Re: Apache/Active Directory authentication




On Fri, 11 Mar 2011, Dvorkin, Asya wrote:

> [root@myserver conf]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>   2 host/myserver.server.com@xxxxxxxxxxxxx
>   2 host/rmyserver.server.com@xxxxxxxxxxxxx
>   2 host/myserver.server.com@xxxxxxxxxxxxx
>   2 host/myserver@xxxxxxxxxxxxx
>   2 host/myserver@xxxxxxxxxxxxx
>   2 host/myserver@xxxxxxxxxxxxx
>   2 MYSERVER$@CORE.HOST.EDU
>   2 MYSERVER$@CORE.HOST.EDU
>   2 MYSERVER$@CORE.HOST.EDU
>   2 http/myserver.server.com@xxxxxxxxxxxxx
>   2 http/myserver.server.com@xxxxxxxxxxxxx
>   2 http/myserver.server.com@xxxxxxxxxxxx
>   2 http/myserver@xxxxxxxxxxxxx
>   2 http/myserver@xxxxxxxxxxxxx
>   2 http/myserver@xxxxxxxxxxxxx

So how did you get to the point of having this keytab?

> My problem is that I am getting an error message in apache logs:
>
> gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information (No principal in keytab matches desired name)
>
> I looked in AD configuration and see that my server does not have appropriate ServicePrincipalName for HTTP (only host).

Then something's wrong there.

net ads status

This *must* agree with your keytab.  If it doesn't, let's start again.

net ads keytab flush
net ads keytab create
net ads keytab ADD HTTP

net ads status
klist -k

Make sure you get to a stage where what AD has and what you have agree.  Once
you've got to that stage, use ktutil to read the system keytab
(/etc/krb5.keytab), and delete out the entries you don't want, leaving just
the HTTP ones.  Write that out to /etc/httpd/conf/krb5.keytab.

Check it's correct:

klist -k /etc/httpd/conf/httpd.keytab

Make sure you've told apache where to find it:

Krb5KeyTab /etc/httpd/conf/httpd.keytab

The example that comes with the RPM in /etc/httpd/conf.d/auth_kerb.conf is a
good starting point.

> my keytab file:
> -rw------- 1 apache apache 957 Mar 11 14:31 /etc/httpd/conf/krb5.keytab
>
> I have NO right access to AD server and cannot do much about creating proper keytab file.
>
> Anything else I can do?  Am I missing something?

Have a go with that, and see where you get to.

jh
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
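An added example of the ktutil step described in the reply above (not part of jh's message or the original thread): it turns `klist -k` output into the ktutil commands that delete every slot except the HTTP/ entries and write what is left to the httpd keytab. It assumes MIT ktutil, whose slot numbers follow the order in which `klist -k` lists the entries, and uses a constructed `klist -k` sample in place of the real system keytab.

```shell
#!/bin/sh
# Added example, not from the original reply: build the ktutil command script
# that trims the system keytab down to its HTTP/ entries and writes the result
# to the httpd keytab named in the thread. ktutil's "delent" takes a slot
# number and the slots after a deleted one shift down by one, so deletions
# are emitted highest slot first.
#
# Assumptions: MIT ktutil numbers slots in the same order "klist -k" lists the
# entries; the constructed klist output below stands in for the real keytab.

# Constructed sample of "klist -k" output (realm and entries are made up).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------
   2 host/myserver.server.com@EXAMPLE.ORG
   2 MYSERVER$@EXAMPLE.ORG
   2 HTTP/myserver.server.com@EXAMPLE.ORG
   2 host/myserver@EXAMPLE.ORG
   2 HTTP/myserver@EXAMPLE.ORG'

# ktutil_trim_script KLIST_OUTPUT SRC_KEYTAB DST_KEYTAB
# Prints: rkt SRC, one "delent N" per non-HTTP slot (descending), wkt DST, quit.
# The principal match is case-insensitive because AD registers "HTTP/..." while
# the keytab in the thread shows it as "http/...".
ktutil_trim_script() {
    printf 'rkt %s\n' "$2"
    printf '%s\n' "$1" | awk '
        /^ *[0-9]+ / { slot++; if (tolower($2) !~ /^http\//) del[++n] = slot }
        END { for (i = n; i >= 1; i--) print "delent " del[i] }'
    printf 'wkt %s\nquit\n' "$3"
}

# Stand-alone run: show the ktutil script for the constructed sample.
ktutil_trim_script "$SAMPLE_KLIST" /etc/krb5.keytab /etc/httpd/conf/httpd.keytab

# On the real host (as root) the same function drives ktutil directly. "wkt"
# appends to an existing file rather than replacing it, so remove any stale
# copy first; then hand the new file to apache only, matching the thread's
# "-rw------- apache apache" listing:
#   rm -f /etc/httpd/conf/httpd.keytab
#   ktutil_trim_script "$(klist -k /etc/krb5.keytab)" /etc/krb5.keytab \
#       /etc/httpd/conf/httpd.keytab | ktutil
#   chown apache:apache /etc/httpd/conf/httpd.keytab
#   chmod 0600 /etc/httpd/conf/httpd.keytab
#   klist -k /etc/httpd/conf/httpd.keytab   # should list only the HTTP/ entries
```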

