Problem using KrbServiceName

Richard E. Silverman res at qoxp.net
Tue May 23 01:47:29 EDT 2006


>>>>> "MG" == "Martin Goldstone" <martin.goldstone at nulc.ac.uk> writes:

Why do you have two different principals for this service?  There should
be only one, and in fact there *can* be only one, since mod_auth_kerb will
only take one as its identity (and report "wrong principal in request" if
a client uses the wrong one).

As for "hostname cannot be canonicalized," check the version of
mod_auth_kerb you're running -- I think using a fully-qualified principal
was added later on.

    MG> Hi, I'm getting further along with my problem, and I think it's
    MG> coming down to the fact that we've got 2 AD domains here.

    MG> Right now, I'm having problems using the KrbServiceName directive
    MG> in .htaccess.

    MG> I've had to get two different principals mapped to user accounts
    MG> and put in the keytab (one for each AD domain) using ktpass.exe,
    MG> and now my machine is getting a ticket for the service principal
    MG> for the webserver (as shown by kerbtray.exe).  However, the error
    MG> log on the webserver is telling me "Wrong principal in request".

    MG> I've tried adding a KrbServiceName directive, but I consistently
    MG> get an error message that reads "Hostname cannot be canonicalized"
    MG> if I include the realm, or "No principal in keytab matches desired
    MG> name" if I don't.  What I suspect I need is
    MG> HTTP/webtest.nulcollege.ac.uk at DOMAIN.AC.UK (which is the service
    MG> principal mapped to the user account on the domain.ac.uk AD
    MG> domain), along with HTTP/webtest.nulcollege.ac.uk at NULCOLLEGE.AC.UK
    MG> (which is the equivalent on the nulcollege.ac.uk AD domain, and
    MG> also I believe is the principal that the server is expecting).
    MG> However, when I enter either the full
    MG> HTTP/webtest.nulcollege.ac.uk at DOMAIN.AC.UK I get the first error
    MG> message, and when I enter HTTP/webtest.nulcollege.ac.uk I get the
    MG> second one.

    MG> Can someone tell me where I'm going wrong with this directive?
    MG> Any examples for entries that actually work?  Would I be better off
    MG> just mapping a new service principal such as
    MG> www/webtest.nulcollege.ac.uk at DOMAIN.AC.UK on the domain.ac.uk AD
    MG> domain to avoid having two service principals starting with the
    MG> same string?

    MG> Thanks in advance for any advice given.

    MG> Martin Goldstone | IT Technician Newcastle-under-Lyme College,
    MG> Staffordshire, ST5 2DF 01782 254307 | martin.goldstone at nulc.ac.uk



-- 
  Richard Silverman
  res at qoxp.net
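The point of the reply above is that the keytab must leave the server exactly one unambiguous identity for the service name it is configured with. The following is an added diagnostic, not code from the thread or from mod_auth_kerb: it parses `klist -kt` output (the listing below is a constructed sample mirroring the two-realm situation described) and reports whether a desired service principal is missing, ambiguous across realms, or unique. The selection rule is a simplification written for this check, not mod_auth_kerb's own logic.

```python
"""Check whether a service principal is unambiguous in a keytab listing."""
import re

# Constructed sample of `klist -kt /etc/krb5.keytab` output: the same
# HTTP/host name has been added for two AD realms (one entry is duplicated).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   3 05/22/06 10:01:12 HTTP/webtest.nulcollege.ac.uk@DOMAIN.AC.UK
   3 05/22/06 10:01:12 HTTP/webtest.nulcollege.ac.uk@DOMAIN.AC.UK
   5 05/22/06 10:03:40 HTTP/webtest.nulcollege.ac.uk@NULCOLLEGE.AC.UK
   2 05/22/06 10:05:07 host/webtest.nulcollege.ac.uk@NULCOLLEGE.AC.UK
"""

# KVNO, date, time, principal; header and separator rows do not match.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s*$")


def parse_keytab_listing(text):
    """Return the distinct (kvno, principal) pairs in a klist -kt listing."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.add((int(m.group(1)), m.group(2)))
    return entries


def candidate_principals(entries, service, host, realm=None):
    """Keytab principals named service/host, optionally restricted to realm."""
    wanted = f"{service}/{host}"
    out = []
    for kvno, principal in sorted(entries):
        name, _, prealm = principal.partition("@")
        if name == wanted and (realm is None or prealm == realm):
            out.append((kvno, principal))
    return out


def diagnose(entries, service, host, realm=None):
    """Return ('none'|'ambiguous'|'ok', sorted list of realms found).

    'none' corresponds to "No principal in keytab matches desired name";
    'ambiguous' means the same service/host exists in more than one realm,
    so clients may present tickets for a principal the server does not use.
    """
    cands = candidate_principals(entries, service, host, realm)
    realms = sorted({p.partition("@")[2] for _, p in cands})
    if not realms:
        return "none", realms
    if len(realms) > 1:
        return "ambiguous", realms
    return "ok", realms
```

Run `diagnose(parse_keytab_listing(SAMPLE_KLIST), "HTTP", "webtest.nulcollege.ac.uk")` to see the ambiguous case; pass `realm="NULCOLLEGE.AC.UK"` to confirm a single usable identity.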