
[mod_auth_kerb] Use of Kerberos with multiple vhost


Yves-Alexis Perez

Apr 23, 2009, 10:16:35 AM
to kerb...@mit.edu
Hi,

I'm trying to setup a system where users are in an active directory and
we use some Linux servers, using apache and mod_auth_kerb. I've
successfully managed to use kerberos to authenticate from a Windows XP
workstation (and from a kerberized Linux box) to the webserver if I use
the fqdn of the server. Using a virtualhost which doesn't point to the
fqdn doesn't work.

I've created the keytab using the ktpass util on the PDC, and the
principal name is HTTP/fqdn.exa...@REALM.EXAMPLE.NET

I then use:

AuthType Kerberos
KrbMethodNegotiate On
KrbServiceName HTTP/fqdn.example.net
KrbAuthRealms REALM
require valid-user

to protect a directory accessible from http://fqdn.example.net/~user/
and another directory accessible using http://vhost.example.net/.
The former works while the latter doesn't

fqdn.example.net has a correct reverse while vhost.example.net doesn't,
but forcing it in the various /etc/hosts involved doesn't work.

Looking at the logs it seems that firefox and internet explorer don't
even try to start to negotiate Kerberos auth from the vhost one.

I'm wondering if I should use one principal per vhost (which doesn't
scale very well).

oh, btw I'm using krb5 1.6.1 from RHEL5.

Thanks for any help (please leave my CC: on reply because I'm not subscribed
to the list).

Cheers,
--
Yves-Alexis

Yves-Alexis Perez

Apr 24, 2009, 9:07:06 AM
to kerb...@mit.edu
On jeu, 2009-04-23 at 16:16 +0200, Yves-Alexis Perez wrote:
> fqdn.example.net has a correct reverse while vhost.example.net doesn't,
> but forcing it in the various /etc/hosts involved doesn't work.
>
> Looking at the logs it seems that firefox and internet explorer don't
> even try to start to negotiate Kerberos auth from the vhost one.
>
> I'm wondering if I should use one principal per vhost (which doesn't
> scale very well).

I tried to create another user in AD and map the fqdn.example.net to
that user, creating another keytab. Then use that second keytab in the
vhost protection, and it worked.
So kerberos auth works fine, and the config as well. But having to
create a user per service doesn't scale very well (especially if you
multiply the vhost number by various criticality levels dev/qa/test/prod/...) so
it'd be nice if I could use only one AD user per server. Having one
service principal name per server would be even better, but I guess I
could do with one SPN per vhost if I can map all of them to the same AD
user.

Any idea on how to do that?

Cheers,
--
Yves-Alexis
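The check a practitioner would want for both messages above (the vhost that browsers never negotiate with, and the question of mapping several SPNs to one AD user) is whether each host name a vhost is reached under has a matching HTTP/ principal in the keytab Apache reads. A SPNEGO client asks the KDC for a ticket to HTTP/<host taken from the URL>, so a vhost name that is absent from the keytab cannot be decrypted by mod_auth_kerb no matter how the Apache directives are set. The script below is an added example, not code from the thread or from mod_auth_kerb: it parses constructed `klist -k` output, derives the SPN each vhost name implies, reports which are missing, and emits the `setspn -A` lines that would register the missing SPNs on a single AD account. The keytab path, the realm REALM.EXAMPLE.NET, the extra vhost names and the account name `svc-web` are assumed placeholders.

```python
import re

# Constructed sample of `klist -k` output for illustration; the keytab path and
# the principal are placeholders, not values taken from the thread.
SAMPLE_KLIST = """Keytab name: FILE:/etc/httpd/http.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/fqdn.example.net@REALM.EXAMPLE.NET
   3 HTTP/fqdn.example.net@REALM.EXAMPLE.NET
"""

# Host names the vhosts are reached under, exactly as a browser sees them in the
# URL (constructed; the second and third are assumed extra vhosts).
SAMPLE_VHOSTS = ["fqdn.example.net", "vhost.example.net:8080", "QA.Example.Net"]


def parse_klist(text):
    """Return the set of principals listed in `klist -k` output.

    Each entry line is '<kvno> <principal@REALM>'; the header, the separator
    and the 'Keytab name:' line do not start with a number and are skipped.
    Duplicate lines (one per encryption type) collapse into the set."""
    principals = set()
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            principals.add(m.group(1))
    return principals


def expected_spn(url_host, realm):
    """Derive the service principal a SPNEGO client will request for a URL host.

    The client uses HTTP/<host>; an explicit port is dropped and host names are
    matched case-insensitively, so the host is normalised to lowercase."""
    host = url_host.split(":", 1)[0].lower()
    return f"HTTP/{host}@{realm}"


def coverage_report(vhosts, keytab_principals, realm, account):
    """Split vhosts into those whose SPN the keytab can decrypt and those it cannot.

    For every missing SPN, build the `setspn -A <SPN> <account>` line that would
    register it on one AD account instead of creating a user per vhost. The
    account name is an assumed placeholder supplied by the caller."""
    covered, missing = [], []
    for vhost in vhosts:
        spn = expected_spn(vhost, realm)
        (covered if spn in keytab_principals else missing).append(spn)
    fixes = [f"setspn -A {spn.split('@', 1)[0]} {account}" for spn in missing]
    return covered, missing, fixes


if __name__ == "__main__":
    principals = parse_klist(SAMPLE_KLIST)
    covered, missing, fixes = coverage_report(
        SAMPLE_VHOSTS, principals, "REALM.EXAMPLE.NET", "svc-web")
    print("covered by keytab:", covered)
    print("missing from keytab:", missing)
    for cmd in fixes:
        print("  ", cmd)
```

Registering several SPNs on one account with setspn is the standard way to avoid one AD user per vhost; each SPN still needs a key in the keytab the server reads (ktpass writes one keytab per run, and ktutil can merge them), and the KrbServiceName in each vhost must name the SPN that vhost is reached by. Separately, Firefox only sends Negotiate to hosts listed in network.negotiate-auth.trusted-uris and Internet Explorer only to sites in the Local intranet zone, which is the first thing to verify when the server logs show no negotiation attempt at all.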
