PHP Apache mod_auth_kerb: kerb_authenticate_user entered with user (NULL) and auth_type Kerberos; Client didn't delegate us their credential


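I am trying to set up Integrated Windows Authentication with Kerberos using Active Directory on Windows Server 2008. Everything works, and I am able to obtain a Kerberos ticket on successful login. I am having trouble forwarding this ticket to a server configured with Apache. When forwarding the ticket, KRB5CCNAME is not set in the Apache/PHP environment variables.

My Kerberos configuration file (krb5.conf) is

The Apache mod_auth_kerb configuration file (auth_kerb) is

When I set KrbMethodK5Passwd to On, the browser prompts for a Kerberos username and password; supplying valid credentials produces a ticket, and its cache location is set in the Apache/PHP environment variable KRB5CCNAME. Using this variable KRB5CCNAME, we can use the Kerberos ticket as the credential for authentication.

With KrbMethodK5Passwd set to Off, I get the following error messages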

[Wed Sep 25 18:48:11 2013] [debug] src/mod_auth_kerb.c(1939): [client 10.81.17.156] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Sep 25 18:48:11 2013] [debug] src/mod_auth_kerb.c(1939): [client 10.81.17.156] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Sep 25 18:48:11 2013] [debug] src/mod_auth_kerb.c(1278): [client 10.81.17.156] Acquiring creds for HTTP/greenplum.divami.com
[Wed Sep 25 18:48:11 2013] [debug] src/mod_auth_kerb.c(1691): [client 10.81.17.156] Verifying client data using KRB5 GSS-API
[Wed Sep 25 18:48:11 2013] [debug] src/mod_auth_kerb.c(1707): [client 10.81.17.156] Client didn't delegate us their credential
[Wed Sep 25 18:48:11 2013] [debug] src/mod_auth_kerb.c(1726): [client 10.81.17.156] GSS-API token of length 180 bytes will be sent back
plum.divami.com/perfmon/login.php
[Wed Sep 25 18:48:11 2013] [debug] src/mod_auth_kerb.c(1691): [client 10.81.17.156] Verifying client data using KRB5 GSS-API , referer:http://greenplum.divami.com/perfmon/login.php
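I don't know whether the browser failed to pick up the Kerberos ticket, or whether the browser picked up the ticket but could not set the cache location in KRB5CCNAME. Please help me resolve this issue.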

Check your keytab file

cat apache.keytab

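If you see plain text and no strange characters, the keytab was not generated correctly. It is probably something on the AD side.

A proper keytab should look like this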

cat httpd.keytab 
.G..COMPANY.LOCALweb01.httpd.[N5�...��f\.Z�GR._x?���.G..COMPANY.LOCALweb01.httpd.[N5�...�=.�.�6w!k�e���.W..COMPANY.LOCALweb01.httpd.[N5�.. ]c��84��w�1Jo�.zH�rDY>�
                                                             ����B.F..COMPANY.LOCAL.HTTtestlogs.[N5�...��f\.Z�GR._x?���.F..COMPANY.LOCAL.HTTtestlogs.[N5�...�=.�.�6w!k�e���.V..
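
The `cat` check in the answer above only tells binary from plain text. As an added example (not part of the original answer), this sketch goes one step further and decodes the MIT keytab layout (version 0x0502) to list each principal, key version and encryption type without printing key bytes. The function names and the `EXAMPLE.TEST` realm are assumptions, and the sample keytab is constructed in the code with a dummy key.

```python
import struct

def _entry(rec):
    """Decode one keytab entry into (principal, kvno, enctype)."""
    off = 0
    def take(fmt):                      # read one big-endian field, advance
        nonlocal off
        (val,) = struct.unpack_from(fmt, rec, off)
        off += struct.calcsize(fmt)
        return val
    def counted():                      # uint16 length, then that many bytes
        return take(f">{take('>H')}s").decode("utf-8", "replace")
    ncomp = take(">H")                  # component count; realm not included
    realm = counted()
    comps = [counted() for _ in range(ncomp)]
    take(">I"); take(">I")              # name type, timestamp (unused here)
    kvno, enctype, keylen = take(">B"), take(">H"), take(">H")
    off += keylen                       # skip the key bytes; never print them
    if len(rec) - off >= 4:             # optional 32-bit kvno overrides 8-bit
        kvno = take(">I")
    return "/".join(comps) + "@" + realm, kvno, enctype

def parse_keytab(data):
    """List (principal, kvno, enctype) for each live entry in a keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("no 0x0502 header: not a binary MIT keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:
            if pos + size > len(data):
                raise ValueError("keytab entry is truncated")
            out.append(_entry(data[pos:pos + size]))
        pos += abs(size)                # negative size marks a deleted slot
    return out

def build_sample(principal, kvno=3, enctype=18, key=b"\x00" * 32):
    """Constructed one-entry keytab with a dummy all-zero key (demo input)."""
    name, realm = principal.split("@")
    s = lambda t: struct.pack(">H", len(t)) + t.encode()
    comps = name.split("/")
    rec = (struct.pack(">H", len(comps)) + s(realm) + b"".join(map(s, comps))
           + struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
           + struct.pack(">I", kvno))
    return b"\x05\x02" + struct.pack(">i", len(rec)) + rec

if __name__ == "__main__":
    for row in parse_keytab(build_sample("HTTP/greenplum.divami.com@EXAMPLE.TEST")):
        print(*row)
```

The principal listed should match the service name mod_auth_kerb logs in "Acquiring creds for HTTP/...". On a host with the MIT tools installed, `klist -k -t -e apache.keytab` prints the same listing.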

Did you find the problem? I am facing the same issue.
Set network.negotiate-auth.delegation-uris to greenplum.divami.com.
Set network.negotiate-auth.trusted-uris to greenplum.divami.com
 In Internet Explorer, select Tools > Internet Options.
 In the Local Internet (Advanced) dialog box, enter all relative domain names that will be used on the intranet (e.g. greenplum.divami.com).