I'm using mod_auth_kerb & Apache HTTPD to authenticate website users against a Kerberos server. I'm receiving a strange error message in my Apache error log. (Please note, I've changed the principal in this post for security reasons, but the format remains the same). Turning on debug level output for Apache allowed me to obtain more informative logs:
[debug] src/mod_auth_kerb.c(1932): [client x.x.x.x] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[debug] src/mod_auth_kerb.c(1277): [client x.x.x.x] Acquiring creds for HTTP/kerberos_server.example.com@REALM.EXAMPLE.COM
[debug] src/mod_auth_kerb.c(1470): [client x.x.x.x] Credentials cache FILE:/tmp/krb5cc_48 not found, create one
[error] [client x.x.x.x] Could not parse principal HTTP/kerberos_server.example.com@REALM.EXAMPLE.COM/server_hostname: Malformed representation of principal (-1765328250)
[debug] src/mod_auth_kerb.c(1598): [client x.x.x.x] Failed to obtain credentials for s4u2proxy
[debug] src/mod_auth_kerb.c(1137): [client x.x.x.x] GSS-API major_status:000d0000, minor_status:0000000d
[error] [client x.x.x.x] gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, Permission denied)
I suppose the problem is with the "/server_hostname" at the end of the principal. In my Kerberos keytab file the principal is listed as HTTP/kerberos_server.example.com@EXAMPLE.COM. How can I change the principal that is submitted to mod_auth_kerb? Or is there another way to reconcile this parsing error?