On Thu, 24 Mar 2011, Michael B Allen wrote:
> On Wed, Mar 23, 2011 at 2:35 PM, John Hodrien wrote:
>> On Wed, 23 Mar 2011, Michael B Allen wrote:
>>
>> Sure, but if you're not a domain admin, you've only got a machine principal,
>> and your own principal (which I can use to join machines to the d
On Wed, Mar 23, 2011 at 2:35 PM, John Hodrien wrote:
> On Wed, 23 Mar 2011, Michael B Allen wrote:
>
>>> Yes, but using the machine principal you're able to request any number of
>>> service principals that are SERVICENAME/. For this to work in a
>>> virtual hosting environment, you need mult
On Wed, 23 Mar 2011, Michael B Allen wrote:
Yes, but using the machine principal you're able to request any number of
service principals that are SERVICENAME/. For this to work in a
virtual hosting environment, you need multiple machine names (since we're
talking about making a number of HTTP/
On Tue, Mar 22, 2011 at 5:55 AM, John Hodrien wrote:
> On Tue, 22 Mar 2011, Michael B Allen wrote:
>
>> Hi John,
>>
>> You would not have to create "dummy" machine records. The
>> servicePrincipalName attribute on an AD account is multi-valued and
>> clients can request and get a ticket for ANY pr
On Tue, 22 Mar 2011, Michael B Allen wrote:
> Hi John,
>
> You would not have to create "dummy" machine records. The
> servicePrincipalName attribute on an AD account is multi-valued and
> clients can request and get a ticket for ANY principal in that list.
> So you only need one account.
>
> And
On Sat, Mar 19, 2011 at 4:28 AM, John Hodrien wrote:
>> An HTTP client can authenticate with any principal in the service
>> keytab and only one of their hostnames is going to have a PTR record.
>> So I'm not sure I understand your claim here.
>
> Two A records, with PTR record pointing to the A r
On Fri, 18 Mar 2011, Michael B Allen wrote:
Hi John,
Actually I think this practice is now considered poor behavior. I look
at a lot of packet captures and I don't recall seeing PTR lookups. At
least not from Windows clients. Also I recall there was a discussion
about this on the Kerberos list
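Whether a client builds its HTTP/ principal from the name in the URL or from a reverse (PTR) lookup is, for MIT Kerberos clients such as curl or Firefox and Chrome on Linux, decided in krb5.conf. The fragment below is an added example, not configuration from the thread; the realm is an assumption.

```ini
# Added example (not from the thread). MIT krb5 client settings that control
# which hostname ends up in the HTTP/<host>@REALM service principal.
[libdefaults]
    default_realm = CORE.HOST.EDU          # assumed realm

    # rdns defaults to true: after resolving the name, the library does a PTR
    # lookup and uses that name for the principal. A vhost whose address
    # reverse-resolves to the server's canonical name then gets a ticket for
    # HTTP/canonical instead of HTTP/vhost. Turning it off removes the PTR
    # record from the picture entirely.
    rdns = false

    # krb5 1.12 and later: also skip forward canonicalization (following a
    # CNAME to the A record's name). With this off, HTTP/<name as typed> is
    # requested, so that exact SPN must be registered and in the keytab.
    dns_canonicalize_hostname = false
```

With both settings at their defaults, a CNAME alias is canonicalized to the A record's name before the ticket request, which is why one SPN on the A record name can serve several CNAMEs; with them off, every name a browser uses needs its own HTTP/ entry.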
On Fri, Mar 18, 2011 at 2:36 PM, Michael B Allen wrote:
> On Fri, Mar 18, 2011 at 6:25 AM, John Hodrien wrote:
>> Surely that wouldn't care how I'd done it? That requires the PTR record, and
>> that it points back to the name of the principal you want to use. With
>> multiple PTR records to the
On Fri, Mar 18, 2011 at 2:58 PM, R P Herrold wrote:
> On Fri, 18 Mar 2011, Michael B Allen wrote:
>
>> True. You cannot have multiple PTR records for an IP. I did not mean
>> to suggest that you could.
>
> Not saying you are wrong here, but have you an RFC reference
> to this effect? We previousl
On Fri, Mar 18, 2011 at 6:25 AM, John Hodrien wrote:
> On Fri, 18 Mar 2011, Michael B Allen wrote:
>
>> Hi John,
>>
>> Arguably it's not the end-of-the-world to go through CNAMEs. If it
>> works for you, then don't let me deter you.
>
> Indeed it does, and it was the only way I could see you /could
On Fri, 18 Mar 2011, Michael B Allen wrote:
> Hi John,
>
> Arguably it's not the end-of-the-world to go through CNAMEs. If it
> works for you, then don't let me deter you.
Indeed it does, and it was the only way I could see you /could/ do this.
Especially if you're not a domain admin. I'm still n
On Thu, Mar 17, 2011 at 6:18 AM, John Hodrien wrote:
> On Wed, 16 Mar 2011, Michael B Allen wrote:
>> I don't know what the official view is on going through a CNAME but I
>> think that is probably a dubious practice. The proper way to handle
>> this scenario would be to add another servicePrincip
On Wed, 16 Mar 2011, Michael B Allen wrote:
> On Mon, Mar 14, 2011 at 5:58 AM, John Hodrien wrote:
>> On Mon, 14 Mar 2011, Michael B Allen wrote:
>>
>>> Hi Asya,
>>>
>>> You must set the servicePrincipalName attribute on the service account
>>> (MYSERVER$ in this case) to include all of the hostn
On Mon, Mar 14, 2011 at 5:58 AM, John Hodrien wrote:
> On Mon, 14 Mar 2011, Michael B Allen wrote:
>
>> Hi Asya,
>>
>> You must set the servicePrincipalName attribute on the service account
>> (MYSERVER$ in this case) to include all of the hostnames that will be
>> used to access the web server wh
Thank you!
I'm working on it right now and will give my progress report soon :)
Asya
On Mar 14, 2011, at 6:11 AM, John Hodrien wrote:
> On Fri, 11 Mar 2011, Dvorkin, Asya wrote:
>
>> [root@myserver conf]# klist -k
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Principal
>>
>> ---
On Fri, 11 Mar 2011, Dvorkin, Asya wrote:
> [root@myserver conf]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
>
> --
> 2 host/myserver.server@core.host.edu
> 2 host/rmyserver.server@core.ho
On Fri, 11 Mar 2011, David Brian Chait wrote:
>> I looked in AD configuration and see that my server does not have
>> appropriate ServicePrincipalName for HTTP (only host).
>
> Of course it doesn't, you gathered that ticket by joining the domain with
> Samba, but are not using samba auth with apa
On Fri, 11 Mar 2011, David Brian Chait wrote:
> It appears as though you need to create a proper SPN/keytab from the AD
> server:
>
> http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/tsec_SPNEGO_config_dc.html
I've done this just wi
On Mon, 14 Mar 2011, Michael B Allen wrote:
> Hi Asya,
>
> You must set the servicePrincipalName attribute on the service account
> (MYSERVER$ in this case) to include all of the hostnames that will be
> used to access the web server which in this case would be at least
> "HTTP/myserver.server.com
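The check Michael describes, written out as an added example (this is not code from the thread): given the hostnames the web server will answer on, derive the HTTP/ principals that must exist, compare them with what `klist -k` reports, and print the commands that would register the missing ones. The realm, hostnames, account name and the `klist -k` output are constructed; for a real keytab, substitute `KLIST_OUTPUT=$(klist -k /etc/krb5.keytab)`.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks whether a keytab holds the
# HTTP/<hostname>@REALM entry for every hostname a Kerberos-protected web
# server answers on, and prints the commands that would add the missing ones.
# REALM, ACCOUNT, the hostnames and KLIST_OUTPUT are all constructed.

REALM='CORE.HOST.EDU'
ACCOUNT='MYSERVER'            # the machine account, MYSERVER$ in AD
# Every name that will appear in a browser's URL bar (A records, not CNAMEs).
# Left unquoted below on purpose so it splits into one argument per name.
WEB_HOSTNAMES='myserver.server www.example.edu intranet.example.edu'

# Constructed 'klist -k' output: the host/ entries the Samba join created plus
# one HTTP/ entry. For a real check use: KLIST_OUTPUT=$(klist -k /etc/krb5.keytab)
KLIST_OUTPUT='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/myserver.server@CORE.HOST.EDU
   2 host/MYSERVER@CORE.HOST.EDU
   2 HTTP/myserver.server@CORE.HOST.EDU'

# required_spns REALM HOST... : one HTTP/HOST@REALM line per hostname
required_spns() {
    realm=$1; shift
    for h in "$@"; do
        printf 'HTTP/%s@%s\n' "$h" "$realm"
    done
}

# keytab_principals KLIST_OUTPUT : unique principals, one per line.
# Entry lines of plain 'klist -k' are "<kvno> <principal>"; the header and
# the dashed separator have a non-numeric first field and are skipped.
keytab_principals() {
    printf '%s\n' "$1" | awk 'NF == 2 && $1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# missing_spns REALM KLIST_OUTPUT HOST... : required principals absent from the keytab
missing_spns() {
    realm=$1; klist_out=$2; shift 2
    have=$(keytab_principals "$klist_out")
    for spn in $(required_spns "$realm" "$@"); do
        printf '%s\n' "$have" | grep -Fxq -- "$spn" || printf '%s\n' "$spn"
    done
}

# fix_commands REALM ACCOUNT KLIST_OUTPUT HOST... : for each missing SPN, the
# command that adds it to the one machine account (servicePrincipalName is
# multi-valued) and the command that adds the matching key to the keytab on
# the Samba-joined web server.
fix_commands() {
    realm=$1; account=$2; klist_out=$3; shift 3
    missing_spns "$realm" "$klist_out" "$@" | while IFS= read -r spn; do
        printf '# on a DC or admin workstation (-S refuses a duplicate SPN):\n'
        printf 'setspn -S %s %s\n' "${spn%@*}" "$account"
        printf '# on the web server, after the net ads join:\n'
        printf 'net ads keytab add %s\n' "${spn%@*}"
    done
}

echo "Missing from keytab:"
missing_spns "$REALM" "$KLIST_OUTPUT" $WEB_HOSTNAMES
echo
fix_commands "$REALM" "$ACCOUNT" "$KLIST_OUTPUT" $WEB_HOSTNAMES
```

All of the HTTP/ entries belong to the single machine account, so they share its key and kvno and no further accounts are needed. `setspn -S` (Windows Server 2008 and later) refuses to register an SPN that already exists on another account, which matters because a duplicated HTTP/ SPN breaks Negotiate for both servers. On newer Samba releases `net ads keytab add` only writes the keytab; `net ads keytab add_update_ads` also writes the SPN into the machine account in AD, which is the step `setspn` performs above.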
On Fri, Mar 11, 2011 at 3:50 PM, Dvorkin, Asya wrote:
> [root@myserver conf]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
>
> --
> 2 host/myserver.server@core.host.edu
> 2 host/rmyserver.server
-boun...@centos.org] On Behalf Of David Brian Chait
Sent: Friday, March 11, 2011 1:15 PM
To: CentOS mailing list
Subject: Re: [CentOS] Apache/Active Directory authentication
> I looked in AD configuration and see that my server does not have appropriate
> ServicePrincipalName for HTTP (onl
> I looked in AD configuration and see that my server does not have appropriate
> ServicePrincipalName for HTTP (only host).
Of course it doesn't, you gathered that ticket by joining the domain with
Samba, but are not using samba auth with apache...
Okay... so at this point I am stuck.
I got this far:
Using modules:
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_kerb_module modules/mod_auth_kerb.so
[root@myserver conf]# net ads testjoin
Join is OK
I successfully joined domain.
[root@myserver conf]# klist -k
Keytab
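The mod_auth_kerb side, as an added example rather than configuration taken from the thread: the Location below accepts only a Negotiate (SPNEGO) ticket, so no username or password crosses the wire, which is what Asya set out to get. The realm, keytab path and Location are assumptions.

```apacheconf
# Added example (not from the thread). mod_auth_kerb protecting /secure with
# Kerberos tickets only. Realm, keytab path and Location are assumptions.
LoadModule auth_kerb_module modules/mod_auth_kerb.so

<Location /secure>
    AuthType Kerberos
    AuthName "Kerberos Login"

    # Accept the browser's ticket via Negotiate only. KrbMethodK5Passwd On
    # would fall back to Basic auth and send the AD password to the web
    # server, which defeats the point of joining the server to the domain.
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbAuthRealms CORE.HOST.EDU

    # Keytab holding HTTP/<hostname>@REALM for every name clients use in
    # the URL. It must be readable by the httpd user; keeping it separate
    # from /etc/krb5.keytab keeps the host/ key away from the web server.
    Krb5Keytab /etc/httpd/conf/http.keytab
    KrbServiceName HTTP

    # Do not write forwarded credentials to disk unless a backend needs them.
    KrbSaveCredentials Off

    Require valid-user
</Location>
```

The entries for `http.keytab` can be copied out of the machine keytab with `ktutil` (`rkt` the source, `wkt` the destination), or written there directly by `net ads keytab add` when `smb.conf` sets `dedicated keytab file` to that path. Whatever mechanism is used, the HTTP/ principal that ends up in the keytab must be registered in the machine account's servicePrincipalName, or the KDC will never issue a ticket for it.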
On Thu, 10 Mar 2011, Dvorkin, Asya wrote:
> John,
>
> Thank you for all your pointers! You are right.. I was able to create a
> keytab file. Still having some issues with getting apache to work the way I
> want to, but will continue troubleshooting it.
No problem, and I'll be interested to hear
John,
Thank you for all your pointers! You are right.. I was able to create a keytab
file. Still having some issues with getting apache to work the way I want to,
but will continue troubleshooting it.
Thank you!
Asya
On Mar 9, 2011, at 10:09 AM, John Hodrien wrote:
> On Wed, 9 Mar 2011, Joh
On Wed, 9 Mar 2011, John Hodrien wrote:
> On Wed, 9 Mar 2011, Dvorkin, Asya wrote:
>
>> Thank you, John.
>>
>> I forgot to add that we cannot generate keytab from AD server for various
>> reasons that I have no control over.
And are you really sure this is the case? If you can join to a domain,
On Wed, 9 Mar 2011, Dvorkin, Asya wrote:
> Thank you, John.
>
> I forgot to add that we cannot generate keytab from AD server for various
> reasons that I have no control over.
>
> Would mod_auth_kerb still work? My google searches all point to keytab file
> being there...
Yes. If you join AD
Thank you, John.
I forgot to add that we cannot generate keytab from AD server for various
reasons that I have no control over.
Would mod_auth_kerb still work? My google searches all point to keytab file
being there...
Thank you,
Asya
On Mar 9, 2011, at 9:35 AM, John Hodrien wrote:
> On Wed
On Wed, 9 Mar 2011, Dvorkin, Asya wrote:
> I was wondering if there is a way to do http authentication without passing
> my username/password considering server is already bound to AD, thus
> authenticated.
>
> Would I be able to utilize PAM authentication for this purpose?
mod_auth_kerb can u