Re: Apache/Active Directory authentication




On Mon, 14 Mar 2011, Michael B Allen wrote:

> Hi Asya,
>
> You must set the servicePrincipalName attribute on the service account
> (MYSERVER$ in this case) to include all of the hostnames that will be
> used to access the web server which in this case would be at least
> "HTTP/myserver.server.com". One way to do this would be to use
> setspn.exe on a Windows client but if you really have no access to the
> Windows side as you say, you could use the Samba keytab to acquire
> credentials for doing the necessary LDAP add operation using some tool
> (maybe there is a Samba utility for this, I don't know) or program.

That's not true, and I'm not even sure it's possible from samba (at least, I'm
not sure it *should* be possible).

I have a machine with an A record that matches the keytab entry ("real"). The PTR
record for the IP goes back to that hostname. There's then a CNAME record
for the name used in reality for the web server ("friendly").

A client will access:

https://www.friendly/kerberised

Client correctly pulls down HTTP/real@KRB-REALM, and the authentication works
just fine.

jh
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
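As an added example, not part of jh's post or of any project's code, here is a small Python model of the lookup sequence the post describes (URL hostname, CNAME, A, then PTR, ending in HTTP/real@REALM), generalised to CNAME chains of any length and with the reverse-lookup step made switchable. Everything in it is constructed: the in-memory zone table stands in for DNS, the hostnames, address, realm and keytab listing are placeholders, and `service_principal` and `keytab_covers` are hypothetical helper names, not a library API.

```python
"""Model of how a Kerberos client derives the HTTP service principal from
the hostname in a URL when DNS canonicalisation is in effect.

Constructed example: the zone below is a toy in-memory table standing in
for DNS; no real resolver is consulted.
"""

from urllib.parse import urlparse

# Constructed toy zone. Names and the 192.0.2.x address are placeholders.
ZONE = {
    "www.friendly.example.com.": ("CNAME", "real.server.example.com."),
    "real.server.example.com.": ("A", "192.0.2.10"),
    "10.2.0.192.in-addr.arpa.": ("PTR", "real.server.example.com."),
}

REALM = "KRB-REALM"  # placeholder realm name


def _fqdn(name):
    """Normalise a hostname to a lower-case, dot-terminated zone key."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def resolve_canonical(name, zone=ZONE, max_hops=8):
    """Follow CNAME records until an A record is reached.

    Returns (canonical_name, ip). A bounded hop count guards against
    CNAME loops in a misconfigured zone.
    """
    cur = _fqdn(name)
    for _ in range(max_hops):
        rr = zone.get(cur)
        if rr is None:
            raise LookupError(f"no record for {cur}")
        rtype, data = rr
        if rtype == "CNAME":
            cur = data
            continue
        if rtype == "A":
            return cur, data
        raise LookupError(f"unexpected record type {rtype} for {cur}")
    raise LookupError("CNAME chain too long")


def reverse_name(ip):
    """Build the in-addr.arpa name used for a PTR lookup of an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def service_principal(url, zone=ZONE, realm=REALM, rdns=True):
    """Return HTTP/<canonical-host>@REALM as a canonicalising client would.

    With rdns=True the PTR record of the resolved address supplies the
    final hostname (the traditional reverse-lookup behaviour); with
    rdns=False the name the CNAME chain ends at is used directly.
    """
    host = urlparse(url).hostname
    canonical, ip = resolve_canonical(host, zone)
    if rdns:
        ptr = zone.get(reverse_name(ip))
        if ptr is not None and ptr[0] == "PTR":
            canonical = ptr[1]
    return f"HTTP/{canonical.rstrip('.')}@{realm}"


def keytab_covers(principal, keytab_principals):
    """Server-side check: is the principal the client will request actually
    present in the keytab (as 'klist -k' would list it)?"""
    return principal in set(keytab_principals)


# Constructed keytab listing for the "real" host.
KEYTAB = [
    "HTTP/real.server.example.com@KRB-REALM",
    "host/real.server.example.com@KRB-REALM",
]

if __name__ == "__main__":
    spn = service_principal("https://www.friendly.example.com/kerberised")
    status = "covered" if keytab_covers(spn, KEYTAB) else "MISSING from keytab"
    print(spn, status)
```

The point of the `rdns` switch is that real clients differ: in MIT krb5 the `dns_canonicalize_hostname` and `rdns` settings in `[libdefaults]` decide whether the CNAME and PTR steps happen at all, so the principal a client ends up asking for should always be checked against what the server keytab really holds rather than assumed from the URL.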

