Re: apache virtual hosts and keytabs

daemon@ATHENA.MIT.EDU (Russ Allbery)
Wed Sep 29 17:23:25 2010

From: Russ Allbery <rra@stanford.edu>
To: kerberos@mit.edu
In-Reply-To: <2be9b04f-899f-42ed-a31b-8beb56e75650@q2g2000vbk.googlegroups.com>
	(Vlad's message of "Mon, 27 Sep 2010 12:29:05 -0700 (PDT)")
Date: Wed, 29 Sep 2010 14:23:20 -0700
Message-ID: <87sk0sw8fr.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Vlad <vladistan@gmail.com> writes:

> You should always use the hostname that is typed in the browser.
> Browsers always use the hostname from the URL to request the ticket from
> KDC.  If you use your actual server name, that will cause a principal
> mismatch, and you will get exactly the error you're getting.

This is, sadly, not the case.  Some browsers do that.  Others use the
result from doing a forward and then reverse DNS lookup of the hostname.

In practice, you need to add HTTP/* principals for both names to the
Apache keytab if they differ, and then configure mod_auth_kerb to accept
any credential that's available in the keytab.  Last time we did testing,
Firefox did one thing and IE did the opposite thing, so you'll have
substantial numbers of users in both camps.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
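The two browser behaviours Russ describes, as an added illustration (not code from the post or from mod_auth_kerb): one strategy builds the service principal from the hostname typed in the URL, the other canonicalizes it by a forward then reverse DNS lookup first. The hostnames, realm and DNS records below are constructed so the example runs offline; the union of both results is what the keytab must contain.

```python
import socket
from typing import Callable, List, Optional, Set

Resolver = Callable[[str], Optional[str]]

# Constructed DNS data so the example runs offline: the virtual-host name and
# the real server name share one address, and the PTR record names the server.
FAKE_FORWARD = {"www.example.com": "192.0.2.10", "web01.example.com": "192.0.2.10"}
FAKE_REVERSE = {"192.0.2.10": "web01.example.com"}


def resolve_fake(host: str) -> Optional[str]:
    """Forward-then-reverse lookup against the constructed records."""
    addr = FAKE_FORWARD.get(host.lower())
    return None if addr is None else FAKE_REVERSE.get(addr)


def resolve_system(host: str) -> Optional[str]:
    """Same lookup against the real resolver (what a canonicalizing browser does)."""
    try:
        return socket.gethostbyaddr(socket.gethostbyname(host))[0]
    except OSError:
        return None


def principal_from_url_host(host: str, realm: str) -> str:
    """Browser strategy 1: use the hostname exactly as typed in the URL."""
    return f"HTTP/{host.lower()}@{realm}"


def principal_from_canonical(host: str, realm: str, resolve: Resolver) -> str:
    """Browser strategy 2: canonicalize via forward + reverse DNS first.
    Falls back to the typed name when the lookup fails (an assumption here)."""
    canonical = resolve(host) or host
    return f"HTTP/{canonical.lower()}@{realm}"


def required_keytab_principals(host: str, realm: str, resolve: Resolver) -> List[str]:
    """Every principal some browser may ask the KDC for; all must be in the keytab."""
    wanted = {principal_from_url_host(host, realm),
              principal_from_canonical(host, realm, resolve)}
    return sorted(wanted)


def missing_from_keytab(required: List[str], keytab: Set[str]) -> List[str]:
    """Principals a browser may request that the keytab cannot decrypt; each one
    corresponds to a population of users who see the principal-mismatch error."""
    return sorted(p for p in required if p not in keytab)
```

With `KrbServiceName Any` in mod_auth_kerb, Apache accepts whichever of those keytab entries the client's ticket was issued for.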