Setting a new keytab file from windows DC made kerberos work! But still something missing!
With KrbMethodK5Passwd=off users should open protected page without credentials prompt , this is true for my user (cedtm), but the other users can't. Setting KrbMethodK5Passwd=on, my user still open the page without prompt but other users, correctly, get the credential pop-up. Here is a the apache error.log, connencting with different users to the same client SET KrbMethodK5Passwd off: utente@intranet:~$ tail /var/log/apache2/https443_error.log -f | grep kerb user test - get error: [auth_kerb:debug] [pid 43964] src/mod_auth_kerb.c(1963): [client 172.16.3.101:63038] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos user cedtm - works: [auth_kerb:debug] [pid 43966] src/mod_auth_kerb.c(1963): [client 172.16.3.101:63099] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos [auth_kerb:debug] [pid 43966] src/mod_auth_kerb.c(1963): [client 172.16.3.101:63099] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos [auth_kerb:debug] [pid 43966] src/mod_auth_kerb.c(1296): [client 172.16.3.101:63099] Acquiring creds for h...@intranet.zzz.it [auth_kerb:debug] [pid 43966] src/mod_auth_kerb.c(1719): [client 172.16.3.101:63099] Verifying client data using KRB5 GSS-API with our SPNEGO lib [auth_kerb:debug] [pid 43966] src/mod_auth_kerb.c(1735): [client 172.16.3.101:63099] Client didn't delegate us their credential [auth_kerb:debug] [pid 43966] src/mod_auth_kerb.c(1754): [client 172.16.3.101:63099] GSS-API token of length 185 bytes will be sent back [auth_kerb:debug] [pid 43966] src/mod_auth_kerb.c(1869): [client 172.16.3.101:63099] kerb_authenticate_a_name_to_local_name cedtm@XXX.LOCAL -> cedtm SET KrbMethodK5Passwd on: utente@intranet:~$ tail /var/log/apache2/https443_error.log -f | grep kerb user test - get access entering user and password [auth_kerb:debug] [pid 44010] src/mod_auth_kerb.c(1963): [client 172.16.3.101:63290] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos [auth_kerb:debug] [pid 44014] src/mod_auth_kerb.c(1963): [client 172.16.3.101:63289] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos [auth_kerb:debug] [pid 44014] src/mod_auth_kerb.c(1046): [client 172.16.3.101:63289] Using HTTP/intranet.zzz.it@XXX.LOCAL as server principal for password verification [auth_kerb:debug] [pid 44014] src/mod_auth_kerb.c(752): [client 172.16.3.101:63289] Trying to get TGT for user test@XXX.LOCAL [auth_kerb:debug] [pid 44014] src/mod_auth_kerb.c(662): [client 172.16.3.101:63289] Trying to verify authenticity of KDC using principal HTTP/intranet.zzz.it@XXX.LOCAL [auth_kerb:debug] [pid 44014] src/mod_auth_kerb.c(1128): [client 172.16.3.101:63289] kerb_authenticate_user_krb5pwd ret=0 user=test@XXX.LOCAL authtype=Basic [auth_kerb:debug] [pid 44014] src/mod_auth_kerb.c(1869): [client 172.16.3.101:63289] kerb_authenticate_a_name_to_local_name test@XXX.LOCAL -> test user cedtm - get access directly [auth_kerb:debug] [pid 44011] src/mod_auth_kerb.c(1963): [client 172.16.3.101:63368] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos [auth_kerb:debug] [pid 44011] src/mod_auth_kerb.c(1963): [client 172.16.3.101:63368] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos [auth_kerb:debug] [pid 44011] src/mod_auth_kerb.c(1296): [client 172.16.3.101:63368] Acquiring creds for h...@intranet.zzz.it [auth_kerb:debug] [pid 44011] src/mod_auth_kerb.c(1719): [client 172.16.3.101:63368] Verifying client data using KRB5 GSS-API with our SPNEGO lib [auth_kerb:debug] [pid 44011] src/mod_auth_kerb.c(1735): [client 172.16.3.101:63368] Client didn't delegate us their credential [auth_kerb:debug] [pid 44011] src/mod_auth_kerb.c(1754): [client 172.16.3.101:63368] GSS-API token of length 185 bytes will be sent back [auth_kerb:debug] [pid 44011] src/mod_auth_kerb.c(1869): [client 172.16.3.101:63368] kerb_authenticate_a_name_to_local_name cedtm@XXX.LOCAL -> cedtm I don't understand why the user "cedtm" has always SSO granted, while the user "test" gets error with KrbMethodK5Passwd=off, looks like "test" miss something, how could i check for this? And why "cedtm" get SSO acces even if KrbMethodK5Passwd is "on"? Thanks again. Marco
