[CentOS] Apache/Active Directory authentication
John Hodrien
J.H.Hodrien at leeds.ac.uk
Tue Mar 22 09:55:16 UTC 2011
On Tue, 22 Mar 2011, Michael B Allen wrote:
> Hi John,
>
> You would not have to create "dummy" machine records. The
> servicePrincipalName attribute on an AD account is multi-valued and
> clients can request and get a ticket for ANY principal in that list.
> So you only need one account.
>
> And you do not need special permissions if you have an existing keytab
> because you can use the keytab to authenticate with AD and add
> servicePrincipalName values to the account itself. At least in theory
> you can. I don't know if Samba's routine for adding HTTP SPNs is smart
> enough to know that it needs to not just add servicePrincipalName
> values but that it will also need to rebuild the keytab.
Yes, but using the machine principal you're able to request any number of
service principals that are SERVICENAME/<machinename>. For this to work in a
virtual hosting environment, you need multiple machine names (since we're
talking about making a number of HTTP/<blah> principals). Whilst I accept
this is possible, I don't see how you'd do it without being a domain admin.
How do I create the records starting from a position of only having the
machine credential for the web server, and at best another user credential
with rights to create machine objects?
With domain admin rights, I get how your scheme works, although it wasn't a
route I'd previously considered.
jh
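As an added illustration of the keytab point raised above (example code, not from the thread or from Samba): once HTTP/<vhost> values are added to one account's servicePrincipalName, the web server's keytab must also carry an entry for each of those principals, otherwise tickets issued for them cannot be decrypted by mod_auth_kerb. The script below compares the account's SPN list (as printed by `net ads setspn list` or fetched with ldapsearch) against the principals in the keytab (as printed by `klist -k`) and reports the SPNs without a keytab entry; both inputs are constructed samples, and the account and host names are assumptions.

```python
import re

# Constructed sample of `klist -k /etc/httpd/krb5.keytab` output (not from the thread).
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/httpd/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 WEBSRV$@EXAMPLE.COM
   3 HTTP/websrv.example.com@EXAMPLE.COM
   3 HTTP/WEBSRV@EXAMPLE.COM
"""

# Constructed sample of the account's servicePrincipalName values (e.g. from
# `net ads setspn list WEBSRV` or ldapsearch). Values in AD carry no realm.
AD_SPNS = [
    "HOST/websrv.example.com",
    "HOST/WEBSRV",
    "HTTP/websrv.example.com",
    "HTTP/WEBSRV",
    "HTTP/intranet.example.com",  # added for a virtual host, keytab not rebuilt yet
    "HTTP/wiki.example.com",
]


def keytab_principals(klist_text):
    """Return the set of principals found in `klist -k` output, realm stripped."""
    principals = set()
    for line in klist_text.splitlines():
        # Entry lines look like "   3 HTTP/host@REALM"; header lines do not match.
        m = re.match(r"\s*\d+\s+(\S+)@(\S+)\s*$", line)
        if m:
            principals.add(m.group(1))
    return principals


def spns_missing_from_keytab(ad_spns, klist_text, service="HTTP"):
    """SPNs of the given service that have no keytab entry.

    The comparison is deliberately case-sensitive: AD matches SPNs without regard
    to case, but the MIT keytab lookup on the web server does not, so an SPN that
    differs from its keytab entry only by case is still a failure to flag.
    """
    present = keytab_principals(klist_text)
    wanted = [s for s in ad_spns if s.upper().startswith(service.upper() + "/")]
    return sorted(s for s in wanted if s not in present)


if __name__ == "__main__":
    for spn in spns_missing_from_keytab(AD_SPNS, KLIST_OUTPUT):
        print("no keytab entry for", spn)
```

Run it against the real outputs after each SPN change; any line it prints is a principal for which the keytab still has to be regenerated.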