Discussing problems related to the Kerberos authentication module for Apache

Irmen, Thomas | 11 Aug 2009 11:40

Picon

Re: Verification returned code 589824

So,

sorry guys, just made it happend:

1. check DNS
2. setup winbind, Kerberos (krb5.conf, use krb5.keytab setting in
smb.conf) 3. join domain with "net ads join"
4. create keytab with "net ads keytab create"
5. add service HTTP with "net ads keytab add HTTP"
6. configure apache to use that file, service principal etc. as
described in the docs ( http://mod_auth_kerb.sf.net )

Now it works perfect - except safari 4 browser - same error code
(589824) I guess the wrong principal name is delivered

Hope that helps others 

Br,
Thomas

PS: some hints regarding safari browser?

> -----Original Message-----
> From: Irmen, Thomas [mailto:irmen <at> amo.de]
> Sent: Tuesday, August 11, 2009 10:16 AM
> To: modauthkerb-help <at> lists.sourceforge.net
> Subject: [modauthkerb] Verification returned code
> 589824
> 
> Hi,

(Continue reading)

Yves Dorfsman | 10 Jan 2007 22:26

Verification returned code 589824


Anybody know what this is ?
I have installed mod_auth_kerb with apache 2.0, had an
HTTP/host.domain.tld <at> XSX.COM keytab generated, the keytab is readable by
apache (the user that runs the web server), I've got the fqdn first in
/etc/hosts, time is synchronised by ntpd (and I verified, it's good). Yes,
I get this in the httpd error log:

[debug] src/mod_auth_kerb.c(1485): [client 123.456.789.2]
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[debug] src/mod_auth_kerb.c(1485): [client 123.456.789.2]
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[debug] src/mod_auth_kerb.c(1172): [client 123.456.789.2] Acquiring creds
for HTTP/webserver.mydomain.com <at> MYDOMAIN.COM
[debug] src/mod_auth_kerb.c(1316): [client 123.456.789.2] Verifying client
data using KRB5 GSS-API
[debug] src/mod_auth_kerb.c(1332): [client 123.456.789.2] Verification
returned code 589824
[error] [client 162.139.50.149] gss_accept_sec_context() failed: A token
was invalid (Mechanism is incorrect)

>From searching on the web, it looks like "Verification returned code
589824" means there is something wrong with my keytab. I can't generate
the keytab myself, I have the guys responsible for Active Directory do it.
They've just re-generated a key for me, but I get the same result... How
can I tell for sure there is a problem (or not) with a key ?

What else should I look at ?

Thanks.

(Continue reading)

Henry B. Hotz | 12 Jan 2007 02:58

Picon

Picon

Re: Verification returned code 589824


On Jan 10, 2007, at 1:26 PM, Yves Dorfsman wrote:

>
> Anybody know what this is ?
> I have installed mod_auth_kerb with apache 2.0, had an
> HTTP/host.domain.tld <at> XSX.COM keytab generated, the keytab is  
> readable by
> apache (the user that runs the web server), I've got the fqdn first in
> /etc/hosts, time is synchronised by ntpd (and I verified, it's  
> good). Yes,
> I get this in the httpd error log:
>
> [debug] src/mod_auth_kerb.c(1485): [client 123.456.789.2]
> kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [debug] src/mod_auth_kerb.c(1485): [client 123.456.789.2]
> kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
> [debug] src/mod_auth_kerb.c(1172): [client 123.456.789.2] Acquiring  
> creds
> for HTTP/webserver.mydomain.com <at> MYDOMAIN.COM
> [debug] src/mod_auth_kerb.c(1316): [client 123.456.789.2] Verifying  
> client
> data using KRB5 GSS-API
> [debug] src/mod_auth_kerb.c(1332): [client 123.456.789.2] Verification
> returned code 589824
> [error] [client 162.139.50.149] gss_accept_sec_context() failed: A  
> token
> was invalid (Mechanism is incorrect)
>
>

(Continue reading)

Yves Martin | 11 Jan 2007 08:37

Picon

Re: Verification returned code 589824

On Wed, 2007-01-10 at 14:26 -0700, Yves Dorfsman wrote:
> From searching on the web, it looks like "Verification returned code
> 589824" means there is something wrong with my keytab. I can't generate
> the keytab myself, I have the guys responsible for Active Directory do it.
> They've just re-generated a key for me, but I get the same result... How
> can I tell for sure there is a problem (or not) with a key ?
> 
> What else should I look at ?

 You should follow steps from this tutorial   
  http://www.grolmsnet.de/kerbtut/

 . Check your server /etc/krb5.conf

 . Test (on the server of course) with
     kinit user <at> DOMAIN.COM 
     klist

 . Test your service credential on the server with 
     kvno HTTP/webserver.mydomain.com <at> MYDOMAIN.COM
     klist -e

 . Test your keytab with
     kinit -k -t krb5keytab HTTP/webserver.mydomain.com <at> MYDOMAIN.COM

 Hope this helps
 Regards,
--

-- 
Yves Martin

(Continue reading)

Yves Dorfsman | 11 Jan 2007 18:18

Re: Verification returned code 589824


>> From searching on the web, it looks like "Verification returned code
>> 589824" means there is something wrong with my keytab. I can't generate
>> the keytab myself, I have the guys responsible for Active Directory do
>> it.
>> They've just re-generated a key for me, but I get the same result... How
>> can I tell for sure there is a problem (or not) with a key ?
>>
>> What else should I look at ?
>
>  You should follow steps from this tutorial
>   http://www.grolmsnet.de/kerbtut/

I did (and again, Thanks Achim for this great piece of documentation).

Things have evolved a bit here:

-I got the ticket re-generated (the first version was bad)

-I re-compiled mod_auth_kerb 5.0rc7, because I have it running on another
server so I can compare apples with apples, and that is running fine.

-I re-compiled and re-installed auth_mod_kerb version 3.0, and I know
get the following error when I try to run it:

[error] [client 163.138.52.147] gss_accept_sec_context() failed: A token
was invalid (Mechanism is incorrect)

I'll be using 5.0rc7 for now, but I would like to get 5.3 working.

(Continue reading)

Yves Dorfsman | 11 Jan 2007 18:55

Re: Verification returned code 589824


Sorry, I had turned debug mode off in apache, as I said, my server (RedHat
ES4) works fine with mod_auth_kerb 5.0rc7, but I get the following error
with 5.3:

[debug] src/mod_auth_kerb.c(1172): [client 163.138.52.152] Acquiring creds
for HTTP/machine.exmaple.com <at> EXAMPLE.COM

[debug] src/mod_auth_kerb.c(1316): [client 163.138.52.152] Verifying
client  data using KRB5 GSS-API

[debug] src/mod_auth_kerb.c(1332): [client 163.138.52.152] Verification
returned code 589824

[error] [client 163.138.52.152] gss_accept_sec_context() failed: A token
was invalid (Mechanism is incorrect)

Yves.
----
Yves Dorfsman                                             yves <at> zioup.com
                                                   http://www.SollerS.ca

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

Mark Yalenti | 11 Jan 2007 22:44

Picon

mod_auth_kerb ... credentials????

Hey all,

Here is my latest problem with mod_auth_kerb....

[Thu Jan 11 16:34:06 2007] [error] [client 10.2.10.75] gss_acquire_cred()
failed: No credentials were supplied, or the credentials were unavailable or
inaccessible

I've verified that the keytab works fine...

# kinit -V -k -t /usr/home/myalenti/marksolwww2.keytab
HTTP/marksol.toll-kerberos.com
Authenticated to Kerberos v5

Apache conf is as follows....

KrbAuthRealms TOLL-KERBEROS.com
AuthName "Kerberos Login"
KrbServiceName HTTP/marksol.toll-kerberos.com  (also tried to use just HTTP,
same error)
Krb5Keytab /usr/home/myalenti/marksolwww2.keytab
KrbMethodK5Passwd Off
KrbMethodNegotiate on
Require valid-user

krb5.conf is as follows.
[libdefaults]
        default_realm = TOLL-KERBEROS.COM
        default_tkt_enctypes = des-cbc-md5
        default_tgs_enctypes = des-cbc-md5

(Continue reading)

Achim Grolms | 11 Jan 2007 19:12

Picon

Re: Verification returned code 589824

On Thursday 11 January 2007 18:55, Yves Dorfsman wrote:
> Sorry, I had turned debug mode off in apache, as I said, my server (RedHat
> ES4) works fine with mod_auth_kerb 5.0rc7, but I get the following error
> with 5.3:

That means the only difference is the version (5.0rc7 vs. 5.3) 
of mod_auth_kerb?

I am not sure what the problem is, but please send me

1. command line how you invoke ./configure
   for your  5.0rc7 and 5.3 installation

2. the config.log file from both runs
   of ./configure

3. Is it possible that 2 version of Kerberos reside on your machine
   (One in /usr, one in /usr/local)?

4. in any case, send the output of 
   krb5-config --version

Achim

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

(Continue reading)

Yves Dorfsman | 15 Jan 2007 19:32

Re: Verification returned code 589824


> That means the only difference is the version (5.0rc7 vs. 5.3)
> of mod_auth_kerb?

Yes.

> I am not sure what the problem is, but please send me
>
> 1. command line how you invoke ./configure
>    for your  5.0rc7 and 5.3 installation

./configure --without-krb4 --with-krb5=/usr/local/krb --with-apache=/usr/sbin

In both cases.

> 2. the config.log file from both runs
>    of ./configure

I'll send you (Achim) offline.

> 3. Is it possible that 2 version of Kerberos reside on your machine
>    (One in /usr, one in /usr/local)?

There are two versions, the one provided by RedHat, and the MIT one that
I compiled but I verified and I did specified the --with-krb5 option in
both cases.

>
> 4. in any case, send the output of
>    krb5-config --version

(Continue reading)

Achim Grolms | 15 Jan 2007 19:55

Picon

Re: Verification returned code 589824

On Monday 15 January 2007 19:32, Yves Dorfsman wrote:

> There are two versions, the one provided by RedHat, and the MIT one that
> I compiled but I verified and I did specified the --with-krb5 option in
> both cases.
>
> > 4. in any case, send the output of
> >    krb5-config --version
>
> Kerberos 5 release 1.5.1

Sorry,
1. please send output of *both* krb5-config,

1.1 the output of the RedHat krb5-config --version

1.2 the output of /usr/local/krb/bin/krb5-config --version

2. please send the output of
 ldd $APACHEPATH/libexec/mod_auth_kerb.so

Background: mod_auth_kerb is able to strip the SPNEGO-header
from GSSAPI-token. I mod_auth_kerb use it's own SPNEGO-handler
is decided at compiletime (your rc07 uses mod_auth_kerb's own SPNEGO
support, your 5.3 build uses the Kerberos-libs SPNEGO support instead.
MIT 1.5.1 supports SPNEGO.

I want to check

1. if the module is linked against the RedHat libs (at runtime, id using

(Continue reading)

Yves Dorfsman | 15 Jan 2007 23:52

Re: Verification returned code 589824


> 1. please send output of *both* krb5-config,
> 1.1 the output of the RedHat krb5-config --version

I don't have a krb5-config in he /usr/kerberos tree (where RedHat put their
kerberos utilities). Kerberos was installed from RPM packages, those
are at version 1.3.4-27, but I suspect that this is the version of the
package.

> 1.2 the output of /usr/local/krb/bin/krb5-config --version

/usr/local/krb/bin/krb5-config --version
Kerberos 5 release 1.5.1

> 2. please send the output of
>  ldd $APACHEPATH/libexec/mod_auth_kerb.so

Well, that's interresting, here it is with 5.3

ldd /usr/lib/httpd/modules/mod_auth_kerb.so
        libc.so.6 => /lib/tls/libc.so.6 (0xb7eba000)
        /lib/ld-linux.so.2 (0x00bbb000)

And here with 5.0_rc7
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0xb7fcb000)
        libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0xb7f65000)
        libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0xb7f44000)
        libcom_err.so.3 => /usr/lib/libcom_err.so.3 (0xb7f42000)
        libresolv.so.2 => /lib/libresolv.so.2 (0xb7f2f000)
        libdl.so.2 => /lib/libdl.so.2 (0xb7f2b000)

(Continue reading)

Achim Grolms | 16 Jan 2007 19:42

Picon

Re: Verification returned code 589824

On Monday 15 January 2007 23:52, Yves Dorfsman wrote:
> > 1. please send output of *both* krb5-config,
> > 1.1 the output of the RedHat krb5-config --version
>
> I don't have a krb5-config in he /usr/kerberos tree (where RedHat put their
> kerberos utilities). Kerberos was installed from RPM packages, those
> are at version 1.3.4-27, but I suspect that this is the version of the
> package.

If you don't need the RedHat-RPM - is there a chance to get rid of it 
complete?

> > 1.2 the output of /usr/local/krb/bin/krb5-config --version

> ldd /usr/lib/httpd/modules/mod_auth_kerb.so
>         libc.so.6 => /lib/tls/libc.so.6 (0xb7eba000)
>         /lib/ld-linux.so.2 (0x00bbb000)

Looks like your 5.3 is statically linked against GSSAPI-libs
Do you have static libs only in /usr/local/krb/lib ?

> And here with 5.0_rc7
>         libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0xb7fcb000)
>         libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0xb7f65000)
>         libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0xb7f44000)
>         libcom_err.so.3 => /usr/lib/libcom_err.so.3 (0xb7f42000)
>         libresolv.so.2 => /lib/libresolv.so.2 (0xb7f2f000)
>         libdl.so.2 => /lib/libdl.so.2 (0xb7f2b000)
>         libc.so.6 => /lib/tls/libc.so.6 (0xb7e00000)
>         libcom_err.so.2 => /lib/libcom_err.so.2 (0xb7dfc000)

(Continue reading)

Yves Dorfsman | 31 Jan 2007 23:42

Re: Verification returned code 589824


>
> Seems so. Do you have static libs only in /usr/local/krb/lib?
>
> What I don't understand: if your 5.3 is linked against MIT 1.5.1
> the 1.5.1 should be able to handle the SPNEGO token
> (Without using mod_auth_kerbs SPNEGO stripping).
> Yves, can you tweak your Makefile of 5.3 to use *not* the
> the 1.5.1 native SPNEGO support?
>
> Achim

Just to let everybody know, this problem went away.

I needed specific compile-time configuration in apache, so got rid of the
RedHat Apache package, got the source and recompiled. Obviously, I had to
recompile mod_auth_kerb, and this time 5.3 work right away

I am not sure why it wasn't working with the apache package, the one
thing I did differently is to set the LD_LIBRARY_PATH to point to
/usr/local/krb before compiling mod_auth_kerb, as suggested by Achim, maybe
that did the trick (hadn't thought of it, because we specify
--with-krb= during the ./configure).

Thanks for all the help to everybody who contributed.

Yves.
----
Yves Dorfsman                                             yves <at> zioup.com
                                                   http://www.SollerS.ca

(Continue reading)

Henry B. Hotz | 12 Jan 2007 03:33

Picon

Picon

Re: Verification returned code 589824

One of the changes is the addition of configure logic to detect if  
the installed gssapi library already understands the needed  
mechanisms.  The trouble is the logic only works with Gnu make, not  
with pmake, a.k.a. bsdmake, which is the native make on Solaris as  
well as BSDs other than MacOS.  (The reason is the the syntax for  
including the output of krb5-config into a make variable is different.)

It's possible that configure is mis-detecting the need to build the  
local-to-mod_auth_kerb spnego code.  If it's leaving it out when it's  
needed that could cause an "unknown mechanism" error.

On Jan 11, 2007, at 10:12 AM, Achim Grolms wrote:

> On Thursday 11 January 2007 18:55, Yves Dorfsman wrote:
>> Sorry, I had turned debug mode off in apache, as I said, my server  
>> (RedHat
>> ES4) works fine with mod_auth_kerb 5.0rc7, but I get the following  
>> error
>> with 5.3:
>
> That means the only difference is the version (5.0rc7 vs. 5.3)
> of mod_auth_kerb?
>
> I am not sure what the problem is, but please send me
>
> 1. command line how you invoke ./configure
>    for your  5.0rc7 and 5.3 installation
>
> 2. the config.log file from both runs
>    of ./configure

(Continue reading)

Achim Grolms | 14 Jan 2007 18:58

Picon

Re: Verification returned code 589824

On Friday 12 January 2007 03:33, Henry B. Hotz wrote:
> One of the changes is the addition of configure logic to detect if
> the installed gssapi library already understands the needed
> mechanisms.  The trouble is the logic only works with Gnu make, not
> with pmake, a.k.a. bsdmake, which is the native make on Solaris as
> well as BSDs other than MacOS.  (The reason is the the syntax for
> including the output of krb5-config into a make variable is different.)

I've added a "GNU-make" note to section 8.a of
<http://www.grolmsnet.de/kerbtut/>.

The text is

"Platforms like Solaris or FreeBSD don't ship with GNU-make as default make.
Ensure that your buildprocess of mod_auth_kerb uses GNU-make, because the 
buildprocess works properly only when using GNU-make!"

Please let me know if that needs corrections!

On FreeBSD I know how to install gmake (from the ports collection),
but I don't know how the ./configure of mod_auth_kerb 
can be changed to use an alternative 'make'.
Can someone add that piece of information?

Thank you,
Achim

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your

(Continue reading)

Achim Grolms | 12 Jan 2007 16:23

Picon

Re: Verification returned code 589824

On Friday 12 January 2007 03:33, Henry B. Hotz wrote:
> One of the changes is the addition of configure logic to detect if
> the installed gssapi library already understands the needed
> mechanisms.  The trouble is the logic only works with Gnu make, not
> with pmake, a.k.a. bsdmake, which is the native make on Solaris as
> well as BSDs other than MacOS.

Sounds comprehensible (and needs to be fixed in mod_auth_kerb
documentation and/or buildsystem?), but if Yves (Dorfsman) uses
RedHatES4 as OS to run his Apache - the 'make' *is*
a GNU-make, isn't it?

Achim

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

Yves Dorfsman | 15 Jan 2007 19:34

Re: Verification returned code 589824


>> One of the changes is the addition of configure logic to detect if
>> the installed gssapi library already understands the needed
>> mechanisms.  The trouble is the logic only works with Gnu make, not
>> with pmake, a.k.a. bsdmake, which is the native make on Solaris as
>> well as BSDs other than MacOS.
>
> Sounds comprehensible (and needs to be fixed in mod_auth_kerb
> documentation and/or buildsystem?), but if Yves (Dorfsman) uses
> RedHatES4 as OS to run his Apache - the 'make' *is*
> a GNU-make, isn't it?

Yes indeed, GNU make.

Yves.
----
Yves Dorfsman                                             yves <at> zioup.com
                                         http://www.cuug.ab.ca/dorfsmay
                                         http://www.SollerS.ca

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

Henry B. Hotz | 12 Jan 2007 22:16

Picon

Picon

Re: Verification returned code 589824

I would assume so;  should have noticed that.  OTOH I think the  
advice to check what configure thought still applies.

I've been meaning to mention the problem in general, since I'm not a  
configure expert, and I don't know how to solve it (except, maybe to  
make Gnu make an explicit requirement).

On Jan 12, 2007, at 7:23 AM, Achim Grolms wrote:

> On Friday 12 January 2007 03:33, Henry B. Hotz wrote:
>> One of the changes is the addition of configure logic to detect if
>> the installed gssapi library already understands the needed
>> mechanisms.  The trouble is the logic only works with Gnu make, not
>> with pmake, a.k.a. bsdmake, which is the native make on Solaris as
>> well as BSDs other than MacOS.
>
> Sounds comprehensible (and needs to be fixed in mod_auth_kerb
> documentation and/or buildsystem?), but if Yves (Dorfsman) uses
> RedHatES4 as OS to run his Apache - the 'make' *is*
> a GNU-make, isn't it?
>
> Achim

------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz <at> jpl.nasa.gov, or hbhotz <at> oxy.edu

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT

(Continue reading)

Mark Yalenti | 12 Jan 2007 15:26

Picon

Re: Verification returned code 589824

You will also want to make sure that when your AD gurus run ktpass, that
they specify  DES-CBC-MD5 encryption, which is not the default if you don't
specify it... for instance a keytab of mine looks like this when i create a
keytab.

ktpass -out c:\user.keytab -princ
host/marksol.toll-kerberos.com <at> TOLL-KERBEROS.COM -pass G00bers -mapuser
testuser1 -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5

God luck!

Mark Y!

-----Original Message-----
From: modauthkerb-help-bounces <at> lists.sourceforge.net
[mailto:modauthkerb-help-bounces <at> lists.sourceforge.net] On Behalf Of Henry
B. Hotz
Sent: Thursday, January 11, 2007 9:33 PM
To: achim <at> grolmsnet.de
Cc: Yves Dorfsman; modauthkerb-help <at> lists.sourceforge.net
Subject: Re: [modauthkerb] Verification returned code 589824

One of the changes is the addition of configure logic to detect if the
installed gssapi library already understands the needed mechanisms.  The
trouble is the logic only works with Gnu make, not with pmake, a.k.a.
bsdmake, which is the native make on Solaris as well as BSDs other than
MacOS.  (The reason is the the syntax for including the output of
krb5-config into a make variable is different.)

It's possible that configure is mis-detecting the need to build the

(Continue reading)

Yves Dorfsman | 12 Jan 2007 15:59

Re: Verification returned code 589824


On Fri, 12 Jan 2007, Mark Yalenti wrote:

> You will also want to make sure that when your AD gurus run ktpass, that
> they specify  DES-CBC-MD5 encryption, which is not the default if you don't
> specify it... for instance a keytab of mine looks like this when i create a
> keytab.

I'm not on site today, but I am assuming that if the wrong encryption was 
selected, it wouldn't work with 5.0rc7 either right ?

I will answer the other emails on monday when I am back on that site.

Thanks to everybody for help and sugestions.

Yves.
----
Yves Dorfsman                                             yves <at> zioup.com
                                                    http://www.SollerS.ca

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

Achim Grolms | 12 Jan 2007 16:13

Picon

Re: Verification returned code 589824

On Friday 12 January 2007 15:59, you wrote:
> On Fri, 12 Jan 2007, Mark Yalenti wrote:
> > You will also want to make sure that when your AD gurus run ktpass, that
> > they specify  DES-CBC-MD5 encryption, which is not the default if you
> > don't specify it... for instance a keytab of mine looks like this when i
> > create a keytab.
>
> I'm not on site today, but I am assuming that if the wrong encryption was
> selected, it wouldn't work with 5.0rc7 either right ?

Correct, wrong encryption type means it will work with no version
of mod_auth_kerb.

If you are unsure what encryption type your keytab is you can
have a look at the "keytype" field of your keytab-file, see
<http://www.grolmsnet.de/kerbtut/keytabfile.html> for details.

Achim

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

Return

Return to gmane.comp.apache.mod-auth-kerb.general.

Advertisement

Project Web Page

Discussing problems related to the Kerberos authentication module for Apache

Search Archive

Language

Change language

Options

Current view: Threads only / Showing only 20 lines / Not hiding cited text.
Change to All messages, whole messages, or hide cited text.

Post a message
NNTP Newsgroup
Classic Gmane web interface
XML

XML

RSS Feed
List Information

About Gmane