On Mon, 14 Mar 2011, Michael B Allen wrote:

> Hi Asya,
>
> You must set the servicePrincipalName attribute on the service account
> (MYSERVER$ in this case) to include all of the hostnames that will be
> used to access the web server which in this case would be at least
> "HTTP/myserver.server.com". One way to do this would be to use
> setspn.exe on a Windows client but if you really have no access to the
> Windows side as you say, you could use the Samba keytab to acquire
> credentials for doing the necessary LDAP add operation using some tool
> (maybe there is a Samba utility for this, I don't know) or program.

That's not true, and I'm not even sure it's possible from samba (at
least, I'm not sure it *should* be possible).

I have a machine with an A record that matches the keytab entry ("real").
The PTR record for the IP goes back to that hostname. There's then a CNAME
record for the name used in reality for the web server ("friendly").

A client will access:

https://www.friendly/kerberised

Client correctly pulls down HTTP/real at KRB-REALM, and the authentication
works just fine.

jh
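The name resolution described in the reply above, as an added example that is not part of the original message: a client that canonicalizes the URL host through the CNAME (and then the PTR) before building the principal ends up requesting the "real" name, which the existing keytab entry already covers. The zone data, host names and keytab contents are constructed, and whether a particular client canonicalizes at all is an assumption that varies by client and configuration.

```python
# Constructed records (not from the original message): one A record, its PTR,
# and a CNAME for the friendly web name, mirroring the layout described above.
ZONE = {
    "CNAME": {"www.friendly.example.test": "real.example.test"},
    "A": {"real.example.test": "192.0.2.10"},
    "PTR": {"192.0.2.10": "real.example.test"},
}
REALM = "KRB-REALM"  # realm name as written in the message
KEYTAB = {"HTTP/real.example.test@KRB-REALM"}  # constructed keytab contents


def canonicalize(host, zone, rdns=True, max_hops=8):
    """Follow CNAMEs to the name owning the A record, then optionally the PTR."""
    name = host.rstrip(".").lower()
    for _ in range(max_hops):
        target = zone["CNAME"].get(name)
        if target is None:
            break
        name = target.rstrip(".").lower()
    else:
        # Never reached a non-CNAME name: treat as a loop or overlong chain.
        raise ValueError("CNAME chain too long or looping: " + host)
    addr = zone["A"].get(name)
    if addr is None:
        raise LookupError("no A record for " + name)
    if rdns:
        # Reverse lookup; fall back to the forward name if no PTR exists.
        name = zone["PTR"].get(addr, name).rstrip(".").lower()
    return name


def requested_spn(url_host, zone, canonical=True, rdns=True):
    """Service principal a client would ask the KDC for (hypothetical model)."""
    host = canonicalize(url_host, zone, rdns) if canonical else url_host.lower()
    return "HTTP/%s@%s" % (host, REALM)


def keytab_can_serve(url_host, zone, keytab, **kw):
    """True when the requested principal has a matching keytab entry."""
    return requested_spn(url_host, zone, **kw) in keytab
```

With `canonical=False` the model asks for the friendly name instead, which is the case where an additional servicePrincipalName would be needed.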