httpd-users mailing list archives

From Carsten Aulbert <carsten.aulb...@aei.mpg.de>
Subject Re: [users@httpd] Kerberos issues
Date Wed, 26 Nov 2008 19:07:53 GMT
Eric Covener wrote:
> On Wed, Nov 26, 2008 at 9:07 AM, Carsten Aulbert
> <carsten.aulbert@aei.mpg.de> wrote:
>> Hi all,
>>
>> we experience something weird here. We are running Apache 2.2.3 with
>> mod_auth_kerb 5.3 on Debian Etch. Authentication against a remote
>> Kerberos server (V5) works but when I access web pages with a lot of
>> (embedded) images, several pop-ups appear, asking me to identify myself
>> again.
> 
> Normally, your browser doesn't bother you if it has already prompted
> you for a matching REALM and the host/port/path of the subsequent
> request is "underneath" the first place it authenticated. How are the
> URLs you're re-prompted for related to the first URL?

They are just relative to the main page, e.g. image src="jpeg/image.jpg"
and so on...

After turning on debugging in the server I now see more details (sorry
for the line wraps):
[Wed Nov 26 19:59:11 2008] [info] Subsequent (No.20) HTTPS request received for child 9 (server SERVER:443)
[Wed Nov 26 19:59:11 2008] [debug] src/mod_auth_kerb.c(1485): [client X.Y.Z.22] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos, referer: https://SERVER/~username/PROTECTED/dir/
[Wed Nov 26 19:59:11 2008] [debug] src/mod_auth_kerb.c(940): [client X.Y.Z.22] Using HTTP/SERVER@LIGO.ORG as server principal for password verification, referer: https://SERVER/~username/PROTECTED/dir/
[Wed Nov 26 19:59:11 2008] [debug] src/mod_auth_kerb.c(680): [client X.Y.Z.22] Trying to get TGT for user carsten@KERBEROS.ORG, referer: https://SERVER/~username/PROTECTED/dir/
[Wed Nov 26 19:59:11 2008] [debug] src/mod_auth_kerb.c(1019): [client X.Y.Z.22] kerb_authenticate_user_krb5pwd ret=0 user=carsten@KERBEROS.ORG authtype=Basic, referer: https://SERVER/~username/PROTECTED/dir/
[Wed Nov 26 19:59:11 2008] [debug] src/mod_auth_kerb.c(1019): [client X.Y.Z.22] kerb_authenticate_user_krb5pwd ret=0 user=carsten@KERBEROS.ORG authtype=Basic, referer: https://SERVER/~christian/LSC/coherent03/
[Wed Nov 26 19:59:11 2008] [debug] src/mod_auth_kerb.c(609): [client X.Y.Z.22] krb5_get_credentials() failed when verifying KDC, referer: https://SERVER/~username/PROTECTED/dir/
[Wed Nov 26 19:59:11 2008] [error] [client X.Y.Z.22] failed to verify krb5 credentials: Request is a replay, referer: https://SERVER/~username/PROTECTED/dir/
[Wed Nov 26 19:59:11 2008] [debug] src/mod_auth_kerb.c(1019): [client X.Y.Z.22] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL), referer: https://SERVER/~username/PROTECTED/dir/
[Wed Nov 26 19:59:11 2008] [debug] src/mod_auth_kerb.c(594): [client X.Y.Z.22] Trying to verify authenticity of KDC using principal HTTP/SERVER@LIGO.ORG, referer: https://SERVER/~username/PROTECTED/dir/
[Wed Nov 26 19:59:11 2008] [debug] src/mod_auth_kerb.c(594): [client X.Y.Z.22] Trying to verify authenticity of KDC using principal HTTP/SERVER@LIGO.ORG, referer: https://SERVER/~username/PROTECTED/dir/
[Wed Nov 26 19:59:11 2008] [debug] src/mod_auth_kerb.c(594): [client X.Y.Z.22] Trying to verify authenticity of KDC using principal HTTP/SERVER@LIGO.ORG, referer: https://SERVER/~username/PROTECTED/dir/
[Wed Nov 26 19:59:11 2008] [debug] ssl_engine_io.c(1775): OpenSSL: read 5/5 bytes from BIO#893340 [mem: 8a48b0] (BIO dump follows)


Especially this line about the replay looks fishy, right?

I'm still completely puzzled by this.

Anyone less puzzled?

Cheers,
Carsten

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
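
Added example, not part of the original message and not code from mod_auth_kerb: a Python script that triages an error log like the one quoted above by grouping entries per second and client, then reporting where a password login was accepted while another was rejected with "Request is a replay". It assumes the wrapped entries have been joined to one per line; the sample log is constructed from the entries in the message, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: unwrapped entries modelled on the log quoted above.
SAMPLE_LOG = """\
[Wed Nov 26 19:59:11 2008] [debug] src/mod_auth_kerb.c(1019): [client X.Y.Z.22] kerb_authenticate_user_krb5pwd ret=0 user=carsten@KERBEROS.ORG authtype=Basic, referer: https://SERVER/~username/PROTECTED/dir/
[Wed Nov 26 19:59:11 2008] [debug] src/mod_auth_kerb.c(609): [client X.Y.Z.22] krb5_get_credentials() failed when verifying KDC, referer: https://SERVER/~username/PROTECTED/dir/
[Wed Nov 26 19:59:11 2008] [error] [client X.Y.Z.22] failed to verify krb5 credentials: Request is a replay, referer: https://SERVER/~username/PROTECTED/dir/
[Wed Nov 26 19:59:11 2008] [debug] src/mod_auth_kerb.c(1019): [client X.Y.Z.22] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL), referer: https://SERVER/~username/PROTECTED/dir/
[Wed Nov 26 19:59:12 2008] [debug] src/mod_auth_kerb.c(1019): [client X.Y.Z.23] kerb_authenticate_user_krb5pwd ret=0 user=carsten@KERBEROS.ORG authtype=Basic, referer: https://SERVER/~username/PROTECTED/dir/
"""

# Apache 2.2 error-log entry: [time] [level] optional "file(line): " [client addr] message
ENTRY = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?:\S+\(\d+\): )?"
    r"\[client (?P<client>[^\]]+)\] (?P<msg>.*)$"
)
RET = re.compile(r"kerb_authenticate_user_krb5pwd ret=(\d+)")


def summarize(log_text):
    """Count per (timestamp, client): password-auth results and replay errors."""
    stats = defaultdict(Counter)
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # wrapped fragments and entries without a client are skipped
        key = (m["ts"], m["client"])
        ret = RET.search(m["msg"])
        if ret:
            stats[key]["ok" if ret.group(1) == "0" else "denied"] += 1
        if m["level"] == "error" and "Request is a replay" in m["msg"]:
            stats[key]["replay"] += 1
    return stats


def replay_denials(log_text):
    """Seconds in which one client was both accepted and rejected as a replay."""
    return sorted(
        key for key, c in summarize(log_text).items()
        if c["replay"] and c["ok"] and c["denied"]
    )


if __name__ == "__main__":
    for ts, client in replay_denials(SAMPLE_LOG):
        print(f"{ts} {client}: replay error alongside successful logins")
```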

