Yep, I do klist -ke and see three for http... Triple DES cbc mode
with HMAC/sha1, ArcFour with HMAC/md5, and DES cbc mode with CRC-32.
There wouldn't need to be separate entries for https, would there? I
assume not since Kerberos requires https anyway.
The entry for http that you see there, is it for
http/calendar.domain.com?
It seems like the problem is in the realm. Kerb is working for
everything else. I have a realm set up to authenticate by Kerb and
to only allow members of a particular OD group. But when a member of
that group tries to hit that realm, Apache says they have the wrong
credentials.
After you attempt to connect to you have a service ticket for http,
even though you weren't allowed in?
Hm; no. I see krbtgt and afpserver but not http. I don't see anything
relevant in my computer's system or console logs (or any others I
could think of).
I did just find this, however. In my server's kdc log, I see this when
I try to pass that realm (names munged a little):
Aug 11 16:50:37 main.domain.com krb5kdc[206](info): TGS_REQ (7 etypes
{18 17 16 23 1 3 2}) 192.168.1.1: UNKNOWN_SERVER: authtime 1123767788,
email@hidden for
http/email@hidden, Server not found in Kerberos
database
Now why would it say the server isn't found in the kerb db? I have the
realm set to kerberos (by double-clicking on the name of the realm). I
must be missing something obvious...?
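
Added example, not part of the original thread: one way to pull the requested service principal out of krb5kdc UNKNOWN_SERVER lines like the one above and compare it with the principals that klist -ke lists from the keytab. The realm, user, and keytab contents are constructed placeholders, and the function names are hypothetical.

```python
import re

# Encryption type numbers as printed in krb5kdc TGS_REQ log lines.
ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
          16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
TGS_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): TGS_REQ \(\d+ etypes \{(?P<etypes>[\d ]+)\}\) "
    r"(?P<ip>\S+): (?P<status>[A-Z_]+): authtime \d+, "
    r"(?:etypes \{[^}]*\}, )?(?P<client>\S+) for (?P<service>[^,\s]+)")

def parse_tgs(line):
    """Return the fields of one TGS_REQ log line, or None if it is not one."""
    m = TGS_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["etypes"] = [ETYPES.get(int(n), n) for n in rec["etypes"].split()]
    return rec

def unknown_servers(log_lines, keytab_principals):
    """For each UNKNOWN_SERVER request, record what the client asked for and
    which keytab principals share its service name (compared ignoring case)."""
    findings = []
    for rec in filter(None, map(parse_tgs, log_lines)):
        if rec["status"] != "UNKNOWN_SERVER":
            continue
        svc = rec["service"].split("/")[0].lower()
        rec["in_keytab"] = rec["service"] in keytab_principals
        rec["same_service"] = sorted(
            p for p in keytab_principals if p.split("/")[0].lower() == svc)
        findings.append(rec)
    return findings

# Constructed sample data: realm, user and keytab entries are placeholders.
SAMPLE_LOG = [
    "Aug 11 16:50:37 main.domain.com krb5kdc[206](info): TGS_REQ (7 etypes "
    "{18 17 16 23 1 3 2}) 192.168.1.1: UNKNOWN_SERVER: authtime 1123767788, "
    "user@DOMAIN.COM for http/calendar.domain.com@DOMAIN.COM, "
    "Server not found in Kerberos database",
    "Aug 11 16:51:02 main.domain.com krb5kdc[206](info): TGS_REQ (7 etypes "
    "{18 17 16 23 1 3 2}) 192.168.1.1: ISSUE: authtime 1123767788, etypes "
    "{rep=16 tkt=16 ses=16}, user@DOMAIN.COM for "
    "afpserver/main.domain.com@DOMAIN.COM",
]
SAMPLE_KEYTAB = {"http/main.domain.com@DOMAIN.COM",
                 "afpserver/main.domain.com@DOMAIN.COM"}
```

Calling unknown_servers(SAMPLE_LOG, SAMPLE_KEYTAB) returns one finding whose "service" is the name the client actually requested and whose "same_service" lists the keytab entries to compare it against.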