httpd-users mailing list archives

From "Paul Snyder" <psny...@postbulletin.com>
Subject [users@httpd] Kerberos Authentication Question
Date Fri, 01 Dec 2006 14:49:39 GMT
Good morning all,

I have Kerberos authentication working properly with one exception: when the
service principal's ticket expires in the Kerberos cache on the server, the
http server does not automatically contact the KDC to renew its credentials.
Instead, a 401 header is sent to the client and an error message is
generated in the httpd error log:

--------------------------------------------------------------------------------
[root@archive_dev ~]# tail /home/apache/logs/error_log
[Thu Nov 30 08:46:51 2006] [error] [client 199.86.91.250]
gss_accept_sec_context() failed: A token was invalid (Token header is
malformed or corrupt)
[Thu Nov 30 08:49:22 2006] [error] [client 199.86.91.250]
gss_accept_sec_context() failed: A token was invalid (Token header is
malformed or corrupt)
[Thu Nov 30 08:49:34 2006] [error] [client 199.86.91.250]
gss_accept_sec_context() failed: A token was invalid (Token header is
malformed or corrupt)
[Thu Nov 30 08:50:09 2006] [error] [client 199.86.91.250]
gss_accept_sec_context() failed: A token was invalid (Token header is
malformed or corrupt)
[Thu Nov 30 08:50:32 2006] [warn] RSA server certificate CommonName (CN)
`intranet_dev' does NOT match server name!?
[Thu Nov 30 08:50:34 2006] [warn] RSA server certificate CommonName (CN)
`intranet_dev' does NOT match server name!?
[Thu Nov 30 08:50:37 2006] [error] [client 199.86.91.250]
gss_accept_sec_context() failed: A token was invalid (Token header is
malformed or corrupt)
[Thu Nov 30 08:51:14 2006] [error] [client 199.86.91.250]
gss_accept_sec_context() failed: A token was invalid (Token header is
malformed or corrupt)
[Fri Dec 01 08:17:18 2006] [error] [client 199.86.91.250]
gss_accept_sec_context() failed: A token was invalid (Token header is
malformed or corrupt)
[Fri Dec 01 08:19:09 2006] [error] [client 199.86.91.250]
gss_accept_sec_context() failed: A token was invalid (Token header is
malformed or corrupt)
--------------------------------------------------------------------------------

The credentials are expired in the ticket cache:

--------------------------------------------------------------------------------
[root@archive_dev ~]# klist

Credentials cache: /tmp/krb5cc_0

Default principal: HTTP/intranet_dev.my.domain@MY.DOMAIN, 1 entry found.

[1]  Service Principal:  krbtgt/MY.DOMAIN@MY.DOMAIN
     Valid starting:  Nov 30, 2006 08:48
     Expires:         Nov 30, 2006 18:48
[root@archive_dev ~]#
--------------------------------------------------------------------------------

Renewing the credentials with kinit resolves the problem, BUT I want a
better solution than logging in to renew the credentials every time the cache
expires ;-)

SO MY QUESTION: What is the "right" way to set up my server to renew the
ticket for my httpd service account? A cron job? Or is there some setting I
haven't yet discovered for mod_auth_kerb?

Paul Snyder



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
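The cron-job option raised in the post, written out as an added example (this is not code from the post, from mod_auth_kerb, or from the Apache project). The script reads the service principal's ticket cache, parses the "Expires:" line in the format klist printed above, and re-runs kinit non-interactively from a keytab when the ticket is missing or close to expiry, so nobody has to log in to type a password. Assumptions not on the page: the keytab path /etc/httpd/http.keytab, a kinit that accepts -k/-t/-c, GNU date -d for timestamp parsing, and a one-hour renewal threshold; the principal and cache path are the ones shown in the post.

```shell
#!/bin/sh
# Added example: cron-driven refresh of the HTTP/ service principal's ticket
# cache from a keytab. Not from the original post or from mod_auth_kerb.

PRINC="${PRINC:-HTTP/intranet_dev.my.domain@MY.DOMAIN}"   # principal from the post
KEYTAB="${KEYTAB:-/etc/httpd/http.keytab}"                 # ASSUMED keytab location
CACHE="${CACHE:-/tmp/krb5cc_0}"                             # cache path from the post
THRESHOLD="${THRESHOLD:-3600}"                              # renew when < 1h remains

# expiry_epoch KLIST_OUTPUT: print the first "Expires:" timestamp as UTC epoch
# seconds. Returns 1 and prints nothing when no such line exists (empty cache).
# The timestamp format is the one shown in the post ("Nov 30, 2006 18:48");
# GNU date also parses MIT klist's "11/30/06 18:48:00" form.
expiry_epoch() {
    stamp=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Expires:[[:space:]]*//p' | head -n 1)
    [ -n "$stamp" ] || return 1
    TZ=UTC date -d "$stamp" +%s
}

# renewal_needed KLIST_OUTPUT NOW_EPOCH: succeed (exit 0) when the cache is
# empty or unparsable, or when the ticket expires within THRESHOLD seconds.
renewal_needed() {
    exp=$(expiry_epoch "$1") || return 0
    [ $((exp - $2)) -lt "$THRESHOLD" ]
}

# renew: obtain a fresh TGT for the service principal from the keytab.
# -k/-t avoid any password prompt, so this is safe to run unattended.
renew() {
    kinit -k -t "$KEYTAB" -c "$CACHE" "$PRINC"
}

# main: the cron entry point. Reads the live cache, decides, renews, logs.
main() {
    now=$(date +%s)
    current=$(klist -c "$CACHE" 2>/dev/null)
    if renewal_needed "$current" "$now"; then
        renew && logger -t krb-renew "renewed $PRINC into $CACHE"
    fi
}

# Only run main when executed as krb-renew.sh, so the functions can also be
# sourced and tested without touching a real KDC.
case "$(basename "$0")" in
    krb-renew.sh) main "$@" ;;
esac
```

Install it as /usr/local/sbin/krb-renew.sh and schedule it more often than the ticket lifetime minus the threshold, for example every hour for the ten-hour tickets shown in the post (`0 * * * * /usr/local/sbin/krb-renew.sh`). The keytab must be readable only by the account that runs the job, since it holds the service principal's long-term key; the script deliberately never writes a password anywhere.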

