Apache2 + mod_auth_kerb:密钥表中主体的密钥版本号不正确

Apache2 + mod_auth_kerb:密钥表中主体的密钥版本号不正确

我已经配置了 apache2 和 mod_auth_kerb。我以这种方式设置了我的 .htaccess

# cat .htaccess
AuthType Kerberos
AuthName "Domain login"
KrbAuthRealms DOMAIN.COM
KrbMethodK5Passwd on
Krb5KeyTab /etc/httpd/httpd.keytab
require valid-user

当我在 IE 中打开页面时,apache 日志中出现以下错误:

gss_accept_sec_context() failed: Miscellaneous failure (, Key version number for principal in key table is incorrect)

然后我可以设置密码并通过 Basic Auth 登录,完全没问题。但我无法通过票证进行身份验证。

# klist -k /etc/httpd/httpd.keytab
Keytab name: FILE:/etc/httpd/httpd.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   6 host/[email protected]
   6 host/[email protected]
   6 host/[email protected]
   6 host/[email protected]
   6 host/[email protected]
   6 host/[email protected]
   6 [email protected]
   6 [email protected]
   6 [email protected]
   6 HTTP/[email protected]
   6 HTTP/[email protected]
   6 HTTP/[email protected]
   6 HTTP/[email protected]
   6 HTTP/[email protected]
   6 HTTP/[email protected]

我该如何处理 KVNO?它有什么问题?

PS KDC 是 ActiveDirectory(Windows 2003 服务器)内的 KDC。我的服务器平台是 SUSE Linux 10:

# cat /proc/version
Linux version 2.6.16.60-0.21-smp (geeko@buemphasized textildhost) (gcc version 4.1.2 20070115 (SUSE Linux)) #1 SMP Tue May 6 12:41:02 UTC 2008

mod_auth_kerb 是最新版本 (5.4-4.15)。Kerberos lib 不是:

# zypper search krb
Restoring system sources...
Parsing metadata for SUSE Linux Enterprise Server 10 SP3...
S | Catalog                             | Type    | Name               | Version        | Arch
--+-------------------------------------+---------+--------------------+----------------+-------
i | SUSE Linux Enterprise Server 10 SP3 | package | krb5               | 1.4.3-19.43.27 | x86_64
i | SUSE Linux Enterprise Server 10 SP3 | package | krb5-apps-clients  | 1.4.3-19.43.27 | x86_64
i | SUSE Linux Enterprise Server 10 SP3 | package | krb5-apps-servers  | 1.4.3-19.43.27 | x86_64
i | SUSE Linux Enterprise Server 10 SP3 | package | krb5-client        | 1.4.3-19.43.27 | x86_64
i | SUSE Linux Enterprise Server 10 SP3 | package | krb5-devel         | 1.4.3-19.43.27 | x86_64
i | SUSE Linux Enterprise Server 10 SP3 | package | krb5-server        | 1.4.3-19.43.27 | x86_64

答案1

KVNO是密钥表的版本号,每次生成新的密钥表或更改密码时,版本号都会KVNO递增。该数字应与 Active Directory 中的数字相匹配。此错误表示密钥表包含主服务器认为已过期的条目。

您可以KVNO使用 在目录中查看adsiedit.msc。在适当的用户下查找属性msDS-KeyVersionNumber;通常它应该与 keytab 相同。(在您的例子中为 6。)

相关内容