[Freeipa-users] http service keytab for cname virtual host

Simo Sorce simo at redhat.com
Wed Mar 28 21:36:17 UTC 2012


On Wed, 2012-03-28 at 22:49 +0200, Natxo Asenjo wrote:
> hi,
> 
> enabling a kerberized site with the fqdn is very easy with freeipa but
> we would like to use virtual hosting and kerberized sites.
> 
> I have joined a host webserver01.ipa.domain.tld to an ipa realm. I then
> created a spn HTTP/webserver01.ipa.domain.tld, generated the keytab,
> configured the apache webserver and it works.
> 
> Then I created a cname record (vhost) pointing to
> webserver01.ipa.domain.tld. I enabled virtual hosting in the apache
> webserver, configured the vhosts without kerberizing anything. Virtual
> hosts work as expected.
> 
> But when I enable a kerberized directory in the vhost, then I see this
> in the log file:
> 
> [Wed Mar 28 22:02:14 2012] [error] [client 192.168.0.21]
> gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may
> provide more information (, Permission denied)
> [Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1578): [client
> 192.168.0.21] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1578): [client
> 192.168.0.21] kerb_authenticate_user entered with user (NULL) and
> auth_type Kerberos
> [Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1213): [client
> 192.168.0.21] Acquiring creds for HTTP@vhost.ipa.domain.tld.
> 
> When not using vhosts, it works although I see similar debugging info
> (but instead of HTTP@vhost.ipa.domain.tld,
> HTTP@webserver01.ipa.domain.tld). So I was wondering if it is possible
> to do this vhost thing. With the ipa tools I can only add service
> principals to joined hosts, not to cnames.
> 
> It would be nice to have. Otherwise we need to have one server per
> kerberized site, a bit of an overkill really.

CNAMEs should work just fine with the host's HTTP/A-name@REALM key.
In fact I just tested a virtual host on my ipa server using a cname and
it worked.
Can you post your (sanitized) mod_auth_kerb configuration?
Also what browser are you testing with?

If you kdestroy and then kinit clean, and then try to access the server
*only* using the CNAME, you should see the browser has acquired a ticket
for HTTP/A-name. You can use klist to verify. If this works you know it
is a server side issue only. If you do not have the ticket, there may be
a DNS/browser issue.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
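The client-side check from the reply above (kdestroy, kinit, hit the site via the CNAME only, then inspect klist), written up as a small POSIX sh helper that also covers the server-side keytab check. This is an added example, not code from the thread; the host names, realm, principal and the klist output are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic helper, not from the original thread. Assumed names:
# A-name webserver01.ipa.domain.tld, CNAME vhost.ipa.domain.tld, realm IPA.DOMAIN.TLD.

# lists_principal TEXT PRINCIPAL -> 0 if TEXT (klist / klist -k output) names PRINCIPAL
lists_principal() {
    printf '%s\n' "$1" | grep -q -F -- "$2"
}

# classify_ticket KLIST_OUTPUT A_NAME CNAME REALM
# Prints which HTTP service ticket the client actually obtained:
#   aname - client canonicalised the CNAME; the A-name key in the server keytab is enough
#   cname - client asked for HTTP/cname, a principal IPA cannot issue for a non-host CNAME
#   none  - no HTTP ticket at all: look at DNS or the browser, not at the server
classify_ticket() {
    if lists_principal "$1" "HTTP/$2@$4"; then echo aname
    elif lists_principal "$1" "HTTP/$3@$4"; then echo cname
    else echo none
    fi
}

# keytab_ok KLIST_K_OUTPUT A_NAME REALM -> 0 if the server keytab holds the A-name key
keytab_ok() {
    lists_principal "$1" "HTTP/$2@$3"
}

# Constructed klist output after a successful, canonicalised request via the CNAME.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: natxo@IPA.DOMAIN.TLD

Valid starting     Expires            Service principal
03/28/12 22:00:01  03/29/12 22:00:01  krbtgt/IPA.DOMAIN.TLD@IPA.DOMAIN.TLD
03/28/12 22:02:10  03/29/12 22:00:01  HTTP/webserver01.ipa.domain.tld@IPA.DOMAIN.TLD'

# Constructed "klist -k /etc/httpd/conf/ipa.keytab" output on the web server.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/httpd/conf/ipa.keytab
KVNO Principal
---- ------------------------------------------------------
   2 HTTP/webserver01.ipa.domain.tld@IPA.DOMAIN.TLD'

# Live version of the procedure; run by hand on the client, not by the tests.
# live_check USER A_NAME CNAME REALM
live_check() {
    kdestroy
    kinit "$1" || return 1
    curl -s -o /dev/null --negotiate -u : "https://$3/"   # touch the vhost via the CNAME only
    classify_ticket "$(klist)" "$2" "$3" "$4"
}
```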