[Freeipa-users] http service keytab for cname virtual host

Simo Sorce simo at redhat.com
Wed Mar 28 23:07:25 UTC 2012


On Wed, 2012-03-28 at 17:30 -0400, Rob Crittenden wrote:
> Natxo Asenjo wrote:
> > hi,
> >
> > Enabling a kerberized site with the FQDN is very easy with FreeIPA, but we
> > would like to use virtual hosting and kerberized sites.
> >
> > I have joined a host webserver01.ipa.domain.tld to an IPA realm. I then
> > created an SPN HTTP/webserver01.ipa.domain.tld, generated the keytab,
> > configured the Apache webserver and it works.
> >
> > Then I created a cname record (vhost) pointing to
> > webserver01.ipa.domain.tld. I enabled virtual hosting in the apache
> > webserver, configured the vhosts without kerberizing anything. Virtual
> > hosts work as expected.
> >
> > But when I enable a kerberized directory in the vhost, then I see this
> > in the log file:
> >
> > [Wed Mar 28 22:02:14 2012] [error] [client 192.168.0.21]
> > gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may
> > provide more information (, Permission denied)
> > [Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1578): [client
> > 192.168.0.21] kerb_authenticate_user entered with user (NULL) and
> > auth_type Kerberos
> > [Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1578): [client
> > 192.168.0.21] kerb_authenticate_user entered with user (NULL) and
> > auth_type Kerberos
> > [Wed Mar 28 22:02:14 2012] [debug] src/mod_auth_kerb.c(1213): [client
> > 192.168.0.21] Acquiring creds for HTTP@vhost.ipa.domain.tld.
> >
> > When not using vhosts, it works, although I see similar debugging info
> > (but instead of HTTP@vhost.ipa.domain.tld,
> > HTTP@webserver01.ipa.domain.tld). So I was wondering if it is possible
> > to do this vhost thing. With the IPA tools I can only add service
> > principals to joined hosts, not to CNAMEs.
> >
> > It would be nice to have. Otherwise we need to have one server per
> > kerberized site, a bit of overkill really.
> 
> You should be able to add a host entry for the vhost, perhaps with the 
> --force flag to let it add w/o a DNS A record. Then you should be able 
> to create the service.

This shouldn't be necessary unless the vhost uses an A name, but then
you need a key for each vhost, which is burdensome.

I would keep this as a last resort after any other avenue failed.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
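The debug line "Acquiring creds for HTTP@vhost.ipa.domain.tld" shows where the vhost setup diverges from the working one: mod_auth_kerb builds the service principal from the vhost's ServerName, and the keytab only holds HTTP/webserver01.ipa.domain.tld. The following Apache fragment is an added example, not configuration from the thread or from the FreeIPA project; it assumes the realm IPA.DOMAIN.TLD, the hostnames used above, and that the host keytab was fetched to /etc/httpd/conf/ipa.keytab. It pins the CNAME vhost to the existing host principal, which is the route that avoids a key per vhost, and lists the per-vhost alternative from the reply above in a comment.

```apache
# Added example (not from the mailing-list thread). Assumptions:
#   - realm IPA.DOMAIN.TLD, hostnames as in the thread
#   - /etc/httpd/conf/ipa.keytab holds HTTP/webserver01.ipa.domain.tld and is
#     owned by and readable only by the apache user
#   - vhost.ipa.domain.tld is a CNAME for webserver01.ipa.domain.tld
<VirtualHost *:80>
    ServerName vhost.ipa.domain.tld
    DocumentRoot /var/www/vhost

    <Location /secure>
        AuthType Kerberos
        AuthName "Kerberos Login"
        # Give the full principal (with a '/'), so mod_auth_kerb uses it as-is
        # instead of deriving HTTP@<ServerName>, which is not in the keytab.
        KrbServiceName HTTP/webserver01.ipa.domain.tld
        KrbAuthRealms IPA.DOMAIN.TLD
        Krb5Keytab /etc/httpd/conf/ipa.keytab
        KrbMethodNegotiate On
        # Do not fall back to password auth over plain HTTP.
        KrbMethodK5Passwd Off
        Require valid-user
    </Location>
</VirtualHost>

# Alternative (the "last resort" above): a principal and key per vhost.
# Hypothetical IPA server name; run on the web server as an IPA admin:
#   ipa host-add vhost.ipa.domain.tld --force
#   ipa service-add HTTP/vhost.ipa.domain.tld
#   ipa-getkeytab -s ipaserver.ipa.domain.tld \
#       -p HTTP/vhost.ipa.domain.tld -k /etc/httpd/conf/ipa.keytab
# ipa-getkeytab appends to the keytab, so both principals can live in one
# file; then drop the KrbServiceName line and let ServerName select the key.
```

Two checks before changing anything: a "Permission denied" minor code from gss_acquire_cred() usually means the httpd process cannot read the keytab file at all, so verify ownership and mode first (klist -kt as the apache user shows what it can see). And the pinned-principal approach relies on clients canonicalizing the CNAME to the A record before requesting a ticket (the default rdns behaviour of MIT krb5 at the time); a client configured not to do so will ask the KDC for HTTP/vhost.ipa.domain.tld, and then only the per-vhost principal works.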



