[CentOS] Apache/Active Directory authentication

Michael B Allen ioplex at gmail.com
Wed Mar 16 21:41:00 UTC 2011

On Mon, Mar 14, 2011 at 5:58 AM, John Hodrien <J.H.Hodrien at leeds.ac.uk> wrote:
> On Mon, 14 Mar 2011, Michael B Allen wrote:
>> Hi Asya,
>> You must set the servicePrincipalName attribute on the service account
>> (MYSERVER$ in this case) to include all of the hostnames that will be
>> used to access the web server which in this case would be at least
>> "HTTP/myserver.server.com". One way to do this would be to use
>> setspn.exe on a Windows client but if you really have no access to the
>> Windows side as you say, you could use the Samba keytab to acquire
>> credentials for doing the necessary LDAP add operation using some tool
>> (maybe there is a Samba utility for this, I don't know) or program.
> That's not true, and I'm not even sure it's possible from samba (at least, I'm
> not sure it *should* be possible).

What's not true? That you can use the Samba keytab to acquire a ticket
and perform an LDAP operation on its own Computer account? It
certainly is true. In fact Samba uses the keytab to authenticate with
and at least query AD services on a regular basis to perform normal
day-to-day operations.

But from looking at your other response I wonder if "net ads keytab ADD
HTTP" adds servicePrincipalName attribute values (I don't use Samba
like that so I don't know). If it is supposed to, and the AD account does
not have them, then I agree, something is wrong and he should start
over. It could be a replication issue.

> I have a machine with an A record that matches the keytab entry ("real"). The PTR
> record for the IP goes back to the hostname. There's then a CNAME record
> for the name used in reality for the web server ("friendly").
> A client will access:
> https://www.friendly/kerberised
> Client correctly pulls down HTTP/real@KRB-REALM, and the authentication works
> just fine.

I don't know what the official view is on going through a CNAME but I
think that is probably a dubious practice. The proper way to handle
this scenario would be to add another servicePrincipalName value for
HTTP/www.friendly and a corresponding keytab entry for
HTTP/www.friendly@KRB-REALM.


Michael B Allen
Java Active Directory Integration
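As an added illustration of the check described in this thread (not code from the original post or from any project mentioned in it): given the servicePrincipalName values currently on the service account and the list of hostnames clients will actually type into the browser (the "real" A record and any "friendly" CNAME), report which HTTP/ SPNs are missing, emit the LDIF that ldapmodify needs to add them, and list the principals that then also need keytab entries. The account DN, realm, hostnames and existing SPN list are constructed sample values; the assumption is an OpenLDAP client that can authenticate with the keytab-acquired ticket (kinit -k, then ldapmodify -Y GSSAPI).

```python
"""Compare an AD service account's servicePrincipalName values against the
hostnames a Kerberos-protected web server is reached by, and produce the LDIF
needed to add the missing HTTP/ SPNs.

Added example for this thread, not code from the original post.  The DN,
realm, hostnames and existing SPN values below are constructed samples.
"""
from __future__ import annotations

REALM = "EXAMPLE.COM"  # constructed sample realm (the thread's KRB-REALM)

# Constructed sample: what ldapsearch might return for the computer account.
SAMPLE_EXISTING_SPNS = [
    "HOST/MYSERVER",
    "HOST/myserver.server.com",
    "HTTP/myserver.server.com",
]
SAMPLE_DN = "CN=MYSERVER,CN=Computers,DC=example,DC=com"  # constructed


def required_spns(hostnames, service="HTTP"):
    """One SPN per hostname clients may use, including CNAME aliases.

    AD matches SPNs case-insensitively, so duplicates differing only in case
    are collapsed here as well.  A trailing dot on an FQDN is stripped.
    """
    seen = {}
    for host in hostnames:
        spn = f"{service}/{host.rstrip('.')}"
        seen.setdefault(spn.lower(), spn)
    return sorted(seen.values(), key=str.lower)


def missing_spns(existing, hostnames, service="HTTP"):
    """SPNs the account should have but does not (case-insensitive compare)."""
    have = {s.lower() for s in existing}
    return [s for s in required_spns(hostnames, service) if s.lower() not in have]


def ldif_add_spns(dn, spns):
    """LDIF change record adding each SPN value to the account.

    Apply with the keytab-derived ticket, e.g. (assumed environment):
        kinit -k 'MYSERVER$'
        ldapmodify -Y GSSAPI -H ldap://dc.example.com -f add-spn.ldif
    Returns an empty string when nothing needs adding.
    """
    if not spns:
        return ""
    lines = [f"dn: {dn}", "changetype: modify", "add: servicePrincipalName"]
    lines += [f"servicePrincipalName: {s}" for s in spns]
    return "\n".join(lines) + "\n"


def keytab_principals(spns, realm=REALM):
    """Principal names that also need keytab entries once the SPNs exist;
    without the matching key the KDC will issue tickets the server cannot
    decrypt."""
    return [f"{s}@{realm}" for s in spns]


if __name__ == "__main__":
    hosts = ["myserver.server.com", "www.friendly"]
    needed = missing_spns(SAMPLE_EXISTING_SPNS, hosts)
    print("missing SPNs:", needed)
    print(ldif_add_spns(SAMPLE_DN, needed))
    print("keytab entries needed:", keytab_principals(needed))
```

Run the check before touching the keytab: if the LDIF comes back empty the SPNs are already present and the problem lies elsewhere (replication lag, or a keytab that lacks the key for the principal the client actually requested).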
