Kerberos and Apache Virtual Hosted Websites

Donn Cave donn at u.washington.edu
Fri Jan 21 12:39:31 EST 2005


In article <1105723992.473938.247700 at z14g2000cwz.googlegroups.com>,
 "Scott Moseman" <scmoseman at gmail.com> wrote:
...
> When I attempt to access the website, vhost.domain.com,
> I get this error message in the Apache error logs:
> 
> gss_acquire_cred() failed: Miscellaneous failure
> (No principal in keytab matches desired name)
> 
> How can I further troubleshoot this Kerberos problem?
> When I use kerbtray on my PC, it shows the correct name
> for the Kerberos ticket (vhost.domain.com).  Any help?

The way it looks to me, you have a fairly good case
from your troubleshooting so far.  Someone now needs
to look at the code.  This gss_acquire_cred() gets the
service principal name from its caller, so you can
start there, where the module calls gss_acquire_cred
with the wrong principal name, and see how that happened.
I don't know anything about it, but I would guess there
may be two ways to get it right.  Either propagate this
information from whatever configuration option initially
determines the virtual host, or dig it up via getsockname()
on the service port socket.  Instead they probably did
the easiest thing and used gethostname().

   Donn Cave, donn at u.washington.edu

