Load balanced apache and Keytab entries

Simon Young simon at excession.net
Tue Apr 19 11:54:05 EDT 2011


I've been trying to get our load balanced apache web servers to do
kerberos authentication. I've got everything working in a single
server environment with no load balancer, but when I duplicate the
config in the load balanced environment (using one web server for
simplicity), mod_auth_kerb comes back with the following:

gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code
may provide more information (, Key table entry not found)

But I haven't been able to determine *which* key table entry it's
looking for. I have LogLevel set to debug and have run apache under
strace, but that didn't reveal anything useful.

This is how we've set it up:

* Load balancer IP address (VIP) fqdn: vip5.mydomain.com
* Single host behind load balancer:    host1.mydomain.com

* Created an AD user account for the load balancer IP address (vip5)
* Two SPNs associated with the account:

  HOST/vip5.mydomain.com@MYDOMAIN.COM
  HTTP/vip5.mydomain.com@MYDOMAIN.COM

* Keytabs for these two SPNs exported to apache web server and
appropriately installed: HTTP to mod_auth_kerb's keytab, HOST and HTTP
to the system keytab.

The most likely explanation (considering that the same mod_auth_kerb
configuration works in a single-server setup) is that it's
searching for:

HTTP/host1.mydomain.com@MYDOMAIN.COM

With this in mind, I reconfigured the OS so that 'hostname -f' returned
the fqdn of the VIP (vip5.mydomain.com), but that didn't help.

I'm about to get our AD team to start making keytabs for the
individual web hosts, but I was wondering if there is any way to find
out for certain what apache is searching for?

Also, I'd appreciate any input if for any reason you think this
approach is inadvisable.

Many thanks,



P.S. For completeness, my mod_auth_kerb directives look like this:

AuthName "Kerberos Login"
AuthType Kerberos
Krb5Keytab /opt/apache/conf/vip5http.keytab
KrbServiceName HTTP/vip5.mydomain.com@MYDOMAIN.COM
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbSaveCredentials on
Require valid-user
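The question in the post is how to find out which key table entry is being looked up. The error says only that some entry is missing, so a practical check from the server side is to list what the keytab actually contains and compare it against every service principal a client could ask for (a SPNEGO client builds its SPN from the host name it used to reach the server, so the VIP name and the backend name are different principals). The block below is an added example and is not code from the original post or from mod_auth_kerb: a minimal parser for the MIT keytab file format (version 0x0502) that reports which expected principals are absent. The keytab bytes are constructed inline with dummy keys; the principal names and the `HTTP/host1...` candidate are taken from the post. On a real system `klist -kt /opt/apache/conf/vip5http.keytab` shows the same entries.

```python
"""Added example (not from the original post): parse an MIT Kerberos keytab
(format version 0x0502) and report which expected service principals are
missing. The sample keytab is constructed inline with dummy key material."""
import struct

KEYTAB_VERSION = b"\x05\x02"


def _counted(data: bytes) -> bytes:
    """Keytab 'counted octet string': uint16 big-endian length, then bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(buf: bytes, off: int):
    (n,) = struct.unpack(">H", buf[off:off + 2])
    off += 2
    return buf[off:off + n], off + n


def build_keytab(entries):
    """Build a v2 keytab from (principal, kvno, enctype, key) tuples.
    Constructed for this demo only; real keytabs come from ktpass/ktutil."""
    out = bytearray(KEYTAB_VERSION)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components))
        body += _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">I", 1)            # name_type: KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 1303228445)   # timestamp (arbitrary constant)
        body += struct.pack(">B", kvno & 0xFF)  # 8-bit key version
        body += struct.pack(">H", enctype)
        body += _counted(key)
        body += struct.pack(">I", kvno)         # optional 32-bit key version
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(blob: bytes):
    """Return [(principal, kvno, enctype)] for every live entry in the keytab.
    Entries with a negative size are deleted slots and are skipped."""
    if blob[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %r" % blob[:2])
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack(">i", blob[pos:pos + 4])
        pos += 4
        if size < 0:                 # deleted entry: skip its slot
            pos += -size
            continue
        entry = blob[pos:pos + size]
        pos += size
        off = 0
        (ncomp,) = struct.unpack(">H", entry[off:off + 2])
        off += 2
        realm, off = _read_counted(entry, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _read_counted(entry, off)
            comps.append(comp)
        off += 4                     # name_type
        off += 4                     # timestamp
        kvno = entry[off]
        off += 1
        (enctype,) = struct.unpack(">H", entry[off:off + 2])
        off += 2
        _key, off = _read_counted(entry, off)
        if off + 4 <= len(entry):    # 32-bit vno trailer overrides the 8-bit one if nonzero
            (vno32,) = struct.unpack(">I", entry[off:off + 4])
            if vno32:
                kvno = vno32
        principal = "/".join(c.decode() for c in comps) + "@" + realm.decode()
        entries.append((principal, kvno, enctype))
    return entries


def expected_spns(hostnames, realm, service="HTTP"):
    """One SPN per name a client might use in the URL (VIP name, backend name)."""
    return ["%s/%s@%s" % (service, h, realm) for h in hostnames]


def missing_principals(blob: bytes, expected):
    """Expected principals that have no entry in the keytab."""
    present = {p for p, _, _ in parse_keytab(blob)}
    return [p for p in expected if p not in present]


# Constructed sample: what the post says was exported for the VIP account.
# enctype 23 is RC4-HMAC; the 16 zero bytes stand in for a real key.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/vip5.mydomain.com@MYDOMAIN.COM", 3, 23, b"\x00" * 16),
    ("HOST/vip5.mydomain.com@MYDOMAIN.COM", 3, 23, b"\x00" * 16),
])

if __name__ == "__main__":
    for principal, kvno, enctype in parse_keytab(SAMPLE_KEYTAB):
        print("%-45s kvno=%d enctype=%d" % (principal, kvno, enctype))
    wanted = expected_spns(["vip5.mydomain.com", "host1.mydomain.com"], "MYDOMAIN.COM")
    print("missing:", missing_principals(SAMPLE_KEYTAB, wanted))
```

Run against the real file (`parse_keytab(open(path, "rb").read())`), the `missing` list is the set of names a client could present that the server cannot decrypt a ticket for. If a backend is ever reached directly by its own name, `HTTP/host1.mydomain.com` must also be in the keytab, and every host behind the VIP needs an identical copy of the `HTTP/vip5` key with the same kvno, since the KDC issues tickets against the account's current key version.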
