[solved] Using Apache with mod_auth_kerb

Russ Allbery rra at stanford.edu
Tue Dec 2 19:20:50 EST 2008


Ansgar Burchardt <ansgar at 2008.43-1.org> writes:

> I have found the problem: Firefox seems to require that the Kerberos
> service principal matches the domain name entered in the address bar,
> while Konqueror was satisfied with the service principal matching the
> host name of the server.
>
> I added another service principal "HTTP/www.example.com" (only had
> "HTTP/server.example.com" before) and put "KrbServiceName Any" in the
> Apache configuration and everything works now.

Yeah, common problem (and why KrbServiceName any is there).

> The krb5.conf only has the default_realm, all other options can be
> obtained via DNS here.  This makes using Kerberos from home much easier
> to set up.

Note that domain to realm mappings via TXT records aren't enabled by
default for MIT Kerberos because it has security implications.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
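
An added example, not part of the original message: a check that the keytab Apache reads holds an HTTP/<host> principal for every name a browser may be pointed at, which is the mismatch described above. The function names, the keytab path, the realm EXAMPLE.COM and the sample `klist -k` listings are constructed for illustration.

```shell
#!/bin/sh
# Report which HTTP/<host> service principals are absent from a keytab listing.
# stdin: output of plain `klist -k <keytab>` (no -t/-e columns)
# args:  realm, then every host name users may type in the address bar
#        (the ServerName plus each ServerAlias of the virtual host).
missing_http_spns() {
    realm=$1; shift
    # Data lines look like "   3 HTTP/host@REALM"; keep the principal column.
    have=$(awk '$1 ~ /^[0-9]+$/ { print $2 }')
    for host in "$@"; do
        want="HTTP/${host}@${realm}"
        # Exact, whole-line match; print the principal only when it is missing.
        printf '%s\n' "$have" | grep -Fxq -- "$want" || printf '%s\n' "$want"
    done
}

# Constructed sample: keytab listing before the second principal was added.
sample_before() {
cat <<'EOF'
Keytab name: FILE:/etc/apache2/http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/server.example.com@EXAMPLE.COM
EOF
}

# Constructed sample: the same keytab after adding HTTP/www.example.com.
sample_after() {
    sample_before
    echo "   1 HTTP/www.example.com@EXAMPLE.COM"
}

check_before() {
    sample_before | missing_http_spns EXAMPLE.COM server.example.com www.example.com
}

check_after() {
    sample_after | missing_http_spns EXAMPLE.COM server.example.com www.example.com
}

# Stand-alone run: prints the principal Firefox needed but the keytab lacked.
check_before
```

Since "KrbServiceName Any" lets Apache accept a ticket for any principal in the keytab, the same listing is worth reading for entries that do not belong to this web server.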


