[CentOS] Apache/Active Directory authentication
John Hodrien
J.H.Hodrien at leeds.ac.uk
Thu Mar 17 10:18:00 UTC 2011
On Wed, 16 Mar 2011, Michael B Allen wrote:
> On Mon, Mar 14, 2011 at 5:58 AM, John Hodrien <J.H.Hodrien at leeds.ac.uk> wrote:
>> On Mon, 14 Mar 2011, Michael B Allen wrote:
>>
>>> Hi Asya,
>>>
>>> You must set the servicePrincipalName attribute on the service account
>>> (MYSERVER$ in this case) to include all of the hostnames that will be
>>> used to access the web server which in this case would be at least
>>> "HTTP/myserver.server.com". One way to do this would be to use
>>> setspn.exe on a Windows client but if you really have no access to the
>>> Windows side as you say, you could use the Samba keytab to acquire
>>> credentials for doing the necessary LDAP add operation using some tool
>>> (maybe there is a Samba utility for this, I don't know) or program.
>>
>> That's not true, and I'm not even sure it's possible from samba (at least, I'm
>> not sure it *should* be possible).
>
> What's not true? That you can use the Samba keytab to acquire a ticket
> and perform an LDAP operation on its own Computer account? It
> certainly is true. In fact Samba uses the keytab to authenticate with
> and at least query AD services on a regular basis to perform normal
> day-to-day operations.
Sorry I overquoted, I'll be more explicit. You said:
"You must set the servicePrincipalName attribute on the service account
(MYSERVER$ in this case) to include all of the hostnames that will be
used to access the web server"
That just isn't true. You don't need all those principals in, and I can't
think of a sane way that'd even be possible. There's no sane way this host
credential could be used to generate HTTP/another.fqdn@REALM credentials.
Surely?
> But from looking at your other response I wonder if "net ads keytab ADD
> HTTP" adds servicePrincipalName attribute values (I don't use Samba
> like that so I don't know). If it is supposed to, and the AD account does
> not have them, then I agree, something is wrong and he should start
> over. It could be a replication issue.
Yes. That command creates servicePrincipalName entries for HTTP with the FQDN
and the short name.
> I don't know what the official view is on going through a CNAME but I
> think that is probably a dubious practice. The proper way to handle
> this scenario would be to add another servicePrincipalName value for
> HTTP/www.friendly and a corresponding keytab entry for
> HTTP/www.friendly@KRB-REALM.
Dubious why? If I go with your method at the very least I now need more
records in AD for machines that don't exist, and I'm guessing I'll be creating
them by being a domain administrator, which is inconvenient in large
organisations.
I'm assuming I'll also be needing to add A records for these domains.
Kerberos surely won't be a fan of there not being a PTR record, so I assume
you'd need multiple PTR records. Is this really the path you're suggesting
going down? I'm genuinely interested here, I'm not having a dig.
jh
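The disagreement above comes down to one verifiable question: for each hostname a client might use, is there an HTTP/hostname entry both in the local keytab and in the servicePrincipalName attribute of the computer account? The following added example (not part of the thread, and not Samba or CentOS code) parses the output of `klist -k` and compares it against the SPN list read from AD, reporting the two places separately so an administrator can see which side is missing. The keytab listing and SPN values are constructed sample data; the hostnames myserver.server.com, the short name myserver, the alias www.friendly and the realm SERVER.COM are assumptions, as is the exact case Samba uses for the short-name entry.

```python
import re

# Constructed sample of `klist -k /etc/krb5.keytab` output on a Samba-joined host
# after `net ads keytab add HTTP`. Real output is obtained with:
#   klist -k /etc/krb5.keytab
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/myserver.server.com@SERVER.COM
   3 host/MYSERVER@SERVER.COM
   3 HTTP/myserver.server.com@SERVER.COM
   3 HTTP/myserver@SERVER.COM
"""

# Constructed servicePrincipalName values for the MYSERVER$ computer account.
# Real values can be read with the host's own credentials, for example:
#   kinit -k 'MYSERVER$' && ldapsearch -Y GSSAPI -b <base DN> \
#       '(sAMAccountName=MYSERVER$)' servicePrincipalName
SAMPLE_SPNS = [
    "HOST/myserver.server.com",
    "HOST/MYSERVER",
    "HTTP/myserver.server.com",
]


def parse_keytab_principals(klist_output):
    """Return the set of principals listed by `klist -k` (lines of 'KVNO Principal')."""
    principals = set()
    for line in klist_output.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            principals.add(m.group(1))
    return principals


def expected_principals(service, hostnames, realm):
    """Build the principals the service should be reachable as.

    hostnames is the full list of names a client may use: the FQDN, the short
    name, and any CNAME alias the administrator wants covered explicitly.
    """
    return {f"{service}/{name}@{realm}" for name in hostnames}


def check_spn_coverage(klist_output, spns, service, hostnames, realm):
    """For each expected principal report whether it is in the keytab and in AD.

    Keytab principals are compared exactly, as Kerberos does. AD SPN values
    carry no realm and are matched case-insensitively, which is how AD treats
    them when it looks up a service ticket request.
    """
    keytab = parse_keytab_principals(klist_output)
    spn_set = {s.lower() for s in spns}
    report = {}
    for princ in sorted(expected_principals(service, hostnames, realm)):
        spn = princ.split("@", 1)[0]
        report[princ] = {
            "in_keytab": princ in keytab,
            "in_ad_spn": spn.lower() in spn_set,
        }
    return report


def missing_entries(report):
    """Flatten the report into (principal, location) pairs that need attention."""
    gaps = []
    for princ, where in sorted(report.items()):
        if not where["in_keytab"]:
            gaps.append((princ, "keytab"))
        if not where["in_ad_spn"]:
            gaps.append((princ, "servicePrincipalName"))
    return gaps


if __name__ == "__main__":
    names = ["myserver.server.com", "myserver", "www.friendly"]
    result = check_spn_coverage(SAMPLE_KLIST, SAMPLE_SPNS, "HTTP", names, "SERVER.COM")
    for princ, where in result.items():
        print(f"{princ}: keytab={where['in_keytab']} AD={where['in_ad_spn']}")
    for princ, location in missing_entries(result):
        print(f"MISSING in {location}: {princ}")
```

On the constructed data the FQDN entry is present on both sides, the short-name entry exists only in the keytab (a replication or setspn gap of the kind the thread speculates about), and the www.friendly alias is absent from both. Whether the alias entry is needed at all depends on whether the client canonicalises the CNAME before requesting a ticket; the report lists it separately so that decision stays with the administrator rather than being hidden by the check.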