I have a simple Apache setup that works fine when I create a keytab on a domain level authentication works fine. When I create a keytab at the forest level authentication does not work. I get the following error message. Does anyone know what I am doing wrong here? I validated there is the SPN is unique on the AD side.
Code:
[Wed Nov 13 10:55:49 2013] [debug] src/mod_auth_kerb.c(1707): [client x] Client didn't delegate us their credential
[Wed Nov 13 10:55:49 2013] [debug] src/mod_auth_kerb.c(1735): [client x] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
Our Network Security folks have mandated that we "Kerberize" our systems to allow them to perform an authenticated scan. This consists of instructions to change /etc/pam.d/sshd from:
# sshd: auth account password session
auth optional pam_krb5.so use_kcminit
auth optional ... (0 Replies)
I'm fairly new to UNIX-land, and one of my first assigned tasks was to try to set up Kerberos authentication on an unused partition. Hopefully everything makes sense, but please let me know if any clarification is needed with any of it.
AIX 7.1, and while I found various docs on the subject, a... (11 Replies)
Dear Expert,
i have linux box that is running in the windows domain, BUT did not being a member of the domain. as I am not the System Administrator so I have no control on the server in the network, such as modify dns entry , add the linux box in AD and domain record and so on that relevant.
... (2 Replies)
I am in the process of developing a application that needs to be able to authenticate users details with a kerberos server, which is proving to be rather difficult. There seems to be a lack of good information on how to do this using the MIT kerberos api.
Can anyone point me in the right... (0 Replies)
I have 2 servers (lft1 and lft3) running AIX 5.3 ML 5. Both are installed with krb5.client.rte 1.4.0.4 and openssh.base.server 4.3.0.5300.
I have configured some of the users on both servers to authenticate against our Windows 2003 Active Directory. From my PC, I can use telnet to login... (1 Reply)
I have installed Kerberos security in my UNIX system but I need to disable because of an application conflict with Kerberos.
So Anybody ca tell me how can I disable it?
Thank you (1 Reply)
K5SRVUTIL(1) MIT Kerberos K5SRVUTIL(1)NAME
k5srvutil - host key table (keytab) manipulation utility
SYNOPSIS
k5srvutil operation [-i] [-f filename]
DESCRIPTION
k5srvutil allows an administrator to list or change keys currently in a keytab or to add new keys to the keytab.
operation must be one of the following:
list Lists the keys in a keytab showing version number and principal name.
change Uses the kadmin protocol to update the keys in the Kerberos database to new randomly-generated keys, and updates the keys in the
keytab to match. If a key's version number doesn't match the version number stored in the Kerberos server's database, then the
operation will fail. Old keys are retained in the keytab so that existing tickets continue to work. If the -i flag is given,
k5srvutil will prompt for confirmation before changing each key. If the -k option is given, the old and new keys will be displayed.
delold Deletes keys that are not the most recent version from the keytab. This operation should be used some time after a change operation
to remove old keys, after existing tickets issued for the service have expired. If the -i flag is given, then k5srvutil will prompt
for confirmation for each principal.
delete Deletes particular keys in the keytab, interactively prompting for each key.
In all cases, the default keytab is used unless this is overridden by the -f option.
k5srvutil uses the kadmin(1) program to edit the keytab in place.
SEE ALSO kadmin(1), ktutil(1)AUTHOR
MIT
COPYRIGHT
1985-2013, MIT
1.11.3K5SRVUTIL(1)
