Re: Different behaviour of mod_auth_kerb depending on kerberos stack
Beier Michael
M.Beier at enbw.com
Tue Oct 19 16:19:43 EDT 2010
This confirms a note in the following guide I found at Microsoft:
http://technet.microsoft.com/en-us/library/bb742433.aspx
"You cannot map multiple service instances to the same user account."
But on the other hand: we ARE currently running a setup with ~300 services shared among only a few accounts. The only limitation seems to be that this only works with Heimdal. It would be a gigantic effort to create separate accounts for each service, and that without impact on the running services. So at the moment, using Heimdal on SLES 11 would be the better option.
My questions are now:
1) Will the following setup work?
keytab 1 will be generated for an account containing SPN HTTP/hostname.enbw.net.
keytab 2 will be generated for an account containing SPN HTTP/virtualhost.enbw.net
...
keytab x will be generated for an account containing SPN HTTP/virtualhostx.enbw.net
We have to create one "big merged" keytab file, containing all generated above, which will be used by mod_auth_kerb.
2) Firefox will always deliver the ticket for service HTTP/hostname.enbw.net - no matter which virtualhost is accessed?
3) Am I right, that the MIT kerberos implementation checks, if the referenced keytab file contains the service requested by the client and that this behaviour can not be changed?
Best regards,
Michael
-----Original Message-----
From: Russ Allbery [mailto:rra at stanford.edu]
Sent: Tuesday, 19 October 2010 20:02
To: Beier Michael
Cc: 'kerberos at mit.edu'
Subject: Re: Different behaviour of mod_auth_kerb depending on kerberos stack
Beier Michael <M.Beier at enbw.com> writes:
> Using the MIT implementation, accessing the virtualhost using Firefox
> still works, because Firefox does a reverse and forward DNS lookup and
> sends a Kerberos ticket for HTTP/hostname.enbw.net, which is found in
> the keytab file. With Internet Explorer mod_auth_kerb declines the access
> to http://virtualhost.enbw.net, because it sends (actually the same)
> Kerberos ticket (but) for HTTP/virtualhost.enbw.net, which is not found
> in the keytab file. Apache shows the following error:
> gss_accept_sec_context() failed: Unspecified GSS failure. Minor code
> may provide more information (, Key table entry not found)
> At the moment I've no really good ideas how to solve this - the first
> idea was to create a separate account and keytab for each virtualhost,
> but the different behaviour of Firefox and IE seems to make that
> impossible, because one ServicePrincipalName would have to be added to
> multiple accounts, but must be unique in Active Directory at the same
> time.
> Can anyone provide me some help or an idea how to solve this?
Add keytabs for each virtual host and then use "KrbServiceName Any" in
your Apache configuration.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
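To make the merged-keytab approach and the "Key table entry not found" behaviour concrete, here is an added example (not code from the thread, from mod_auth_kerb or from MIT Kerberos). It writes and parses keytab files in the MIT on-disk format (version 0x0502), merges the per-account keytabs from the question into the single file mod_auth_kerb would read via Krb5Keytab, emulates the acceptor-side lookup that fails in the Internet Explorer case, and audits the merged file. The realm name ENBW.NET is assumed (the thread only shows the DNS domain enbw.net), and the keys are random placeholders generated here; real keys come from the KDC. The audit exists because, with "KrbServiceName Any", every principal present in the keytab becomes an acceptable service identity for that Apache instance, so the keytab's contents are the trust boundary: a stray key for another service or host must not end up in the merged file.

```python
"""Build, merge and audit MIT-format (0x0502) keytabs offline.

Added example for the mod_auth_kerb thread; not the project's own code.
Realm ENBW.NET is assumed, keys are constructed placeholders (os.urandom).
"""
import os
import struct

KT_VERSION = b"\x05\x02"          # MIT keytab format version 2, big-endian
AES256_CTS_HMAC_SHA1_96 = 18      # enctype number from RFC 3962
KRB5_NT_PRINCIPAL = 1
REALM = "ENBW.NET"                # assumed; the thread only shows enbw.net


def _cstr(b: bytes) -> bytes:
    """Counted octet string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def keytab_entry(principal: str, realm: str, kvno: int, key: bytes,
                 enctype: int = AES256_CTS_HMAC_SHA1_96, timestamp: int = 0) -> bytes:
    """Serialise one entry: int32 size, components, realm, name type, time, kvno, keyblock."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    for c in comps:
        body += _cstr(c.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)   # trailing 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


def write_keytab(entries) -> bytes:
    return KT_VERSION + b"".join(entries)


def parse_keytab(data: bytes):
    """Return a list of dicts, skipping deleted slots (negative size)."""
    if data[:2] != KT_VERSION:
        raise ValueError("only keytab format 0x0502 is supported")
    off, out = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                  # unused slot left behind by a delete
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off); off += 2
        (rlen,) = struct.unpack_from(">H", data, off); off += 2
        realm = data[off:off + rlen].decode(); off += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, off); off += 2
            comps.append(data[off:off + clen].decode()); off += clen
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off); off += 9
        enctype, klen = struct.unpack_from(">HH", data, off); off += 4
        key = data[off:off + klen]; off += klen
        vno = vno8
        if end - off >= 4:            # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, off)
            vno = vno32 or vno8
        off = end
        out.append({"principal": "/".join(comps) + "@" + realm, "kvno": vno,
                    "enctype": enctype, "key": key, "timestamp": timestamp})
    return out


def merge_keytabs(files) -> bytes:
    """Concatenate keytabs into one file, dropping exact (principal, kvno, enctype) duplicates."""
    seen, entries = set(), []
    for f in files:
        for e in parse_keytab(f):
            ident = (e["principal"], e["kvno"], e["enctype"])
            if ident in seen:
                continue
            seen.add(ident)
            name, realm = e["principal"].rsplit("@", 1)
            entries.append(keytab_entry(name, realm, e["kvno"], e["key"], e["enctype"], e["timestamp"]))
    return write_keytab(entries)


def acceptor_has_key(keytab: bytes, sname: str) -> bool:
    """Emulates the acceptor lookup behind 'Key table entry not found': is the ticket's service name in the file?"""
    return any(e["principal"] == sname for e in parse_keytab(keytab))


def audit_keytab(keytab: bytes, served_hosts) -> list:
    """With KrbServiceName Any, anything in the file is accepted; flag non-HTTP or unknown-host principals."""
    problems = []
    for e in parse_keytab(keytab):
        svc, _, host = e["principal"].rsplit("@", 1)[0].partition("/")
        if svc != "HTTP" or host not in served_hosts:
            problems.append(e["principal"])
    return problems


def sample_keytabs():
    """The two per-account keytabs from the question, plus the merged file for mod_auth_kerb (constructed data)."""
    kt_host = write_keytab([keytab_entry("HTTP/hostname.enbw.net", REALM, 3, os.urandom(32))])
    kt_vhost = write_keytab([keytab_entry("HTTP/virtualhost.enbw.net", REALM, 1, os.urandom(32))])
    return kt_host, kt_vhost, merge_keytabs([kt_host, kt_vhost])


if __name__ == "__main__":
    kt_host, kt_vhost, merged = sample_keytabs()
    for sname in ("HTTP/hostname.enbw.net@" + REALM, "HTTP/virtualhost.enbw.net@" + REALM):
        print(sname, "host keytab:", acceptor_has_key(kt_host, sname), "merged:", acceptor_has_key(merged, sname))
    print("audit problems:", audit_keytab(merged, {"hostname.enbw.net", "virtualhost.enbw.net"}))
```

The host-only keytab reproduces the IE failure (the HTTP/virtualhost ticket has no matching entry), while the merged file satisfies both the Firefox and the IE ticket. In production the merge is done with ktutil (rkt each file, then wkt the result); the audit is the part worth keeping, since "KrbServiceName Any" removes the check that would otherwise reject a principal that does not belong to this web server.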