I have configured apache2 and mod_auth_kerb. I set up my .htaccess like this:
# cat .htaccess
AuthType Kerberos
AuthName "Domain login"
KrbAuthRealms DOMAIN.COM
KrbMethodK5Passwd on
Krb5KeyTab /etc/httpd/httpd.keytab
require valid-user
When I open the page in IE, the following error appears in the Apache log:
gss_accept_sec_context() failed: Miscellaneous failure (, Key version number for principal in key table is incorrect)
After that I can enter a password and log in via Basic Auth without any problem. But I cannot authenticate with a ticket.
# klist -k /etc/httpd/httpd.keytab
Keytab name: FILE:/etc/httpd/httpd.keytab
KVNO Principal
---- --------------------------------------------------------------------------
6 host/[email protected]
6 host/[email protected]
6 host/[email protected]
6 host/[email protected]
6 host/[email protected]
6 host/[email protected]
6 [email protected]
6 [email protected]
6 [email protected]
6 HTTP/[email protected]
6 HTTP/[email protected]
6 HTTP/[email protected]
6 HTTP/[email protected]
6 HTTP/[email protected]
6 HTTP/[email protected]
What should I do about the KVNO? What is wrong with it?
PS: The KDC is the one inside Active Directory (Windows Server 2003). My server platform is SUSE Linux 10:
# cat /proc/version
Linux version 2.6.16.60-0.21-smp (geeko@buildhost) (gcc version 4.1.2 20070115 (SUSE Linux)) #1 SMP Tue May 6 12:41:02 UTC 2008
mod_auth_kerb is the latest version (5.4-4.15). The Kerberos libs are not:
# zypper search krb
Restoring system sources...
Parsing metadata for SUSE Linux Enterprise Server 10 SP3...
S | Catalog | Type | Name | Version | Arch
--+-------------------------------------+---------+--------------------+----------------+-------
i | SUSE Linux Enterprise Server 10 SP3 | package | krb5 | 1.4.3-19.43.27 | x86_64
i | SUSE Linux Enterprise Server 10 SP3 | package | krb5-apps-clients | 1.4.3-19.43.27 | x86_64
i | SUSE Linux Enterprise Server 10 SP3 | package | krb5-apps-servers | 1.4.3-19.43.27 | x86_64
i | SUSE Linux Enterprise Server 10 SP3 | package | krb5-client | 1.4.3-19.43.27 | x86_64
i | SUSE Linux Enterprise Server 10 SP3 | package | krb5-devel | 1.4.3-19.43.27 | x86_64
i | SUSE Linux Enterprise Server 10 SP3 | package | krb5-server | 1.4.3-19.43.27 | x86_64
Answer 1
The KVNO is the key version number of the keytab; every time a new keytab is generated or the password is changed, the KVNO is incremented. This number should match the one in Active Directory. This error means the keytab contains an entry that the master server considers expired.

You can view the KVNO in the directory with adsiedit.msc. Look for the attribute msDS-KeyVersionNumber under the appropriate user; normally it should be the same as in the keytab. (In your case, 6.)