将主体发送到 kerberos 服务器时出错。 Apache2 和 kerberos5
Error in sending principal to kerberos server. Apache2 and kerberos5
当我尝试使用 kerberos5 通过 apache2 进行身份验证时出现错误。
我使用 mod_auth_kerb
当我查看我的 Apache 日志时,我可以看到我的主体通过添加修改:
.0.16.172.in-addr.arpa@ 最后。
所以 kerberos 用
回答
failed to verify krb5 credentials: Server not found in Kerberos database
我可以从 kerberos 获得一张票
我使用带有随机密钥的密钥表来验证我的服务器:HTTP/admin-apache。domain.com
这里是 apache 日志的摘录:
[Wed Apr 15 16:12:50.539355 2015] [authz_core:debug] [pid 30467]
mod_authz_core.c(809): [client 192.168.90.100:43211] AH01626:
authorization result of Require valid-user : denied (no authenticated
user yet)
[Wed Apr 15 16:12:50.539412 2015] [authz_core:debug] [pid
30467] mod_authz_core.c(809): [client 192.168.90.100:43211] AH01626:
authorization result of : denied (no authenticated user
yet)
[Wed Apr 15 16:12:50.539440 2015] [auth_kerb:debug] [pid 30467]
src/mod_auth_kerb.c(1971): [client 192.168.90.100:43211]
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Apr 15 16:12:50.541680 2015] [auth_kerb:debug] [pid 30467]
src/mod_auth_kerb.c(1049): [client 192.168.90.100:43211] Using
HTTP/admin-apache.domain.com.0.16.172.in-addr.arpa@ as server
principal for password verification
[Wed Apr 15 16:12:50.541715 2015]
[auth_kerb:debug] [pid 30467] src/mod_auth_kerb.c(753): [client
192.168.90.100:43211] Trying to get TGT for user mope@domain.com
[Wed Apr 15 16:12:50.565806 2015] [auth_kerb:debug] [pid 30467]
src/mod_auth_kerb.c(663): [client 192.168.90.100:43211] Trying to
verify authenticity of KDC using principal
HTTP/admin-apache.domain.com.0.16.172.in-addr.arpa@
[Wed Apr 15> 16:12:50.575915 2015] [auth_kerb:debug] [pid 30467]
src/mod_auth_kerb.c(678): [client 192.168.90.100:43211]
krb5_get_credentials() failed when verifying KDC
[Wed Apr 15 16:12:50.575946 2015] [auth_kerb:error] [pid 30467] [client
192.168.90.100:43211] failed to verify krb5 credentials: Server not found > in Kerberos database
[Wed Apr 15 16:12:50.575959 2015]
[auth_kerb:debug] [pid 30467] src/mod_auth_kerb.c(1131): [client
192.168.90.100:43211] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL)
这是我的虚拟主机配置:
ServerName ldapadmin.domain.com
ServerAdmin root@localhost
DocumentRoot /usr/share/phpldapadmin/htdocs
ErrorLog /var/log/apache2/ldap.localhost-error.log
CustomLog /var/log/apache2/ldap.localhost-access.log common </VirtualHost>
AuthType Kerberos
AuthName "domain.com"
KrbMethodNegotiate on
KrbMethodK5Passwd on
Krb5Keytab /etc/apache2/http.keytab
KrbAuthRealms DOMAIN.COM
KrbServiceName HTTP
Require valid-user
DirectoryIndex index.php
Options +FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
<IfModule mod_mime.c>
<IfModule mod_php5.c>
AddType application/x-httpd-php .php
php_flag magic_quotes_gpc Off
php_flag track_vars On
php_flag register_globals Off
php_value include_path .
</IfModule>
<IfModule !mod_php5.c>
<IfModule mod_actions.c>
<IfModule mod_cgi.c>
AddType application/x-httpd-php .php
Action application/x-httpd-php /cgi-bin/php5
</IfModule>
<IfModule mod_cgid.c>
AddType application/x-httpd-php .php
Action application/x-httpd-php /cgi-bin/php5
</IfModule>
</IfModule>
</IfModule>
</IfModule>
为什么我的主体被 apache 修改了?
我能做些什么来解决这个问题?
感谢您的帮助
很好,我是 Kerberos5
的初学者
避免这种错误。你必须检查你的 DNS 记录。
检查反向查找。
使用 bind9 您必须检查您的域的记录。
语法是错误的常见来源
它必须有一个“。”在文件中每条记录的末尾 db.xx.xx.xx.in-addr.arpa
当我尝试使用 kerberos5 通过 apache2 进行身份验证时出现错误。
我使用 mod_auth_kerb
当我查看我的 Apache 日志时,我可以看到我的主体通过添加修改:
.0.16.172.in-addr.arpa@ 最后。
所以 kerberos 用
failed to verify krb5 credentials: Server not found in Kerberos database
我可以从 kerberos 获得一张票
我使用带有随机密钥的密钥表来验证我的服务器:HTTP/admin-apache。domain.com 这里是 apache 日志的摘录:
[Wed Apr 15 16:12:50.539355 2015] [authz_core:debug] [pid 30467] mod_authz_core.c(809): [client 192.168.90.100:43211] AH01626: authorization result of Require valid-user : denied (no authenticated user yet)
[Wed Apr 15 16:12:50.539412 2015] [authz_core:debug] [pid 30467] mod_authz_core.c(809): [client 192.168.90.100:43211] AH01626: authorization result of : denied (no authenticated user yet)
[Wed Apr 15 16:12:50.539440 2015] [auth_kerb:debug] [pid 30467] src/mod_auth_kerb.c(1971): [client 192.168.90.100:43211] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Apr 15 16:12:50.541680 2015] [auth_kerb:debug] [pid 30467] src/mod_auth_kerb.c(1049): [client 192.168.90.100:43211] Using HTTP/admin-apache.domain.com.0.16.172.in-addr.arpa@ as server principal for password verification
[Wed Apr 15 16:12:50.541715 2015] [auth_kerb:debug] [pid 30467] src/mod_auth_kerb.c(753): [client 192.168.90.100:43211] Trying to get TGT for user mope@domain.com
[Wed Apr 15 16:12:50.565806 2015] [auth_kerb:debug] [pid 30467] src/mod_auth_kerb.c(663): [client 192.168.90.100:43211] Trying to verify authenticity of KDC using principal HTTP/admin-apache.domain.com.0.16.172.in-addr.arpa@
[Wed Apr 15> 16:12:50.575915 2015] [auth_kerb:debug] [pid 30467] src/mod_auth_kerb.c(678): [client 192.168.90.100:43211] krb5_get_credentials() failed when verifying KDC
[Wed Apr 15 16:12:50.575946 2015] [auth_kerb:error] [pid 30467] [client 192.168.90.100:43211] failed to verify krb5 credentials: Server not found > in Kerberos database
[Wed Apr 15 16:12:50.575959 2015] [auth_kerb:debug] [pid 30467] src/mod_auth_kerb.c(1131): [client 192.168.90.100:43211] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL)
这是我的虚拟主机配置:
ServerName ldapadmin.domain.com ServerAdmin root@localhost DocumentRoot /usr/share/phpldapadmin/htdocs ErrorLog /var/log/apache2/ldap.localhost-error.log CustomLog /var/log/apache2/ldap.localhost-access.log common </VirtualHost>
AuthType Kerberos
AuthName "domain.com"
KrbMethodNegotiate on
KrbMethodK5Passwd on
Krb5Keytab /etc/apache2/http.keytab
KrbAuthRealms DOMAIN.COM
KrbServiceName HTTP
Require valid-userDirectoryIndex index.php Options +FollowSymLinks AllowOverride None Order allow,deny Allow from all <IfModule mod_mime.c> <IfModule mod_php5.c> AddType application/x-httpd-php .php php_flag magic_quotes_gpc Off php_flag track_vars On php_flag register_globals Off php_value include_path . </IfModule> <IfModule !mod_php5.c> <IfModule mod_actions.c> <IfModule mod_cgi.c> AddType application/x-httpd-php .php Action application/x-httpd-php /cgi-bin/php5 </IfModule> <IfModule mod_cgid.c> AddType application/x-httpd-php .php Action application/x-httpd-php /cgi-bin/php5 </IfModule> </IfModule> </IfModule> </IfModule>
为什么我的主体被 apache 修改了?
我能做些什么来解决这个问题?
感谢您的帮助
很好,我是 Kerberos5
避免这种错误。你必须检查你的 DNS 记录。
检查反向查找。
使用 bind9 您必须检查您的域的记录。
语法是错误的常见来源
它必须有一个“。”在文件中每条记录的末尾 db.xx.xx.xx.in-addr.arpa