[Freeipa-users] IPA 2.2 and windows clients with MIT kerberos distribution

Baptiste AGASSE baptiste.agasse at lyra-network.com
Thu Sep 13 09:58:43 UTC 2012


Hi all,

Some days ago I said on the FreeIPA IRC channel that the documentation on FreeIPA + Apache + SNI (located here http://freeipa.org/page/Apache_SNI_With_Kerberos) was wrong.
I've set up an Apache server with SNI and tested SSO with MIT Kerberos on Windows 7 64-bit + Firefox. On my Windows 7 client, SSO doesn't work if I set the "dummyhost" Apache virtualhost's Krb5KeyTab and KrbServiceName, but works if Krb5KeyTab and KrbServiceName are those of the real host. This behavior is reversed with the Fedora 17 + Firefox client: SSO works only if the "dummyhost" Apache virtualhost's Krb5KeyTab and KrbServiceName are those of the "dummyhost".

So, the conclusion is: the documentation is good for Linux clients (at least on Fedora 17 + Firefox), but not for Windows clients.

I think it would be good to have the same behavior on Linux and Windows clients, because it will be painful in cross-platform environments if it stays like this.

rcrit said on IRC that you are working on v3 at this time; it would be good to know if v3.0 has the same behavior, but I don't have the resources at this time to set up another test environment with the v3 beta.

Detailed test configuration:

(see attached apache config extract for virtualhost configuration)

IPA server:
OS: CentOS 6.3
IPA: ipa-server.x86_64      2.2.0-16.el6
389 ds: 389-ds-base.x86_64     1.2.10.2-20.el6_3

IPA Realm: EXAMPLE.COM

Apache SNI server:
OS: CentOS 6.3
real hostname: projects.foo.example.com
dummy host 1: svn.example.com
dummy host 2: redmine.example.com
[...]

Windows client:
OS: Windows 7 64Bits.
Browser: Firefox 15.0.1, 14.0.x (32bits)
MIT Kerberos dist: 3.2.2 (32bits) (http://web.mit.edu/kerberos/dist/)

GNU/Linux client:
OS: Fedora 17 x86_64
Browser: Firefox 15 (latest provided by fedora)
Kerberos: (latest provided by fedora)

Have a nice day.

Regards.

Baptiste.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: works_with_linux_clients.conf
Type: application/octet-stream
Size: 774 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20120913/3e3c993e/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: works_with_windows7_clients.conf
Type: application/octet-stream
Size: 773 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20120913/3e3c993e/attachment-0001.obj>
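
A sketch of the two virtual-host variants compared in the message above, added here as an example; it is not the poster's attached configuration, which the archive scrubbed. Hostnames and realm are taken from the message; the keytab paths, the full-principal form of KrbServiceName and the remaining mod_auth_kerb settings are assumptions.

```apache
# Constructed example. Keytab paths are assumptions; TLS certificate
# directives are omitted for brevity.
NameVirtualHost *:443

<VirtualHost *:443>
    # One of the SNI "dummy" hosts served by projects.foo.example.com
    ServerName svn.example.com
    SSLEngine on

    <Location />
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate on
        KrbMethodK5Passwd off
        KrbAuthRealms EXAMPLE.COM

        # Variant reported to work with the Fedora 17 + Firefox client:
        # the virtual host's own service principal and keytab.
        KrbServiceName HTTP/svn.example.com@EXAMPLE.COM
        Krb5KeyTab /etc/httpd/conf/svn.keytab

        # Variant reported to work with the Windows 7 + MIT Kerberos client:
        # the real host's service principal and keytab.
        # Use these two lines instead of the two above.
        #KrbServiceName HTTP/projects.foo.example.com@EXAMPLE.COM
        #Krb5KeyTab /etc/httpd/conf/projects.keytab

        Require valid-user
    </Location>
</VirtualHost>
```

Running `klist -k` against each keytab lists the principals it holds, which confirms which of the two variants a given virtual host is actually using.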

