[CentOS] Apache/Active Directory authentication
Dvorkin, Asya
dvorkias at umdnj.edu
Fri Mar 11 20:50:36 UTC 2011
Okay... so at this point I am stuck.
I got this far:
Using modules:
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_kerb_module modules/mod_auth_kerb.so
[root at myserver conf]# net ads testjoin
Join is OK
I successfully joined the domain.
[root at myserver conf]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 host/myserver.server.com at CORE.HOST.EDU
2 host/rmyserver.server.com at CORE.HOST.EDU
2 host/myserver.server.com at CORE.HOST.EDU
2 host/myserver at CORE.HOST.EDU
2 host/myserver at CORE.HOST.EDU
2 host/myserver at CORE.HOST.EDU
2 MYSERVER$@CORE.HOST.EDU
2 MYSERVER$@CORE.HOST.EDU
2 MYSERVER$@CORE.HOST.EDU
2 http/myserver.server.com at CORE.HOST.EDU
2 http/myserver.server.com at CORE.HOST.EDU
2 http/myserver.server.com at CORE.HOSTEDU
2 http/myserver at CORE.HOST.EDU
2 http/myserver at CORE.HOST.EDU
2 http/myserver at CORE.HOST.EDU
My problem is that I am getting an error message in the Apache logs:
gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (No principal in keytab matches desired name)
I looked in the AD configuration and see that my server does not have an appropriate ServicePrincipalName for HTTP (only host).
My keytab file:
-rw------- 1 apache apache 957 Mar 11 14:31 /etc/httpd/conf/krb5.keytab
I have NO write access to the AD server and cannot do much about creating a proper keytab file.
Anything else I can do? Am I missing something?
Thank you!
Asya
On Mar 10, 2011, at 12:24 PM, John Hodrien wrote:
> On Thu, 10 Mar 2011, Dvorkin, Asya wrote:
>
>> John,
>>
>> Thank you for all your pointers! You are right.. I was able to create a
>> keytab file. Still having some issues with getting apache to work the way I
>> want to, but will continue troubleshooting it.
>
> No problem, and I'll be interested to hear about any other problems you have.
> I don't get the feeling many people use kerberised Apache.
>
> jh
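An added example, not part of the original posts: a small check that compares the principals in `klist -k` output against the one the web server is expected to request, and reports whether it is present exactly, present only with different letter case, or absent. It assumes the server asks for `HTTP/<fqdn>@<REALM>` (the default `KrbServiceName` in mod_auth_kerb) and that keytab lookups are case-sensitive; the function name `check_spn` and the sample listing are constructed for illustration, using the placeholder names from the post.

```shell
#!/bin/sh
# Constructed sample of `klist -k` output, modelled on the listing in the post
# (host and realm names are the post's own placeholders).
SAMPLE_KEYTAB='Keytab name: FILE:/etc/httpd/conf/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------
   2 host/myserver.server.com@CORE.HOST.EDU
   2 MYSERVER$@CORE.HOST.EDU
   2 http/myserver.server.com@CORE.HOST.EDU
   2 http/myserver@CORE.HOST.EDU'

# check_spn SERVICE FQDN REALM   (hypothetical helper; reads `klist -k` output on stdin)
# Prints one of:
#   match          the exact principal is in the keytab
#   case-mismatch  it is there only with different letter case
#   missing        no such principal at all
check_spn() {
    awk -v want="$1/$2@$3" '
        # Entry lines start with a numeric KVNO. The principal is the field
        # containing "@", which also works for `klist -k -t -e` output.
        $1 ~ /^[0-9]+$/ {
            for (i = 2; i <= NF; i++) {
                if (index($i, "@") == 0) continue
                if ($i == want) exact = 1
                else if (tolower($i) == tolower(want)) ci = 1
            }
        }
        END {
            if (exact)   print "match"
            else if (ci) print "case-mismatch"
            else         print "missing"
        }'
}

# Run against the constructed sample. Against a real keytab, pipe in e.g.
#   klist -k /etc/httpd/conf/krb5.keytab
echo "HTTP/myserver.server.com@CORE.HOST.EDU: $(printf '%s\n' "$SAMPLE_KEYTAB" |
    check_spn HTTP myserver.server.com CORE.HOST.EDU)"
```

Note that `klist -k` with no argument lists the system default keytab, so pass the path of the keytab Apache is configured to read when checking what the web server actually sees.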