2

I did a fresh install of Apache 2.4. I'd like to use Kerberos authentication. I compiled and installed the mod_auth_kerb module. Here is my config:

<location "/restriced/">
SSLRequireSSL
AuthName "Kerberos login"
AuthType Kerberos
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbVerifyKDC Off
KrbServiceName HTTPS
KrbAuthRealms ******.***
Krb5KeyTab /etc/krb5.keytab
KrbLocalUserMapping On
require valid-user
</location>

When I try to access the "restricted" location I get this error:

[Mon Sep 30 10:21:18.782978 2013] [authz_core:debug] [pid 2219:tid 140278178531072] mod_authz_core.c(802): [client xx.xx.xx.xx:61773] **AH01626: authorization result of Require valid-user : denied (no authenticated user yet)**
[Mon Sep 30 10:21:18.783004 2013] [authz_core:debug] [pid 2219:tid 140278178531072] mod_authz_core.c(802): [client xx.xx.xx.xx:61773] **AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)**
[Mon Sep 30 10:21:18.783042 2013] [auth_kerb:debug] [pid 2219:tid 140278178531072] src/mod_auth_kerb.c(1643): [client xx.xx.xx.xx:61773] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Sep 30 10:21:18.783099 2013] [auth_kerb:debug] [pid 2219:tid 140278178531072] src/mod_auth_kerb.c(1255): [client xx.xx.xx.xx:61773] Acquiring creds for HTTPS@**********.***
[Mon Sep 30 10:21:18.786080 2013] [auth_kerb:debug] [pid 2219:tid 140278178531072] src/mod_auth_kerb.c(1116): [client xx.xx.xx.xx:61773] GSS-API major_status:000d0000, minor_status:000186a4
[Mon Sep 30 10:21:18.786127 2013] [auth_kerb:error] [pid 2219:tid 140278178531072] [client xx.xx.xx.xx:61773] gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, )

Thanks for any help.

Jenny D
ampy

1 Answer

3

The message "minor_status:000186a4" means that Apache can't read the keyfile.

The most likely reasons are that the file has got the wrong permissions, or it's not in the proper format.

Jenny D
  • Hi Jenny, thanks for the prompt answer. Apache runs with its own user and group named apache. I did a chown 644 apache:apache to the keytab file. Isn't that enough? Do I have to give more permissions? Thank you – ampy Oct 18 '13 at 07:41
  • Those permissions should be enough. So you would need to look at the actual contents of the file, to figure out why apache can't use it. There's some good info in http://fluxcoil.net/doku.php/software/kerberos/kerberized_apache that might be helpful to you – Jenny D Oct 18 '13 at 12:58
  • Hi, new information: when I set the parameter KrbMethodK5Passwd to ON, Firefox prompts for credentials and the authentication works. But it's not exactly what I want for single sign-on. Thank you for any help. – ampy Oct 21 '13 at 17:03