Kerberos SSO GSS-API error
I had a working setup of Kerberos + Apache using a Windows primary domain
controller for authentication and then it just stopped working. Getting
GSS-API major_status:000d0000, minor_status:000186a4
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sysman@AD.LAN
Valid starting Expires Service principal
08/20/13 08:35:48 08/20/13 18:35:56 krbtgt/AD.LAN@AD.LAN
renew until 08/21/13 08:35:48
08/20/13 08:46:08 08/20/13 18:35:56 ldap/ts1.ad.lan@AD.LAN
renew until 08/21/13 08:35:48
# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 9 HTTP/vm1l6-kl.srv.lan@AD.LAN
2 9 HTTP/vm1l6-kl.srv.lan@AD.LAN
3 9 HTTP/vm1l6-kl.srv.lan@AD.LAN
4 9 HTTP/vm1l6-kl.srv.lan@AD.LAN
5 9 HTTP/vm1l6-kl.srv.lan@AD.LAN
6 9 HTTP/kl@AD.LAN
7 9 HTTP/kl@AD.LAN
8 9 HTTP/kl@AD.LAN
9 9 HTTP/kl@AD.LAN
10 9 HTTP/kl@AD.LAN
11 9 HTTP/info.lan@AD.LAN
12 9 HTTP/info.lan@AD.LAN
13 9 HTTP/info.lan@AD.LAN
14 9 HTTP/info.lan@AD.LAN
15 9 HTTP/info.lan@AD.LAN
# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = AD.LAN
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true
default_keytab_name = FILE:/etc/krb5.keytab
[realms]
ad.lan = {
kdc = dc-auth
master_kdc = dc-auth
admin_server = dc-auth
default_domain = ad.lan
}
[domain_realm]
.ad.lan = AD.LAN
ad.lan = AD.LAN
# cat /etc/samba/smb.conf
[global]
netbios name = kl
realm = AD.LAN
security = ADS
encrypt passwords = yes
password server = dc-auth
workgroup = AD
winbind refresh tickets = true
In the Apache configuration:
<Location /autologin/login_krb.php>
ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0;url=/autologin/login_anonymous.php\"></html>"
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbAuthoritative On
KrbMethodK5Passwd Off
KrbAuthRealms AD.LAN
KrbVerifyKDC Off
Krb5KeyTab /etc/krb5.keytab
require valid-user
</Location>
Then on the Windows primary DC:
C:\>setspn -q HTTP/info.lan
CN=kl,CN=Computers,DC=ad,DC=lan
HTTP/info.lan
HTTP/vm1l6-kl.srv.lan
HTTP/kl
HOST/vm1l6-kl.srv.lan
HOST/KL
Existing SPN found!
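The major status 0x000d0000 is GSS_S_FAILURE (routine error 13 in bits 16-31), so it only says that gss_accept_sec_context() rejected the token; on an AD-joined host like this one a frequent reason is a keytab whose KVNO no longer matches the KVNO the DC issues after the machine account password rotated, which klist of the user's own TGT will never reveal. The check below is an added example, not part of the post: it assumes MIT klist/kvno output formats and compares the keytab KVNO with the KDC's per HTTP/ SPN, using a constructed sample built from the KVNO-9 keytab shown above.

```shell
#!/bin/sh
# Cross-check the KVNO in the keytab against the KVNO the KDC issues for each
# HTTP/ SPN. A machine account password reset bumps the key version on the DC;
# tickets then carry the new KVNO, the old keytab cannot decrypt the AP-REQ,
# and gss_accept_sec_context() fails although klist looks healthy.
# "principal kvno" pairs from MIT `klist -k` output (numbered entries only).
keytab_kvnos() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2, $1 }' | sort -u
}

# "principal kvno" pairs from `kvno` output such as "HTTP/kl@AD.LAN: kvno = 10".
# Error lines carry no "kvno = ", so an unknown SPN simply shows up as absent.
kdc_kvnos() {
    printf '%s\n' "$1" | awk -F'[: =]+' '/kvno = / { print $1, $NF }'
}

# Print each keytab principal whose KVNO differs from the KDC's, or for which
# the KDC issued no ticket. Returns 0 when everything matches, 1 otherwise.
kvno_mismatches() {
    { keytab_kvnos "$1" | sed 's/^/KT /'; kdc_kvnos "$2" | sed 's/^/KDC /'; } | awk '
        $1 == "KT"  { kt[$2] = $3 }
        $1 == "KDC" { kdc[$2] = $3 }
        END {
            bad = 0
            for (p in kt) {
                if (!(p in kdc)) {
                    printf "%s: keytab kvno %s, KDC issued no ticket\n", p, kt[p]; bad = 1
                } else if (kt[p] != kdc[p]) {
                    printf "%s: keytab kvno %s != KDC kvno %s\n", p, kt[p], kdc[p]; bad = 1
                }
            }
            exit bad
        }'
}

# Live run against the real tools (needs a TGT in the cache); not called below.
# The unquoted $(...) deliberately word-splits into one kvno argument per SPN.
check_live() {
    kt=$(klist -k /etc/krb5.keytab)
    kvno_mismatches "$kt" "$(kvno $(keytab_kvnos "$kt" | awk '{ print $1 }') 2>&1)"
}

# Constructed sample: the KVNO-9 keytab from the page vs. a DC now issuing KVNO 10.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----
   9 HTTP/info.lan@AD.LAN
   9 HTTP/kl@AD.LAN'
SAMPLE_KVNO='HTTP/info.lan@AD.LAN: kvno = 9
HTTP/kl@AD.LAN: kvno = 10'
kvno_mismatches "$SAMPLE_KEYTAB" "$SAMPLE_KVNO" || echo "stale keytab: re-export it from the DC"
```

Run check_live on the web server itself (the TGT from the klist above is enough); any reported principal means the keytab must be regenerated before Negotiate can succeed.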