Good morning all,

I have kerberos authentication working properly with one exception: when the service principal's ticket expires in the kerberos cache on the server, the http server does not automatically contact the KDC to renew its credentials. Instead, a 401 header is sent to the client and an error message is generated in the httpd error log:

--------------------------------------------------------------------------------
[root@archive_dev ~]# tail /home/apache/logs/error_log
[Thu Nov 30 08:46:51 2006] [error] [client 199.86.91.250] gss_accept_sec_context() failed: A token was invalid (Token header is malformed or corrupt)
[Thu Nov 30 08:49:22 2006] [error] [client 199.86.91.250] gss_accept_sec_context() failed: A token was invalid (Token header is malformed or corrupt)
[Thu Nov 30 08:49:34 2006] [error] [client 199.86.91.250] gss_accept_sec_context() failed: A token was invalid (Token header is malformed or corrupt)
[Thu Nov 30 08:50:09 2006] [error] [client 199.86.91.250] gss_accept_sec_context() failed: A token was invalid (Token header is malformed or corrupt)
[Thu Nov 30 08:50:32 2006] [warn] RSA server certificate CommonName (CN) `intranet_dev' does NOT match server name!?
[Thu Nov 30 08:50:34 2006] [warn] RSA server certificate CommonName (CN) `intranet_dev' does NOT match server name!?
[Thu Nov 30 08:50:37 2006] [error] [client 199.86.91.250] gss_accept_sec_context() failed: A token was invalid (Token header is malformed or corrupt)
[Thu Nov 30 08:51:14 2006] [error] [client 199.86.91.250] gss_accept_sec_context() failed: A token was invalid (Token header is malformed or corrupt)
[Fri Dec 01 08:17:18 2006] [error] [client 199.86.91.250] gss_accept_sec_context() failed: A token was invalid (Token header is malformed or corrupt)
[Fri Dec 01 08:19:09 2006] [error] [client 199.86.91.250] gss_accept_sec_context() failed: A token was invalid (Token header is malformed or corrupt)
--------------------------------------------------------------------------------

The credentials are expired in the ticket cache:

--------------------------------------------------------------------------------
[root@archive_dev ~]# klist
Credentials cache: /tmp/krb5cc_0
Default principal: HTTP/intranet_dev.my.domain@xxxxxxxxx, 1 entry found.

[1] Service Principal: krbtgt/MY.DOMAIN@xxxxxxxxx
    Valid starting: Nov 30, 2006 08:48
    Expires: Nov 30, 2006 18:48
[root@archive_dev ~]#
--------------------------------------------------------------------------------

Renewing the credentials with kinit resolves the problem, BUT I want a better solution than logging in to renew the credential every time the cache expires ;-)

SO MY QUESTION: What is the "right" way to set up my server to renew the ticket for my httpd service account? A cron job? Or is there some setting I haven't yet discovered for mod_auth_kerb?

Paul Snyder

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
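
An added example, not part of the original post: a small script for checking when each gss_accept_sec_context() failure in the error log occurred relative to the validity window that klist reports. The sample input is a subset of the log and klist output quoted in the post; the function names are hypothetical.

```python
import re
from datetime import datetime

# Sample input: a subset of the error_log and klist lines quoted in the post.
ERROR_LOG = """\
[Thu Nov 30 08:46:51 2006] [error] [client 199.86.91.250] gss_accept_sec_context() failed: A token was invalid (Token header is malformed or corrupt)
[Thu Nov 30 08:49:22 2006] [error] [client 199.86.91.250] gss_accept_sec_context() failed: A token was invalid (Token header is malformed or corrupt)
[Thu Nov 30 08:50:32 2006] [warn] RSA server certificate CommonName (CN) `intranet_dev' does NOT match server name!?
[Thu Nov 30 08:51:14 2006] [error] [client 199.86.91.250] gss_accept_sec_context() failed: A token was invalid (Token header is malformed or corrupt)
[Fri Dec 01 08:17:18 2006] [error] [client 199.86.91.250] gss_accept_sec_context() failed: A token was invalid (Token header is malformed or corrupt)
[Fri Dec 01 08:19:09 2006] [error] [client 199.86.91.250] gss_accept_sec_context() failed: A token was invalid (Token header is malformed or corrupt)
"""
KLIST = """\
Credentials cache: /tmp/krb5cc_0
[1] Service Principal: krbtgt/MY.DOMAIN@xxxxxxxxx
    Valid starting: Nov 30, 2006 08:48
    Expires: Nov 30, 2006 18:48
"""

LOG_RE = re.compile(r"^\[(\w{3} \w{3} \d{2} [\d:]{8} \d{4})\] \[error\] "
                    r"\[client ([^\]]+)\] gss_accept_sec_context\(\) failed: (.*)$")
KLIST_RE = re.compile(r"(Valid starting|Expires):\s+(\w{3} \d{1,2}, \d{4} \d{2}:\d{2})")

def ticket_window(klist_text):
    """Return (start, end) of the ticket lifetime shown by klist."""
    found = {k: datetime.strptime(v, "%b %d, %Y %H:%M")
             for k, v in KLIST_RE.findall(klist_text)}
    return found["Valid starting"], found["Expires"]

def gss_failures(log_text):
    """Return (timestamp, client, message) for each GSS accept failure."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:  # [warn] lines and unrelated errors are skipped
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            hits.append((ts, m.group(2), m.group(3)))
    return hits

def classify(log_text, klist_text):
    """Bucket each failure by its position relative to the ticket lifetime."""
    start, end = ticket_window(klist_text)
    buckets = {"before_start": [], "while_valid": [], "after_expiry": []}
    for ts, _client, _msg in gss_failures(log_text):
        key = "before_start" if ts < start else "after_expiry" if ts >= end else "while_valid"
        buckets[key].append(ts)
    return buckets

if __name__ == "__main__":
    for state, stamps in classify(ERROR_LOG, KLIST).items():
        print(state, [s.isoformat(sep=" ") for s in stamps])
```

klist reports times to the minute only, so a failure within the same minute as the start or expiry time can land in either neighbouring bucket.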