When I try to authenticate through apache2 with Kerberos 5, I get an error.
I use mod_auth_kerb.
When I look at my Apache logs, I can see my principal modified by adding:
.0.16.172.in-addr.arpa@ at the end.
So Kerberos answers with:
failed to verify krb5 credentials: Server not found in Kerberos database
I am able to get a ticket from Kerberos.
I use a keytab with a random key to authenticate my server: HTTP/admin-apache.domain.com
Here is an extract of the Apache logs:
[Wed Apr 15 16:12:50.539355 2015] [authz_core:debug] [pid 30467] mod_authz_core.c(809): [client 192.168.90.100:43211] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Wed Apr 15 16:12:50.539412 2015] [authz_core:debug] [pid 30467] mod_authz_core.c(809): [client 192.168.90.100:43211] AH01626: authorization result of : denied (no authenticated user yet)
[Wed Apr 15 16:12:50.539440 2015] [auth_kerb:debug] [pid 30467] src/mod_auth_kerb.c(1971): [client 192.168.90.100:43211] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Apr 15 16:12:50.541680 2015] [auth_kerb:debug] [pid 30467] src/mod_auth_kerb.c(1049): [client 192.168.90.100:43211] Using HTTP/admin-apache.domain.com.0.16.172.in-addr.arpa@ as server principal for password verification
[Wed Apr 15 16:12:50.541715 2015] [auth_kerb:debug] [pid 30467] src/mod_auth_kerb.c(753): [client 192.168.90.100:43211] Trying to get TGT for user [email protected]
[Wed Apr 15 16:12:50.565806 2015] [auth_kerb:debug] [pid 30467] src/mod_auth_kerb.c(663): [client 192.168.90.100:43211] Trying to verify authenticity of KDC using principal HTTP/admin-apache.domain.com.0.16.172.in-addr.arpa@
[Wed Apr 15 16:12:50.575915 2015] [auth_kerb:debug] [pid 30467] src/mod_auth_kerb.c(678): [client 192.168.90.100:43211] krb5_get_credentials() failed when verifying KDC
[Wed Apr 15 16:12:50.575946 2015] [auth_kerb:error] [pid 30467] [client 192.168.90.100:43211] failed to verify krb5 credentials: Server not found in Kerberos database
[Wed Apr 15 16:12:50.575959 2015] [auth_kerb:debug] [pid 30467] src/mod_auth_kerb.c(1131): [client 192.168.90.100:43211] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL)
Here is my vhost config:
ServerName ldapadmin.domain.com
ServerAdmin root@localhost
DocumentRoot /usr/share/phpldapadmin/htdocs
ErrorLog /var/log/apache2/ldap.localhost-error.log
CustomLog /var/log/apache2/ldap.localhost-access.log common
</VirtualHost>
AuthType Kerberos
AuthName "domain.com"
KrbMethodNegotiate on
KrbMethodK5Passwd on
Krb5Keytab /etc/apache2/http.keytab
KrbAuthRealms DOMAIN.COM
KrbServiceName HTTP
Require valid-user
DirectoryIndex index.php
Options +FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
<IfModule mod_mime.c>
  <IfModule mod_php5.c>
    AddType application/x-httpd-php .php
    php_flag magic_quotes_gpc Off
    php_flag track_vars On
    php_flag register_globals Off
    php_value include_path .
  </IfModule>
  <IfModule !mod_php5.c>
    <IfModule mod_actions.c>
      <IfModule mod_cgi.c>
        AddType application/x-httpd-php .php
        Action application/x-httpd-php /cgi-bin/php5
      </IfModule>
      <IfModule mod_cgid.c>
        AddType application/x-httpd-php .php
        Action application/x-httpd-php /cgi-bin/php5
      </IfModule>
    </IfModule>
  </IfModule>
</IfModule>
Why is my principal modified by Apache?
What can I do to fix this?
Thanks for your help.
Be nice, I am a beginner in Kerberos 5.
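
The mismatch visible in the log extract can be checked mechanically. The following is an added example, not part of the original post: it pulls the server principal that mod_auth_kerb logs at debug level and compares it with the expected SPN. The expected SPN is an assumption built from the keytab principal and the `KrbAuthRealms` value in the post; the function names are hypothetical.

```python
import re

# Two debug lines copied from the post above (timestamp and pid trimmed).
SAMPLE_LOG = """\
[auth_kerb:debug] src/mod_auth_kerb.c(1049): [client 192.168.90.100:43211] Using HTTP/admin-apache.domain.com.0.16.172.in-addr.arpa@ as server principal for password verification
[auth_kerb:debug] src/mod_auth_kerb.c(663): [client 192.168.90.100:43211] Trying to verify authenticity of KDC using principal HTTP/admin-apache.domain.com.0.16.172.in-addr.arpa@
"""

# The two message shapes in which mod_auth_kerb prints the server principal.
PRINCIPAL_RE = re.compile(
    r"(?:Using (?P<a>\S+) as server principal"
    r"|verify authenticity of KDC using principal (?P<b>\S+))"
)

def split_principal(principal):
    """Split 'service/host@REALM' into (service, host, realm)."""
    name, _, realm = principal.partition("@")
    service, _, host = name.partition("/")
    return service, host.lower(), realm

def check_log(log_text, expected_spn):
    """Return one finding per logged server principal that differs from expected_spn."""
    exp_service, exp_host, exp_realm = split_principal(expected_spn)
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = PRINCIPAL_RE.search(line)
        if not m:
            continue
        seen = m.group("a") or m.group("b")
        service, host, realm = split_principal(seen)
        problems = []
        if service != exp_service:
            problems.append(f"service {service!r} != {exp_service!r}")
        if host.startswith(exp_host + "."):
            problems.append(f"host has extra suffix {host[len(exp_host):]!r}")
        elif host != exp_host:
            problems.append(f"host {host!r} != {exp_host!r}")
        if realm != exp_realm:
            problems.append(f"realm {realm!r} != {exp_realm!r}")
        if problems:
            findings.append({"line": lineno, "principal": seen, "problems": problems})
    return findings

if __name__ == "__main__":
    # Assumed expected SPN: keytab principal plus the KrbAuthRealms realm.
    for f in check_log(SAMPLE_LOG, "HTTP/admin-apache.domain.com@DOMAIN.COM"):
        print(f["line"], f["principal"], "; ".join(f["problems"]))
```

On the sample lines it reports both the reverse-DNS style suffix appended to the host part and the empty realm after the `@`.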