[CentOS] Apache/Active Directory authentication

Mon Mar 14 10:11:16 UTC 2011
John Hodrien <J.H.Hodrien at leeds.ac.uk>

On Fri, 11 Mar 2011, Dvorkin, Asya wrote:

> [root at myserver conf]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>   2 host/myserver.server.com at CORE.HOST.EDU
>   2 host/rmyserver.server.com at CORE.HOST.EDU
>   2 host/myserver.server.com at CORE.HOST.EDU
>   2 host/myserver at CORE.HOST.EDU
>   2 host/myserver at CORE.HOST.EDU
>   2 host/myserver at CORE.HOST.EDU
>   2 MYSERVER$@CORE.HOST.EDU
>   2 MYSERVER$@CORE.HOST.EDU
>   2 MYSERVER$@CORE.HOST.EDU
>   2 http/myserver.server.com at CORE.HOST.EDU
>   2 http/myserver.server.com at CORE.HOST.EDU
>   2 http/myserver.server.com at CORE.HOSTEDU
>   2 http/myserver at CORE.HOST.EDU
>   2 http/myserver at CORE.HOST.EDU
>   2 http/myserver at CORE.HOST.EDU

So how did you get to the point of having this keytab?

> My problem is that I am getting an error message in apache logs:
>
> gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information (No principal in keytab matches desired name)
>
> I looked in AD configuration and see that my server does not have appropriate ServicePrincipalName for HTTP (only host).

Then something's wrong there.

net ads status

This *must* agree with your keytab.  If it doesn't, let's start again.

net ads keytab flush
net ads keytab create
net ads keytab ADD HTTP

net ads status
klist -k

Make sure you get to a stage where what AD has and what you have agree.  Once
you've got to that stage, use ktutil to read the system keytab
(/etc/krb5.keytab), and delete out the entries you don't want, leaving just
the HTTP ones.  Write that out to /etc/httpd/conf/krb5.keytab.

Check it's correct:

klist -k /etc/httpd/conf/httpd.keytab

Make sure you've told apache where to find it:

Krb5KeyTab /etc/httpd/conf/httpd.keytab

The example that comes with the RPM in /etc/httpd/conf.d/auth_kerb.conf is a
good starting point.

> my keytab file:
> -rw------- 1 apache apache 957 Mar 11 14:31 /etc/httpd/conf/krb5.keytab
>
> I have NO right access to AD server and cannot do much about creating proper keytab file.
>
> Anything else I can do?  Am I missing something?

Have a go with that, and see where you get to.

jh
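The ktutil step above (read the system keytab, drop everything that is not an HTTP entry, write the rest out for Apache) can be done without interactive slot-deleting. The following is an added example, not code from the post or from Samba/MIT Kerberos: a small reader/writer for the MIT keytab file format (version 0x0502) with a function that keeps only the entries for one service. The file paths, the sample entries built inline from the shape of the quoted klist output, and the dummy key bytes are all constructed assumptions. The service match is case-insensitive because the quoted listing shows the principals as http/ rather than HTTP/; the output file is created mode 0600, which matches the permissions in the quoted ls line.

```python
"""Extract the HTTP/ entries from a system keytab into a service keytab.

Added example (not from the mailing-list post or any project): minimal MIT
keytab (0x0502) reader/writer. Sample entries and paths are assumptions.
"""
import struct
from dataclasses import dataclass


@dataclass
class KeytabEntry:
    realm: str
    components: list      # e.g. ["http", "myserver.server.com"]
    name_type: int        # 1 = NT-PRINCIPAL
    timestamp: int
    kvno: int
    enctype: int          # e.g. 23 = RC4-HMAC, 18 = AES256-CTS-HMAC-SHA1-96
    key: bytes

    @property
    def principal(self) -> str:
        return "/".join(self.components) + "@" + self.realm


def _counted(b: bytes) -> bytes:
    """Counted octet string: uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def encode_entry(e: KeytabEntry) -> bytes:
    body = struct.pack(">H", len(e.components)) + _counted(e.realm.encode())
    for c in e.components:
        body += _counted(c.encode())
    body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
    body += struct.pack(">H", e.enctype) + _counted(e.key)
    body += struct.pack(">I", e.kvno)      # optional 32-bit kvno, overrides vno8
    return struct.pack(">i", len(body)) + body   # size excludes the size field


def write_keytab(entries) -> bytes:
    return b"\x05\x02" + b"".join(encode_entry(e) for e in entries)


def read_keytab(data: bytes):
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []

    def take(n):
        nonlocal pos
        chunk = data[pos:pos + n]
        if len(chunk) != n:
            raise ValueError("truncated keytab")
        pos += n
        return chunk

    def counted():
        (n,) = struct.unpack(">H", take(2))
        return take(n)

    while pos < len(data):
        (size,) = struct.unpack(">i", take(4))
        if size < 0:                 # negative size = deleted slot, skip it
            take(-size)
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", take(2))
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        name_type, timestamp, kvno = struct.unpack(">IIB", take(9))
        (enctype,) = struct.unpack(">H", take(2))
        key = counted()
        if end - pos >= 4:           # trailing 32-bit kvno present
            (vno32,) = struct.unpack(">I", take(4))
            kvno = vno32 or kvno
        pos = end
        entries.append(KeytabEntry(realm, comps, name_type, timestamp, kvno, enctype, key))
    return entries


def extract_service(data: bytes, service: str = "HTTP") -> bytes:
    """Keep only entries whose first component is `service` (case-insensitive)."""
    keep = [e for e in read_keytab(data) if e.components[0].upper() == service.upper()]
    if not keep:
        raise ValueError(f"no {service}/ principal in keytab")
    return write_keytab(keep)


def list_principals(data: bytes):
    """klist -k style view: (kvno, principal) for every live slot."""
    return [(e.kvno, e.principal) for e in read_keytab(data)]


# Constructed sample mirroring the shape of the quoted klist -k output; dummy keys.
SAMPLE = write_keytab([
    KeytabEntry("CORE.HOST.EDU", ["host", "myserver.server.com"], 1, 1299859860, 2, 23, b"\x11" * 16),
    KeytabEntry("CORE.HOST.EDU", ["MYSERVER$"], 1, 1299859860, 2, 23, b"\x22" * 16),
    KeytabEntry("CORE.HOST.EDU", ["http", "myserver.server.com"], 1, 1299859860, 2, 23, b"\x33" * 16),
    KeytabEntry("CORE.HOST.EDU", ["http", "myserver"], 1, 1299859860, 2, 23, b"\x44" * 16),
])

if __name__ == "__main__":
    import os, sys
    src = sys.argv[1] if len(sys.argv) > 1 else "/etc/krb5.keytab"          # assumed path
    dst = sys.argv[2] if len(sys.argv) > 2 else "/etc/httpd/conf/httpd.keytab"  # assumed path
    with open(src, "rb") as f:
        out = extract_service(f.read(), "HTTP")
    fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)  # keys: owner-only
    with os.fdopen(fd, "wb") as f:
        f.write(out)
    for kvno, p in list_principals(out):
        print(kvno, p)
```

Run it as root with the source and destination keytab as arguments, then chown the result to the apache user and confirm with klist -k that only the HTTP principals remain and that their KVNO still matches what `net ads status` reports; a stale KVNO gives the same "No principal in keytab matches" class of failure as a missing principal.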