Re: Apache/Active Directory authentication




On Tue, 22 Mar 2011, Michael B Allen wrote:

> Hi John,
>
> You would not have to create "dummy" machine records. The
> servicePrincipalName attribute on an AD account is multi-valued and
> clients can request and get a ticket for ANY principal in that list.
> So you only need one account.
>
> And you do not need special permissions if you have an existing keytab
> because you can use the keytab to authenticate with AD and add
> servicePrincipalName values to the account itself. At least in theory
> you can. I don't know if Samba's routine for adding HTTP SPNs is smart
> enough to know that it needs to not just add servicePrincipalName
> values but that it will also need to rebuild the keytab.

Yes, but using the machine principal you're able to request any number of
service principals that are SERVICENAME/<machinename>.  For this to work in a
virtual hosting environment, you need multiple machine names (since we're
talking about making a number of HTTP/<blah> principals).  Whilst I accept
this is possible, I don't see how you'd do it without being a domain admin.
How do I create the records starting from a position of only having the
machine credential for the web server, and at best another user credential
with rights to create machine objects?

With domain admin rights, I get how your scheme works, although it wasn't a
route I'd previously considered.

jh
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
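
Editor's note: the scheme discussed above (one AD account carrying several HTTP/<vhost> values in its multi-valued servicePrincipalName, registered with nothing more than the account's own keytab, then a keytab rebuild so the web server can decrypt tickets for all of them) can be written down as a script. The following is an added example, not code from either poster nor from Samba, and it is not a claim about what Samba's own "net ads" routines do. Realm EXAMPLE.COM, DC dc1.example.com, the account DN, the machine name WEBSRV and the vhost names are all assumed placeholders. It also encodes the caveat that answers the question about privileges: out of the box a computer account holds only the *validated* write right on its own servicePrincipalName, which accepts an SPN only when its host part matches the account's dNSHostName or short name. Registering HTTP/www.example.com on WEBSRV$ therefore fails with insufficient access unless someone with rights on the object grants it plain Write servicePrincipalName; self_write_allowed() predicts that outcome locally before the script talks to the DC.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): register extra HTTP/<vhost>
# SPNs on one existing AD machine account using only that account's keytab,
# then rebuild the keytab so Apache/mod_auth_kerb can accept tickets for all.
# All names below are assumed placeholders.

REALM="EXAMPLE.COM"                                     # assumed realm
DC="dc1.example.com"                                    # assumed DC
BASE_DN="DC=example,DC=com"                             # assumed base DN
ACCOUNT_DN="CN=WEBSRV,CN=Computers,DC=example,DC=com"   # assumed account
ACCOUNT_PRINC='WEBSRV$'                                 # machine account name
ACCOUNT_DNS_HOST="websrv.example.com"                   # its dNSHostName
KEYTAB="/etc/krb5.keytab"

lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Predict whether the account's own validated write will accept an SPN.
# AD only lets SELF add an SPN whose host part equals the account's
# dNSHostName or its sAMAccountName without the trailing '$'. Anything
# else (a virtual-host name) needs an explicit Write servicePrincipalName
# grant from an admin, which is the point raised in the thread.
self_write_allowed() {
    spn="$1"; dns_host="$(lc "$2")"; short="$(lc "$3")"
    host="${spn#*/}"            # drop the service class ("HTTP/")
    host="${host%%:*}"          # drop an optional :port
    host="${host%%/*}"          # drop an optional /instance
    host="$(lc "$host")"
    [ "$host" = "$dns_host" ] || [ "$host" = "$short" ]
}

# Emit an LDIF that adds every HTTP/<vhost> value to the multi-valued
# servicePrincipalName attribute in one modify operation.
build_spn_ldif() {
    dn="$1"; shift
    printf 'dn: %s\nchangetype: modify\nadd: servicePrincipalName\n' "$dn"
    for vhost in "$@"; do
        printf 'servicePrincipalName: HTTP/%s\n' "$vhost"
    done
    printf '\n'
}

# AD refuses to issue tickets for an SPN that appears on two accounts,
# so check forest-wide before adding. Uses the TGT obtained by kinit.
spn_in_use() {
    ldapsearch -LLL -Y GSSAPI -H "ldap://$DC" -b "$BASE_DN" \
        "(servicePrincipalName=HTTP/$1)" dn 2>/dev/null | grep -q '^dn:'
}

register_vhosts() {
    short="${ACCOUNT_PRINC%\$}"
    for v in "$@"; do
        if ! self_write_allowed "HTTP/$v" "$ACCOUNT_DNS_HOST" "$short"; then
            echo "HTTP/$v: host part is not this account's name;" \
                 "the self write will be refused unless Write" \
                 "servicePrincipalName has been granted on $ACCOUNT_DN" >&2
        fi
    done
    # Authenticate as the account itself, with its keytab: no admin needed.
    kinit -k -t "$KEYTAB" "$ACCOUNT_PRINC@$REALM" || return 1
    for v in "$@"; do
        if spn_in_use "$v"; then
            echo "HTTP/$v is already registered elsewhere" >&2; return 1
        fi
    done
    build_spn_ldif "$ACCOUNT_DN" "$@" | ldapmodify -Y GSSAPI -H "ldap://$DC" || return 1
    # Rebuild the keytab from the account's SPN list as AD now has it, so the
    # server holds keys named for every HTTP/<vhost> principal.
    net ads keytab create || return 1
    klist -k "$KEYTAB" | grep 'HTTP/'
    # A client can now get a ticket for any SPN in the list; kvno asks the KDC.
    for v in "$@"; do kvno "HTTP/$v@$REALM" || return 1; done
}

# Only talk to the DC when explicitly asked, e.g.
#   RUN_SPN_REGISTRATION=1 ./register-spns.sh www.example.com intranet.example.com
if [ "${RUN_SPN_REGISTRATION:-0}" = 1 ]; then
    register_vhosts "$@"
fi
```

If the LDAP modify comes back with insufficientAccessRights for a vhost name that self_write_allowed rejected, that is the validated-write check, not a keytab problem; the fix is a one-time grant of Write servicePrincipalName on the account object (or running the ldapmodify step once as an account that has it), after which the keytab rebuild and all later renewals still need only the machine credential.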

