please explain a valid kerberos setting with AD

franz.pfoertsch.brose franz.pfoertsch at brose.com
Mon May 31 10:14:48 PDT 2010


I am trying to activate Kerberos in an AD environment, but it does not work!

My Apache is up and running with Kerberos!

We have approx. 12000 users and 48000 groups.
I mention this because I have to configure LimitRequestFieldsize to 12392.

In the error.log I got:

...
d [31/May/2010:19:00:41 +0200] cupsdFindBest: best = /admin
d [31/May/2010:19:00:41 +0200] cupsdAuthorize: con->uri="/admin/?op=start-printer&printer_name=cobp0708", con->best=0xb78cc600(/admin)
d [31/May/2010:19:00:41 +0200] cupsdAuthorize: Authorization="Negotiate ....
...
D [31/May/2010:19:00:41 +0200] get_gss_creds: Attempting to acquire credentials for ipp at cobu0083.brose.net...
D [31/May/2010:19:00:41 +0200] get_gss_creds: Credentials acquired successfully for ipp at cobu0083.brose.net.
D [31/May/2010:19:00:41 +0200] cupsdAuthorize: Error accepting GSSAPI security context: Unspecified GSS failure.  Minor code may provide more information, Wrong principal in request
d [31/May/2010:19:00:41 +0200] cupsdIsAuthorized: con->uri="/admin/?op=start-printer&printer_name=cobp0708", con->best=0xb78cc600(/admin)
d [31/May/2010:19:00:41 +0200] cupsdIsAuthorized: level=CUPSD_AUTH_ANON, type=None, satisfy=CUPSD_AUTH_SATISFY_ALL, num_names=0
d [31/May/2010:19:00:41 +0200] cupsdIsAuthorized: auth=CUPSD_AUTH_ALLOW...
d [31/May/2010:19:00:41 +0200] pipe_command: command="/usr/lib/cups/cgi-bin/admin.cgi", options="?op=start-printer&printer_name=cobp0708"
d [31/May/2010:19:00:41 +0200] pipe_command: argv[0] = "/usr/lib/cups/cgi-bin/admin.cgi"
d [31/May/2010:19:00:41 +0200] pipe_command: argv[1] = "op=start-printer&printer_name=cobp0708"


Here is the keytab of the machine:
klist -ek
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  38 host/cobu0083.brose.net at BROSE.NET (DES cbc mode with CRC-32)
  38 host/cobu0083.brose.net at BROSE.NET (DES cbc mode with RSA-MD5)
  38 host/cobu0083.brose.net at BROSE.NET (ArcFour with HMAC/md5)
  38 host/cobu0083 at BROSE.NET (DES cbc mode with CRC-32)
  38 host/cobu0083 at BROSE.NET (DES cbc mode with RSA-MD5)
  38 host/cobu0083 at BROSE.NET (ArcFour with HMAC/md5)
  38 COBU0083$@BROSE.NET (DES cbc mode with CRC-32)
  38 COBU0083$@BROSE.NET (DES cbc mode with RSA-MD5)
  38 COBU0083$@BROSE.NET (ArcFour with HMAC/md5)
  38 CIFS/cobu0083.brose.net at BROSE.NET (DES cbc mode with CRC-32)
  38 CIFS/cobu0083.brose.net at BROSE.NET (DES cbc mode with RSA-MD5)
  38 CIFS/cobu0083.brose.net at BROSE.NET (ArcFour with HMAC/md5)
  38 CIFS/cobu0083 at BROSE.NET (DES cbc mode with CRC-32)
  38 CIFS/cobu0083 at BROSE.NET (DES cbc mode with RSA-MD5)
  38 CIFS/cobu0083 at BROSE.NET (ArcFour with HMAC/md5)
  38 HTTP/cobu0083 at BROSE.NET (DES cbc mode with CRC-32)
  38 HTTP/cobu0083.brose.net at BROSE.NET (DES cbc mode with CRC-32)
  38 HTTP/cobu0083.brose.net at BROSE.NET (DES cbc mode with RSA-MD5)
  38 HTTP/cobu0083.brose.net at BROSE.NET (ArcFour with HMAC/md5)
  38 HTTP/cobu0083 at BROSE.NET (DES cbc mode with RSA-MD5)
  38 cifs/cobu0083 at BROSE.NET (DES cbc mode with CRC-32)
  38 HTTP/cobu0083 at BROSE.NET (ArcFour with HMAC/md5)
  38 cifs/cobu0083.brose.net at BROSE.NET (DES cbc mode with CRC-32)
  38 cifs/cobu0083.brose.net at BROSE.NET (DES cbc mode with RSA-MD5)
  38 cifs/cobu0083.brose.net at BROSE.NET (ArcFour with HMAC/md5)
  38 cifs/cobu0083 at BROSE.NET (DES cbc mode with RSA-MD5)
  38 HOST/cobu0083 at BROSE.NET (DES cbc mode with CRC-32)
  38 cifs/cobu0083 at BROSE.NET (ArcFour with HMAC/md5)
  38 HOST/cobu0083.brose.net at BROSE.NET (DES cbc mode with CRC-32)
  38 HOST/cobu0083.brose.net at BROSE.NET (DES cbc mode with RSA-MD5)
  38 HOST/cobu0083.brose.net at BROSE.NET (ArcFour with HMAC/md5)
  38 HOST/cobu0083 at BROSE.NET (DES cbc mode with RSA-MD5)
  38 HOST/cobu0083 at BROSE.NET (ArcFour with HMAC/md5)
  38 ipp/cobu0083.brose.net at BROSE.NET (DES cbc mode with CRC-32)
  38 ipp/cobu0083.brose.net at BROSE.NET (DES cbc mode with RSA-MD5)
  38 ipp/cobu0083.brose.net at BROSE.NET (ArcFour with HMAC/md5)
  38 ipp/cobu0083 at BROSE.NET (DES cbc mode with CRC-32)
  38 ipp/cobu0083 at BROSE.NET (DES cbc mode with RSA-MD5)
  38 ipp/cobu0083 at BROSE.NET (ArcFour with HMAC/md5)
  38 ipp at cobu0083.brose.net (DES cbc mode with CRC-32)
  38 ipp at cobu0083.brose.net (DES cbc mode with RSA-MD5)
  38 ipp at cobu0083.brose.net (ArcFour with HMAC/md5)



Please give me some more information about a running Kerberos with AD configuration.

I hope somebody can give me some hints to track down the problem!

regards
Franz





