Principal for Apache httpd vhost

Frank Gruellich frank.gruellich at navteq.com
Tue Apr 28 13:04:08 EDT 2009


Hi,

I have a Linux server which is named goofy (as in the output of the hostname
command) with fully qualified hostname goofy.example.com (as indicated by
hostname -f on the server itself).  DNS has an A record pointing from
goofy.example.com to 191.168.0.123, including reverse lookup (dig
confirms this, even at other machines).  This server runs an Apache
httpd with several vhosts configured, one of them www.example.com.  This
is configured to use mod_auth_kerb for authentication.  A CNAME
www.example.com is pointing to goofy.example.com.

Which principal do I add to the KDC database and export to
mod_auth_kerb's keytab?  Howtos suggest using the fully qualified
hostname, e.g. HTTP/goofy.example.com@EXAMPLE.COM.  However, browsers
have different opinions about that.  Firefox/Seamonkey (I guess all
Gecko based browsers) on Linux use HTTP/goofy.example.com@EXAMPLE.COM.
Safari on Apple's Mac OSX requests HTTP/www.example.com@EXAMPLE.COM from the
KDC.  Firefox on Mac OSX behaves like the Linux version.  I don't have
more browsers available right now, but I will test others.

What is the correct behavior and configuration?  Thanks for your help.

Kind regards,
-- 
Navteq (DE) GmbH
Frank Gruellich
Map24 Systems and Networks

Duesseldorfer Strasse 40a
65760 Eschborn
Germany

Phone:      +49 6196 77756-414
Fax:        +49 6196 77756-100

USt-ID-No.: DE 197947163
Managing Directors: Thomas Golob, Alexander Wiegand,
Hans Pieter Gieszen, Martin Robert Stockman
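
The two client behaviours reported in the message above, modelled as an added example that is not part of the original post: one client follows the CNAME before building the service principal, the other uses the name as typed. The zone table, the keytab contents and all function names are constructed for illustration; the sketch assumes the server can only accept tickets for principals whose keys are in its keytab.

```python
# Added illustration: zone data and keytab contents are constructed samples
# mirroring the names in the message (not output from a real DNS or KDC).
ZONE = {
    "www.example.com": ("CNAME", "goofy.example.com"),
    "goofy.example.com": ("A", "191.168.0.123"),
}


def canonical_name(host, zone, max_hops=8):
    """Follow CNAME records until a name with an A record is reached."""
    name = host.lower().rstrip(".")
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        rtype, value = zone[name]  # KeyError if the name is not in the zone
        if rtype == "A":
            return name
        name = value.lower().rstrip(".")
    raise ValueError("CNAME chain too long")


def requested_principal(url_host, realm, zone, canonicalize):
    """Principal a client would request for url_host.

    canonicalize=True  -> resolve the CNAME first (Gecko behaviour in the post)
    canonicalize=False -> use the name from the URL (Safari behaviour in the post)
    """
    host = canonical_name(url_host, zone) if canonicalize else url_host.lower()
    return f"HTTP/{host}@{realm}"


def keytab_coverage(vhosts, realm, zone, keytab):
    """Map each vhost to {principal: present_in_keytab} for both behaviours."""
    report = {}
    for vhost in vhosts:
        wanted = {requested_principal(vhost, realm, zone, c) for c in (True, False)}
        report[vhost] = {p: p in keytab for p in sorted(wanted)}
    return report


if __name__ == "__main__":
    # Constructed keytab holding only the principal the howtos suggest.
    keytab = {"HTTP/goofy.example.com@EXAMPLE.COM"}
    report = keytab_coverage(["www.example.com"], "EXAMPLE.COM", ZONE, keytab)
    for vhost, principals in report.items():
        for principal, present in principals.items():
            print(f"{vhost}: {principal} {'in keytab' if present else 'MISSING'}")
```

The `keytab` set stands in for the principal list that `klist -k` prints for the keytab file mod_auth_kerb is configured to use.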
