Apache cannot find the Kerberos principal in the keytab file

The virtual host is configured with these options:

AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbAuthRealms EXAMPLE.COM
KrbAuthoritative On
KrbServiceName HTTP/[email protected]
Krb5KeyTab /path/to/krb/site.keytab
require valid-user

site.keytab is readable by Apache and contains a valid principal:

root@pa2# klist -k /path/to/krb/site.keytab
Keytab name: FILE:/path/to/krb/site.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  13 HTTP/[email protected] (des-cbc-crc)
  13 HTTP/[email protected] (des-cbc-md5)
  13 HTTP/[email protected] (arcfour-hmac)
  13 HTTP/[email protected] (aes256-cts-hmac-sha1-96)
  13 HTTP/[email protected] (aes128-cts-hmac-sha1-96)
root@pa2# kvno -k /path/to/krb/site.keytab HTTP/[email protected]
HTTP/[email protected]: kvno = 13, keytab entry valid

But when I try to access the site, I get this error in the Apache error log:

[Mon Mar 21 10:30:37.846616 2016] [auth_kerb:error] [pid 11217] [client ...:60195]
gss_accept_sec_context() failed: Unspecified GSS failure.
Minor code may provide more information
(, Cannot find key for HTTP/[email protected] kvno 5 in keytab)

The current kvno is indeed not 5.

Answer 1

Issuing klist purge on the client Windows machine resolved the kvno problem.
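
An added example, not part of the original question or answer: a Python check that compares the kvno named in the mod_auth_kerb error with the kvnos listed by `klist -k`, to tell a ticket issued against an older key (the case the answer cleared with `klist purge`) from a keytab that lags behind the KDC. The principal `HTTP/web.example.com@EXAMPLE.COM`, the function names and the result labels are assumptions; the sample inputs are constructed.

```python
import re

# Constructed sample inputs modelled on the output in the question; the
# principal HTTP/web.example.com@EXAMPLE.COM is a placeholder (assumption).
KLIST_OUTPUT = """\
Keytab name: FILE:/path/to/krb/site.keytab
KVNO Principal
---- ----------------------------------------------------------------
  13 HTTP/web.example.com@EXAMPLE.COM (arcfour-hmac)
  13 HTTP/web.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""
ERROR_LINE = ("[auth_kerb:error] [pid 11217] gss_accept_sec_context() failed: "
              "Unspecified GSS failure.  Minor code may provide more information "
              "(, Cannot find key for HTTP/web.example.com@EXAMPLE.COM kvno 5 in keytab)")

# A keytab row is "<kvno> <principal> (<enctype>)"; header lines do not match.
KEYTAB_ROW = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+\((\S+)\))?\s*$")
MISSING_KEY = re.compile(r"Cannot find key for (\S+) kvno (\d+) in keytab")


def keytab_kvnos(klist_text):
    """Map each principal in `klist -k` output to the set of kvnos it holds."""
    kvnos = {}
    for line in klist_text.splitlines():
        m = KEYTAB_ROW.match(line)
        if m:
            kvnos.setdefault(m.group(2), set()).add(int(m.group(1)))
    return kvnos


def diagnose(error_line, klist_text):
    """Compare the kvno the presented ticket needs with what the keytab holds."""
    m = MISSING_KEY.search(error_line)
    if not m:
        return "no-kvno-error"
    principal, wanted = m.group(1), int(m.group(2))
    have = keytab_kvnos(klist_text).get(principal)
    if not have:
        return "principal-missing-from-keytab"
    if wanted in have:
        return "kvno-present"  # key version exists; the cause lies elsewhere
    if wanted < max(have):
        # e.g. a service ticket cached on the client from before the key change
        return "ticket-older-than-keytab"
    # the keytab was likely exported before the most recent key change
    return "ticket-newer-than-keytab"


if __name__ == "__main__":
    print(diagnose(ERROR_LINE, KLIST_OUTPUT))
```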
