From: greg <greg@mail.gregs-garage.com>
To: freebsd-questions@freebsd.org
Subject: Kerberos
Date: Wed, 15 Jul 2015 12:36:38 -0500
Message-ID: <75d664eeb361264e9b4560a89b1a32bf@mail.gregs-garage.com>
User-Agent: Roundcube Webmail/1.1.2
List-Id: User questions <freebsd-questions@freebsd.org>
Setting up a fresh install of FreeBSD 10.1 to run RT42 on Apache 2.4 with PHP 5.6 and a MySQL 5.6 backend. So far, so good. Now I'm trying to configure Apache to authenticate against a fresh install of Windows 2012 using ap24-mod_auth_kerb2, and I'm running into a brick wall.

uname -a:

    FreeBSD ATBSD01 10.1-RELEASE-p10 FreeBSD 10.1-RELEASE-p10 #0: Wed May 13 06:54:13 UTC 2015     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64

So far:

 - I've created a user on the Windows domain to use in the keytab.
 - I've configured my krb5.conf file.
 - I've generated a keytab file on the Windows box, installed it on the FreeBSD server, and configured Apache to use the keytab to authenticate a test directory.

But so far, no luck. To troubleshoot the config, I've been trying to use the Kerberos command line tools.

Here's my krb5.conf:

    [libdefaults]
        default_realm = EXAMPLE.LOCAL

    [domain_realm]
        .example.local = EXAMPLE.LOCAL
        example.local = EXAMPLE.LOCAL

    [realms]
        EXAMPLE.LOCAL = {
            admin_server = ad01.example.local:749
            kdc = ad01.example.local:88
        }

Here's the command I ran on the Windows box:

    C:\Windows\system32>ktpass -princ HTTP/ad01.example.local@EXAMPLE.LOCAL -mapuser aduser -pass P@$$word -ptype KRB5_NT_PRINCIPAL -out :\temp\krb5.keytab

I then copy the krb5.keytab file to the /etc directory on the FreeBSD server, then run chown root:wheel on the file, and chmod 600.

From the FreeBSD box, I can do the following:

    $ kinit aduser
    aduser@EXAMPLE.LOCAL's Password: P@$$word
    $ klist
    Credentials cache: FILE:/tmp/krb5cc_1001
            Principal: aduser@EXAMPLE.LOCAL

      Issued                Expires               Principal
    Jul 15 12:06:49 2015  Jul 15 22:06:49 2015  krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL

It works.

However, if I try:

    $ kinit -k aduser

I get:

    kinit: krb5_get_init_creds: Already tried ENC-TS-info, looping

("kinit -t /etc/krb5.keytab aduser" returns the same.)

I've tried to validate the keytab file by running:

    $ ktutil list

and get the following:

    Vno  Type              Principal                              Aliases
     27  arcfour-hmac-md5  HTTP/ad01.example.local@EXAMPLE.LOCAL

I get the same result if I run as root.

I've sat and combed through Wireshark captures, and the only thing I notice is that if I run kinit without the keytab, I can see the Windows server responding a single time with an error message of "KRB5KDC_ERR_PREAUTH_REQUIRED"; it then continues through the communication and a ticket is created. However, if I attempt to use kinit and specify the keytab file, I see two "KRB5KDC_ERR_PREAUTH_REQUIRED" errors, one after the other, and the communication stops.

I'm guessing that either the password was never saved correctly to the keytab, or kinit isn't reading / transmitting it to the Windows server. I've tried multiple versions of the keytab file (as seen by the version number from ktutil, this was attempt 28) with the same result. I've tried specifying the encoding type, changing the username to domain\username, as well as username@domain.local; nothing seems to work.

Any ideas on how to progress from here?

Best regards,
Greg Groth
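The following is an added example, not part of Greg's message or of any FreeBSD or Heimdal tool. It parses the standard keytab file format (the version 0x0502 layout that both Heimdal and MIT write and that ktutil lists) and reports which principals and key versions it contains, which is the same information "ktutil list" prints, but here it is checked programmatically against the client principal that "kinit -k" will look up. The sample keytab bytes are constructed in the script to match the listing in the message (one entry for HTTP/ad01.example.local@EXAMPLE.LOCAL, kvno 27, arcfour-hmac-md5); the 16-byte key is a zero-filled placeholder, not real key material, and the function names are this example's own.

```python
import struct

# Constructed lookup table for the enctype numbers that commonly appear in keytabs.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}


def build_keytab_entry(principal, realm, kvno, enctype, key, timestamp=0):
    """Serialise one keytab entry (format version 0x0502, big-endian)."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">I", 1)            # name type: KRB5_NT_PRINCIPAL
    body += struct.pack(">I", timestamp)    # entry timestamp
    body += struct.pack(">B", kvno & 0xFF)  # 8-bit kvno (legacy field)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)         # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


# Constructed sample keytab mirroring the "ktutil list" output in the message.
# The key bytes are a placeholder; a real keytab would hold the derived key.
SAMPLE_KEYTAB = b"\x05\x02" + build_keytab_entry(
    "HTTP/ad01.example.local", "EXAMPLE.LOCAL", kvno=27, enctype=23, key=b"\x00" * 16
)


def _counted_string(data, off):
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n].decode("utf-8"), off + n


def parse_keytab(data):
    """Return a list of {principal, kvno, enctype, enctype_name} dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted_string(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted_string(data, off)
            comps.append(comp)
        off += 4                # name type, not needed for the check
        _timestamp, vno8 = struct.unpack_from(">IB", data, off)
        off += 5
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4 + klen         # skip the key itself; we only report metadata
        kvno = vno8
        if end - off >= 4:      # 32-bit kvno present and non-zero overrides vno8
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype),
        })
        off = end
    return entries


def keytab_principals(data):
    return sorted({e["principal"] for e in parse_keytab(data)})


def check_client_principal(data, client_principal):
    """Explain whether 'kinit -k <client_principal>' can find a key in this keytab."""
    present = keytab_principals(data)
    if client_principal in present:
        return "ok: %s has a key in the keytab" % client_principal
    return ("missing: %s is not in the keytab; it only holds %s"
            % (client_principal, ", ".join(present)))


if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%3d  %-18s %s" % (e["kvno"], e["enctype_name"], e["principal"]))
    print(check_client_principal(SAMPLE_KEYTAB, "aduser@EXAMPLE.LOCAL"))
    print(check_client_principal(SAMPLE_KEYTAB, "HTTP/ad01.example.local@EXAMPLE.LOCAL"))
```

To run it against a real file, replace SAMPLE_KEYTAB with open("/etc/krb5.keytab", "rb").read() as root; the script never prints key bytes, only principal names, key version numbers and enctypes, so its output is safe to paste into a mailing-list question. Two things worth comparing with a KDC's expectations: the principal string kinit is given must appear in the keytab exactly (name, realm and case), and the kvno listed must match the key version the KDC currently holds for that account, since ktpass bumps the version each time it is run.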