[CentOS] Apache/Active Directory authentication

Mon Mar 14 09:58:37 UTC 2011
John Hodrien <J.H.Hodrien at leeds.ac.uk>

On Mon, 14 Mar 2011, Michael B Allen wrote:

> Hi Asya,
>
> You must set the servicePrincipalName attribute on the service account
> (MYSERVER$ in this case) to include all of the hostnames that will be
> used to access the web server which in this case would be at least
> "HTTP/myserver.server.com". One way to do this would be to use
> setspn.exe on a Windows client but if you really have no access to the
> Windows side as you say, you could use the Samba keytab to acquire
> credentials for doing the necessary LDAP add operation using some tool
> (maybe there is a Samba utility for this, I don't know) or program.

That's not true, and I'm not even sure it's possible from samba (at least, I'm
not sure it *should* be possible).

I have a machine with an A record that matches the keytab entry ("real").  The PTR
record for the IP goes back to that hostname.  There's then a CNAME record
for the name used in reality for the web server ("friendly").

A client will access:

https://www.friendly/kerberised

Client correctly pulls down HTTP/real at KRB-REALM, and the authentication works
just fine.

jh
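As an added illustration (not code from the thread or from Samba/MIT krb5), a small Python simulation of the client-side name canonicalisation described above: the CNAME for the friendly name is chased to the real host, the PTR for its address is consulted (as MIT krb5 does with rdns enabled), and the resulting HTTP/real@REALM principal is checked against the server's keytab. The zone data, realm and keytab entries are constructed placeholders.

```python
# Added example (not from the list thread): how a Kerberos client with DNS
# canonicalisation turns the hostname in a URL into the HTTP service
# principal it requests, and whether the server's keytab can accept it.
def canonical_host(host, zone, rdns=True, max_hops=8):
    """Follow CNAMEs to the name that owns the A record; with rdns=True
    also replace it by the PTR name for that address (MIT krb5 default)."""
    name = host.lower().rstrip(".")
    for _ in range(max_hops):
        target = zone["cname"].get(name)
        if target is None:
            break
        name = target.lower().rstrip(".")
    else:
        raise ValueError(f"CNAME chain from {host} too long")
    addr = zone["a"].get(name)
    if addr is None:
        raise LookupError(f"no A record for {name}")
    if rdns:
        ptr = zone["ptr"].get(addr)
        if ptr:
            name = ptr.lower().rstrip(".")
    return name

def service_principal(url_host, realm, zone, rdns=True):
    """Principal the client asks the KDC for, e.g. HTTP/real@REALM."""
    return f"HTTP/{canonical_host(url_host, zone, rdns)}@{realm}"

def keytab_accepts(url_host, realm, zone, keytab, rdns=True):
    """True when the server's keytab holds the principal the client used."""
    return service_principal(url_host, realm, zone, rdns) in keytab

# Constructed zone matching the post: "friendly" is a CNAME to "real",
# which has the A record, and the PTR for the address goes back to "real".
ZONE_OK = {
    "cname": {"www.friendly.example": "real.example"},
    "a": {"real.example": "192.0.2.10"},
    "ptr": {"192.0.2.10": "real.example"},
}
# Same zone, but the PTR names a different host: the client would then ask
# for HTTP/other.example, which the keytab lacks, and authentication fails.
ZONE_BAD_PTR = dict(ZONE_OK, ptr={"192.0.2.10": "other.example"})
REALM = "EXAMPLE.REALM"  # constructed realm
KEYTAB = {f"HTTP/real.example@{REALM}", f"host/real.example@{REALM}"}

if __name__ == "__main__":
    for zone in (ZONE_OK, ZONE_BAD_PTR):
        spn = service_principal("www.friendly.example", REALM, zone)
        ok = keytab_accepts("www.friendly.example", REALM, zone, KEYTAB)
        print(spn, "accepted" if ok else "rejected")
```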