Re: Apache/Active Directory authentication


Okay... so at this point I am stuck.

I got this far:

Using modules:

LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_kerb_module modules/mod_auth_kerb.so

[root@myserver conf]# net ads testjoin
Join is OK

I successfully joined the domain.

[root@myserver conf]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/myserver.server.com@xxxxxxxxxxxxx
   2 host/rmyserver.server.com@xxxxxxxxxxxxx
   2 host/myserver.server.com@xxxxxxxxxxxxx
   2 host/myserver@xxxxxxxxxxxxx
   2 host/myserver@xxxxxxxxxxxxx
   2 host/myserver@xxxxxxxxxxxxx
   2 MYSERVER$@CORE.HOST.EDU
   2 MYSERVER$@CORE.HOST.EDU
   2 MYSERVER$@CORE.HOST.EDU
   2 http/myserver.server.com@xxxxxxxxxxxxx
   2 http/myserver.server.com@xxxxxxxxxxxxx
   2 http/myserver.server.com@xxxxxxxxxxxx
   2 http/myserver@xxxxxxxxxxxxx
   2 http/myserver@xxxxxxxxxxxxx
   2 http/myserver@xxxxxxxxxxxxx

My problem is that I am getting an error message in the Apache logs:

gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information (No principal in keytab matches desired name)

I looked in the AD configuration and see that my server does not have an appropriate ServicePrincipalName for HTTP (only host).

My keytab file:
-rw------- 1 apache apache 957 Mar 11 14:31 /etc/httpd/conf/krb5.keytab

I have NO right access to the AD server and cannot do much about creating a proper keytab file.

Anything else I can do?  Am I missing something?

Thank you!
Asya


On Mar 10, 2011, at 12:24 PM, John Hodrien wrote:

> On Thu, 10 Mar 2011, Dvorkin, Asya wrote:
> 
>> John,
>> 
>> Thank you for all your pointers!  You are right.. I was able to create a
>> keytab file.  Still having some issues with getting apache to work the way I
>> want to, but will continue troubleshooting it.
> 
> No problem, and I'll be interested to hear about any other problems you have.
> I don't get the feeling many people use kerberised Apache.
> 
> jh
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos
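
A check for the "No principal in keytab matches desired name" error quoted above, added here as an example and not part of the original thread. mod_auth_kerb by default asks for a principal whose service name is HTTP (the KrbServiceName directive), and Kerberos principal names compare case-sensitively. The function name, the sample listing and the realm EXAMPLE.REALM are constructed placeholders.

```shell
#!/bin/sh
# Classify how a keytab listing relates to the principal a service will ask for.
# Reads plain `klist -k` output on stdin (no -t/-e columns) and prints one of:
#   exact          the wanted principal is present, byte for byte
#   case-mismatch  present only with different letter case (e.g. http/ vs HTTP/)
#   missing        not present at all
check_keytab_principal() {
    wanted=$1
    awk -v want="$wanted" '
        # Entry lines look like "   2 HTTP/host.example.com@REALM";
        # the header and dashed separator lines do not start with a number.
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            if ($2 == want) exact = 1
            else if (tolower($2) == tolower(want)) ci = 1
        }
        END {
            if (exact) print "exact"
            else if (ci) print "case-mismatch"
            else print "missing"
        }'
}

# Constructed sample shaped like the listing in the message above; the realm
# is a placeholder because the archive redacts the real one.
sample_listing() {
    cat <<'EOF'
Keytab name: FILE:/etc/httpd/conf/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/myserver.server.com@EXAMPLE.REALM
   2 MYSERVER$@EXAMPLE.REALM
   2 http/myserver.server.com@EXAMPLE.REALM
EOF
}

# Against the sample this reports that only a lower-case http/ entry exists.
sample_listing | check_keytab_principal "HTTP/myserver.server.com@EXAMPLE.REALM"

# On a real host, list the keytab file that Apache is configured to read:
#   klist -k /etc/httpd/conf/krb5.keytab | check_keytab_principal "HTTP/<fqdn>@<REALM>"
```

A result of case-mismatch or missing means the keytab Apache reads holds no entry with exactly the requested name.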
