Problem enabling SPNEGO with webauth.

Mustafa A. Hashmi mahashmi at gmail.com
Wed Jun 14 01:55:50 PDT 2006


All:

In the process of setting up SPNEGO with webauth, all appears to work
barring the following issues:

The Kerberos keytab which was exported was 'weblogin.emergen.biz',
which is where the webkdc is running and is the Apache virtual host.
However, the server's hostname is 'ldap1.emergen.biz', and the
Kerberos server kept looking for the principal HTTP/ldap1.emergen.biz.
I am not sure why this is, though I exported a keytab accordingly.

The second issue is that users who are redirected to the webkdc
login (when no ticket is available or the browser doesn't support it)
can't log in. The webkdc service makes a POST to the /webkdc-service/
URI and then times out. The complete error log follows below:

-- this is recorded log immediately after the user hits submit to login --

[Wed Jun 14 13:37:59 2006] [info] Connection to child 82 established
(server weblogin.emergen.biz:443, client 127.0.0.1)
[Wed Jun 14 13:37:59 2006] [info] Seeding PRNG with 136 bytes of entropy
[Wed Jun 14 13:37:59 2006] [info] Initial (No.1) HTTPS request
received for child 82 (server weblogin.emergen.biz:443)
[Wed Jun 14 13:37:59 2006] [notice] mod_webkdc: event=requestToken
server=krb5:webauth/node30.emergen.biz at EMERGEN.BIZ user=<unknown>
rtt=id sa=webkdc lec=15 lem="need a proxy-token"
[Wed Jun 14 13:37:59 2006] [info] Connection to child 82 closed with
standard shutdown(server weblogin.emergen.biz:443, client 127.0.0.1)
[Wed Jun 14 13:37:59 2006] [error] [client 192.168.0.125]
(104)Connection reset by peer: ap_content_length_filter:
apr_bucket_read() failed, referer:
https://weblogin.emergen.biz/login?RT=RI/K3pglVy6NqaV7lLLEyJu/ArYOwc/+Qtdqp/Lo5IfyDj9UUB7045VfGTR92cmYF7Y7c7ai2Z3YA8MQ95ZXi4Fzwaj7mDX9NVwOFuIA26ZHlgFiixuBMsCbmKezengVSzoPoU1LOrnqq6zHLjtX7K9jlo3zs1dSk0d6hWTS+foAr3/Sdq7JkcVBcMilHLsRKXLpKs+6T5RUcjT3a9Awqtb+I6OBL/B1DFMNkcDKIa24CQIeZK5N7xtlxszkJql44GwLYIV+7qNZj4VVJmz6awkxpNk=;ST=RI+13bZzM2LKZk4aowyziIs8j7PbpDVzTBaV+o/+vqDdvIU/UYfE0+1XQ/7N5tnZTXl81g8n76lzaALrGMsKMEQwgUjCrq+p7CF2xamabtfqjUKWiMeskk37KXfPB8JJgeJ/vO+e9QkuXp0Y8+4ykeXBt5VJp5PQVXfDnzWgpfdgUiLpDIokGO7QUdtAVq3e24IMrw==
[Wed Jun 14 13:38:14 2006] [info] (70007)The timeout specified has
expired: SSL input filter read failed.
[Wed Jun 14 13:38:14 2006] [info] Connection to child 81 closed with
standard shutdown(server weblogin.emergen.biz:443, client
192.168.0.125)
[Wed Jun 14 13:38:14 2006] [info] Connection to child 19 established
(server weblogin.emergen.biz:443, client 192.168.0.125)
[Wed Jun 14 13:38:14 2006] [info] Seeding PRNG with 136 bytes of entropy
[Wed Jun 14 13:38:14 2006] [info] Initial (No.1) HTTPS request
received for child 19 (server weblogin.emergen.biz:443)
[Wed Jun 14 13:38:14 2006] [error] [client 192.168.0.125] File does
not exist: /var/www/favicon.ico
[Wed Jun 14 13:38:29 2006] [info] (70007)The timeout specified has
expired: SSL input filter read failed.
[Wed Jun 14 13:38:29 2006] [info] Connection to child 19 closed with
standard shutdown(server weblogin.emergen.biz:443, client
192.168.0.125)

-- end log --

Apache vhost container has the following (relevant) settings:

        ScriptAlias /login "/usr/share/weblogin/login.fcgi"
        ScriptAlias /login-simple "/usr/share/weblogin/login.fcgi"
        ScriptAlias /logout "/usr/share/weblogin/logout.fcgi"

        <Location "/login">
                AuthType Kerberos
                require valid-user
                KrbMethodNegotiate on
                KrbMethodK5Passwd off
                Krb5Keytab /etc/webkdc/ldap1krb5.keytab
                ErrorDocument 401 /login-simple
        </Location>


Finally, the webkdc conf file has:

our $HONOR_REMOTE_USER = 1;
our $REMUSER_EXPIRES = 60 * 60 * 8;
our $REALM = 'EMERGEN.BIZ';

--
I verified that the system does indeed redirect to /login-simple;
however, I could not find anything meaningful for the following error (as
seen in the logs above):

ap_content_length_filter: apr_bucket_read() failed, referer:

If someone could please shed some light on this, it would be much appreciated.

Also: please note that the first issue has no bearing on the second one.

Regards,
-- 
Mustafa A. Hashmi
mahashmi at gmail.com
mh at stderr.net
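
A triage helper for logs like the one posted above, given here as an added example that is not part of the original message or of WebAuth itself: it rejoins mail-wrapped Apache error-log entries and pulls the key=value fields out of mod_webkdc notices. The function names, the reading of a non-zero lec as a failure, and the restoration of "@" in the principal are assumptions.

```python
import re

# Constructed sample: two entries copied from the log in the post, with the
# mail client's line wrapping and the archive's " at " rewriting left in place.
SAMPLE_LOG = """\
[Wed Jun 14 13:37:59 2006] [info] Initial (No.1) HTTPS request
received for child 82 (server weblogin.emergen.biz:443)
[Wed Jun 14 13:37:59 2006] [notice] mod_webkdc: event=requestToken
server=krb5:webauth/node30.emergen.biz at EMERGEN.BIZ user=<unknown>
rtt=id sa=webkdc lec=15 lem="need a proxy-token"
"""

# "[Wed Jun 14 13:37:59 2006] [level] message" as it appears in the log above.
ENTRY = re.compile(r"^\[(?P<time>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})\] "
                   r"\[(?P<level>\w+)\] (?P<msg>.*)$")
# key=value pairs; a value is either double-quoted or a run of non-spaces.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def unwrap(log_text):
    """Rejoin wrapped lines: a line without a timestamp continues the previous entry."""
    entries = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        if ENTRY.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def webkdc_events(log_text):
    """Return one dict per mod_webkdc entry, holding its key=value fields."""
    events = []
    for entry in unwrap(log_text):
        m = ENTRY.match(entry)
        if not m or not m.group("msg").startswith("mod_webkdc:"):
            continue
        # Assumption: the list archive rewrote "@" in the principal as " at ".
        msg = re.sub(r"(server=\S+) at (\S+)", r"\1@\2", m.group("msg"))
        fields = {key: value.strip('"') for key, value in FIELD.findall(msg)}
        fields.update(time=m.group("time"), level=m.group("level"))
        events.append(fields)
    return events

def failed(events):
    """Assumption: a non-zero lec marks a request the WebKDC rejected."""
    return [e for e in events if e.get("lec", "0") != "0"]

if __name__ == "__main__":
    for e in failed(webkdc_events(SAMPLE_LOG)):
        print(e["time"], e["event"], e["server"], e["lec"], e["lem"])
```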


