Women in Technology

Hear us Roar

  Single Sign-on for Your Web Applications with Apache and Kerberos
Subject:   Nice article, but i still can't get it to work (on FC2)
Date:   2005-03-24 12:34:24
From:   Morpheus4you
I can't get it to work on Fedora Core 2.

The methode where apxs is used doesn't work either, i compile it with this command:

/usr/sbin/apxs -i -a -c -DEAPI_MM \
-I/usr/include -L/usr/lib -L/lib \
../../../spnegohelp/libspnegohelp.a -L/usr/lib -L/lib \
-lgssapi_krb5 -ldes425 -lkrb5 -lk5crypto -lcom_err \

But unfortunately it fails with a lot of errors, starting with the next lines...

mod_auth_gss_krb5.c:32: error: syntax error before "gss_krb5_auth_module"
mod_auth_gss_krb5.c:32: warning: data definition has no type or storage class
mod_auth_gss_krb5.c:69: warning: initialization from incompatible pointer type
mod_auth_gss_krb5.c:70: error: syntax error before "gss_krb5_config_rec"
mod_auth_gss_krb5.c:70: error: initializer element is not constant
mod_auth_gss_krb5.c:70: error: (near initialization for `gss_krb5_cmds[0].cmd_data')
mod_auth_gss_krb5.c:71: error: initializer element is not constant

Can this module be build with Apache 2 anyway?

Could it be that the Kerberos implementation coming with Fedora Core 2 is not the right one? (like it requires MIT but FC2 has HEIMDAL)

Has anyone gotten this module to work with Fedora Core in some way?

Full Threads Oldest First

Showing messages 1 through 2 of 2.

  • Nice article, but i still can't get it to work (on FC2)
    2005-03-28 19:57:26  jason_garman [View]

    Hi, since I wrote the article, the mod_auth_kerb module has integrated support for GSSAPI. Have you tried that? You can find mod_auth_kerb at http://modauthkerb.sourceforge.net/

    -- Jason
    • I'm almost there...
      2005-03-29 23:20:01  Morpheus4you [View]

      Thank you for pointing me to that module! I had seen it before, but overlooked it's capability for Negotiate support. btw, I liked your book. It is really helping me to understand how Kerberos works. If possible you should add more information about web authentication via the Negotiate protocol as you did in this article, but i'm confident you will do that ;)

      Although transparent authentication via a winXP client with IE6, a webserver Apache 2 on Fedora Core2 and Windows 2003 Active directory as KDC doesn't work yet for me, i can succesfully do password authentication :)

      The error that was left behind in Apache's error log for using the Negotiate method was:
      [Wed Mar 30 08:44:34 2005] [error] [client] gss_accept_sec_context() failed: A token was invalid (Token header is malformed or corrupt)

      When on the Fedora Core 2 machine, i try to authenticate using the keytab file, i get the following error:

      [root@krbappserver conf.d]# kinit -k -t http.keytab
      kinit(v5): Cannot find KDC for requested realm while getting initial credentials

      However, this does work:

      kinit http/krbappserver.kerberos.local
      Password for http/krbappserver.kerberos.local@KERBEROS.LOCAL:

      Shouldn't the authentication with the keytabe file just have worked?