[30494] in Kerberos
Re: [solved] Using Apache with mod_auth_kerb
daemon@ATHENA.MIT.EDU (Ansgar Burchardt)
Tue Dec 2 16:51:04 2008
To: kerberos@mit.edu
From: Ansgar Burchardt <ansgar@2008.43-1.org>
Date: Tue, 02 Dec 2008 22:50:03 +0100
Message-ID: <gnus-86tz9mdz78.fsf@blight.43-1.org>

Hi,

Russ Allbery <rra@stanford.edu> writes:
> Ansgar Burchardt <ansgar@2008.43-1.org> writes:
>> I have a small problem with mod_auth_kerb and Firefox 3.0: While
>> authenticating via Kerberos works fine from a computer located in the
>> same domain, I cannot get Firefox to authenticate from my home computer.
>
> After you try to visit the web site in question, run klist. Does an
> HTTP/* ticket for the web server show up in your ticket cache? If so,
> something is going wrong with the Negotiate-Auth part of Firefox's code;
> if not, you probably have a more basic problem with mapping the web server
> to an existing Kerberos principal.

I have found the problem: Firefox seems to require that the Kerberos
service principal matches the domain name entered in the address bar,
while Konqueror was satisfied with the service principal matching the
host name of the server.

I added another service principal "HTTP/www.example.com" (only had
"HTTP/server.example.com" before) and put "KrbServiceName Any" in the
Apache configuration and everything works now.

> Make sure that your realm mappings are correct in your /etc/krb5.conf
> file, for example. That's often the problem.

The krb5.conf only has the default_realm; all other options can be
obtained via DNS here. This makes using Kerberos from home much easier
to set up.

Regards,
Ansgar
--
PGP: 1024D/595FAD19 739E 2D09 0969 BEA9 9797 B055 DDB0 2FF7 595F AD19
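
The mismatch described in this message, as an added example (not part of the original post or of mod_auth_kerb): it builds the service principal from the host name in the URL, as the post reports Firefox doing, and checks it against `klist -k` output for the web server's keytab. The realm EXAMPLE.COM, the keytab path and both listings are constructed assumptions.

```python
"""Check whether a keytab holds the SPN derived from the host in a URL."""
import re
from urllib.parse import urlsplit

# Constructed sample: `klist -k` output for a keytab that only holds the
# server's own host name (the situation before the fix in the post).
KLIST_BEFORE = """\
Keytab name: FILE:/etc/apache2/http.keytab
KVNO Principal
---- --------------------------------------------------------------
   3 HTTP/server.example.com@EXAMPLE.COM
"""
# Constructed sample: the same keytab after adding the second principal.
KLIST_AFTER = KLIST_BEFORE + "   1 HTTP/www.example.com@EXAMPLE.COM\n"

# A keytab entry line: key version number, then service/host@REALM.
ENTRY = re.compile(r"^\s*\d+\s+(\S+/\S+@\S+)\s*$")


def keytab_principals(klist_output):
    """Return the set of principals listed in `klist -k` output."""
    return {m.group(1) for line in klist_output.splitlines()
            if (m := ENTRY.match(line))}


def spn_for_url(url, realm):
    """SPN built from the URL's host name, with no DNS canonicalisation."""
    host = urlsplit(url).hostname  # already lower-cased, port stripped
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return f"HTTP/{host}@{realm}"


def check(url, realm, klist_output):
    """Return (spn, spn present in keytab, other HTTP principals found)."""
    spn = spn_for_url(url, realm)
    principals = keytab_principals(klist_output)
    others = sorted(p for p in principals
                    if p.startswith("HTTP/") and p != spn)
    return spn, spn in principals, others


if __name__ == "__main__":
    for label, listing in (("before", KLIST_BEFORE), ("after", KLIST_AFTER)):
        spn, ok, others = check("https://www.example.com/", "EXAMPLE.COM", listing)
        print(f"{label}: {spn} {'found' if ok else 'MISSING'}; other: {others}")
```

A missing SPN alongside a non-empty list of other HTTP principals is the symptom from the post: the keytab has a key for the server's host name but not for the name users type.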