[Freeipa-users] http service keytab for cname virtual host

Natxo Asenjo natxo.asenjo at gmail.com
Wed Mar 28 20:49:14 UTC 2012


hi,

Enabling a kerberized site with the FQDN is very easy with FreeIPA, but we
would like to use virtual hosting and kerberized sites.

I have joined a host webserver01.ipa.domain.tld to an IPA realm. I then
created an SPN HTTP/webserver01.ipa.domain.tld, generated the keytab,
configured the Apache web server and it works.

Then I created a CNAME record (vhost) pointing to
webserver01.ipa.domain.tld. I enabled virtual hosting in the Apache
web server and configured the vhosts without kerberizing anything. Virtual
hosts work as expected.

But when I enable a kerberized directory in the vhost, then I see this in
the log file:

[Wed Mar 28 22:02:14 2012] [error] [client 192.168.0.21] gss_acquire_cred()
failed: Unspecified GSS failure.  Minor code may provide more information
(, Permission denied)
[Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1578): [client
192.168.0.21] kerb_authenticate_user entered with user (NULL) and auth_type
Kerberos
[Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1578): [client
192.168.0.21] kerb_authenticate_user entered with user (NULL) and auth_type
Kerberos
[Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1213): [client
192.168.0.21] Acquiring creds for HTTP at vhost.ipa.domain.tld.

When not using vhosts, it works, although I see similar debugging info (but
with HTTP@webserver01.ipa.domain.tld instead of HTTP@vhost.ipa.domain.tld). So
I was wondering if it is possible to do this vhost thing. With the IPA
tools I can only add service principals to joined hosts, not to CNAMEs.

It would be nice to have. Otherwise we need one server per
kerberized site, which is a bit of overkill really.

--
Regards,
natxo
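As an added diagnostic example (not part of the original post): mod_auth_kerb's "Acquiring creds for HTTP at vhost.ipa.domain.tld" means it looks in the keytab for HTTP/vhost.ipa.domain.tld@REALM, so the first thing to verify is whether that principal is actually present. The keytab bytes below are constructed inline with dummy keys, and the realm name IPA.DOMAIN.TLD is an assumption.

```python
import struct

# Constructed sample data: an MIT keytab (format 0x0502) holding only the
# host's own HTTP principal, mirroring the situation described in the post.
REALM = "IPA.DOMAIN.TLD"

def build_keytab(principals, realm=REALM):
    """Serialise one keytab entry per 'service/host' name (dummy keys, test data only)."""
    out = b"\x05\x02"
    for p in principals:
        # Entry layout: ncomp, realm, components (each as uint16 length + bytes)
        fields = [realm.encode()] + [c.encode() for c in p.split("/")]
        body = struct.pack(">H", len(fields) - 1)
        for s in fields:
            body += struct.pack(">H", len(s)) + s
        body += struct.pack(">IIB", 1, 0, 1)           # NT_PRINCIPAL, timestamp, kvno8
        body += struct.pack(">HH", 18, 32) + b"\x00" * 32  # aes256-cts with a dummy key
        out += struct.pack(">i", len(body)) + body
    return out

def _read_counted(buf: bytes, off: int):
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def keytab_principals(data: bytes):
    """Return the set of 'service/host@REALM' names stored in a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, names = 2, set()
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # a negative size marks a deleted slot
            pos += -size
            continue
        entry = data[pos:pos + size]
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, off = _read_counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            c, off = _read_counted(entry, off)
            comps.append(c)
        names.add("/".join(comps) + "@" + realm)
        pos += size
    return names

def missing_principal(data: bytes, vhost: str, realm=REALM):
    """Return HTTP/<vhost>@REALM if that name is not in the keytab, else None."""
    want = f"HTTP/{vhost}@{realm}"
    return None if want in keytab_principals(data) else want
```

On a real server, feed keytab_principals() the bytes of the keytab Apache is configured to read; note that the "Permission denied" minor code in the log can also mean the Apache user cannot read the keytab file, which this check does not cover.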