[CentOS] Apache/Active Directory authentication

Dvorkin, Asya dvorkias at umdnj.edu
Fri Mar 11 20:50:36 UTC 2011 

Okay... so at this point I am stuck.

I got this far:

Using modules:

LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_kerb_module modules/mod_auth_kerb.so

root at myserver conf]# net ads testjoin
Join is OK

I successfully joined domain.

[root at myserver conf]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/myserver.server.com at CORE.HOST.EDU
   2 host/rmyserver.server.com at CORE.HOST.EDU
   2 host/myserver.server.com at CORE.HOST.EDU
   2 host/myserver at CORE.HOST.EDU
   2 host/myserver at CORE.HOST.EDU
   2 host/myserver at CORE.HOST.EDU
   2 MYSERVER$@CORE.HOST.EDU
   2 MYSERVER$@CORE.HOST.EDU
   2 MYSERVER$@CORE.HOST.EDU
   2 http/myserver.server.com at CORE.HOST.EDU
   2 http/myserver.server.com at CORE.HOST.EDU
   2 http/myserver.server.com at CORE.HOSTEDU
   2 http/myserver at CORE.HOST.EDU
   2 http/myserver at CORE.HOST.EDU
   2 http/myserver at CORE.HOST.EDU

My problem is that I am getting an error message in apache logs:

gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information (No principal in keytab matches desired name)

I looked in AD configuration and see that my server does not have appropriate ServicePrincipalName for HTTP (only host).  

my keytab file:
-rw------- 1 apache apache 957 Mar 11 14:31 /etc/httpd/conf/krb5.keytab

I have NO right access to AD server and cannot do much about creating proper keytab file.

Anything else I can do?  Am I missing something?

Thank you!
Asya


On Mar 10, 2011, at 12:24 PM, John Hodrien wrote:

> On Thu, 10 Mar 2011, Dvorkin, Asya wrote:
> 
>> John,
>> 
>> Thank you for all your pointers!  You are right.. I was able to create a
>> keytab file.  Still having some issues with getting apache to work the way I
>> wan to, but will continue troubleshooting it.
> 
> No problem, and I'll be interested to hear about any other problems you have.
> I don't get the feeling many people use kerberised Apache.
> 
> jh
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

More information about the CentOS mailing list