When I configured Apache authentication using Kerberos, it worked fine. It asks for the password and logs into the website, and it creates log information like this:
/var/log/kerberos/krb5kdc.log
Jul 03 15:30:03 ashokkrishna-Lenovo-B560 krb5kdc[4060](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.1.224: NEEDED_PREAUTH: ashokkrishna@IGROUP.COM for krbtgt/IGROUP.COM@IGROUP.COM, Additional pre-authentication required
Jul 03 15:30:03 ashokkrishna-Lenovo-B560 krb5kdc[4060](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.1.224: ISSUE: authtime 1435917603, etypes {rep=18 tkt=18 ses=18}, ashokkrishna@IGROUP.COM for krbtgt/IGROUP.COM@IGROUP.COM
But when I run
ashokkrishna@ashokkrishna-Lenovo-B560:~$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1000)
it is not listing any obtained tickets. Why?
Every time I open Firefox, the website asks for the username and password again and again, although my ticket expiration time is long enough.
But when I add the user using
ashokkrishna@ashokkrishna-Lenovo-B560:~$ kinit ashokkrishna
Password for ashokkrishna@IGROUP.COM:
ashokkrishna@ashokkrishna-Lenovo-B560:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: ashokkrishna@IGROUP.COM
Valid starting Expires Service principal
2015-07-03T15:56:33 2015-07-04T01:56:33 krbtgt/IGROUP.COM@IGROUP.COM
renew until 2015-07-04T15:56:30
2015-07-03T15:56:44 2015-07-04T01:56:33 HTTP/igroup.com@IGROUP.COM
renew until 2015-07-04T15:56:30
it's working fine.
Why is this happening?
EDIT:
/etc/apache2/sites-enabled/sites-enabled.
<Directory /var/www/html/auth-kerberos>
    AuthType Kerberos
    AuthName "Kerberos Authentication"
    KrbAuthRealms IGROUP.COM
    Krb5Keytab /etc/krb5.keytab
    KrbMethodNegotiate On
    KrbSaveCredentials Off
    KrbVerifyKDC Off
    Require valid-user
</Directory>
kadmin.local configuration.
kadmin.local: listprincs
HTTP/igroup.com@IGROUP.COM
K/M@IGROUP.COM
ashokkrishna/admin@IGROUP.COM
ashokkrishna@IGROUP.COM
host/igroup.com@IGROUP.COM
kadmin/admin@IGROUP.COM
kadmin/changepw@IGROUP.COM
kadmin/igroup.com@IGROUP.COM
krbtgt/IGROUP.COM@IGROUP.COM
root/admin@IGROUP.COM
ashokkrishna is the user (client). And one thing: I have the KDC, admin server, Apache server and client all on a single host (PC). I am testing on a single system.
Best Answer
When KrbMethodNegotiate fails because you don't have a valid (in your case any) ticket, Apache falls back to KrbMethodK5Passwd, which is on by default. This is the expected behavior with your configuration.

Side notes
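The behaviour the answer describes (Negotiate failing for want of a ticket, then the password fallback) can be checked against the asker's own Directory block and KDC log. The following is an added example, not code from the question or the answer: it lints the posted Directory block for the two directives involved, puts the same block with the fallback disabled and KDC verification restored beside it, and classifies krb5kdc.log lines by whether the KDC ever issued an HTTP/ service ticket to the principal (the request a Negotiate login makes and a password-only verification never does). Assumptions: mod_auth_kerb's documented defaults (KrbMethodK5Passwd and KrbVerifyKDC are On unless set Off), the krb5kdc.log line shape shown in the question, and one constructed TGS_REQ line standing in for what a browser Negotiate login would log.

```python
import re
from collections import defaultdict

# mod_auth_kerb directive defaults (assumption: as documented for the module).
DEFAULTS = {
    "KrbMethodNegotiate": "on",
    "KrbMethodK5Passwd": "on",
    "KrbVerifyKDC": "on",
    "KrbSaveCredentials": "off",
}

# The <Directory> block posted in the question (KrbMethodK5Passwd left at its default).
QUESTION_CONFIG = """
<Directory /var/www/html/auth-kerberos>
    AuthType Kerberos
    AuthName "Kerberos Authentication"
    KrbAuthRealms IGROUP.COM
    Krb5Keytab /etc/krb5.keytab
    KrbMethodNegotiate On
    KrbSaveCredentials Off
    KrbVerifyKDC Off
    Require valid-user
</Directory>
"""

# The same block with the password fallback off and KDC verification on:
# without a ticket the browser now gets a plain 401 instead of a password prompt.
HARDENED_CONFIG = QUESTION_CONFIG.replace(
    "KrbVerifyKDC Off", "KrbVerifyKDC On\n    KrbMethodK5Passwd Off")

def parse_directory_block(text):
    """Return the Krb* settings inside <Directory>...</Directory>, defaults applied."""
    settings = dict(DEFAULTS)
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("<Directory"):
            inside = True
        elif line.startswith("</Directory"):
            inside = False
        elif inside and line and not line.startswith("#"):
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0] in settings:
                settings[parts[0]] = parts[1].strip().lower()
    return settings

def lint_auth_kerb(text):
    """Return [(directive, why it matters)] for the settings behind the question's symptom."""
    s = parse_directory_block(text)
    findings = []
    if s["KrbMethodK5Passwd"] == "on":
        findings.append(("KrbMethodK5Passwd",
                         "on (default): with no Negotiate token Apache prompts for a password, "
                         "so the page loads without any ticket ever reaching the client cache"))
    if s["KrbVerifyKDC"] == "off":
        findings.append(("KrbVerifyKDC",
                         "off: the TGT obtained with the user's password is not checked "
                         "against the HTTP/ keytab entry, so a spoofed KDC could log a user in"))
    return findings

# krb5kdc.log request line, in the shape shown in the question (IPv4 addresses assumed).
KDC_LINE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{[^}]*\}\) (?P<ip>[0-9.]+): "
    r"(?P<status>[A-Z_]+):.*?(?P<client>[^\s,]+@[^\s,]+) for (?P<service>[^\s,]+@[^\s,]+)")

def parse_kdc_log(lines):
    """Yield (req, status, ip, client, service) for every line that matches KDC_LINE."""
    for line in lines:
        m = KDC_LINE.search(line)
        if m:
            yield (m["req"], m["status"], m["ip"], m["client"], m["service"])

def classify_logins(lines):
    """Per client principal: 'http-ticket' if the KDC ever issued a TGS_REQ for an HTTP/
    service (what a Negotiate login needs), else 'tgt-only' (only AS_REQs: kinit, or
    mod_auth_kerb verifying a password with KrbVerifyKDC Off)."""
    issued = defaultdict(set)
    for req, status, _ip, client, service in parse_kdc_log(lines):
        if status == "ISSUE":
            issued[client].add((req, service.split("/")[0]))
    return {client: ("http-ticket" if ("TGS_REQ", "HTTP") in pairs else "tgt-only")
            for client, pairs in issued.items()}

# The two lines quoted in the question.
QUESTION_LOG = [
    "Jul 03 15:30:03 ashokkrishna-Lenovo-B560 krb5kdc[4060](info): AS_REQ (6 etypes {18 17 16 23 25 26}) "
    "192.168.1.224: NEEDED_PREAUTH: ashokkrishna@IGROUP.COM for krbtgt/IGROUP.COM@IGROUP.COM, "
    "Additional pre-authentication required",
    "Jul 03 15:30:03 ashokkrishna-Lenovo-B560 krb5kdc[4060](info): AS_REQ (6 etypes {18 17 16 23 25 26}) "
    "192.168.1.224: ISSUE: authtime 1435917603, etypes {rep=18 tkt=18 ses=18}, "
    "ashokkrishna@IGROUP.COM for krbtgt/IGROUP.COM@IGROUP.COM",
]
# Constructed line (not from the question): the service-ticket request a Negotiate login makes.
CONSTRUCTED_TGS_LINE = (
    "Jul 03 15:56:44 ashokkrishna-Lenovo-B560 krb5kdc[4060](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) "
    "192.168.1.224: ISSUE: authtime 1435919193, etypes {rep=18 tkt=18 ses=18}, "
    "ashokkrishna@IGROUP.COM for HTTP/igroup.com@IGROUP.COM")

if __name__ == "__main__":
    for directive, why in lint_auth_kerb(QUESTION_CONFIG):
        print(f"{directive}: {why}")
    print("hardened block findings:", lint_auth_kerb(HARDENED_CONFIG))
    print("question log:", classify_logins(QUESTION_LOG))
    print("with a Negotiate login:", classify_logins(QUESTION_LOG + [CONSTRUCTED_TGS_LINE]))
```

On the question's two log lines the verdict is tgt-only: the KDC only ever handed out a TGT in response to a password, which is exactly what the fallback path produces and why klist on the client stays empty. Once a TGS_REQ for HTTP/igroup.com appears (as it does after the kinit in the question, or from a browser with a ticket), the verdict flips. Note that with KrbVerifyKDC On the server itself also requests an HTTP/ ticket to check the KDC, so on a single-host setup the log alone does not separate the server's verification from the browser's login; the config lint is the reliable check there.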