On Fri, 11 Mar 2011, Dvorkin, Asya wrote:
> [root@myserver conf]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
>    2 host/myserver.server.com@CORE.HOST.EDU
>    2 host/rmyserver.server.com@CORE.HOST.EDU
>    2 host/myserver.server.com@CORE.HOST.EDU
>    2 host/myserver@CORE.HOST.EDU
>    2 host/myserver@CORE.HOST.EDU
>    2 host/myserver@CORE.HOST.EDU
>    2 MYSERVER$@CORE.HOST.EDU
>    2 MYSERVER$@CORE.HOST.EDU
>    2 MYSERVER$@CORE.HOST.EDU
>    2 http/myserver.server.com@CORE.HOST.EDU
>    2 http/myserver.server.com@CORE.HOST.EDU
>    2 http/myserver.server.com@CORE.HOSTEDU
>    2 http/myserver@CORE.HOST.EDU
>    2 http/myserver@CORE.HOST.EDU
>    2 http/myserver@CORE.HOST.EDU
So how did you get to the point of having this keytab?
> My problem is that I am getting an error message in apache logs:
> gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (No principal in keytab matches desired name)
> I looked in AD configuration and see that my server does not have appropriate ServicePrincipalName for HTTP (only host).
Then something's wrong there.
net ads status
This *must* agree with your keytab. If it doesn't, let's start again.
net ads keytab flush
net ads keytab create
net ads keytab ADD HTTP
net ads status
klist -k
Make sure you get to a stage where what AD has and what you have agree. Once you've got to that stage, use ktutil to read the system keytab (/etc/krb5.keytab), and delete out the entries you don't want, leaving just the HTTP ones. Write that out to /etc/httpd/conf/krb5.keytab.
Check it's correct:
klist -k /etc/httpd/conf/httpd.keytab
Make sure you've told apache where to find it:
Krb5KeyTab /etc/httpd/conf/httpd.keytab
The example that comes with the RPM in /etc/httpd/conf.d/auth_kerb.conf is a good starting point.
> my keytab file:
> -rw------- 1 apache apache 957 Mar 11 14:31 /etc/httpd/conf/krb5.keytab
> I have NO right access to AD server and cannot do much about creating proper keytab file.
> Anything else I can do? Am I missing something?
Have a go with that, and see where you get to.
jh
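The two checks the reply asks for, a keytab holding the service principal Apache will request and a keytab file Apache can read, as an added script that is not part of the thread. The `klist -k` text is a constructed sample modelled on the listing above (lowercase `http/` entries); the host `myserver.server.com`, realm `CORE.HOST.EDU` and owner `apache` are taken from the thread. Apache's mod_auth_kerb asks GSSAPI for `HTTP/<fqdn>@<REALM>` (unless `KrbServiceName` is changed) and keytab lookup is an exact, case-sensitive principal match, so the script reports a case-only match separately from a missing one.

```sh
#!/bin/sh
# Added example, not code from the thread. Offline checks for an Apache
# Kerberos keytab: is the HTTP/ principal present, and is the file private
# to the apache user?

# Constructed sample of `klist -k` output, shaped like the listing in the thread.
SAMPLE_KLIST='Keytab name: FILE:/etc/httpd/conf/krb5.keytab
KVNO Principal
   2 host/myserver.server.com@CORE.HOST.EDU
   2 MYSERVER$@CORE.HOST.EDU
   2 http/myserver.server.com@CORE.HOST.EDU'

# check_http_principal FQDN REALM   (reads klist -k output on stdin)
# Prints "exact", "case-only" or "missing". GSSAPI needs an exact match on
# HTTP/<fqdn>@<REALM>; an entry differing only in case still produces
# "No principal in keytab matches desired name".
check_http_principal() {
    awk -v want="HTTP/$1@$2" '
        $1 ~ /^[0-9]+$/ && $2 == want                   { exact = 1 }
        $1 ~ /^[0-9]+$/ && tolower($2) == tolower(want) { loose = 1 }
        END {
            if (exact)      print "exact"
            else if (loose) print "case-only"
            else            print "missing"
        }'
}

# check_keytab_perms FILE OWNER
# Succeeds only if FILE is mode 0600 and owned by OWNER (the thread shows
# -rw------- apache apache, which is what we want for the httpd keytab).
check_keytab_perms() {
    file=$1; owner=$2
    # GNU stat uses -c, BSD/macOS stat uses -f; try GNU first.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    user=$(stat -c '%U' "$file" 2>/dev/null || stat -f '%Su' "$file")
    [ "$mode" = "600" ] && [ "$user" = "$owner" ]
}

# Stand-alone run on the sample: prints "case-only", because the entries are
# http/... while Apache will ask for HTTP/...
printf '%s\n' "$SAMPLE_KLIST" | check_http_principal myserver.server.com CORE.HOST.EDU
```

On a live system feed it real output with `klist -k /etc/httpd/conf/krb5.keytab | check_http_principal "$(hostname -f)" CORE.HOST.EDU` and run `check_keytab_perms /etc/httpd/conf/krb5.keytab apache`.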