Thank you! I'm working on it right now and will give my progress report soon :)

Asya

On Mar 14, 2011, at 6:11 AM, John Hodrien wrote:

> On Fri, 11 Mar 2011, Dvorkin, Asya wrote:
>
>> [root@myserver conf]# klist -k
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>    2 host/myserver.server.com@CORE.HOST.EDU
>>    2 host/rmyserver.server.com@CORE.HOST.EDU
>>    2 host/myserver.server.com@CORE.HOST.EDU
>>    2 host/myserver@CORE.HOST.EDU
>>    2 host/myserver@CORE.HOST.EDU
>>    2 host/myserver@CORE.HOST.EDU
>>    2 MYSERVER$@CORE.HOST.EDU
>>    2 MYSERVER$@CORE.HOST.EDU
>>    2 MYSERVER$@CORE.HOST.EDU
>>    2 http/myserver.server.com@CORE.HOST.EDU
>>    2 http/myserver.server.com@CORE.HOST.EDU
>>    2 http/myserver.server.com@CORE.HOSTEDU
>>    2 http/myserver@CORE.HOST.EDU
>>    2 http/myserver@CORE.HOST.EDU
>>    2 http/myserver@CORE.HOST.EDU
>
> So how did you get the point of having this keytab?
>
>> My problem is that I am getting an error message in apache logs:
>>
>> gss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (No principal in keytab matches desired name)
>>
>> I looked in AD configuration and see that my server does not have appropriate ServicePrincipalName for HTTP (only host).
>
> Then something's wrong there.
>
> net ads status
>
> This *must* agree with your keytab. If it doesn't, let's start again.
>
> net ads keytab flush
> net ads keytab create
> net ads keytab ADD HTTP
>
> net ads status
> klist -k
>
> Make sure you get to a stage where what AD has and what you have agree. Once
> you've got to that stage, use ktutil to read the system keytab
> (/etc/krb5.keytab), and delete out the entries you don't want, leaving just
> the HTTP ones. Write that out to /etc/httpd/conf/krb5.keytab.
>
> Check it's correct:
>
> klist -k /etc/httpd/conf/httpd.keytab
>
> Make sure you've told apache where to find it:
>
> Krb5KeyTab /etc/httpd/conf/httpd.keytab
>
> The example that comes with the RPM in /etc/httpd/conf.d/auth_kerb.conf is a
> good starting point.
>
>> my keytab file:
>> -rw------- 1 apache apache 957 Mar 11 14:31 /etc/httpd/conf/krb5.keytab
>>
>> I have NO right access to AD server and cannot do much about creating proper keytab file.
>>
>> Anything else I can do? Am I missing something?
>
> Have a go with that, and see where you get to.
>
> jh
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
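The keytab check and the ktutil extraction John describes, as an added shell example that is not part of the thread: it parses constructed `klist -k` text (it never touches a real keytab), reports whether the HTTP/<fqdn>@<realm> entry mod_auth_kerb needs is present, and generates the MIT ktutil command script that keeps only the HTTP entries. It assumes MIT ktutil syntax (read_kt, delent, write_kt) and that `klist -k` lists entries in the same order ktutil numbers its slots.

```shell
#!/bin/sh
# Added example (not from the thread). Given the text of `klist -k <keytab>`,
# check for the HTTP service principal (the lookup behind the
# "No principal in keytab matches desired name" error) and build a ktutil
# script that leaves only HTTP/ entries in a separate Apache keytab.

# Constructed sample in the shape of the `klist -k` output quoted in the thread.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/myserver.server.com@CORE.HOST.EDU
   2 MYSERVER$@CORE.HOST.EDU
   2 http/myserver.server.com@CORE.HOST.EDU
   2 http/myserver@CORE.HOST.EDU'

# Print the principals one per line in file order, skipping the three header lines.
keytab_principals() {
    printf '%s\n' "$1" | awk 'NR > 3 && NF >= 2 { print $2 }'
}

# Succeed only if an HTTP/<fqdn>@<realm> entry exists. The service part is
# compared case-insensitively because AD-created keytabs may write http or HTTP.
has_http_principal() {   # $1 = klist output, $2 = fqdn, $3 = realm
    keytab_principals "$1" | awk -v want="http/$2@$3" \
        'tolower($0) == tolower(want) { found = 1 } END { exit !found }'
}

# Emit an MIT ktutil script (assumption: MIT syntax): read the system keytab,
# delete every slot that is not an HTTP/ entry, highest slot first because
# ktutil renumbers after each delent, then write the survivors to the Apache keytab.
ktutil_http_only_script() {  # $1 = klist output, $2 = source keytab, $3 = dest keytab
    echo "read_kt $2"
    keytab_principals "$1" | awk '
        tolower($0) !~ /^http\// { slots[n++] = NR }
        END { for (i = n - 1; i >= 0; i--) print "delent " slots[i] }'
    echo "write_kt $3"
    echo "quit"
}

# Example run against the constructed sample (touches no real keytab):
# has_http_principal "$SAMPLE_KLIST" myserver.server.com CORE.HOST.EDU && echo "HTTP principal present"
# ktutil_http_only_script "$SAMPLE_KLIST" /etc/krb5.keytab /etc/httpd/conf/httpd.keytab
```

Feed the generated script to `ktutil` on stdin, then confirm with `klist -k /etc/httpd/conf/httpd.keytab` that only the HTTP entries remain before pointing Krb5KeyTab at it.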