I am running RedHat Linux 3.0 ES

$uname -a
Linux www.domain.com 2.4.21-20.ELsmp #1 SMP Wed Aug 18 20:46:40 EDT 2004 i686 i686 i386 GNU/Linux

I have configured Kerberos 5 like so:

$cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = DOMAIN.COM
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
permitted_enctypes = des3-hmac-sha1 des-cbc-crc
dns_lookup_realm = false
dns_lookup_kdc = false
kdc_req_checksum_type = 2
checksum_type = 2
ccache_type = 1
forwardable = true
proxiable = true

[realms]
DOMAIN.COM = {
kdc = 192.168.1.1:88
kdc = 192.168.1.2:88
admin_server = 192.168.1.1:749
default_domain = domain.com
}

[domain_realm]
.domain.com = DOMAIN.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

[login]
krb4_convert = false
krb4_get_tickets = false

And kdc.conf like so:

[kdcdefaults]
kdc_ports = 88
acl_file = /etc/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /etc/kerberos/krb5kdc/kadm5.keytab

[realms]
DOMAIN.COM = {
master_key_type = des3-cbc-sha1
supported_enctypes = des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
profile = /etc/krb5.conf
database_name = /etc/kerberos/krb5kdc/principal
admin_database_name = /etc/kerberos/krb5kdc/kadm5_adb
admin_database_lockfile = /etc/kerberos/krb5kdc/kadm5_adb.lock
admin_keytab = FILE:/etc/kerberos/krb5kdc/kadm5.keytab
acl_file = /etc/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
key_stash_file = /etc/kerberos/krb5kdc/.k5stash
kdc_ports = 88
kadmind_port = 749
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
}

Now with this I am able to authenticate off our Active Directory from our webserver (at least from what I understand):

$kinit pkoppel
Password for pkoppel@DOMAIN.COM:

$klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: pkoppel@DOMAIN.COM

Valid starting Expires Service principal
09/16/04 16:25:00 09/17/04 02:25:00 krbtgt/DOMAIN.COM@DOMAIN.COM

Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached

I then created a service principal for the Apache server.

>ktpass -out http.keytab -princ HTTP/www.domain.com@DOMAIN.COM -pass * -mapuser wwwuser
Successfully mapped HTTP/www.domain.com to wwwuser.
Type the password for HTTP/www.domain.com:
Key created.
Output keytab to http.keytab:

Keytab version: 0x502
keysize 68 HTTP/www.domain.com@DOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 1 etype 0x1 (DES-CBC-CRC) keylength 8 (0x5823c1381fc1da2c)
Account has been set for DES-only encryption.

I then copied the keytab file to the Linux server and I can use it to auth from AD:

$kinit -k -t /usr/local/apache/etc/http.keytab HTTP/www.domain.com@DOMAIN.COM

$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: HTTP/www.domain.com@DOMAIN.COM

Valid starting Expires Service principal
09/16/04 16:46:32 09/17/04 02:46:32 krbtgt/DOMAIN.COM@DOMAIN.COM

Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached

Apache was installed with:
./configure --enable-module=so; make; make install;

Now I downloaded and installed mod_auth_kerb-5.0-rc6.tar.gz

./configure --with-krb5=/usr/kerberos --with-apache=/usr/local/apache; make; make install;

/usr/local/apache/libexec/mod_auth_kerb.so is created

Added the LoadModule line to httpd.conf:

LoadModule auth_kerb_module libexec/mod_auth_kerb.so

I then added a Directory block to the Virtual Host and restarted the server:

<Directory /www/devel/http>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbAuthoritative on
KrbAuthRealm DOMAIN.COM
KrbVerifyKDC on
KrbServiceName HTTP
Krb5Keytab /usr/local/apache/etc/http.keytab
KrbSaveCredentials on
require valid-user
</Directory>

On I.E. under Internet Options >> Advanced >> Security >> Enable Integrated Windows Authentication { ON }, then rebooted the XP box.

On I.E. I go to the IP address of the server and I get a "Connect to 192.168.1.3" window.

1) Shouldn't "Integrated Windows Authentication" have already checked my auth with AD?
a) And if not, how can I set that up?

b) The username defaults to 192.168.1.3\john (but my Windows and Linux usernames are jsmith)

2) No matter what password and username combo I use I get the same error (Internal Server Error):
DOMAIN\jsmith
192.168.1.3\jsmith

And I get the following error in my Apache error log file:

[Thu Sep 16 17:13:55 2004] [error] [client 65.123.211.30] gss_acquire_cred() failed: Miscellaneous failure (Unknown code k5g 1)

Any suggestions would be greatly appreciated.
[Edit] Fixed long lines
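An added example, not part of the original post or of mod_auth_kerb: a small Python parser for the version 0x502 keytab layout the ktpass output above reports, with a check that the file actually holds a key for the service principal the Apache config names (HTTP/www.domain.com@DOMAIN.COM) and that the enctype is not one of the single-DES or RC4 types, which RFC 6649 and RFC 8429 deprecate. With no argument it parses a keytab entry constructed inline with dummy key bytes (the bytes are made up here, not ktpass output); with a path argument it reads a real file such as the post's /usr/local/apache/etc/http.keytab. The enctype name table and the weak-enctype list are this script's own assumptions about what is worth flagging.

```python
import struct
from dataclasses import dataclass
from typing import List

KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab file format version 2 ("0x502" in the ktpass output)

# Enctype numbers from RFC 3961/3962; 1-3 are single DES, 23 is RC4 (both deprecated).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 2, 3, 23}  # assumption: what this checker treats as weak


@dataclass
class KeytabEntry:
    principal: str
    name_type: int
    kvno: int
    enctype: int
    key_length: int


def _counted(buf: bytes, off: int):
    """Read a 16-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def build_keytab(principal: str, enctype: int, key: bytes, kvno: int = 1) -> bytes:
    """Serialise one entry in keytab v2 layout (constructed test data, not ktpass output)."""
    name, realm = principal.split("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)       # name_type=KRB5_NT_PRINCIPAL, timestamp, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key  # keyblock: enctype, length, key
    body += struct.pack(">I", kvno)                       # optional trailing 32-bit kvno
    return KEYTAB_MAGIC + struct.pack(">i", len(body)) + body


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Walk every entry; key material is skipped, only metadata is returned."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x502 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # negative size marks a deleted slot: skip its payload
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4 + klen         # step over the key bytes without keeping them
        kvno = vno8
        if end - off >= 4:      # newer writers append a 32-bit kvno after the key
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, kvno, enctype, klen))
    return entries


def check_service_keytab(data: bytes, expected_principal: str) -> List[str]:
    """Findings a defender acts on: no key for the expected principal, weak enctypes."""
    findings = []
    entries = parse_keytab(data)
    if not any(e.principal == expected_principal for e in entries):
        findings.append(f"no key for {expected_principal}; found: {[e.principal for e in entries]}")
    for e in entries:
        name = ENCTYPE_NAMES.get(e.enctype, f"enctype {e.enctype}")
        if e.enctype in WEAK_ENCTYPES:
            findings.append(f"{e.principal} kvno {e.kvno} uses weak/deprecated {name}")
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        # Constructed sample with the post's principal, DES enctype 1 and 8 dummy key bytes.
        data = build_keytab("HTTP/www.domain.com@DOMAIN.COM", 1, bytes(8))
    for entry in parse_keytab(data):
        print(entry)
    for finding in check_service_keytab(data, "HTTP/www.domain.com@DOMAIN.COM"):
        print("WARN:", finding)
```

Run it as the user httpd runs as: gss_acquire_cred() reads the keytab inside the worker process, so a permissions problem on the file shows up here as open() failing rather than as a parse result, which separates "unreadable keytab" from "wrong principal or enctype" before touching the Apache config.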