apache virtual hosts and keytabs

Russ Allbery rra at stanford.edu
Thu Sep 30 03:43:44 EDT 2010


Nikolay Shopik <shopik at inblock.ru> writes:
> On 30.09.2010 1:23, Russ Allbery wrote:

>> In practice, you need to add HTTP/* principals for both names to the
>> Apache keytab if they differ, and then configure mod_auth_kerb to
>> accept any credential that's available in the keytab.  Last time we did
>> testing, Firefox did one thing and IE did the opposite thing, so you'll
>> have substantial numbers of users in both camps.

> So if my hostname is machine.example.com and virtual hostname 
> virtual.example.com I have to add both in keytab?

Yup.

> I did try that didn't help me either.

Works for us.  Be sure that you've set KrbServiceName to any in the
mod_auth_kerb configuration (and you're using a new enough mod_auth_kerb
that this is supported).

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>



More information about the Kerberos mailing list