please explain a valid kerberos setting with AD
franz.pfoertsch.brose
franz.pfoertsch at brose.com
Mon May 31 10:14:48 PDT 2010
I am trying to activate Kerberos in an AD environment, but it will not work!
My Apache is up and running with Kerberos!
We have approx. 12000 users and 48000 groups.
I mention this because I have to configure the LimitRequestFieldsize to 12392.
In the error.log I got:
...
d [31/May/2010:19:00:41 +0200] cupsdFindBest: best = /admin
d [31/May/2010:19:00:41 +0200] cupsdAuthorize: con->uri="/admin/?op=start-printer&printer_name=cobp0708", con->best=0xb78cc600(/admin)
d [31/May/2010:19:00:41 +0200] cupsdAuthorize: Authorization="Negotiate ....
...
D [31/May/2010:19:00:41 +0200] get_gss_creds: Attempting to acquire credentials for ipp@cobu0083.brose.net...
D [31/May/2010:19:00:41 +0200] get_gss_creds: Credentials acquired successfully for ipp@cobu0083.brose.net.
D [31/May/2010:19:00:41 +0200] cupsdAuthorize: Error accepting GSSAPI security context: Unspecified GSS failure. Minor code may provide more information, Wrong principal in request
d [31/May/2010:19:00:41 +0200] cupsdIsAuthorized: con->uri="/admin/?op=start-printer&printer_name=cobp0708", con->best=0xb78cc600(/admin)
d [31/May/2010:19:00:41 +0200] cupsdIsAuthorized: level=CUPSD_AUTH_ANON, type=None, satisfy=CUPSD_AUTH_SATISFY_ALL, num_names=0
d [31/May/2010:19:00:41 +0200] cupsdIsAuthorized: auth=CUPSD_AUTH_ALLOW...
d [31/May/2010:19:00:41 +0200] pipe_command: command="/usr/lib/cups/cgi-bin/admin.cgi", options="?op=start-printer&printer_name=cobp0708"
d [31/May/2010:19:00:41 +0200] pipe_command: argv[0] = "/usr/lib/cups/cgi-bin/admin.cgi"
d [31/May/2010:19:00:41 +0200] pipe_command: argv[1] = "op=start-printer&printer_name=cobp0708"
Here is the keytab of the machine:
klist -ek
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
38 host/cobu0083.brose.net@BROSE.NET (DES cbc mode with CRC-32)
38 host/cobu0083.brose.net@BROSE.NET (DES cbc mode with RSA-MD5)
38 host/cobu0083.brose.net@BROSE.NET (ArcFour with HMAC/md5)
38 host/cobu0083@BROSE.NET (DES cbc mode with CRC-32)
38 host/cobu0083@BROSE.NET (DES cbc mode with RSA-MD5)
38 host/cobu0083@BROSE.NET (ArcFour with HMAC/md5)
38 COBU0083$@BROSE.NET (DES cbc mode with CRC-32)
38 COBU0083$@BROSE.NET (DES cbc mode with RSA-MD5)
38 COBU0083$@BROSE.NET (ArcFour with HMAC/md5)
38 CIFS/cobu0083.brose.net@BROSE.NET (DES cbc mode with CRC-32)
38 CIFS/cobu0083.brose.net@BROSE.NET (DES cbc mode with RSA-MD5)
38 CIFS/cobu0083.brose.net@BROSE.NET (ArcFour with HMAC/md5)
38 CIFS/cobu0083@BROSE.NET (DES cbc mode with CRC-32)
38 CIFS/cobu0083@BROSE.NET (DES cbc mode with RSA-MD5)
38 CIFS/cobu0083@BROSE.NET (ArcFour with HMAC/md5)
38 HTTP/cobu0083@BROSE.NET (DES cbc mode with CRC-32)
38 HTTP/cobu0083.brose.net@BROSE.NET (DES cbc mode with CRC-32)
38 HTTP/cobu0083.brose.net@BROSE.NET (DES cbc mode with RSA-MD5)
38 HTTP/cobu0083.brose.net@BROSE.NET (ArcFour with HMAC/md5)
38 HTTP/cobu0083@BROSE.NET (DES cbc mode with RSA-MD5)
38 cifs/cobu0083@BROSE.NET (DES cbc mode with CRC-32)
38 HTTP/cobu0083@BROSE.NET (ArcFour with HMAC/md5)
38 cifs/cobu0083.brose.net@BROSE.NET (DES cbc mode with CRC-32)
38 cifs/cobu0083.brose.net@BROSE.NET (DES cbc mode with RSA-MD5)
38 cifs/cobu0083.brose.net@BROSE.NET (ArcFour with HMAC/md5)
38 cifs/cobu0083@BROSE.NET (DES cbc mode with RSA-MD5)
38 HOST/cobu0083@BROSE.NET (DES cbc mode with CRC-32)
38 cifs/cobu0083@BROSE.NET (ArcFour with HMAC/md5)
38 HOST/cobu0083.brose.net@BROSE.NET (DES cbc mode with CRC-32)
38 HOST/cobu0083.brose.net@BROSE.NET (DES cbc mode with RSA-MD5)
38 HOST/cobu0083.brose.net@BROSE.NET (ArcFour with HMAC/md5)
38 HOST/cobu0083@BROSE.NET (DES cbc mode with RSA-MD5)
38 HOST/cobu0083@BROSE.NET (ArcFour with HMAC/md5)
38 ipp/cobu0083.brose.net@BROSE.NET (DES cbc mode with CRC-32)
38 ipp/cobu0083.brose.net@BROSE.NET (DES cbc mode with RSA-MD5)
38 ipp/cobu0083.brose.net@BROSE.NET (ArcFour with HMAC/md5)
38 ipp/cobu0083@BROSE.NET (DES cbc mode with CRC-32)
38 ipp/cobu0083@BROSE.NET (DES cbc mode with RSA-MD5)
38 ipp/cobu0083@BROSE.NET (ArcFour with HMAC/md5)
38 ipp@cobu0083.brose.net (DES cbc mode with CRC-32)
38 ipp@cobu0083.brose.net (DES cbc mode with RSA-MD5)
38 ipp@cobu0083.brose.net (ArcFour with HMAC/md5)
Please give me some more information about a running Kerberos with AD configuration.
I hope somebody can give me some hints to track down the problem!
Regards
Franz
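
An added example, not part of the original post: a small Python check over `klist -ek` output like the listing above. It reports principals that hold only DES or RC4 keys (both deprecated for Kerberos) and principals whose realm differs from the expected one. The sample rows are excerpted from the post except the last, which is constructed; the function names are hypothetical.

```python
import re

# One keytab row: "KVNO principal@REALM (enctype)". The list archive
# rewrites "@" as " at ", so both spellings are accepted.
ROW = re.compile(r"^\s*(\d+)\s+(\S+?)(?:@| at )(\S+)\s+\((.+)\)\s*$")

def is_weak(enctype):
    """True for DES/3DES and RC4 (ArcFour) key types, in either the long
    names shown in the post or the short names newer klist versions print."""
    e = enctype.lower()
    return any(tag in e for tag in ("des", "arcfour", "rc4"))

def audit(klist_text, expected_realm):
    """Group keytab rows by principal and report the risky ones."""
    keys = {}  # (name, realm) -> set of enctype strings
    for line in klist_text.splitlines():
        m = ROW.match(line)
        if m:  # header and separator lines do not match
            _kvno, name, realm, enctype = m.groups()
            keys.setdefault((name, realm), set()).add(enctype)
    weak_only = sorted(f"{n}@{r}" for (n, r), e in keys.items()
                       if all(is_weak(x) for x in e))
    wrong_realm = sorted(f"{n}@{r}" for (n, r) in keys
                         if r != expected_realm)
    return {"principals": len(keys),
            "weak_only": weak_only,
            "wrong_realm": wrong_realm}

# Rows excerpted from the post; the final AES row is constructed to show
# what a principal with a modern key looks like to the check.
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
38 ipp/cobu0083.brose.net at BROSE.NET (DES cbc mode with CRC-32)
38 ipp/cobu0083.brose.net at BROSE.NET (ArcFour with HMAC/md5)
38 HTTP/cobu0083.brose.net at BROSE.NET (ArcFour with HMAC/md5)
38 COBU0083$@BROSE.NET (ArcFour with HMAC/md5)
38 ipp at cobu0083.brose.net (ArcFour with HMAC/md5)
39 ipp/cobu0083.brose.net at BROSE.NET (aes256-cts-hmac-sha1-96)
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE, "BROSE.NET").items():
        print(key, value)
```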