Anyone got Kerberos working to auth Apache to W2K3?
We've got a Windows 2003 AD Domain Server that we'd like to authenticate our LAN users to from the Apache webserver. Our webserver admin has already installed mod_auth_kerb and can authenticate on the command line from the webserver, but not through a browser. Here's the details, names and IPs changed to protect the guilty (sent to the kerberos help mailing list, but the list was unreachable):
I am running RedHat Linux 3.0 ES

$uname -a
Linux www.domain.com 2.4.21-20.ELsmp #1 SMP Wed Aug 18 20:46:40 EDT 2004 i686 i686 i386 GNU/Linux

I have configured kerberos 5 like so:

$cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN.COM
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
permitted_enctypes = des3-hmac-sha1 des-cbc-crc
dns_lookup_realm = false
dns_lookup_kdc = false
kdc_req_checksum_type = 2
checksum_type = 2
ccache_type = 1
forwardable = true
proxiable = true

[realms]
DOMAIN.COM = {
kdc = 192.168.1.1:88
kdc = 192.168.1.2:88
admin_server = 192.168.1.1:749
default_domain = domain.com
}

[domain_realm]
.domain.com = DOMAIN.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

[login]
krb4_convert = false
krb4_get_tickets = false

And kdc.conf like so:

[kdcdefaults]
kdc_ports = 88
acl_file = /etc/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /etc/kerberos/krb5kdc/kadm5.keytab

[realms]
DOMAIN.COM = {
master_key_type = des3-cbc-sha1
supported_enctypes = des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
profile = /etc/krb5.conf
database_name = /etc/kerberos/krb5kdc/principal
admin_database_name = /etc/kerberos/krb5kdc/kadm5_adb
admin_database_lockfile = /etc/kerberos/krb5kdc/kadm5_adb.lock
admin_keytab = FILE:/etc/kerberos/krb5kdc/kadm5.keytab
acl_file = /etc/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
key_stash_file = /etc/kerberos/krb5kdc/.k5stash
kdc_ports = 88
kadmind_port = 749
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
}

Now with this I am able to authenticate off our Active Directory from our webserver (at least from what I understand):

$kinit pkoppel
Password for pkoppel@DOMAIN.COM:

$klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: pkoppel@DOMAIN.COM

Valid starting     Expires            Service principal
09/16/04 16:25:00  09/17/04 02:25:00  krbtgt/DOMAIN.COM@DOMAIN.COM

Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached

I then created a service principal for the Apache server.

>ktpass -out http.keytab -princ HTTP/www.domain.com@DOMAIN.COM -pass * -mapuser wwwuser
Successfully mapped HTTP/www.domain.com to wwwuser.
Type the password for HTTP/www.domain.com:
Key created.
Output keytab to http.keytab:

Keytab version: 0x502
keysize 68 HTTP/www.domain.com@DOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 1 etype 0x1 (DES-CBC-CRC) keylength 8 (0x5823c1381fc1da2c)
Account has been set for DES-only encryption.

I then copied the keytab file to the linux server and I can use it to auth from AD:

$kinit -k -t /usr/local/apache/etc/http.keytab HTTP/www.domain.com@DOMAIN.COM

$klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: HTTP/www.domain.com@DOMAIN.COM

Valid starting     Expires            Service principal
09/16/04 16:46:32  09/17/04 02:46:32  krbtgt/DOMAIN.COM@DOMAIN.COM

Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached

Apache was installed with:
./configure --enable-module=so; make; make install;

Now I downloaded and installed mod_auth_kerb-5.0-rc6.tar.gz

./configure --with-krb5=/usr/kerberos --with-apache=/usr/local/apache; make; make install;

/usr/local/apache/libexec/mod_auth_kerb.so is created

Added LoadModule into httpd.conf:

LoadModule auth_kerb_module   libexec/mod_auth_kerb.so

I then added Directory to Virtual Host and restarted the server:

<Directory /www/devel/http>
AuthType  Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbAuthoritative on
KrbAuthRealm DOMAIN.COM
KrbVerifyKDC on
KrbServiceName HTTP
Krb5Keytab /usr/local/apache/etc/http.keytab
KrbSaveCredentials on
require valid-user
</Directory>

On I.E. under the Internet Options >> Advanced >> Security >> Enable Integrated Windows Authentication { ON } Reboot XP Box

On I.E. I go to the IP address of the server and I get a "Connect to 192.168.1.3" Window

1) Shouldn't the "Integrated Windows Authentication" have already checked my auth with AD?
a) and if not how can I set that up?

b) The username defaults to 192.168.1.3\john (but my window and linux usernames are jsmith)

2) No matter what password and username combo I use I get the same error (Internal Server Error)
DOMAIN\jsmith
192.168.1.3\jsmith

And I get the following error in my apache error log file:

[Thu Sep 16 17:13:55 2004] [error] [client 65.123.211.30] gss_acquire_cred() failed: Miscellaneous failure (Unknown code k5g 1)

Any suggestions would be greatly appreciated.


[Edit] Fixed long lines
===

Implicitly condoning stupidity since 2001.
Edited by drewk Sept. 28, 2004, 04:08:07 PM EDT
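An added check for the keytab half of this setup (example code, not from the original post and not part of mod_auth_kerb or MIT Kerberos): a small Python script that parses the keytab format ktpass wrote above (version 0x502), reports each entry's principal, kvno and enctype, and compares the principal against the SPN a browser will ask for. It makes two things visible. First, the browser in the post is pointed at an IP address, and IE/SSPI builds no Kerberos SPN for an IP-literal host; it falls back to NTLM, which mod_auth_kerb's Negotiate handler cannot accept, so the keytab's HTTP/www.domain.com entry is never matched from that URL. Second, the only key in the keytab is single-DES, which the ktpass output itself flags. The keytab bytes are constructed inline to mirror the quoted ktpass output (same principal, kvno 1, etype 1, the 8-byte key shown); the function and constant names are this example's own. One thing the script cannot check from bytes alone: mod_auth_kerb calls gss_acquire_cred() as the user Apache runs under, so the file named in Krb5Keytab must be readable by that user.

```python
"""Inspect an MIT keytab offline and compare it with the SPN a browser would
request. Added example; not code from the original post."""
import ipaddress
import struct
import sys
from urllib.parse import urlsplit

# Enctype numbers as registered for Kerberos (RFC 3961/3962, MIT, MS-KILE).
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
            16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK = {1, 2, 3, 23}            # single DES and RC4 are brute-forceable today


def _counted(buf, off):
    """Read a keytab counted_octet_string: uint16 length + bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2: off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Parse a version-0x502 keytab into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:               # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, _ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        etype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off: off + klen]
        off += klen
        vno = vno8
        if end - off >= 4:          # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, off)
            vno = vno32 or vno
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "kvno": vno, "etype": etype,
                        "etype_name": ENCTYPES.get(etype, "unknown(%d)" % etype),
                        "weak": etype in WEAK, "key": key})
    return entries


def expected_spn(url):
    """SPN a Windows client derives from the URL host for service HTTP.
    IE/SSPI forms no Kerberos SPN for an IP-literal host, so return None."""
    host = urlsplit(url).hostname
    if host is None:
        return None
    try:
        ipaddress.ip_address(host)
        return None
    except ValueError:
        return "HTTP/" + host.lower()


def check(keytab_bytes, url, realm):
    """Return a list of problems that would stop Negotiate auth for `url`."""
    entries = parse_keytab(keytab_bytes)
    spn = expected_spn(url)
    problems = []
    if spn is None:
        problems.append("browser URL uses an IP literal; client will not request a Kerberos ticket")
    elif not any(e["principal"] == spn + "@" + realm for e in entries):
        problems.append("keytab lacks %s@%s" % (spn, realm))
    for e in entries:
        if e["weak"]:
            problems.append("%s kvno %d uses weak enctype %s"
                            % (e["principal"], e["kvno"], e["etype_name"]))
    return problems


def build_keytab(principal, kvno, etype, key, timestamp=0):
    """Serialise a one-entry keytab; used only to construct sample input."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # name type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


# Constructed sample mirroring the ktpass output quoted in the post.
SAMPLE_KEYTAB = build_keytab("HTTP/www.domain.com@DOMAIN.COM", 1, 1,
                             bytes.fromhex("5823c1381fc1da2c"))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for e in parse_keytab(data):
        print("%-40s kvno %d %s" % (e["principal"], e["kvno"], e["etype_name"]))
    for url in ("http://192.168.1.3/", "http://www.domain.com/"):
        print(url, "->", check(data, url, "DOMAIN.COM") or "ok")
```

Run it with the real file (`python3 check_keytab.py /usr/local/apache/etc/http.keytab`) as the Apache user to cover the permission question at the same time: a PermissionError from `open()` is the same failure gss_acquire_cred() hits.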
What version of Kerberos?
You need AT LEAST version 1.3.1 to communicate properly with W2K3.

Leave the version installed on the machine. Get the newest version from MIT (v1.3.5) I think. Extract it both times (they tar the package with signatures). cd into the krb5-<version>/src/ directory and do this configure line.
./configure --program-prefix= --prefix=/usr --exec-prefix=/usr \
--bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share \
--includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec \
--localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man \
--infodir=/usr/share/info CC=gcc CFLAGS="-O2 -g -pipe -march=i386 -mcpu=i686 \
-I/usr/include/et -fPIC" LDFLAGS= CPPFLAGS="-I/usr/include/et" --enable-shared \
--enable-static --bindir=/usr/kerberos/bin --mandir=/usr/kerberos/man \
--sbindir=/usr/kerberos/sbin --datadir=/usr/kerberos/share \
--localstatedir=/var/kerberos --with-krb4 --with-system-et --with-system-ss \
--without-tcl --enable-dns
then do the make ; su -c "make test" ; su -c "make install"

To see if it worked, try a kinit ads-user@DOMAIN.COM if your stuff is set properly... it should.

Then you should be able to auth against the krb5 ticket issuer (being ADS).

One other thing: ADS only supports 2 types of tickets. Here are the pertinent pieces you need to make sure are right in /etc/krb5.conf:

[logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

[libdefaults]
     ticket_lifetime = 24000
     default_realm = DOMAIN.COM
     default_tkt_enctypes = des-cbc-md5 des-cbc-crc
     default_tgs_enctypes = des-cbc-md5 des-cbc-crc
     kdc_timesync = 1
     dns_lookup_realm = true
     dns_lookup_kdc = true
     forward = true
     forwardable = true
     proxiable = true
     autologin = true
     encrypt = true

[realms]
     DOMAIN.COM = {
     kdc = mydc1.domain.com:88
     admin_server = mydc1.domain.com:749
     default_domain = domain.com
     }
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey
No matter how much Microsoft supporters whine about how Linux and other operating systems have just as many bugs as their operating systems do, the bottom line is that the serious, gut-wrenching problems happen on Windows, not on Linux, not on Mac OS. -- [link|http://www.eweek.com/article2/0,1759,1622086,00.asp|source]
Here is an example: [link|http://www.greymagic.com/security/advisories/gm001-ie/|Executing arbitrary commands without Active Scripting or ActiveX when using Windows]
AD is already working on the command line
kinit works from a terminal on the webserver. It's getting it to work through the browser that fails.
===

Implicitly condoning stupidity since 2001.