[32739] in Kerberos
Re: apache virtual hosts and keytabs
daemon@ATHENA.MIT.EDU (Russ Allbery)
Thu Sep 30 03:43:53 2010
From: Russ Allbery <rra@stanford.edu>
To: kerberos@mit.edu
In-Reply-To: <i81da8$vmr$1@dough.gmane.org> (Nikolay Shopik's message of "Thu,
30 Sep 2010 11:13:06 +0400")
Date: Thu, 30 Sep 2010 00:43:44 -0700
Message-ID: <87eicb8ymn.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Nikolay Shopik <shopik@inblock.ru> writes:
> On 30.09.2010 1:23, Russ Allbery wrote:
>> In practice, you need to add HTTP/* principals for both names to the
>> Apache keytab if they differ, and then configure mod_auth_kerb to
>> accept any credential that's available in the keytab. Last time we did
>> testing, Firefox did one thing and IE did the opposite thing, so you'll
>> have substantial numbers of users in both camps.
> So if my hostname is machine.example.com and virtual hostname
> virtual.example.com I have to add both in keytab?
Yup.
> I did try that didn't help me either.
Works for us. Be sure that you've set KrbServiceName to any in the
mod_auth_kerb configuration (and you're using a new enough mod_auth_kerb
that this is supported).
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
