Re: Apache/Active Directory authentication

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On Mon, Mar 14, 2011 at 5:58 AM, John Hodrien <J.H.Hodrien@xxxxxxxxxxx> wrote:
> On Mon, 14 Mar 2011, Michael B Allen wrote:
>
>> Hi Asya,
>>
>> You must set the servicePrincipalName attribute on the service account
>> (MYSERVER$ in this case) to include all of the hostnames that will be
>> used to access the web server which in this case would be at least
>> "HTTP/myserver.server.com". One way to do this would be to use
>> setspn.exe on a Windows client but if you really have no access to the
>> Windows side as you say, you could use the Samba keytab to acquire
>> credentials for doing the necessary LDAP add operation using some tool
>> (maybe there is a Samba utility for this, I don't know) or program.
>
> That's not true, and I'm not even sure it's possible from samba (at least, I'm
> not sure it *should* be possible).

What's not true? That you can use the Samba keytab to acquire a ticket
and perform an LDAP operation on it's own Computer account? It
certainly is true. In fact Samba uses the keytab to authenticate with
and at least query AD services on a regular basis to perform normal
day-to-day operations.

But from looking at you other response I wonder if "net ads keytab ADD
HTTP" adds servicePrincipalName attribute values (I don't use Samba
like that so I don't know). If is supposed to, and the AD account does
not have them, then I agree, something is wrong and he should start
over. It could be a replication issue.

> I have a machine with an A record that matches the keytab entry ("real").  The PTR
> record for the IP goes back that the hostname.  There's then a CNAME record
> for the name used in reality for the web server ("friendly").
>
> A client will access:
>
> https://www.friendly/kerberised
>
> Client correctly pulls down HTTP/real@KRB-REALM, and the authentication works
> just fine.

I don't know what the official view is on going through a CNAME but I
think that is probably a dubious practice. The proper way to handle
this scenario would be to add another servicePrincipalName value for
HTTP/www.friendly and a corresponding keytab entry for
HTTP/www.friendly@KRB-REALM.

Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos



[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux