Re: Apache/Active Directory authentication




On Fri, Mar 11, 2011 at 3:50 PM, Dvorkin, Asya <dvorkias@xxxxxxxxx> wrote:
> [root@myserver conf]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>   2 host/myserver.server.com@xxxxxxxxxxxxx
>   2 host/rmyserver.server.com@xxxxxxxxxxxxx
>   2 host/myserver.server.com@xxxxxxxxxxxxx
>   2 host/myserver@xxxxxxxxxxxxx
>   2 host/myserver@xxxxxxxxxxxxx
>   2 host/myserver@xxxxxxxxxxxxx
>   2 MYSERVER$@CORE.HOST.EDU
>   2 MYSERVER$@CORE.HOST.EDU
>   2 MYSERVER$@CORE.HOST.EDU
>   2 http/myserver.server.com@xxxxxxxxxxxxx
>   2 http/myserver.server.com@xxxxxxxxxxxxx
>   2 http/myserver.server.com@xxxxxxxxxxxx
>   2 http/myserver@xxxxxxxxxxxxx
>   2 http/myserver@xxxxxxxxxxxxx
>   2 http/myserver@xxxxxxxxxxxxx
>
> My problem is that I am getting an error message in apache logs:
>
> gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information (No principal in keytab matches desired name)
>
> I looked in AD configuration and see that my server does not have appropriate ServicePrincipalName for HTTP (only host).

Hi Asya,

You must set the servicePrincipalName attribute on the service account
(MYSERVER$ in this case) to include all of the hostnames that will be
used to access the web server, which in this case would be at least
"HTTP/myserver.server.com". One way to do this would be to use
setspn.exe on a Windows client, but if you really have no access to the
Windows side as you say, you could use the Samba keytab to acquire
credentials for doing the necessary LDAP add operation using some tool
(maybe there is a Samba utility for this, I don't know) or program.

Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
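
A local check that complements the thread above, as an added example that is not part of the original messages: it reads `klist -k` output and reports whether the keytab holds the exact principal named by the error, such as the "HTTP/myserver.server.com" form mentioned in the reply, since MIT Kerberos compares principal names case-sensitively. The function names, the placeholder realm EXAMPLE.COM and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how a keytab listing covers one service principal.
# Reads `klist -k` output on stdin; $1 = service (e.g. HTTP), $2 = host name.
# Prints one of: match | case-mismatch | missing
check_keytab_spn() {
    want="$1/$2"
    awk -v want="$want" '
        # Principal lines look like: "   2 HTTP/host.example.com@REALM"
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            princ = $2
            sub(/@.*$/, "", princ)      # drop the realm part
            if (princ == want)
                exact = 1               # byte-for-byte match
            else if (tolower(princ) == tolower(want))
                folded = 1              # differs only in letter case
        }
        END {
            if (exact)       print "match"
            else if (folded) print "case-mismatch"
            else             print "missing"
        }'
}

# Constructed sample modelled on the listing in the post.
# EXAMPLE.COM is a placeholder realm, not a value from the thread.
sample_keytab() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/myserver.server.com@EXAMPLE.COM
   2 MYSERVER$@EXAMPLE.COM
   2 http/myserver.server.com@EXAMPLE.COM
   2 http/myserver@EXAMPLE.COM
EOF
}

# Demo run over the constructed sample.
sample_keytab | check_keytab_spn HTTP myserver.server.com
sample_keytab | check_keytab_spn host myserver.server.com
sample_keytab | check_keytab_spn HTTP www.server.com
```

On a real host, pipe `klist -k` into `check_keytab_spn` once for every hostname clients use to reach the web server.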


