[CentOS] Apache/Active Directory authentication

Thu Mar 17 10:18:00 UTC 2011
John Hodrien <J.H.Hodrien at leeds.ac.uk>

On Wed, 16 Mar 2011, Michael B Allen wrote:

> On Mon, Mar 14, 2011 at 5:58 AM, John Hodrien <J.H.Hodrien at leeds.ac.uk> wrote:
>> On Mon, 14 Mar 2011, Michael B Allen wrote:
>>
>>> Hi Asya,
>>>
>>> You must set the servicePrincipalName attribute on the service account
>>> (MYSERVER$ in this case) to include all of the hostnames that will be
>>> used to access the web server which in this case would be at least
>>> "HTTP/myserver.server.com". One way to do this would be to use
>>> setspn.exe on a Windows client but if you really have no access to the
>>> Windows side as you say, you could use the Samba keytab to acquire
>>> credentials for doing the necessary LDAP add operation using some tool
>>> (maybe there is a Samba utility for this, I don't know) or program.
>>
>> That's not true, and I'm not even sure it's possible from samba (at least, I'm
>> not sure it *should* be possible).
>
> What's not true? That you can use the Samba keytab to acquire a ticket
> and perform an LDAP operation on its own Computer account? It
> certainly is true. In fact Samba uses the keytab to authenticate with
> and at least query AD services on a regular basis to perform normal
> day-to-day operations.

Sorry I overquoted, I'll be more explicit.  You said:

    "You must set the servicePrincipalName attribute on the service account
    (MYSERVER$ in this case) to include all of the hostnames that will be
    used to access the web server"

That just isn't true.  You don't need all those principals in, and I can't
think of a sane way that'd even be possible.  There's no sane way this host
credential could be used to generate HTTP/another.fqdn@REALM credentials.
Surely?

> But from looking at your other response I wonder if "net ads keytab ADD
> HTTP" adds servicePrincipalName attribute values (I don't use Samba
> like that so I don't know). If it is supposed to, and the AD account does
> not have them, then I agree, something is wrong and he should start
> over. It could be a replication issue.

Yes.  That command creates servicePrincipalName entries for HTTP with the FQDN
and the short name.

> I don't know what the official view is on going through a CNAME but I
> think that is probably a dubious practice. The proper way to handle
> this scenario would be to add another servicePrincipalName value for
> HTTP/www.friendly and a corresponding keytab entry for
> HTTP/www.friendly@KRB-REALM.

Dubious why?  If I go with your method at the very least I now need more
records in AD for machines that don't exist, and I'm guessing I'll be creating
them by being a domain administrator, which is inconvenient in large
organisations.

I'm assuming I'll also be needing to add A records for these domains.
Kerberos surely won't be a fan of there not being a PTR record, so I assume
you'd need multiple PTR records.  Is this really the path you're suggesting
going down?  I'm genuinely interested here, I'm not having a dig.

jh
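The disagreement above comes down to which principal a client actually asks the KDC for when it reaches the web server through a CNAME. The script below is an added example, not code from this thread, from Samba or from MIT Kerberos: it models a client that either canonicalises the hostname through DNS (as MIT krb5's dns_canonicalize_hostname and rdns settings do) or uses the URL hostname literally, and checks the resulting HTTP/host@REALM principal against the entries a `klist -k` listing shows. The realm EXAMPLE.COM, the DNS records, the address 192.0.2.10 and the keytab listing are all constructed for the demonstration.

```python
"""Added example (not code from the thread, Samba or MIT Kerberos): model
which service principal a Kerberos client requests when an HTTP service
is reached through a DNS CNAME, and check whether the server's keytab
holds that principal. Every name, address and keytab line is constructed."""

REALM = "EXAMPLE.COM"  # constructed realm

# Constructed DNS data: www.friendly is a CNAME to the real host, which has
# an A record; the PTR record maps the address back to the real host.
DNS = {
    "www.friendly.example.com": ("CNAME", "myserver.example.com"),
    "myserver.example.com": ("A", "192.0.2.10"),
}
PTR = {"192.0.2.10": "myserver.example.com"}

# Constructed 'klist -k' style listing with the entries the thread says
# 'net ads keytab add HTTP' produces: HTTP for the FQDN and the short name.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/myserver.example.com@EXAMPLE.COM
   3 HTTP/myserver@EXAMPLE.COM
   3 host/myserver.example.com@EXAMPLE.COM
"""


def canonical_host(name, dns=DNS, max_hops=8):
    """Follow the CNAME chain from name to the owner of an A record."""
    name = name.lower().rstrip(".")
    seen = set()
    for _ in range(max_hops):
        rtype, value = dns.get(name, (None, None))
        if rtype == "A":
            return name
        if rtype != "CNAME" or value in seen:
            raise LookupError(f"cannot canonicalize {name}")
        seen.add(name)
        name = value
    raise LookupError("CNAME chain too long")


def requested_principal(url_host, canonicalize=True, rdns=False):
    """Principal the client will ask the KDC for: HTTP/<host>@REALM.

    canonicalize=True models a client that resolves the hostname (following
    CNAMEs) before building the principal, as MIT krb5's
    dns_canonicalize_hostname does; rdns=True additionally models the rdns
    setting, which substitutes the PTR name of the resolved address."""
    host = url_host.lower().rstrip(".")
    if canonicalize:
        host = canonical_host(host)
        if rdns:
            host = PTR.get(DNS[host][1], host)
    return f"HTTP/{host}@{REALM}"


def parse_keytab_listing(text):
    """Return the set of principals named in a 'klist -k' style listing."""
    principals = set()
    for line in text.splitlines():
        parts = line.split()
        # Data lines are '<kvno> <principal>'; header and rule lines are skipped.
        if len(parts) == 2 and parts[0].isdigit():
            principals.add(parts[1])
    return principals


def missing_principals(url_hosts, keytab_principals, canonicalize=True, rdns=False):
    """Principals clients would request that are absent from the keytab.

    An empty list means the service can accept tickets for every listed
    hostname with the keytab as it stands; otherwise each listed principal
    needs a servicePrincipalName value and a keytab entry."""
    missing = []
    for host in url_hosts:
        principal = requested_principal(host, canonicalize, rdns)
        if principal not in keytab_principals:
            missing.append(principal)
    return missing


if __name__ == "__main__":
    keytab = parse_keytab_listing(KLIST_OUTPUT)
    hosts = ["www.friendly.example.com", "myserver.example.com"]
    # Canonicalising client: the CNAME collapses onto the real host's SPN.
    print("canonicalising client, missing:", missing_principals(hosts, keytab))
    # Literal-name client: an SPN and keytab entry for the CNAME are needed.
    print("literal-name client, missing:",
          missing_principals(hosts, keytab, canonicalize=False))
```

Run against a real server, the same check would take the output of `klist -k /etc/krb5.keytab` (or `net ads keytab list`) in place of the constructed listing. Whether clients canonicalise is a client-side setting, which is why both positions in the thread can hold for different client populations: a canonicalising client needs only the SPNs the host already has, while a client that uses the URL hostname literally needs the extra HTTP/www.friendly principal and keytab entry.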