[32821] in Kerberos


AW: Different behaviour of mod_auth_kerb depending on kerberos stack

daemon@ATHENA.MIT.EDU (Beier Michael)
Tue Oct 19 16:19:51 2010

From: Beier Michael <M.Beier@enbw.com>
To: "'Russ Allbery'" <rra@stanford.edu>
Date: Tue, 19 Oct 2010 22:19:43 +0200
Message-ID: <1CA7D5514D24754B93C9DF23AAFA064509AAB1A179@S3Q2173.enbw.net>
In-Reply-To: <878w1u5af3.fsf@windlord.stanford.edu>
Content-Language: de-DE
MIME-Version: 1.0
Cc: "'kerberos@mit.edu'" <kerberos@mit.edu>
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

This approves a note in the following guide I found at Microsoft:
http://technet.microsoft.com/en-us/library/bb742433.aspx

"You cannot map multiple service instances to the same user account."

But on the other hand: we ARE currently running a setup with ~ 300 services shared in only a few accounts. The only limitation seems to be that this only works with heimdal. It would be a gigantic effort to create separate accounts for each service - and that without impact on the running services. So at the moment using heimdal on sles11 would be the better option.

My questions are now: 
1) Will the following setup work?

keytab 1 will be generated for an account containing spn HTTP/hostname.enbw.net.
keytab 2 will be generated for an account containing spn HTTP/virtualhost.enbw.net
...
keytab x will be generated for an account containing spn HTTP/virtualhostx.enbw.net

We have to create one "big merged" keytab file, containing all generated above, which will be used by mod_auth_kerb.

2) Firefox will always deliver the ticket for service HTTP/hostname.enbw.net - no matter which virtualhost is accessed?

3) Am I right that the MIT kerberos implementation checks if the referenced keytab file contains the service requested by the client, and that this behaviour cannot be changed?

Best regards,
Michael

-----Original Message-----
From: Russ Allbery [mailto:rra@stanford.edu]
Sent: Tuesday, 19 October 2010 20:02
To: Beier Michael
Cc: 'kerberos@mit.edu'
Subject: Re: Different behaviour of mod_auth_kerb depending on kerberos stack

Beier Michael <M.Beier@enbw.com> writes:

> Using the MIT implementation, accessing the virtualhost using firefox
> still works, because firefox does a reverse and forward dns-lookup and
> sends a kerberos ticket for HTTP/hostname.enbw.net, which is found in
> the keytab file. With Internet Explorer mod_auth_kerb declines the access
> to http://virtualhost.enbw.net, because it sends (actually the same)
> kerberos ticket (but) for HTTP/virtualhost.enbw.net, which is not found
> in the keytab file. Apache shows the following error:

> gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code
> may provide more information (, Key table entry not found)

> At the moment I've no really good ideas how to solve this - the first
> idea was to create a separate account and keytab for each virtualhost,
> but the different behaviour of firefox and IE seems to make that
> impossible, because one ServicePrincipalName would have to be added to
> multiple accounts, but must be unique in active directory at the same
> time.

> Can anyone provide me some help or idea, how to solve this?

Add keytabs for each virtual host and then use "KrbServiceName Any" in
your Apache configuration.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
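An added example, not from the thread, for the "big merged keytab" asked about in question 1 together with Russ's "KrbServiceName Any" suggestion: a POSIX shell script that drives MIT ktutil to merge the per-virtual-host keytabs and then checks, from "klist -k" output, that every expected HTTP/ SPN is actually present before the merged file is handed to mod_auth_kerb. The merged keytab path, the realm ENBW.NET and the sample klist output are assumptions.

```shell
#!/bin/sh
# Merge per-SPN keytabs for mod_auth_kerb and verify the result (MIT tools).
# Path below is assumed; adjust to the Apache keytab location in use.
MERGED=/etc/apache2/http-merged.keytab

# Apache virtual host fragment that goes with the merged keytab (assumed):
#   KrbMethodNegotiate On
#   KrbAuthRealms ENBW.NET
#   KrbServiceName Any            # accept any HTTP/... principal in the keytab
#   Krb5Keytab /etc/apache2/http-merged.keytab

# Emit the command script for ktutil: read every input keytab, write one file.
# Usage: ktutil_script host.keytab vhost1.keytab ... | ktutil
ktutil_script() {
  for kt in "$@"; do
    printf 'rkt %s\n' "$kt"
  done
  printf 'wkt %s\nquit\n' "$MERGED"
}

# Read "klist -k" output on stdin and print each distinct principal once
# (klist prints three header lines, then "KVNO Principal" rows, one per enctype).
keytab_principals() {
  awk 'NR > 3 { print $2 }' | sort -u
}

# Read a principal list on stdin and check that every SPN in $@ is present.
# Returns 0 when all are found, 1 when any is missing (names it on stderr).
# This is the check that catches the "Key table entry not found" failure
# from the thread before Internet Explorer users hit it.
check_spns() {
  list=$(cat)
  missing=0
  for spn in "$@"; do
    if ! printf '%s\n' "$list" | grep -qx "$spn"; then
      echo "missing keytab entry for $spn" >&2
      missing=1
    fi
  done
  return $missing
}

# Typical run (commented out so the file can be sourced without ktutil):
# ktutil_script /etc/apache2/hostname.keytab /etc/apache2/virtualhost.keytab | ktutil
# klist -k "$MERGED" | keytab_principals \
#   | check_spns HTTP/hostname.enbw.net@ENBW.NET HTTP/virtualhost.enbw.net@ENBW.NET
```

Run the check again after every keytab rotation, since a re-generated per-host keytab that is not merged back in reproduces the same GSS failure.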
