Forum Discussion
Problems with using Kerberos Authentication
Hi
This is a very interesting post... I'm having the same issue, so I checked all the steps that Kevin mentions, but my BigIP is still reporting the same errors:
Apr 16 20:11:09 bigrode2 debug apd[9383]: 01490000:7: modules/Authentication/Kerberos/KerberosAuthModule.cpp func: "display_status_1()" line: 84 Msg: a1f91c6a : GSS-API error gss_acquire_cred: d0000 : Unspecified GSS failure. Minor code may provide more information
Apr 16 20:11:09 bigrode2 debug apd[9383]: 01490000:7: modules/Authentication/Kerberos/KerberosAuthModule.cpp func: "display_status_1()" line: 84 Msg: a1f91c6a : GSS-API error gss_acquire_cred: 186a4 :
My problem is that item 'Kerberos Auth' does not open any connection to the KDC... I don't see any traffic to it with tcpdump -ni 0.0 host my_kdc
In the document for Kerberos Authentication (http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-aaa-auth-config-11-4-0.pdf?sr=36691337) there is no reference to /etc/krb5.conf; by the way, the LTM/APM is running 11.4.1 HF3. But I wrote the KDC and the Admin_Server in the krb5.conf, as it was necessary for the kinit test...
- DNS register A and PTR is done and also added at /etc/hosts via tmsh.
- Keytab file, the KVNO is the same in the KDC and in the filestore.
- Keytab file, tested in apache, bypassing APM, just only doing LTM, so the keytab file seems to be right.
- Kinit with a Domain User works fine. When I do this test I see traffic to the KDC with wireshark, so there is communication between BigIp and KDC...
Any idea?
Thanks in advance...