On Mon, 14 Mar 2011, Michael B Allen wrote:
Hi Asya,
You must set the servicePrincipalName attribute on the service account (MYSERVER$ in this case) to include all of the hostnames that will be used to access the web server which in this case would be at least "HTTP/myserver.server.com". One way to do this would be to use setspn.exe on a Windows client but if you really have no access to the Windows side as you say, you could use the Samba keytab to acquire credentials for doing the necessary LDAP add operation using some tool (maybe there is a Samba utility for this, I don't know) or program.
That's not true, and I'm not even sure it's possible from samba (at least, I'm not sure it *should* be possible).
I have a machine with an A record that matches the keytab entry ("real"). The PTR record for the IP goes back to that hostname. There's then a CNAME record for the name used in reality for the web server ("friendly").
A client will access:
https://www.friendly/kerberised
Client correctly pulls down HTTP/real@KRB-REALM, and the authentication works just fine.
jh
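An added example (not from either poster) that models the lookup chain jh describes: the client resolves the friendly CNAME to the real host's A record, confirms the PTR points back, and requests HTTP/real@REALM; the same function then checks that principal against the keytab's contents. All DNS records, the realm and the keytab listing below are constructed.

```python
# Added example: models DNS canonicalisation of a service hostname and the
# resulting Kerberos SPN, then checks it against a keytab. Constructed data only.
from typing import Dict, List, Optional, Tuple

# Constructed DNS zone: (name, rtype) -> value
DNS: Dict[Tuple[str, str], str] = {
    ("www.friendly", "CNAME"): "real.server.com",
    ("real.server.com", "A"): "192.0.2.10",
    ("10.2.0.192.in-addr.arpa", "PTR"): "real.server.com",
}

# Constructed keytab listing (what `klist -k` would print, principals only)
KEYTAB: List[str] = ["host/real.server.com@KRB-REALM", "HTTP/real.server.com@KRB-REALM"]


def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa name for an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def canonical_host(name: str, dns: Dict[Tuple[str, str], str], max_hops: int = 8) -> Optional[str]:
    """Follow CNAMEs to an A record, then require the PTR to agree. Loop-bounded."""
    seen = set()
    host = name.lower().rstrip(".")
    for _ in range(max_hops):
        if host in seen:
            return None  # CNAME loop: refuse to guess a name
        seen.add(host)
        target = dns.get((host, "CNAME"))
        if target is None:
            break
        host = target.lower().rstrip(".")
    ip = dns.get((host, "A"))
    if ip is None:
        return None
    ptr = dns.get((reverse_name(ip), "PTR"))
    return host if ptr and ptr.lower().rstrip(".") == host else None


def expected_spn(url_host: str, realm: str, dns: Dict[Tuple[str, str], str] = DNS) -> Optional[str]:
    """SPN a canonicalising client will ask the KDC for when it opens https://url_host/."""
    host = canonical_host(url_host, dns)
    return f"HTTP/{host}@{realm}" if host else None


def spn_in_keytab(spn: Optional[str], keytab_principals: List[str]) -> bool:
    """True when the service keytab holds a key for exactly that principal."""
    return spn is not None and spn in keytab_principals
```

With this zone the friendly name needs no SPN of its own, because the client only ever asks for HTTP/real.server.com@KRB-REALM, which the keytab already holds.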