我正在使用 mod_auth_kerb 和 Apache HTTPD 针对 Kerberos 服务器对网站用户进行身份验证。我在 Apache 错误日志中收到一条奇怪的错误消息。(请注意,出于安全原因,我在这篇文章中更改了主体,但格式保持不变)。打开 Apache 的调试级别输出使我能够获得更多信息日志:
[debug] src/mod_auth_kerb.c(1932): [client x.x.x.x] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[debug] src/mod_auth_kerb.c(1277): [client x.x.x.x] Acquiring creds for HTTP/kerberos_server.example.com@REALM.EXAMPLE.COM
[debug] src/mod_auth_kerb.c(1470): [client x.x.x.x] Credentials cache FILE:/tmp/krb5cc_48 not found, create one
[error] [client x.x.x.x] Could not parse principal HTTP/kerberos_server.example.com@REALM.EXAMPLE.COM/server_hostname: Malformed representation of principal (-1765328250)
[debug] src/mod_auth_kerb.c(1598): [client x.x.x.x] Failed to obtain credentials for s4u2proxy
[debug] src/mod_auth_kerb.c(1137): [client x.x.x.x] GSS-API major_status:000d0000, minor_status:0000000d
[error] [client x.x.x.x] gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, Permission denied)
我想问题出在主体末尾的“/server_hostname”上。在我的 Kerberos 密钥表文件中,主体被列为HTTP/kerberos_server.example.com@EXAMPLE.COM. 如何更改提交给 mod_auth_kerb 的主体?还是有另一种方法来协调这个解析错误?