On Mon, 14 Mar 2011, Michael B Allen wrote: > Hi Asya, > > You must set the servicePrincipalName attribute on the service account > (MYSERVER$ in this case) to include all of the hostnames that will be > used to access the web server which in this case would be at least > "HTTP/myserver.server.com". One way to do this would be to use > setspn.exe on a Windows client but if you really have no access to the > Windows side as you say, you could use the Samba keytab to acquire > credentials for doing the necessary LDAP add operation using some tool > (maybe there is a Samba utility for this, I don't know) or program. That's not true, and I'm not even sure it's possible from samba (at least, I'm not sure it *should* be possible). I have a machine with an A record that matches the keytab entry ("real"). The PTR record for the IP goes back that the hostname. There's then a CNAME record for the name used in reality for the web server ("friendly"). A client will access: https://www.friendly/kerberised Client correctly pulls down HTTP/real@KRB-REALM, and the authentication works just fine. jh _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos