[30495] in Kerberos
Re: [solved] Using Apache with mod_auth_kerb
daemon@ATHENA.MIT.EDU (Russ Allbery)
Tue Dec 2 19:21:46 2008
To: kerberos@mit.edu
In-Reply-To: <gnus-86tz9mdz78.fsf@blight.43-1.org> (Ansgar Burchardt's message
of "Tue\, 02 Dec 2008 22\:50\:03 +0100")
From: Russ Allbery <rra@stanford.edu>
Date: Tue, 02 Dec 2008 16:20:50 -0800
Message-ID: <874p1mglct.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Ansgar Burchardt <ansgar@2008.43-1.org> writes:
> I have found the problem: Firefox seems to require that the Kerberos
> service principal matches the domain name entered in the address bar,
> while Konqueror was satisfied with the service principal matching the
> host name of the server.
>
> I added another service principal "HTTP/www.example.com" (only had
> "HTTP/server.example.com" before) and put "KrbServiceName Any" in the
> Apache configuration and everything works now.
Yeah, common problem (and why KrbServiceName any is there).
> The krb5.conf only has the default_realm, all other options can be
> obtained via DNS here. This makes using Kerberos from home much easier
> to set up.
Note that domain to realm mappings via TXT records aren't enabled by
default for MIT Kerberos because it has security implications.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
