Kerberos Hostname Mapping for HTTP Server Ticket Requests
Chris Fields
Chris.Fields at pathmaker-group.com
Thu Mar 8 18:44:13 EST 2007
Hello,
I am trying to get a Linux server with the krb5 libraries to talk to a
Windows 2000 domain (KDC) to provide tickets that allow the Linux web
server to grant access to HTTP URLs. This works fine when the host name
in the URL matches the host name of the Linux web server making the
request for the ticket (e.g. HTTP://linuxserver/index.html where
"linuxserver" is the host name of the server making the Kerberos
requests for a ticket)
We have a Windows account matching the Linux host name and mapped to a
Kerberos principal with HTTP/linuxserver at domain.com as the principal
name. This all works fine. It breaks when we try to access an HTTP URL
with a different hostname (e.g. HTTP://server2/index.html) but it is
hosted on the same server. How does the Linux host name come into play
when the Linux server is requesting a ticket from the Windows KDC? Is
Windows Kerberos only going to allow that Linux server to grant tickets
to HTTP applications with the Linux server as the host name in the HTTP
URL?
Thanks for your help.
More information about the krbdev
mailing list