stnoonan / spnego-http-auth-nginx-module

SPNEGO HTTP Authentication Module for nginx

cannot auth with AES256 keytab #141

Closed ermacaz closed 1 year ago

ermacaz commented 1 year ago

Hi. I am trying to update my existing working setup from arcfour to AES256; however, my new keys fail when attempting to auth.

In the nginx debug log I get an empty error message for gss_accept_sec_context() failed:

```
2023/05/16 00:01:00 [debug] 1503#0: *7 Token decoded: <token elided>
2023/05/16 00:01:00 [debug] 1503#0: *7 Client sent a reasonable Negotiate header
2023/05/16 00:01:00 [debug] 1503#0: *7 GSSAPI authorizing
2023/05/16 00:01:00 [debug] 1503#0: *7 Use keytab /etc/krb5.keytab
2023/05/16 00:01:00 [debug] 1503#0: *7 gss_accept_sec_context() failed: :
2023/05/16 00:01:00 [debug] 1503#0: *7 GSSAPI failed
```

Key has good perms and ownership:

```
$ ls -l /etc/krb5.keytab
-rw------- 1 www-data root 206 May 15 23:43 /etc/krb5.keytab
mhamada@cossandbox:~$ sudo klist -kte
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 05/15/2023 23:43:03 HTTP/sandbox.site.com@SITE.COM (aes256-cts-hmac-sha1-96)
```

Keytab is being generated on a Windows Server Active Directory with:

```
ktpass -princ HTTP/sandbox.site.com@SITE.COM -mapuser AD\aduser -pass 'test123' -out http.keytab -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1
```

krb5.conf on the server should be allowing AES256:

```
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
```

Went through and also remade new arc4 keys to ensure there wasn't a step missing from our process, and those work fine; something about the AES256 keys is causing a failure.

Any help appreciated

ermacaz commented 1 year ago

[sad unauthenticated noises]

stnoonan commented 1 year ago

This looks like an issue with your service account on the windows side. You need to explicitly enable support for AES256 for each one after generating the keytab.

See https://social.technet.microsoft.com/wiki/contents/articles/36470.active-directory-using-kerberos-keytabs-to-integrate-non-windows-systems.aspx


ermacaz commented 1 year ago

That option is enabled on the service account. Tried disabling and re-enabling it, but no luck. Also tried an AES128 key, but same issue.

[image: image] https://user-images.githubusercontent.com/3372343/239710415-52666fdc-507f-452a-bdfb-192bb8538c9c.png

stnoonan commented 1 year ago

It is strange that you aren’t getting an error message from the underlying library ( https://github.com/stnoonan/spnego-http-auth-nginx-module/blob/master/ngx_http_auth_spnego_module.c#L1524 )

Are you doing MIT or Heimdal? Can you kinit successfully using the generated keytab?


ermacaz commented 1 year ago

```
$ sudo krb5-config --all
Version:     Kerberos 5 release 1.15.5
Vendor:      Massachusetts Institute of Technology
```

I've honestly never been able to get kinit to work with old or new keys; it always gives me a "realm not local" error, but that didn't cause issues with it working before.

stnoonan commented 1 year ago

If you haven’t been able to get it to work, you probably have a busted config in the first place. It’s quite possibly unrelated, but you know how these things go.

I’m still surprised you get no actual error printed.

(For what it’s worth, I don’t actually have an environment to test your case anymore, so it is rather difficult to debug. If you can get kinit to work correctly, we would know the issue lies in the module rather than your local config.)


ermacaz commented 1 year ago

Rebuilt our Active Directory test env and that seemed to fix it... Closing as likely a config issue, as suspected.
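The thread ends at "likely a config issue" without pinning down which of the three places an enctype can be disabled was at fault: the keytab itself, the server's krb5.conf `permitted_enctypes`, or the AD service account's enabled encryption types (the setting stnoonan points at). The script below is an added diagnostic, not code from this module or from anyone in the thread. It parses `klist -kte` output and a krb5.conf fragment (both constructed here from the listing in the first post) and compares them against the account's `msDS-SupportedEncryptionTypes` bitmask, whose bit values (DES-CBC-CRC 0x1, DES-CBC-MD5 0x2, RC4-HMAC 0x4, AES128 0x8, AES256 0x10) come from Microsoft's Kerberos documentation; reading that attribute out of AD is assumed to be done separately (for example with `Get-ADUser -Properties msDS-SupportedEncryptionTypes`). It also flags the RC4 fallback the thread's krb5.conf still permits, since the point of the migration was to get off arcfour.

```python
"""Cross-check a keytab listing, krb5.conf enctypes and the AD account's
msDS-SupportedEncryptionTypes bitmask for the mismatches that make
gss_accept_sec_context() fail. All sample inputs below are constructed."""
import re

# msDS-SupportedEncryptionTypes bit values as documented by Microsoft.
AD_ENCTYPE_BITS = {
    "des-cbc-crc": 0x1,
    "des-cbc-md5": 0x2,
    "arcfour-hmac": 0x4,
    "aes128-cts-hmac-sha1-96": 0x8,
    "aes256-cts-hmac-sha1-96": 0x10,
}

# Spellings MIT krb5 accepts in krb5.conf or prints from klist.
ALIASES = {
    "rc4-hmac": "arcfour-hmac",
    "arcfour-hmac-md5": "arcfour-hmac",
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
}

WEAK = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}

# One data row of `klist -kte`: KVNO, date, time, principal, (enctype).
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)\s+\((\S+)\)\s*$")


def canon(name):
    """Map an enctype spelling to the canonical MIT name."""
    name = name.strip().lower()
    return ALIASES.get(name, name)


def parse_klist(text):
    """Parse `klist -kte` output into (kvno, principal, enctype) tuples."""
    entries = []
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(3), canon(m.group(4))))
    return entries


def parse_krb5_enctypes(text, key="permitted_enctypes"):
    """Return the enctype list for `key` from a krb5.conf fragment."""
    for line in text.splitlines():
        k, _, v = line.partition("=")
        if k.strip() == key:
            return [canon(x) for x in v.split()]
    return []


def check(keytab_text, krb5_text, ad_bits, principal):
    """Return a list of findings; an empty list means no mismatch was found."""
    findings = []
    entries = [e for e in parse_klist(keytab_text) if e[1] == principal]
    if not entries:
        return [f"no keytab entry for {principal}"]
    permitted = set(parse_krb5_enctypes(krb5_text))
    for kvno, _, etype in entries:
        if permitted and etype not in permitted:
            findings.append(f"{etype} (kvno {kvno}) not in permitted_enctypes")
        bit = AD_ENCTYPE_BITS.get(etype)
        if bit is not None and not ad_bits & bit:
            findings.append(f"{etype} (kvno {kvno}) not enabled on AD account")
        if etype in WEAK:
            findings.append(f"{etype} (kvno {kvno}) is a weak enctype")
    kvnos = {e[0] for e in entries}
    if len(kvnos) > 1:
        findings.append(f"multiple KVNOs in keytab: {sorted(kvnos)}")
    return findings


# Constructed inputs modelled on the listing in the first post.
KEYTAB_LISTING = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 05/15/2023 23:43:03 HTTP/sandbox.site.com@SITE.COM (aes256-cts-hmac-sha1-96)
"""
KRB5_CONF = """[libdefaults]
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
  permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
"""
PRINCIPAL = "HTTP/sandbox.site.com@SITE.COM"

if __name__ == "__main__":
    # Account with only RC4 enabled (0x4): the AES256 keytab cannot work.
    for f in check(KEYTAB_LISTING, KRB5_CONF, 0x4, PRINCIPAL):
        print("FINDING:", f)
    # Account with RC4 + AES128 + AES256 enabled (0x1c): clean.
    print("clean:", check(KEYTAB_LISTING, KRB5_CONF, 0x1C, PRINCIPAL) == [])
```

Run it with the real `klist -kte` output and the bitmask read from the account; a "not enabled on AD account" finding is the case stnoonan describes, while "not in permitted_enctypes" points at the server's krb5.conf instead. Neither replaces the `kinit -kt` check he asks for, which exercises the KDC path end to end.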