apache virtual hosts and keytabs

Nikolay Shopik shopik at inblock.ru
Thu Sep 30 13:04:19 EDT 2010


On 30.09.2010 11:43, Russ Allbery wrote:
> Nikolay Shopik<shopik at inblock.ru>  writes:
>> On 30.09.2010 1:23, Russ Allbery wrote:
>
>>> In practice, you need to add HTTP/* principals for both names to the
>>> Apache keytab if they differ, and then configure mod_auth_kerb to
>>> accept any credential that's available in the keytab.  Last time we did
>>> testing, Firefox did one thing and IE did the opposite thing, so you'll
>>> have substantial numbers of users in both camps.
>
>> So if my hostname is machine.example.com and virtual hostname
>> virtual.example.com I have to add both in keytab?
>
> Yup.
>
>> I did try that didn't help me either.
>
> Works for us.  Be sure that you've set KrbServiceName to any in the
> mod_auth_kerb configuration (and you're using a new enough mod_auth_kerb
> that this is supported).
>

Thanks Russ,

Setting KrbServiceName HTTP/virtual.example.com, make it work flawlessly.




More information about the Kerberos mailing list