Kerberos negation: Repeated password requests during a browser session

10 April, 2008 (22:55) |

I’ve been fighting with this problem for two days. At work, we use kerberos to access most of our resources including internal websites with mod_auth_kerb. Using GSSAPI, your configured firefox should show the website if you’re owner of a valid ticket and prompt for a password one and only one time when you’re not. We had it working perfectly with a valid kerberos ticket, but each visitor without a ticket got prompted repeatedly for a password even after his first authentication. This also resulted in Request is a replay errors in Apache logs. The fix is quite easy, just explicitly set kdc_timesync in /etc/krb5.conf on the server:

[libdefaults] kdc_timesync = 0

This value turns off the time calibration which ensures different ticket time for all threads.

« It ain’t easy being a reporter

Shell History Meme »

Write a comment

2007 2008 2009 2010 astronomy bratislava brno chrocht cloud cluster dns economy egov eu evil fedora freedom fun howto kerberos life links linux open mind openness open source physics qa radio astronomy Red Hat rhel rizoto science space Star Trek stupid sysadmin think vmware

My company
My school

My professional resume
My photstream

Do you like my blog?

For 100 clicks, I get a beer!

M	T	W	T	F	S	S
« Mar				May »
	1	2	3	4	5	6
7	8	9	10	11	12	13
14	15	16	17	18	19	20
21	22	23	24	25	26	27
28	29	30

Marek Mahut

Kerberos negation: Repeated password requests during a browser session

Write a comment

Friends

Archives

Search