Kerberos and Apache Virtual Hosted Websites

Scott Moseman scmoseman at gmail.com
Fri Jan 14 12:33:12 EST 2005


Host and Http keytabs created on the Windows server.
The keytabs moved to the Red Hat machine and imported
into the /etc/krb5.keytab file.

"klist -ke /etc/krb5.keytab" reports these 2 keytabs:
3 host/host.domain.com at DOMAIN.COM (DES cbc mode with RSA-MD5)
3 HTTP/vhost.domain.com at DOMAIN.COM (DES cbc mode with RSA-MD5)

kinit on both the Host and Http keytabs works just fine.
Set up an Apache website to authenticate using the HTTP.
Here is the htaccess file for the website:

AuthType Kerberos
KrbAuthRealms DOMAIN.COM
Krb5Keytab /usr/local/apache/conf/http.keytab
KrbMethodNegotiate on
KrbMethodK5Passwd on
require valid-user

When I attempt to access the website, vhost.domain.com,
I get this error message in the Apache error logs:

gss_acquire_cred() failed: Miscellaneous failure
(No principal in keytab matches desired name)

How can I further troubleshoot this Kerberos problem?
When I use kerbtray on my PC, it shows the correct name
for the Kerberos ticket (vhost.domain.com).  Any help?

Thanks,
Scott
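
A check of the configuration shown in the message, added here as an illustration and not written by the poster: the klist listing is for /etc/krb5.keytab, while Krb5Keytab points Apache at /usr/local/apache/conf/http.keytab, so the script compares the principal the site needs against the keytab Apache is actually told to read. The function names, the sample listing (written with "@" as klist prints it) and the expected principal form HTTP/<vhost>@<realm> are assumptions.

```python
import re

# Constructed sample, shaped like the `klist -ke /etc/krb5.keytab` listing in the post.
SYSTEM_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------
   3 host/host.domain.com@DOMAIN.COM (DES cbc mode with RSA-MD5)
   3 HTTP/vhost.domain.com@DOMAIN.COM (DES cbc mode with RSA-MD5)
"""
# Two of the directives quoted in the post.
HTACCESS = """\
KrbAuthRealms DOMAIN.COM
Krb5Keytab /usr/local/apache/conf/http.keytab
"""

def parse_klist(text):
    """Return (keytab path, set of principals) from `klist -k` / `klist -ke` output."""
    path, principals = None, set()
    for line in text.splitlines():
        name = re.match(r"Keytab name:\s*(?:\w+:)?(\S+)", line)
        entry = re.match(r"\s*\d+\s+(\S+@\S+)", line)
        if name:
            path = name.group(1)
        elif entry:
            principals.add(entry.group(1))
    return path, principals

def directive(config, name):
    """First value of an Apache directive (directive names are case-insensitive)."""
    for line in config.splitlines():
        parts = line.split()
        if len(parts) > 1 and parts[0].lower() == name.lower():
            return parts[1]

def diagnose(config, vhost, listings):
    """Check the configured keytab for the site's principal (names are case-sensitive)."""
    keytab = directive(config, "Krb5Keytab")
    # Assumption: the module asks for HTTP/<site name>@<first realm in KrbAuthRealms>.
    wanted = "HTTP/%s@%s" % (vhost, directive(config, "KrbAuthRealms"))
    keytabs = dict(parse_klist(text) for text in listings)
    if keytab not in keytabs:
        holders = sorted(p for p, names in keytabs.items() if wanted in names)
        return ("configured-keytab-not-inspected", keytab, wanted, holders)
    if wanted in keytabs[keytab]:
        return ("ok", keytab, wanted, [keytab])
    near = sorted(n for n in keytabs[keytab] if n.lower() == wanted.lower())
    return ("case-mismatch" if near else "principal-missing", keytab, wanted, near)

print(diagnose(HTACCESS, "vhost.domain.com", [SYSTEM_KEYTAB]))
```

The listing fed to diagnose() should come from running klist -ke against the file named in Krb5Keytab, as the account the Apache processes run under, so that file permissions are exercised as well.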


