apache_mod_kerberos install & use

Daniel Kouril kouril at ics.muni.cz
Thu Aug 19 04:48:27 EDT 2004


ghasem wrote:
> Dear fellows:
> I have recently installed kerberos on a linux debian box. Then I
> installed apache_mod_kerb because actually this was why I wanted to
> install kerberos in the first place. Now I am stuck in the part which
> says this:
> "Default name of the service key is HTTP/<fqdn_of_www_server>@REALM,
> another name of the first instance can be set using the KrbServiceName
> option. The key must be stored in a keytab on a local disk, the
> Krb5Keytab and Krb4Srvtab option......." in the configuration options
> on http://modauthkerb.sourceforge.net/configure.html . Actually, while
> installing kerberos, I got stuck in the making of the client.
> The making of the server was pretty hard until I got the hang of how
> things work. Although the ports were open, I could not use it since
> I got a connection refused, which means that I had not configured the
> username passwords correctly.
> So I got the server running, but giving access to clients and later
> the configuration of the clients still remain.

You definitely need the kerberos working before configuring the module.
Check that you can do kinit successfully from the web service machine.
See also the INSTALL file from the modauthkerb package and have a look
at http://www.grolmsnet.de/kerbtut

> I would really appreciate guidance on this from anyone of you
> kerberos/apache_mod_kerb experts.

The best way is contacting them on the modauthkerb mailing list (see
links from www.sf.net/projects/modauthkerb)

> I ultimately want to connect to make trust between a
> Linux/kerberos/apache_mod_kerb and a windows network, so that Windows
> users can use their passwords to access certain pages served by the
> apache, does anyone have any comments on this?

If you only want the module to support password verification you can use 
almost any browser from arbitrary OS today. The module also supports SSO 
using clients' tickets, which however requires support on the browser
side (currently Mozilla and IE are known to work).

Daniel
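
The two modes mentioned in the reply above (password verification and ticket-based SSO), sketched as a mod_auth_kerb configuration. This is an added example, not part of the original message or the modauthkerb documentation; the realm EXAMPLE.COM, the host www.example.com, the keytab path and the two location names are placeholders.

```apache
# Added illustration; realm, host, paths and locations are placeholders.
# Service key expected in the keytab: HTTP/www.example.com@EXAMPLE.COM
# The keytab should be readable only by the account Apache runs as.

# Mode 1: password verification. Works with almost any browser, but the
# password is sent to the web server on every request, so require TLS.
<Location /private-password>
    SSLRequireSSL
    AuthType Kerberos
    AuthName "Kerberos login"
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP
    Krb5Keytab /etc/apache2/http.keytab
    KrbMethodNegotiate off
    KrbMethodK5Passwd on
    # Validate the KDC reply against the local service key so that a
    # spoofed KDC cannot vouch for an arbitrary password.
    KrbVerifyKDC on
    Require valid-user
</Location>

# Mode 2: SSO with the client's ticket. Needs browser support for
# Negotiate; no password reaches the web server.
<Location /private-sso>
    AuthType Kerberos
    AuthName "Kerberos SSO"
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP
    Krb5Keytab /etc/apache2/http.keytab
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    Require valid-user
</Location>
```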


