the steps in http://www.grolmsnet.de/kerbtut/ . I think
that I found out what the error was. It was related to the Kerberos database
being somewhat corrupt. I destroyed and created it again and now the error I
mentioned before is gone. Now I have this error (it still asks for username
and password):
[Wed Feb 08 14:13:32 2006] [debug] src/mod_auth_kerb.c(1322): [client
192.168.42.32] kerb_authenticate_user entered with user (NULL) and auth_type
Kerberos
[Wed Feb 08 14:13:38 2006] [debug] src/mod_auth_kerb.c(1322): [client
192.168.42.32] kerb_authenticate_user entered with user (NULL) and auth_type
Kerberos
[Wed Feb 08 14:13:38 2006] [error] [client 192.168.42.32]
krb5_get_init_creds_password() failed: Cannot resolve network address for
KDC in requested realm
[Wed Feb 08 14:13:38 2006] [debug] src/mod_auth_kerb.c(1322): [client
192.168.42.32] kerb_authenticate_user entered with user (NULL) and auth_type
Kerberos
[Wed Feb 08 14:13:38 2006] [error] [client 192.168.42.32]
krb5_get_init_creds_password() failed: Cannot resolve network address for
KDC in requested realm
I tried to search for the error but couldn't find out why it is happening. I
know it is supposed to be related to DNS problems but the 2 machines can
reach each other (Windows 2000 Server and Solaris). One thing that got me
thinking is when I do the "klist -e" after doing kvno. It gives me:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: solerokrb@EFTESTE.COM
Valid starting     Expires            Service principal
02/08/06 14:12:07  02/09/06 00:12:07  krbtgt/EFTESTE.COM@EFTESTE.COM
        renew until 02/09/06 14:12:07, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
02/08/06 14:12:16  02/09/06 00:12:07  xptest@EFTESTE.COM
        renew until 02/09/06 14:12:07, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
02/08/06 14:12:25  02/09/06 00:12:07  solerokrb@EFTESTE.COM
        renew until 02/09/06 14:12:07, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
solerokrb seems ok, because of the -crypto option in ktpass, but what about
the other ones? I don't know if the results are ok, I'm getting a little
desperate here, seeing patterns everywhere
Can anybody help me?
PS - Where can I get an Apache that doesn't give segmentation faults?
Regards,
Henrique Craveiro
-----Original Message-----
From: Yannick [mailto:yannick@smellyfrog.com]
Sent: Wednesday, 8 February 2006 8:50
To: Henrique Craveiro
Subject: Re: [modauthkerb] Server not found in Kerberos database
Hi Henrique,
I'm not a specialist, but I walked the same road not so long ago. Check
this thread out:
http://groups.google.ie/group/comp.p...hread/thread/d
ea39f5b55a82523/5a895b1308eb8d75?lnk=st&q=smellyfrog+kerberos&rnum=1&hl=en#5
a895b1308eb8d75
The one important thing is the way you generate the keytab. You really
have to follow verbatim the way Achim describes it in his paper:
http://www.grolmsnet.de/kerbtut/
The key solution for me was to make sure the keytab was generated for
servername.domain and not just servername.
So in your case (replacing solerokrb-password with the actual password):
C:\>ktpass -princ HTTP/tarzan.efteste.com@EFTESTE.COM
-mapuser solerokrb
-crypto DES-CBC-MD5
-ptype KRB5_NT_PRINCIPAL
-mapop set +desonly
-pass longlong solerokrb-password -out c:\temp\solerokeytab
Make sure you have done this exactly that way.
A sure way to make sure your keytab is correct is by checking that an
http service kerberos ticket is created for the client machine when you
request a connection to apache. You can do this by installing the MIT
network identity manager or Microsoft kerbtray.exe.
Regards
Yannick
Henrique Craveiro wrote:
> Hi all,
>
> I have a Windows 2000 Server running as a KDC and an Apache Server
> (2.0.55) in a Solaris 2.9. I installed the mod_auth_kerb module in
> Apache and followed the steps in http://modauthkerb.sourceforgenet/
> <http://modauthkerb.sourceforge.net/> I searched the web and
> these archives a lot but didn't find the answer to my problem.
>
> My krb5.conf:
>
> [logging]
>  default = FILE:/var/krb5/kdc.log
>  kdc = FILE:/var/krb5/kdc.log
>  admin_server = FILE:/var/log/kadmin.log
>
> [libdefaults]
>  default_realm = EFTESTE.COM
>  ticket_lifetime = 24000
>
> [realms]
>  EFTESTE.COM = {
>   kdc = tarzan.efteste.com:88
>   //admin_server = tarzan.efteste.com:749
>   default_domain = tarzan.efteste.com
>  }
>
> [domain_realm]
>  efteste.com = EFTESTE.COM
>  efteste.com = EFTESTE.COM
>
> The Windows 2000 Server is tarzan.efteste.com and the Apache Server is
> in solero.intranet.company.pt. I can't have the Win 2000 Server and
> solero in the same domain, so I had to put in /etc/hosts the binding
> to solero.efteste.com and so I did it in Win 2000 Server to be able to
> reach solero.intranet.company.pt.
>
> Part of my httpd.conf:
>
> <Directory "/usr/local/apache2/htdocs">
>  Options Indexes FollowSymLinks
>  AllowOverride All
>  Order allow,deny
>  Allow from all
>
>  AuthType Kerberos
>  AuthName solero
>  KrbAuthRealms EFTESTE.COM
>  KrbServiceName HTTP
>  Krb5Keytab /etc/krb5/solero.keytab
>  KrbMethodNegotiate on
>  KrbMethodK5Passwd on
>  require valid-user
> </Directory>
>
> The account I use in the AD of Win 2000 Server is solerokrb, so if I
> do a kinit solerokrb it works and I can see:
>
> bash-2.05# klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: solerokrb@EFTESTE.COM
>
> Valid starting     Expires            Service principal
> 02/07/06 18:10:13  02/08/06 00:50:13  krbtgt/EFTESTE.COM@EFTESTE.COM
>         Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
> When I try to access http://solero.efteste.com
> <http://solero.efteste.com/> from IE in the Windows 2000 Server it
> asks for username and password although I configured the browser in
> every aspect that it was supposed to be done. I don't know exactly
> what I should write in the username and password, is it the account
> 'solerokrb'? Anyway, when it asks for username and password the log in
> the Apache is:
>
> [Tue Feb 07 18:18:33 2006] [debug] src/mod_auth_kerb.c(1322): [client
> 192.168.42.32] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
>
> [Tue Feb 07 18:18:39 2006] [debug] src/mod_auth_kerb.c(1322): [client
> 192.168.42.32] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
>
> [Tue Feb 07 18:18:40 2006] [error] [client 192.168.42.32] failed to
> verify krb5 credentials: Server not found in Kerberos database
>
> [Tue Feb 07 18:18:40 2006] [debug] src/mod_auth_kerb.c(1322): [client
> 192.168.42.32] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
>
> [Tue Feb 07 18:18:40 2006] [error] [client 192.168.42.32] failed to
> verify krb5 credentials: Server not found in Kerberos database
>
> [Tue Feb 07 18:18:40 2006] [notice] child pid 17024 exit signal
> Segmentation fault (11)
>
> [Tue Feb 07 18:18:40 2006] [notice] child pid 17023 exit signal
> Segmentation fault (11)
>
> Anybody have a clue of what the problem is?
>
> Thanks,
>
> Henrique Craveiro
>
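Yannick's advice above comes down to one check: the keytab handed to Krb5Keytab must contain the HTTP/<fqdn>@REALM entry, generated for the full host name rather than the bare server name. As an added example (not code from the thread, from Yannick, from ktpass or from mod_auth_kerb), the following Python reads an MIT-format keytab, lists its principals and enctypes, and reports a missing expected principal, short host names, and the single-DES/RC4 enctypes the ktpass line above produces. The sample keytab is constructed inline with dummy zero keys; the principal names and the expected name are assumptions built from the host names used in the thread.

```python
"""Added example: list the principals in an MIT-format (0x0502) keytab and
check it for the HTTP/<fqdn>@REALM entry a mod_auth_kerb host needs.
Not code from the thread, from ktpass or from mod_auth_kerb."""
import struct

ENCTYPE_NAMES = {1: 'des-cbc-crc', 3: 'des-cbc-md5', 23: 'arcfour-hmac',
                 17: 'aes128-cts-hmac-sha1-96', 18: 'aes256-cts-hmac-sha1-96'}
# Single DES (RFC 6649) and RC4 (RFC 8429) are deprecated; flag them.
WEAK_ENCTYPES = {1, 3, 23}


def build_keytab(entries):
    """Serialise (principal, enctype, kvno, key) tuples as a version-2 keytab.
    Used here only to construct the sample input; ktpass/kadmin write real ones."""
    out = bytearray(b'\x05\x02')
    for principal, enctype, kvno, key in entries:
        name, realm = principal.rsplit('@', 1)
        comps = name.split('/')
        body = bytearray(struct.pack('>H', len(comps)))
        for s in [realm] + comps:                # realm first, then components
            raw = s.encode()
            body += struct.pack('>H', len(raw)) + raw
        body += struct.pack('>IIB', 1, 0, kvno & 0xFF)  # name type, timestamp, 8-bit vno
        body += struct.pack('>HH', enctype, len(key)) + key
        body += struct.pack('>I', kvno)          # 32-bit vno extension
        out += struct.pack('>i', len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return a list of dicts (principal, enctype, kvno, key) from keytab bytes."""
    if data[:2] != b'\x05\x02':
        raise ValueError('only version 0x0502 keytabs are handled')
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, = struct.unpack_from('>i', data, pos)
        pos += 4
        if size < 0:                             # deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        ncomp, = struct.unpack_from('>H', data, pos)
        pos += 2
        strings = []
        for _ in range(ncomp + 1):               # realm + ncomp components
            n, = struct.unpack_from('>H', data, pos)
            pos += 2
            strings.append(data[pos:pos + n].decode())
            pos += n
        _name_type, _timestamp, vno8 = struct.unpack_from('>IIB', data, pos)
        pos += 9
        enctype, klen = struct.unpack_from('>HH', data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:                       # optional 32-bit vno
            kvno, = struct.unpack_from('>I', data, pos)
        pos = end
        entries.append({'principal': '/'.join(strings[1:]) + '@' + strings[0],
                        'enctype': enctype, 'kvno': kvno, 'key': key})
    return entries


def keytab_problems(data, expected_principal):
    """Problems an admin would want to know about before pointing Krb5Keytab here."""
    entries = parse_keytab(data)
    problems = []
    if not any(e['principal'] == expected_principal for e in entries):
        problems.append('no entry for %s' % expected_principal)
    for e in entries:
        name = e['principal'].split('@', 1)[0]
        if '/' in name and '.' not in name.split('/', 1)[1]:
            problems.append('%s: host part is not fully qualified' % e['principal'])
        if e['enctype'] in WEAK_ENCTYPES:
            problems.append('%s: weak enctype %s' % (
                e['principal'], ENCTYPE_NAMES.get(e['enctype'], e['enctype'])))
    return problems


# Constructed sample: a short-name DES entry of the kind ktpass produces when
# given the bare server name, next to the fully qualified AES entry wanted.
# Keys are dummy zero bytes; the host names follow the thread.
SAMPLE_KEYTAB = build_keytab([
    ('HTTP/solero@EFTESTE.COM', 3, 2, bytes(8)),
    ('HTTP/solero.efteste.com@EFTESTE.COM', 18, 3, bytes(32)),
])
EXPECTED = 'HTTP/solero.efteste.com@EFTESTE.COM'

if __name__ == '__main__':
    for e in parse_keytab(SAMPLE_KEYTAB):
        print('%-40s kvno %d %s' % (e['principal'], e['kvno'],
                                    ENCTYPE_NAMES.get(e['enctype'], e['enctype'])))
    for p in keytab_problems(SAMPLE_KEYTAB, EXPECTED):
        print('PROBLEM:', p)
```

On a real system `klist -k -e /etc/krb5/solero.keytab` gives the same listing; the value of parsing the file yourself is that the check can run in a deployment script and fail before Apache is restarted. The kvno in the keytab must also match the kvno the KDC holds for the account, which is why a second ktpass run against the same account (bumping the kvno) silently breaks an older keytab.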
-
Re: Server not found in Kerberos database
Hi there,
I'll write the reply inline.
But first:
Check that kerberos is properly configured on the box where Apache is running!
Just IM mail me personally, I am willing to help since I set that up a week
ago here and it was pretty tough too.
On Wednesday 8 February 2006 14:58, Henrique Craveiro wrote:
> Hi again,
>
> Until now I have been testing using a Internet Explorer 5.5 right in the
> Windows 2000 Server. I created a user account in the EFTESTE.COM domain,
> logged in a PC with that account, using IE 6.0 and the result was
> different:
>
> [Wed Feb 08 14:52:52 2006] [debug] src/mod_auth_kerb.c(1322): [client
> 192.168.42.35] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Wed Feb 08 14:52:52 2006] [debug] src/mod_auth_kerb.c(1322): [client
> 192.168.42.35] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Wed Feb 08 14:52:52 2006] [error] [client 192.168.42.35] gss_import_name()
> failed: An invalid name was supplied (Configuration file does not specify
> default realm)
Well, this is clear enough, is your apache kerberos module configured
properly?
<Location /test>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms EFTESTE.COM <<<------ this is what's missing
Krb5KeyTab /etc/httpd/conf/keytab
require valid-user
</Location>
> -----Original Message-----
> From: Henrique Craveiro [mailto:henrique.craveiro@ef.pt]
> Sent: Wednesday, 8 February 2006 14:54
> To: 'modauthkerb-help@lists.sourceforge.net'
> Subject: Re: [modauthkerb] Server not found in Kerberos database
>
> Hi,
>
> Thanks for the replies.
>
> I did (also) follow the steps in http://www.grolmsnet.de/kerbtut/ . I think
> that I found out what the error was. It was related to the Kerberos
> database being somewhat corrupt. I destroyed and created it again and now
> the error I mentioned before is gone. Now I have this error (it still asks
> for username and password):
>
>
> [Wed Feb 08 14:13:32 2006] [debug] src/mod_auth_kerb.c(1322): [client
> 192.168.42.32] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Wed Feb 08 14:13:38 2006] [debug] src/mod_auth_kerb.c(1322): [client
> 192.168.42.32] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Wed Feb 08 14:13:38 2006] [error] [client 192.168.42.32]
> krb5_get_init_creds_password() failed: Cannot resolve network address for
> KDC in requested realm
> [Wed Feb 08 14:13:38 2006] [debug] src/mod_auth_kerb.c(1322): [client
> 192.168.42.32] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Wed Feb 08 14:13:38 2006] [error] [client 192.168.42.32]
> krb5_get_init_creds_password() failed: Cannot resolve network address for
> KDC in requested realm
This is pretty clear too: the Apache box cannot find the Kerberos KDC.
You do not need the KDC to be resolvable, you need to configure your krb5.conf
(/etc/krb5.conf on a Unix machine) to map a KDC to a realm like this:
[realms]
EFTESTE.COM = {
default_domain = efteste.com
kdc = yourkdc.efteste.com:88
}
>
>
> I tried to search for the error but couldn't find out why it is happening.
> I know it is supposed to be related to DNS problems but the 2 machines can
> reach each other (Windows 2000 Server and Solaris). One thing that got me
> thinking is when I do the "klist -e" after doing kvno. It gives me:
>
Where did you do klist -e?
Try to do kinit yourusername on the Apache box; if it works, then Kerberos is
properly configured on that box. If it doesn't, you need to configure it
properly first (mostly only the /etc/krb5.conf file).
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: solerokrb@EFTESTE.COM
>
> Valid starting Expires Service principal
> 02/08/06 14:12:07 02/09/06 00:12:07 krbtgt/EFTESTE.COM@EFTESTE.COM
> renew until 02/09/06 14:12:07, Etype (skey, tkt): ArcFour with
> HMAC/md5, ArcFour with HMAC/md5
> 02/08/06 14:12:16 02/09/06 00:12:07 xptest@EFTESTE.COM
> renew until 02/09/06 14:12:07, Etype (skey, tkt): ArcFour with
> HMAC/md5, ArcFour with HMAC/md5
> 02/08/06 14:12:25 02/09/06 00:12:07 solerokrb@EFTESTE.COM
> renew until 02/09/06 14:12:07, Etype (skey, tkt): DES cbc mode with
> CRC-32, DES cbc mode with CRC-32
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>
>
>
> solerokrb seems ok, because of the -cryto option in ktpass, but what about
> the other ones? I don't know if the results are ok, I'm getting a little
> desperate here, seeing patterns everywhere 
>
> Can anybody help me?
Relax, it's not that hard...
>
> PS - Where can I get an Apache that doesn't give segmentation faults?
>
What are you talking about?
>
> Regards,
>
> Henrique Craveiro
>
--
Stephane Konstantaropoulos <skonstant@sgul.ac.uk>
St George's University of London
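The two errors Stéphane diagnoses in this reply both come from krb5.conf on the Apache box: gss_import_name() cannot build a principal without a default_realm, and krb5_get_init_creds_password() cannot contact a KDC the [realms] section never names. As an added example (not code from the thread or from MIT Kerberos), here is a Python checker that parses the subset of krb5.conf syntax shown in the thread, reports those two omissions, and applies the [domain_realm] lookup libkrb5 uses to decide which realm a host such as solero.efteste.com belongs to. Both inputs are constructed to mirror the thread's layout; the realm, host and KDC names come from the thread, and the list of checks is my own choice.

```python
"""Added example: a checker for the krb5.conf problems behind the two
errors quoted in this thread, plus the [domain_realm] host-to-realm lookup.
Not code from the thread or from MIT Kerberos."""
import re


def parse_krb5_conf(text):
    """Parse the krb5.conf subset used in the thread: [section] headers,
    key = value lines and NAME = { ... } blocks.  Every key maps to a list
    because keys such as kdc may legitimately repeat."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()   # strip comments
        if not line:
            continue
        m = re.fullmatch(r'\[(\w+)\]', line)
        if m:
            section = conf.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError('key/value outside any section: %r' % raw)
        if line == '}':
            block = None
            continue
        m = re.fullmatch(r'(\S+)\s*=\s*\{', line)
        if m:
            block = section.setdefault(m.group(1), {})
            continue
        m = re.fullmatch(r'(\S+)\s*=\s*(.*)', line)
        if not m:
            raise ValueError('unparseable line: %r' % raw)
        target = block if block is not None else section
        target.setdefault(m.group(1), []).append(m.group(2).strip())
    return conf


def check_krb5_conf(conf, realm):
    """Return the problems that would produce the errors seen in the thread
    for the realm named in KrbAuthRealms.  Whether the kdc host actually
    resolves is not checked here; that needs a live lookup (kinit on the box)."""
    problems = []
    if not conf.get('libdefaults', {}).get('default_realm'):
        problems.append('[libdefaults] has no default_realm '
                        '(gss_import_name: "does not specify default realm")')
    realm_block = conf.get('realms', {}).get(realm)
    if not isinstance(realm_block, dict):
        problems.append('[realms] has no block for %s' % realm)
    elif not realm_block.get('kdc'):
        problems.append('[realms] %s has no kdc line (krb5_get_init_creds_password: '
                        '"Cannot resolve network address for KDC")' % realm)
    return problems


def realm_for_host(conf, host):
    """[domain_realm] lookup as libkrb5 does it: the exact host name first,
    then each parent domain with a leading dot, falling back to default_realm."""
    mapping = conf.get('domain_realm', {})
    parts = host.lower().split('.')
    candidates = [host.lower()] + ['.' + '.'.join(parts[i:]) for i in range(1, len(parts))]
    for c in candidates:
        if c in mapping:
            return mapping[c][0]
    default = conf.get('libdefaults', {}).get('default_realm')
    return default[0] if default else None


# Constructed input: the layout of the krb5.conf posted in the thread, with
# default_realm and the kdc line left out so there is something to report.
BROKEN_KRB5_CONF = """
[libdefaults]
    ticket_lifetime = 24000

[realms]
    EFTESTE.COM = {
        default_domain = efteste.com
    }

[domain_realm]
    efteste.com = EFTESTE.COM
"""

# Constructed input: both lines present, plus a dotted domain_realm entry so
# that every host under efteste.com maps to the realm.
FIXED_KRB5_CONF = """
[libdefaults]
    default_realm = EFTESTE.COM
    ticket_lifetime = 24000

[realms]
    EFTESTE.COM = {
        kdc = tarzan.efteste.com:88
        default_domain = efteste.com
    }

[domain_realm]
    efteste.com = EFTESTE.COM
    .efteste.com = EFTESTE.COM
"""

if __name__ == '__main__':
    for name, text in (('broken', BROKEN_KRB5_CONF), ('fixed', FIXED_KRB5_CONF)):
        conf = parse_krb5_conf(text)
        print(name, check_krb5_conf(conf, 'EFTESTE.COM') or ['ok'])
        print(name, 'solero.efteste.com ->', realm_for_host(conf, 'solero.efteste.com'))
```

Two caveats worth knowing when reading the output. A [domain_realm] entry without a leading dot matches only that exact host name, so `efteste.com = EFTESTE.COM` on its own does not cover `solero.efteste.com`; libkrb5 then falls back to default_realm, which is why the omission is invisible until default_realm is also missing. And "Cannot resolve network address for KDC" is also what you get when the kdc line is present but its host name does not resolve on the Apache box, which a static check cannot see; `kinit` on that box, as suggested above, is the live test.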
-
Bad Password Error Messages
Has anyone had a problem with mod_auth_kerb giving the incorrect
error message to the browser when it gets a bad password. We have a
problem when the institutional kerberos password changes, our server
gives a bad error message to the browser which means the browser then
doesn't prompt for a different password... since most people have
their browsers remember passwords this can be a big problem.
I did some monkeying with mod_auth_kerb to get it to run on OS X...
and I might have inadvertently caused this. So my first question is
if anyone else has seen this problem... and my second is if anyone
has a solution
- Nathan
-
Re: Bad Password Error Messages
Hi,
What's the message sent by the server?
Kerberos is a solution to client caching passwords, why use kerberos
authentication in apache if you don't use kerberos fully?
If the server asks for authentication then denies it, the browser should prompt
for a new password even if it was cached previously. The error is somewhere
else.
Can you be more descriptive about
1 your kerberos setup on the server box (does it work at all)
2 the configuration of apache mod_authkerb you are using
3 any logs that appear when authentication is denied.
Cheers
On Wednesday 8 February 2006 16:36, Nathan Strange wrote:
> Has anyone had a problem with mod_auth_kerb giving the incorrect
> error message to the browser when it gets a bad password. We have a
> problem when the institutional kerberos password changes, our server
> gives a bad error message to the browser which means the browser then
> doesn't prompt for a different password... since most people have
> their browsers remember passwords this can be a big problem.
>
> I did some monkeying with mod_auth_kerb to get it to run on OS X...
> and I might have inadvertently caused this. So my first question is
> if anyone else has seen this problem... and my second is if anyone
> has a solution
>
> - Nathan
>
>
--
Stephane Konstantaropoulos <skonstant@sgul.ac.uk>
St George's University of London
-
Re: Bad Password Error Messages
On Feb 8, 2006, at 8:52 AM, Stéphane Konstantaropoulos wrote:
> Hi,
>
> What's the message sent by the server?
Actually the server just appears to drop the connection without
sending an error message at all. In firefox, if I enter the wrong
password, nothing happens at all... when it should prompt again for
the password. In Safari I get: Safari can’t open the page “https://
navwiki.jpl.nasa.gov/bin/view/GNC/WebHome”. The error was: “lost
network connection” (NSURLErrorDomain:-1005)
>
> Kerberos is a solution to client caching passwords, why use kerberos
> authentication in apache if you don't use kerberos fully?
Not all web browsers support spnego... and setting it up isn't an
easy thing for users.
We use kerberos because there is an institutional password that
can be authenticated with kerberos. By using this password, our
users don't have to remember yet another password to access our web
server... and we don't have to manage user accounts on the server.
We are running a wiki, and people are often afraid of wikis... and
anything that makes our site hard to use will mean it just won't be
used.
> If the server asks for authentication then denies it, the browser should prompt
> for a new password even if it was cached previously. The error is somewhere
> else.
The browser only asks for a new password if it gets a 401:
Unauthorized error. Since this problem is common across all web
browsers, I'm assuming that the 401 error is not being sent. And the
logs (see below) make me think nothing at all is being sent.
I'd check the server's raw response with telnet... but I don't know
how to do https via telnet
>
> Can you be more descriptive about
> 1 your kerberos setup on the server box (does it work at all)
works as long as the password is correct 
> 2 the configuration of apache mod_authkerb you are using
running on OS X... had to monkey with the source to get it to
compile. Can provide the details, after I dig them up.
> 3 any logs that appear when authentication is denied.
>
---
[Thu Feb 9 14:44:46 2006] [error] [client 137.78.78.184]
krb5_get_init_creds_password() failed: Decrypt integrity check failed
[Thu Feb 9 14:44:46 2006] [error] [client 137.78.78.184] Cannot get
krb4 ticket: krb_get_pw_in_tkt() failed: Can't send request
(send_to_kdc)
[Thu Feb 9 14:44:46 2006] [error] [client 137.78.78.184] Verifying
krb4 password failed
dyld: lazy symbol binding failed: Symbol not found: _tf_close
Referenced from: /usr/libexec/httpd/mod_auth_kerb.so
Expected in: flat namespace
dyld: Symbol not found: _tf_close
Referenced from: /usr/libexec/httpd/mod_auth_kerb.so
Expected in: flat namespace
[Thu Feb 9 14:44:46 2006] [notice] child pid 26342 exit signal Trace/
BPT trap (5)
---
So... I'm curious if anyone else has seen this... if not, it means
that I probably have an OS X specific issue.
Thanks,
-Nathan
> Cheers
-
Re: Bad Password Error Messages
On Feb 8, 2006, at 8:36 AM, Nathan Strange wrote:
> Has anyone had a problem with mod_auth_kerb giving the incorrect
> error message to the browser when it gets a bad password. We have
> a problem when the institutional kerberos password changes, our
> server gives a bad error message to the browser which means the
> browser then doesn't prompt for a different password... since most
> people have their browsers remember passwords this can be a big
> problem.
>
> I did some monkeying with mod_auth_kerb to get it to run on OS X...
> and I might have inadvertently caused this. So my first question
> is if anyone else has seen this problem... and my second is if
> anyone has a solution
>
> - Nathan
Did you see this fix, posted by Kevin Thompson <antiduh@csh.rit.edu>
Oct. 11, 2005:
> --- mod_auth_kerb.c 2005-10-10 21:57:59.758317000 -0400
> +++ mod_auth_kerb.c.fixed 2005-10-10 21:57:21.433210000 -0400
> @@ -876,11 +876,11 @@
> ret = OK;
>
> end:
> log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
> "kerb_authenticate_user_krb5pwd ret=%d user=%s
> authtype=%s",
> - ret, (MK_USER)?MK_USER:"(NULL)", MK_AUTH_TYPE);
> + ret, (MK_USER)?MK_USER:"(NULL)", (MK_AUTH_TYPE)?
> MK_AUTH_TYPE:
> "(NULL)");
> if (client)
> krb5_free_principal(kcontext, client);
> if (ccache)
> krb5_cc_destroy(kcontext, ccache);
> if (keytab)
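Review bot: the removed line hands MK_AUTH_TYPE to a `%s` conversion unguarded while MK_USER on the same call already has a `(MK_USER)?MK_USER:"(NULL)"` guard; a NULL pointer for `%s` is undefined behaviour in printf-style formatting, and on C libraries that do not substitute "(null)" it crashes the worker instead of logging, so the added `(MK_AUTH_TYPE)?MK_AUTH_TYPE:"(NULL)"` is the right symmetric fix for a log line that runs on the `end:` error path. Two things to note for anyone applying it: the hunk is cut off after `if (keytab)`, so the keytab release and anything later in the original fix are not visible here, and the crash Nathan reports is accompanied by a dyld "Symbol not found: _tf_close" failure, which this guard does not address.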
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu