[CentOS] Apache/Active Directory authentication
Dvorkin, Asya
dvorkias at umdnj.edu
Mon Mar 14 14:02:10 UTC 2011
Thank you!
I'm working on it right now and will give my progress report soon :)
Asya
On Mar 14, 2011, at 6:11 AM, John Hodrien wrote:
> On Fri, 11 Mar 2011, Dvorkin, Asya wrote:
>
>> [root at myserver conf]# klist -k
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>> 2 host/myserver.server.com at CORE.HOST.EDU
>> 2 host/rmyserver.server.com at CORE.HOST.EDU
>> 2 host/myserver.server.com at CORE.HOST.EDU
>> 2 host/myserver at CORE.HOST.EDU
>> 2 host/myserver at CORE.HOST.EDU
>> 2 host/myserver at CORE.HOST.EDU
>> 2 MYSERVER$@CORE.HOST.EDU
>> 2 MYSERVER$@CORE.HOST.EDU
>> 2 MYSERVER$@CORE.HOST.EDU
>> 2 http/myserver.server.com at CORE.HOST.EDU
>> 2 http/myserver.server.com at CORE.HOST.EDU
>> 2 http/myserver.server.com at CORE.HOSTEDU
>> 2 http/myserver at CORE.HOST.EDU
>> 2 http/myserver at CORE.HOST.EDU
>> 2 http/myserver at CORE.HOST.EDU
>
> So how did you get to the point of having this keytab?
>
>> My problem is that I am getting an error message in apache logs:
>>
>> gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (No principal in keytab matches desired name)
>>
>> I looked in AD configuration and see that my server does not have appropriate ServicePrincipalName for HTTP (only host).
>
> Then something's wrong there.
>
> net ads status
>
> This *must* agree with your keytab. If it doesn't, let's start again.
>
> net ads keytab flush
> net ads keytab create
> net ads keytab ADD HTTP
>
> net ads status
> klist -k
>
> Make sure you get to a stage where what AD has and what you have agree. Once
> you've got to that stage, use ktutil to read the system keytab
> (/etc/krb5.keytab), and delete out the entries you don't want, leaving just
> the HTTP ones. Write that out to /etc/httpd/conf/krb5.keytab.
>
> Check it's correct:
>
> klist -k /etc/httpd/conf/httpd.keytab
>
> Make sure you've told apache where to find it:
>
> Krb5KeyTab /etc/httpd/conf/httpd.keytab
>
> The example that comes with the RPM in /etc/httpd/conf.d/auth_kerb.conf is a
> good starting point.
>
>> my keytab file:
>> -rw------- 1 apache apache 957 Mar 11 14:31 /etc/httpd/conf/krb5.keytab
>>
>> I have NO access rights to the AD server and cannot do much about creating a proper keytab file.
>>
>> Anything else I can do? Am I missing something?
>
> Have a go with that, and see where you get to.
>
> jh
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
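The keytab check and the ktutil extraction John describes, as an added shell example that is not part of the thread: it reads `klist -k` output, reports whether the principal mod_auth_kerb asks for is actually present, and emits the ktutil commands that copy only that principal's entries into Apache's own keytab. Host, realm and keytab paths are constructed after the thread's placeholders; the archive prints "@" as " at ", real klist output uses "@".

```shell
#!/bin/sh
# Added example, not code from the thread. Checks `klist -k` output for the
# principal mod_auth_kerb hands to gss_acquire_cred() (HTTP/<fqdn>@<REALM>
# unless KrbServiceName says otherwise) and builds a ktutil command list that
# keeps only that principal's entries. Names below are constructed placeholders.

# Print the listing: $1 is the text itself, or "-" to read it from stdin.
listing_of() { if [ "$1" = "-" ]; then cat; else printf '%s\n' "$1"; fi; }

# Print one principal per line, dropping klist's header lines.
principals_of() {
  listing_of "$1" | awk '
    /^Keytab name:/ || /^ *KVNO/ || /^ *-+/ { next }
    NF >= 2 { print $2 }'
}

# keytab_check LISTING PRINCIPAL -> prints one of:
#   ok             exact entry present
#   case-mismatch  an entry differing only in case exists; MIT Kerberos compares
#                  principal names case-sensitively, so gss_acquire_cred() still
#                  fails with "No principal in keytab matches desired name"
#   missing        no entry for that service/host at all
keytab_check() {
  principals_of "$1" | awk -v want="$2" '
    $0 == want { exact = 1 }
    tolower($0) == tolower(want) { near = 1 }
    END {
      if (exact) print "ok"
      else if (near) print "case-mismatch"
      else print "missing"
    }'
}

# ktutil_script LISTING PRINCIPAL SRC DST -> ktutil commands that read SRC,
# delete every entry not belonging to PRINCIPAL and write the rest to DST.
# Slot numbers follow the file order both klist -k and ktutil's rkt use;
# delent runs from the highest slot down so earlier slots do not shift.
ktutil_script() {
  printf 'rkt %s\n' "$3"
  principals_of "$1" | awk -v want="$2" '
    { n++; if ($0 != want) drop[n] = 1 }
    END { for (i = n; i >= 1; i--) if (drop[i]) print "delent " i }'
  printf 'wkt %s\n' "$4"
}
```

Pipe the generated commands into `ktutil`, then give the new file the `apache` ownership and 0600 mode shown in the thread and confirm with `klist -k` on it before pointing `Krb5KeyTab` at it.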