


Problem with Kerberos working correctly due to 2 domains: gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key table entry not found)

Hi guys,

I've been working on this problem for about 3 days, I can't fix it, and now I have no more ideas:

Customer's environment:
Windows domain with DC where all users are: contoso.local

Sless11 for the web application is in a domain: contoso.lan (this is not a Windows domain - just the server is configured for this)
And that's the problem. I don't know how to manage these two domains.

URL to access the web application is:

When I now try to access the URL http://sless11.contoso.lan/webapp from a Windows machine which is in the domain contoso.local, there comes a 401 from the Apache with mod_auth_kerb.
In the error log from Apache there is:
[Thu Apr 03 08:42:36 2014] [debug] src/mod_auth_kerb.c(1667): [client 192.168.88.129] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Apr 03 08:42:36 2014] [debug] src/mod_auth_kerb.c(1667): [client 192.168.88.129] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Apr 03 08:42:36 2014] [debug] src/mod_auth_kerb.c(1277): [client 192.168.88.129] Acquiring creds for HTTP@sless11.contoso.lan
[Thu Apr 03 08:42:36 2014] [debug] src/mod_auth_kerb.c(1424): [client 192.168.88.129] Verifying client data using KRB5 GSS-API 
[Thu Apr 03 08:42:36 2014] [debug] src/mod_auth_kerb.c(1440): [client 192.168.88.129] Client didn't delegate us their credential
[Thu Apr 03 08:42:36 2014] [debug] src/mod_auth_kerb.c(1138): [client 192.168.88.129] GSS-API major_status:000d0000, minor_status:96c73ab5
[Thu Apr 03 08:42:36 2014] [error] [client 192.168.88.129] gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information (, Key table entry not found)

First question: 
I created a user "aaa" in the domain contoso.local and then I created the keytab file with this syntax:

Ktpass -princ HTTP/sless11.contoso.lan@CONTOSO.LOCAL -ptype KRB5_NT_Principal -mapuser aaa@contoso.local -pass Start123 -crypto AES128-SHA1 -out c:\test.keytab

And my krb5.conf looks like this:

[libdefaults]
        default_realm = CONTOSO.LOCAL
        default_keytab_name = FILE:/etc/apache2/test.keytab
        default_tkt_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc

[realms]
        CONTOSO.LOCAL = {
                kdc = 192.168.88.122
                admin_server = 192.168.88.122
                default_domain = CONTOSO.LOCAL
        }

        CONTOSO.LAN = {
                kdc = 192.168.88.122
                default_domain = CONTOSO.LOCAL
        }

[domain_realm]
        ..contoso.local = CONTOSO.LOCAL
        ..contosov.lan = CONTOSO.LAN


What am I doing wrong???

Thank you!
komarek79
4/3/2014 7:02:33 AM
comp.protocols.kerberos

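An added example, not part of the original post: a small Python triage helper that decodes the `major_status`/`minor_status` pair logged by mod_auth_kerb and ties it to the service name the module acquired credentials for. The function names, the subset of error names and the embedded sample lines (copied from the log in the post) are choices of this example.

```python
import re

# Sample input: the two relevant lines copied from the error log in the post.
SAMPLE_LOG = """\
[Thu Apr 03 08:42:36 2014] [debug] src/mod_auth_kerb.c(1277): [client 192.168.88.129] Acquiring creds for HTTP@sless11.contoso.lan
[Thu Apr 03 08:42:36 2014] [debug] src/mod_auth_kerb.c(1138): [client 192.168.88.129] GSS-API major_status:000d0000, minor_status:96c73ab5
"""

KRB5_BASE = -1765328384  # ERROR_TABLE_BASE_krb5 in MIT krb5
KRB5_NAMES = {           # subset of krb5 error-table offsets chosen for this example
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    37: "KRB5KRB_AP_ERR_SKEW",
    41: "KRB5KRB_AP_ERR_MODIFIED",
    181: "KRB5_KT_NOTFOUND",
}
# Subset of GSS-API routine errors (RFC 2744).
GSS_ROUTINE = {7: "GSS_S_NO_CRED", 9: "GSS_S_DEFECTIVE_TOKEN",
               10: "GSS_S_DEFECTIVE_CREDENTIAL", 13: "GSS_S_FAILURE"}

CREDS = re.compile(r"\[client (\S+)\] Acquiring creds for (\S+)")
STATUS = re.compile(r"\[client (\S+)\] GSS-API major_status:([0-9a-f]{8}), "
                    r"minor_status:([0-9a-f]{8})")

def decode_status(major_hex, minor_hex):
    """Split the major status into its RFC 2744 fields and name the minor code."""
    major, minor = int(major_hex, 16), int(minor_hex, 16)
    if minor >= 1 << 31:          # logged as unsigned; krb5 codes are signed 32-bit
        minor -= 1 << 32
    routine = (major >> 16) & 0xFF
    return {
        "calling_error": (major >> 24) & 0xFF,
        "routine_error": GSS_ROUTINE.get(routine, f"routine error {routine}"),
        "supplementary": major & 0xFFFF,
        "minor_signed": minor,
        "minor_name": KRB5_NAMES.get(minor - KRB5_BASE, "not in this subset"),
    }

def triage(log_text):
    """Pair each logged GSS failure with the service name acquired for that client."""
    service, findings = {}, []
    for line in log_text.splitlines():
        if m := CREDS.search(line):
            service[m.group(1)] = m.group(2)
        elif m := STATUS.search(line):
            finding = decode_status(m.group(2), m.group(3))
            finding.update(client=m.group(1), service=service.get(m.group(1)))
            findings.append(finding)
    return findings
```

For the log above, `triage(SAMPLE_LOG)` reports `GSS_S_FAILURE` with minor code `KRB5_KT_NOTFOUND` for service `HTTP@sless11.contoso.lan`, matching the "Key table entry not found" text in the error line.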