On Fri, 11 Mar 2011, Dvorkin, Asya wrote:

> [root@myserver conf]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 host/myserver.server.com@xxxxxxxxxxxxx
>    2 host/rmyserver.server.com@xxxxxxxxxxxxx
>    2 host/myserver.server.com@xxxxxxxxxxxxx
>    2 host/myserver@xxxxxxxxxxxxx
>    2 host/myserver@xxxxxxxxxxxxx
>    2 host/myserver@xxxxxxxxxxxxx
>    2 MYSERVER$@CORE.HOST.EDU
>    2 MYSERVER$@CORE.HOST.EDU
>    2 MYSERVER$@CORE.HOST.EDU
>    2 http/myserver.server.com@xxxxxxxxxxxxx
>    2 http/myserver.server.com@xxxxxxxxxxxxx
>    2 http/myserver.server.com@xxxxxxxxxxxx
>    2 http/myserver@xxxxxxxxxxxxx
>    2 http/myserver@xxxxxxxxxxxxx
>    2 http/myserver@xxxxxxxxxxxxx

So how did you get to the point of having this keytab?

> My problem is that I am getting an error message in apache logs:
>
> gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (No principal in keytab matches desired name)
>
> I looked in AD configuration and see that my server does not have an appropriate ServicePrincipalName for HTTP (only host).

Then something's wrong there.

    net ads status

This *must* agree with your keytab. If it doesn't, let's start again.

    net ads keytab flush
    net ads keytab create
    net ads keytab ADD HTTP
    net ads status
    klist -k

Make sure you get to a stage where what AD has and what you have agree.

Once you've got to that stage, use ktutil to read the system keytab (/etc/krb5.keytab), and delete out the entries you don't want, leaving just the HTTP ones. Write that out to /etc/httpd/conf/krb5.keytab.

Check it's correct:

    klist -k /etc/httpd/conf/httpd.keytab

Make sure you've told apache where to find it:

    Krb5KeyTab /etc/httpd/conf/httpd.keytab

The example that comes with the RPM in /etc/httpd/conf.d/auth_kerb.conf is a good starting point.
> my keytab file:
> -rw------- 1 apache apache 957 Mar 11 14:31 /etc/httpd/conf/krb5.keytab
>
> I have NO right access to the AD server and cannot do much about creating a proper keytab file.
>
> Anything else I can do? Am I missing something?

Have a go with that, and see where you get to.

jh

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
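An added example, not part of the thread above and not code from Samba or mod_auth_kerb: a small POSIX shell script that checks the two things jh's reply keeps coming back to, that the SPNs AD holds for the machine account (as printed by `net ads status`) and the entries in the keytab agree, and that the keytab contains the exact principal Apache will ask for. One caveat worth building into the check: Kerberos principal names are case-sensitive, so a keytab entry `http/host@REALM` does not satisfy a request for `HTTP/host@REALM`, and that mismatch produces the very same "No principal in keytab matches desired name" error. The hostname, realm and both sample listings below are constructed for the example; on a real box you would feed the script the output of `klist -k /etc/httpd/conf/httpd.keytab` and `net ads status` instead.

```shell
#!/bin/sh
# Added example: verify that the Apache keytab holds the principal
# mod_auth_kerb will request, and that AD actually has the matching SPN.
# Host, realm and the two sample listings are constructed, not real data.

# Principal mod_auth_kerb requests by default: HTTP/<fqdn>@<REALM>
expected_principal() {
    printf 'HTTP/%s@%s\n' "$1" "$2"
}

# $1 = output of `klist -k`; prints one principal per line, skipping the
# three header lines (Keytab name, KVNO Principal, the dashes).
keytab_principals() {
    printf '%s\n' "$1" | awk 'NR > 3 && NF >= 2 { print $2 }'
}

# $1 = klist output, $2 = wanted principal. Prints one word:
#   present        exact (case-sensitive) match, Apache will find it
#   case-mismatch  same name in different case, Apache will NOT find it
#   missing        no such entry at all
principal_verdict() {
    if keytab_principals "$1" | grep -qxF -- "$2"; then
        echo present
    elif keytab_principals "$1" | grep -qixF -- "$2"; then
        echo case-mismatch
    else
        echo missing
    fi
}

# $1 = output of `net ads status`; prints the machine account's SPNs
# (the servicePrincipalName attribute values, which carry no realm).
ad_spns() {
    printf '%s\n' "$1" | awk -F': ' '$1 == "servicePrincipalName" { print $2 }'
}

# $1 = net ads status output, $2 = SPN such as HTTP/host.example.com.
# AD matches SPNs case-insensitively, so this check is too; prints
# present or missing.
spn_verdict() {
    if ad_spns "$1" | grep -qixF -- "$2"; then echo present; else echo missing; fi
}

# --- constructed sample input, mirroring the shape of the thread's listing ---
SAMPLE_KLIST='Keytab name: FILE:/etc/httpd/conf/httpd.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/myserver.example.com@EXAMPLE.COM
   2 http/myserver.example.com@EXAMPLE.COM
   2 http/myserver@EXAMPLE.COM'

SAMPLE_STATUS='objectClass: computer
cn: MYSERVER
servicePrincipalName: HOST/myserver.example.com
servicePrincipalName: HOST/MYSERVER
sAMAccountName: MYSERVER$'

WANT=$(expected_principal myserver.example.com EXAMPLE.COM)
echo "AD SPN HTTP/myserver.example.com: $(spn_verdict "$SAMPLE_STATUS" HTTP/myserver.example.com)"
echo "keytab entry $WANT: $(principal_verdict "$SAMPLE_KLIST" "$WANT")"

# Live use (assumed paths and realm, adjust to yours):
#   principal_verdict "$(klist -k /etc/httpd/conf/httpd.keytab)" \
#       "$(expected_principal "$(hostname -f)" EXAMPLE.COM)"
#   spn_verdict "$(net ads status)" "HTTP/$(hostname -f)"
```

With the constructed input the script reports the SPN as missing in AD (the poster's situation) and the keytab entry as a case mismatch: the keytab has `http/...` where Apache asks for `HTTP/...`. A "case-mismatch" verdict is a signal to regenerate the entry with the service name in the case Apache uses (or, with mod_auth_kerb, to set KrbServiceName so that the two agree) rather than to keep editing the keytab by hand.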