Apache not finding the kerberos principal in keytab file

active-directoryapache-2.4kerberosmod-auth-kerb

Virtual host has been configured with these options;

AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbAuthRealms EXAMPLE.COM
KrbAuthoritative On
KrbServiceName HTTP/something.example.com@EXAMPLE.COM
Krb5KeyTab /path/to/krb/site.keytab
require valid-user

The site.keytab is readable by apache and contains a valid principal;

root@pa2# klist -k /path/to/krb/site.keytab
Keytab name: FILE:/path/to/krb/site.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  13 HTTP/something.example.com@EXAMPLE.COM (des-cbc-crc)
  13 HTTP/something.example.com@EXAMPLE.COM (des-cbc-md5)
  13 HTTP/something.example.com@EXAMPLE.COM (arcfour-hmac)
  13 HTTP/something.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
  13 HTTP/something.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
root@pa2# kvno -k /path/to/krb/site.keytab HTTP/something.example.com@EXAMPLE.COM
HTTP/something.example.com@EXAMPLE.COM: kvno = 13, keytab entry valid

But when I try to access the site, I get this error in the apache error log;

[Mon Mar 21 10:30:37.846616 2016] [auth_kerb:error] [pid 11217] [client ...:60195]
gss_accept_sec_context() failed: Unspecified GSS failure.
Minor code may provide more information
(, Cannot find key for HTTP/something.example.com@EXAMPLE.COM kvno 5 in keytab)

The current kvno is indeed not 5.

Best Answer

Issuing klist purge on the client windows computer resolved the kvno issue.

Related Solutions

Ldap – How to use ldapsearch with a cross-realm ticket

Insufficient domain realm mapping.

Required either
krb5.conf:
[domain_realm]
windows.domain.tld = WINDOWS.DOMAIN.TLD
.windows.domain.tld = WINDOWS.DOMAIN.TLD
or
DNS:
_kerberos.windows.domain.tld. TXT "WINDOWS.DOMAIN.TLD"

Only had DNS:
_kerberos.domain.tld. IN TXT "DOMAIN.TLD"

NFS4 + Kerberos: BAD_ENCRYPTION_TYPE, GSS: Encryption type not permitted, hang on “doing downcall”

In case someone goes the same way:

The original problem was solved by adding allow_weak_crypto = true to /etc/krb5.conf.

Next I was facing another issue, which was:

Apr 5 16:31:46 nfsserver rpc.svcgssd[2047]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): Unspecified GSS failure. Minor code may provide more information - Encryption type not permitted

Somebody had already described it before: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=637660 but nevertheless I did not find any solution, so I decided to try Debian Wheezy as nfsserver.

Wheeze seemed to go a bit further with GSS authentication but stuck on mount requests with something like this on the nfsserver side:

Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: leaving poll
Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: handling null request
Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: svcgssd_limit_krb5_enctypes: Calling gss_set_allowable_enctypes with 7 enctypes from the kernel
Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: sname = nfs/nfsclient.mydomain.com@MYDOMAIN.COM
Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: DEBUG: serialize_krb5_ctx: lucid version!
Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: prepare_krb5_rfc1964_buffer: serializing keys with enctype 4 and length 8
Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: doing downcall
Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: mech: krb5, hndl len: 4, ctx len 85, timeout: 1365455915 (32884 from now), clnt: nfs@nfsclient.mydomain.com, uid: -1, gid: -1, num aux grps: 0:
Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: sending null reply
Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: writing message: \x \x6082024606092a864886f71201020201006e82023530820231a003020105a10302010ea20703050020000000a38201596182015530820151a003020105a10d1b0b504152502e474f562e504ca2283026a003020103a11f301d1b036e66731b166e6673736572766572372e706172702e676f762e706ca382010f3082010ba003020112a103020102a281fe0481fbe088a06336ffcc607f9efbafa64f0504ea442ac6a5eb234a0e3c1a332b2648702e8eb0827c0b921fffaa232f093eca19df57ac14fb2f4cf1d7f86ae10c021c86aebd0f1a66916224445b872f05ff741b7978d5aeec8d446527f7aeca27858ce588914c046e321ff37a6db5d1c1b20871657bfafd180f0d1c591efef73ed31a09a04966e869888718da74ac226642c46b78a05f1621f4b1c4fe0dc59f6fa75a6a7feee6e81ee0eb9e4c6d01223b2725fecd7699efc4dc362df32383af681da948431fd3b39c8907a938a3729cff7c89407033341ba3c1f77d96accfe7c66446e1f76a936faa3c44a021a14a96658f89071ed66d4d9a6c6953698000a481be3081bba003020101a281b30481b057d186fa3e7ec53c26efe3535d3d447732da00abd0683e66fb93f457ec19a86fdd5050e2bb054dc721c1235d3156f41465e5a66c23ba5bb9201c4d38edbe92b7265b60c8f49329ffc398af58c0af2228aa1cfc2cc4968b2913abd18f0189996ebe9c57d649925bebc3efe1c53b2c86a5d51a86f7f58bd9d2d80271973190f2e258418581d5f5e1687ea0997ef7350e90061335be1e15b978b03fea21ba697d90f3c88397375cff94a9342306d642dc2a 1365423091 0 0 \x01000000 \x607006092a864886f71201020202006f61305fa003020105a10302010fa2533051a003020101a24a044882577e0441254f6c05add73796908deb02b7f61d90d7ed5bd54f67bb72e7ea2f8898ae1a6eb6e8fe631753b01bc9340dc4cdabf1b1985c449d28b4e9568aa85259f2cc591628a696 
Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: finished handling null request
Apr  8 14:10:31 nfsserver7 rpc.svcgssd[3924]: entering poll

Again there was some people who already dealt with this issue: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=682709 but the only working solution suggested by them was installing older version of nfs-(common|kernel-server).

This worked for me too.

What I learned is: setting up NFS + Kerberos is no joy. ;-)

Best Answer

Related Solutions

Ldap – How to use ldapsearch with a cross-realm ticket

NFS4 + Kerberos: BAD_ENCRYPTION_TYPE, GSS: Encryption type not permitted, hang on “doing downcall”

Related Topic