[Freeipa-users] http service keytab for cname virtual host
Natxo Asenjo
natxo.asenjo at gmail.com
Thu Mar 29 06:58:37 UTC 2012
On Wed, Mar 28, 2012 at 11:36 PM, Simo Sorce <simo at redhat.com> wrote:
>
> CNAMEs should work just fine with the host's HTTP/A-name@REALM key.
> In fact I just tested a virtual host on my ipa server using a cname and
> it worked.
>
great!
> Can you post your (sanitized) mod_auth_kerb configuration ?
> Also what browser are you testing with ?
>
sure:
<VirtualHost *:80>
    ServerName vhost.ipa.domain.tld
    ServerAdmin webmaster@domain.tld
    DocumentRoot /var/www/html/vhost1
    LogLevel debug
    CustomLog /var/log/httpd/vhost1.access.log combined
    ErrorLog /var/log/httpd/vhost1.error.log
    <Location "/kerb">
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate on
        KrbMethodK5Passwd off
        KrbServiceName HTTP
        KrbAuthRealms IPA.DOMAIN.TLD
        Krb5KeyTab /etc/httpd/conf/webserver01_http.keytab
        KrbSaveCredentials on
        Require valid-user
    </Location>
</VirtualHost>
> If you kdestroy and then kinit clean, and then try to access the server
> *only* using the CNAME you should see the browser has acquired a ticket
> for HTTP/A-name. You can use klist to verify. If this works you know it
> is a server side issue only. If you do not have the ticket, there may be
> a DNS/browser issue.
>
yes, I get an HTTP/A-name ticket and a 500 internal server error on the
browser. So you are right, we have an apache issue only. If you can shed
some light on the mod_kerb config that will be great.
TIA.
--
Groeten,
Natxo
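
Added example, not part of the original message and not FreeIPA or mod_auth_kerb code: the klist check described in the quoted advice, extended with a comparison against the keytab listing, since the server can only accept the ticket if its keytab holds a key for the same principal. The A-name webserver01.ipa.domain.tld, the function names and both sample listings are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample: `klist` output after opening the CNAME URL in the browser.
SAMPLE_CCACHE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@IPA.DOMAIN.TLD

Valid starting     Expires            Service principal
03/29/12 08:40:01  03/30/12 08:40:01  krbtgt/IPA.DOMAIN.TLD@IPA.DOMAIN.TLD
03/29/12 08:41:12  03/30/12 08:40:01  HTTP/webserver01.ipa.domain.tld@IPA.DOMAIN.TLD'

# Constructed sample: `klist -k /etc/httpd/conf/webserver01_http.keytab` output.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/httpd/conf/webserver01_http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/webserver01.ipa.domain.tld@IPA.DOMAIN.TLD'

# has_principal TEXT PRINCIPAL
# Succeeds if PRINCIPAL is the last field of any line in TEXT. Both klist
# listings print the principal as the last column of each entry.
has_principal() {
    printf '%s\n' "$1" |
        awk -v p="$2" '$NF == p { found = 1 } END { exit !found }'
}

# diagnose CCACHE_TEXT KEYTAB_TEXT A_NAME REALM
# Prints where to look next, based on which side holds HTTP/A_NAME@REALM.
diagnose() {
    spn="HTTP/$3@$4"
    if ! has_principal "$1" "$spn"; then
        # No service ticket for the A-name: DNS or browser side.
        echo "client-or-dns"
    elif ! has_principal "$2" "$spn"; then
        # Client has the ticket but the keytab has no key for that principal.
        echo "keytab-missing-spn"
    else
        # Ticket and key both present: remaining suspects are on the httpd
        # side (module configuration, keytab file permissions, error log).
        echo "server-config"
    fi
}

# On a live system, pass "$(klist)" and "$(klist -k <keytab>)" instead.
diagnose "$SAMPLE_CCACHE" "$SAMPLE_KEYTAB" webserver01.ipa.domain.tld IPA.DOMAIN.TLD
```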