Re: [CentOS] Apache/Active Directory authentication

2011-03-24 Thread Michael B Allen
On Wed, Mar 23, 2011 at 2:35 PM, John Hodrien j.h.hodr...@leeds.ac.uk wrote: On Wed, 23 Mar 2011, Michael B Allen wrote: Yes, but using the machine principal you're able to request any number of service principals that are SERVICENAME/machinename.  For this to work in a virtual hosting

Re: [CentOS] Apache/Active Directory authentication

2011-03-23 Thread John Hodrien
On Wed, 23 Mar 2011, Michael B Allen wrote: Yes, but using the machine principal you're able to request any number of service principals that are SERVICENAME/machinename.  For this to work in a virtual hosting environment, you need multiple machine names (since we're talking about making a

Re: [CentOS] Apache/Active Directory authentication

2011-03-22 Thread John Hodrien
On Tue, 22 Mar 2011, Michael B Allen wrote: Hi John, You would not have to create dummy machine records. The servicePrincipalName attribute on an AD account is multi-valued and clients can request and get a ticket for ANY principal in that list. So you only need one account. And you do

Re: [CentOS] Apache/Active Directory authentication

2011-03-22 Thread Michael B Allen
On Tue, Mar 22, 2011 at 5:55 AM, John Hodrien j.h.hodr...@leeds.ac.uk wrote: On Tue, 22 Mar 2011, Michael B Allen wrote: Hi John, You would not have to create dummy machine records. The servicePrincipalName attribute on an AD account is multi-valued and clients can request and get a ticket

Re: [CentOS] Apache/Active Directory authentication

2011-03-21 Thread Michael B Allen
On Sat, Mar 19, 2011 at 4:28 AM, John Hodrien j.h.hodr...@leeds.ac.uk wrote: An HTTP client can authenticate with any principal in the service keytab and only one of their hostnames is going to have a PTR record. So I'm not sure I understand your claim here. Two A records, with PTR record

Re: [CentOS] Apache/Active Directory authentication

2011-03-19 Thread John Hodrien
On Fri, 18 Mar 2011, Michael B Allen wrote: Hi John, Actually I think this practice is now considered poor behavior. I look at a lot of packet captures and I don't recall seeing PTR lookups. At least not from Windows clients. Also I recall there was a discussion about this on the Kerberos list

Re: [CentOS] Apache/Active Directory authentication

2011-03-18 Thread Michael B Allen
On Thu, Mar 17, 2011 at 6:18 AM, John Hodrien j.h.hodr...@leeds.ac.uk wrote: On Wed, 16 Mar 2011, Michael B Allen wrote: I don't know what the official view is on going through a CNAME but I think that is probably a dubious practice. The proper way to handle this scenario would be to add

Re: [CentOS] Apache/Active Directory authentication

2011-03-18 Thread John Hodrien
On Fri, 18 Mar 2011, Michael B Allen wrote: Hi John, Arguably it's not the end-of-the-world to go through CNAMEs. If it works for you, then don't let me deter you. Indeed it does, and it was the only way I could see you /could/ do this. Especially if you're not a domain admin. I'm still not

Re: [CentOS] Apache/Active Directory authentication

2011-03-18 Thread Michael B Allen
On Fri, Mar 18, 2011 at 6:25 AM, John Hodrien j.h.hodr...@leeds.ac.uk wrote: On Fri, 18 Mar 2011, Michael B Allen wrote: Hi John, Arguably it's not the end-of-the-world to go through CNAMEs. If it works for you, then don't let me deter you. Indeed it does, and it was the only way I could

[CentOS] Apache/Active Directory authentication

2011-03-18 Thread R P Herrold
On Fri, 18 Mar 2011, Michael B Allen wrote: True. You cannot have multiple PTR records for an IP. I did not mean to suggest that you could. Not saying you are wrong here, but have you an RFC reference to this effect? We previously held this belief from our prior practice, but cannot find a

Re: [CentOS] Apache/Active Directory authentication

2011-03-18 Thread Michael B Allen
On Fri, Mar 18, 2011 at 2:58 PM, R P Herrold herr...@owlriver.com wrote: On Fri, 18 Mar 2011, Michael B Allen wrote: True. You cannot have multiple PTR records for an IP. I did not mean to suggest that you could. Not saying you are wrong here, but have you an RFC reference to this effect?  

Re: [CentOS] Apache/Active Directory authentication

2011-03-18 Thread Nico Kadel-Garcia
On Fri, Mar 18, 2011 at 2:36 PM, Michael B Allen iop...@gmail.com wrote: On Fri, Mar 18, 2011 at 6:25 AM, John Hodrien j.h.hodr...@leeds.ac.uk wrote: Surely that wouldn't care how I'd done it? That requires the PTR record, and that it points back to the name of the principal you want to use.
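The CNAME/PTR disagreement in the messages above comes down to which name a client plugs into the HTTP/ principal it asks the KDC for. The following is an added example to make that concrete; it is not code from the thread. The DNS data is constructed, and the realm EXAMPLE.COM and the hostnames web1/web2/www.example.com are placeholders. The steps mirror what MIT krb5 does for host-based principals under its `dns_canonicalize_hostname` and `rdns` settings: follow CNAMEs to the canonical A-record name, then, if rdns is on, swap in the PTR name of the address. Whether real clients perform that last step is exactly what the participants disagree about.

```python
"""Toy model of how a Kerberos client turns the hostname in a URL into the
HTTP/ service principal it requests.

Added illustration for the CNAME/PTR discussion; not code from the thread.
The DNS zone is constructed; EXAMPLE.COM and the hostnames are placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class FakeDns:
    """In-memory DNS: CNAME and A records by name, one PTR record per address."""
    cname: dict[str, str] = field(default_factory=dict)
    a: dict[str, str] = field(default_factory=dict)
    ptr: dict[str, str] = field(default_factory=dict)

    def canonical_name(self, host: str) -> str:
        """Follow the CNAME chain to the name that owns an A record."""
        seen = set()
        while host in self.cname:
            if host in seen:
                raise ValueError(f"CNAME loop at {host}")
            seen.add(host)
            host = self.cname[host]
        if host not in self.a:
            raise LookupError(f"no A record for {host}")
        return host


def client_target_principal(url_host: str, dns: FakeDns, realm: str,
                            dns_canonicalize: bool = True,
                            rdns: bool = True) -> str:
    """Principal a client requests when it opens http://<url_host>/.

    dns_canonicalize=False: use the typed name as-is, no lookups at all.
    rdns=True: additionally replace the canonical name with the PTR name of
    the address, which is why only one of several names sharing one address
    can ever match when clients behave this way.
    """
    host = url_host.lower()
    if dns_canonicalize:
        host = dns.canonical_name(host)
        if rdns:
            host = dns.ptr.get(dns.a[host], host)
    return f"HTTP/{host}@{realm}"


def required_principals(url_hosts, dns, realm, **opts) -> set[str]:
    """Every principal the keytab must hold for clients configured with opts."""
    return {client_target_principal(h, dns, realm, **opts) for h in url_hosts}


# Constructed zone: two A records and one CNAME all land on one address,
# and that address can carry only a single PTR record (pointing at web1).
SAMPLE_DNS = FakeDns(
    cname={"www.example.com": "web1.example.com"},
    a={"web1.example.com": "192.0.2.10", "web2.example.com": "192.0.2.10"},
    ptr={"192.0.2.10": "web1.example.com"},
)

if __name__ == "__main__":
    names = ["www.example.com", "web2.example.com"]
    for rdns in (True, False):
        print(f"rdns={rdns}:",
              sorted(required_principals(names, SAMPLE_DNS, "EXAMPLE.COM", rdns=rdns)))
```

With rdns on, both www and web2 collapse to HTTP/web1.example.com, so a keytab holding only that principal works and the second A record is useless; with rdns off, the keytab needs an HTTP/ entry for every canonical name clients can reach. In MIT krb5 these two switches are the `rdns` and `dns_canonicalize_hostname` keys under `[libdefaults]` in krb5.conf. Since you do not control the client population, the safe server-side position is the one Michael Allen argues for elsewhere in the thread: put every name in the keytab and in the account's servicePrincipalName.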

Re: [CentOS] Apache/Active Directory authentication

2011-03-17 Thread John Hodrien
On Wed, 16 Mar 2011, Michael B Allen wrote: On Mon, Mar 14, 2011 at 5:58 AM, John Hodrien j.h.hodr...@leeds.ac.uk wrote: On Mon, 14 Mar 2011, Michael B Allen wrote: Hi Asya, You must set the servicePrincipalName attribute on the service account (MYSERVER$ in this case) to include all of

Re: [CentOS] Apache/Active Directory authentication

2011-03-16 Thread Michael B Allen
On Mon, Mar 14, 2011 at 5:58 AM, John Hodrien j.h.hodr...@leeds.ac.uk wrote: On Mon, 14 Mar 2011, Michael B Allen wrote: Hi Asya, You must set the servicePrincipalName attribute on the service account (MYSERVER$ in this case) to include all of the hostnames that will be used to access the

Re: [CentOS] Apache/Active Directory authentication

2011-03-14 Thread John Hodrien
On Mon, 14 Mar 2011, Michael B Allen wrote: Hi Asya, You must set the servicePrincipalName attribute on the service account (MYSERVER$ in this case) to include all of the hostnames that will be used to access the web server which in this case would be at least HTTP/myserver.server.com. One

Re: [CentOS] Apache/Active Directory authentication

2011-03-14 Thread John Hodrien
On Fri, 11 Mar 2011, David Brian Chait wrote: It appears as though you need to create a proper SPN/keytab from the AD server: http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/tsec_SPNEGO_config_dc.html I've done this just with

Re: [CentOS] Apache/Active Directory authentication

2011-03-14 Thread John Hodrien
On Fri, 11 Mar 2011, David Brian Chait wrote: I looked in AD configuration and see that my server does not have appropriate ServicePrincipalName for HTTP (only host). Of course it doesn't, you gathered that ticket by joining the domain with Samba, but are not using samba auth with apache...

Re: [CentOS] Apache/Active Directory authentication

2011-03-14 Thread John Hodrien
On Fri, 11 Mar 2011, Dvorkin, Asya wrote: [root@myserver conf]# klist -k Keytab name: FILE:/etc/krb5.keytab KVNO Principal -- 2 host/myserver.server@core.host.edu 2 host/rmyserver.server@core.host.edu

Re: [CentOS] Apache/Active Directory authentication

2011-03-14 Thread Dvorkin, Asya
Thank you! I'm working on it right now and will give my progress report soon :) Asya On Mar 14, 2011, at 6:11 AM, John Hodrien wrote: On Fri, 11 Mar 2011, Dvorkin, Asya wrote: [root@myserver conf]# klist -k Keytab name: FILE:/etc/krb5.keytab KVNO Principal

Re: [CentOS] Apache/Active Directory authentication

2011-03-13 Thread Michael B Allen
On Fri, Mar 11, 2011 at 3:50 PM, Dvorkin, Asya dvork...@umdnj.edu wrote: [root@myserver conf]# klist -k Keytab name: FILE:/etc/krb5.keytab KVNO Principal --   2 host/myserver.server@core.host.edu   2

Re: [CentOS] Apache/Active Directory authentication

2011-03-11 Thread Dvorkin, Asya
Okay... so at this point I am stuck. I got this far: Using modules: LoadModule auth_basic_module modules/mod_auth_basic.so LoadModule auth_kerb_module modules/mod_auth_kerb.so [root@myserver conf]# net ads testjoin Join is OK I successfully joined domain. [root@myserver conf]# klist -k Keytab
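The state described in this message, and the advice earlier in the thread that the service account's servicePrincipalName must list every hostname the site is reached under, both reduce to one check: does the keytab hold an HTTP/<fqdn>@REALM entry for each of those names? The script below is an added example of that check, not code posted by anyone in the thread. The `klist -k` text is constructed to match the shape quoted above; the realm EXAMPLE.COM and the hostnames are placeholders.

```python
"""Check a `klist -k` listing for the HTTP/ principals mod_auth_kerb will need.

Added example for the thread; not code from any participant. The klist
output is constructed; EXAMPLE.COM and the hostnames are placeholders.
"""
import re

# Constructed sample: a keytab right after `net ads join`. It carries host/
# and machine-account entries but no HTTP/ entry, the state the original
# poster describes.
KLIST_AFTER_JOIN = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/myserver.server.example.com@EXAMPLE.COM
   2 host/MYSERVER@EXAMPLE.COM
   2 MYSERVER$@EXAMPLE.COM
"""

# Constructed sample: the same keytab after HTTP/ entries were added for
# every name the web server is reached under.
KLIST_FIXED = KLIST_AFTER_JOIN + """\
   2 HTTP/myserver.server.example.com@EXAMPLE.COM
   2 HTTP/www.example.com@EXAMPLE.COM
"""

# A keytab entry line: key version number, whitespace, principal with realm.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+@\S+)$")


def parse_klist(text):
    """Map each principal in klist -k output to the list of KVNOs present.

    Header lines (keytab name, column titles, the dashed rule) never match
    the entry pattern and are skipped.
    """
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line.rstrip())
        if m:
            entries.setdefault(m.group(2), []).append(int(m.group(1)))
    return entries


def required_http_principals(hostnames, realm):
    """The HTTP/<fqdn>@REALM principal for every name clients will use.

    The service part is upper-case HTTP: that is mod_auth_kerb's default
    KrbServiceName and what Windows clients request. MIT krb5 matches
    principal names case-sensitively, so the host part is lower-cased to
    agree with the canonical DNS name.
    """
    return {f"HTTP/{h.lower()}@{realm}" for h in hostnames}


def missing_principals(klist_text, hostnames, realm):
    """Return, sorted, the required HTTP/ principals absent from the keytab."""
    present = set(parse_klist(klist_text))
    return sorted(required_http_principals(hostnames, realm) - present)


def report(klist_text, hostnames, realm):
    """One-line verdict suitable for a deployment check."""
    missing = missing_principals(klist_text, hostnames, realm)
    if not missing:
        return "keytab covers every HTTP/ principal"
    return "missing from keytab: " + ", ".join(missing)


if __name__ == "__main__":
    names = ["myserver.server.example.com", "www.example.com"]
    print(report(KLIST_AFTER_JOIN, names, "EXAMPLE.COM"))
    print(report(KLIST_FIXED, names, "EXAMPLE.COM"))
```

Feed it the real output of `klist -k` on the web server and the list of names in your VirtualHost ServerName/ServerAlias lines. A keytab entry alone is not sufficient: the matching SPN must also be present in the account's multi-valued servicePrincipalName, as the thread explains, and it must be unique in the forest, since a duplicate SPN on two accounts makes the KDC unable to issue tickets for it.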

Re: [CentOS] Apache/Active Directory authentication

2011-03-11 Thread David Brian Chait
I looked in AD configuration and see that my server does not have appropriate ServicePrincipalName for HTTP (only host). Of course it doesn't, you gathered that ticket by joining the domain with Samba, but are not using samba auth with apache...

Re: [CentOS] Apache/Active Directory authentication

2011-03-11 Thread David Brian Chait
-boun...@centos.org] On Behalf Of David Brian Chait Sent: Friday, March 11, 2011 1:15 PM To: CentOS mailing list Subject: Re: [CentOS] Apache/Active Directory authentication I looked in AD configuration and see that my server does not have appropriate ServicePrincipalName for HTTP (only host

Re: [CentOS] Apache/Active Directory authentication

2011-03-10 Thread Dvorkin, Asya
John, Thank you for all your pointers! You are right.. I was able to create a keytab file. Still having some issues with getting apache to work the way I want to, but will continue troubleshooting it. Thank you! Asya On Mar 9, 2011, at 10:09 AM, John Hodrien wrote: On Wed, 9 Mar 2011,

Re: [CentOS] Apache/Active Directory authentication

2011-03-10 Thread John Hodrien
On Thu, 10 Mar 2011, Dvorkin, Asya wrote: John, Thank you for all your pointers! You are right.. I was able to create a keytab file. Still having some issues with getting apache to work the way I want to, but will continue troubleshooting it. No problem, and I'll be interested to hear

[CentOS] Apache/Active Directory authentication

2011-03-09 Thread Dvorkin, Asya
Hi everyone, I'm trying to figure out the best way to accomplish below project and would appreciate your input. I need to setup a web page on CentOS with Active Directory authentication. So far I've accomplished the following: - Setup httpd.conf to successfully authenticate against AD by

Re: [CentOS] Apache/Active Directory authentication

2011-03-09 Thread John Hodrien
On Wed, 9 Mar 2011, Dvorkin, Asya wrote: I was wondering if there is a way to do http authentication without passing my username/password considering server is already bound to AD, thus authenticated. Would I be able to utilize PAM authentication for this purpose? mod_auth_kerb can use

Re: [CentOS] Apache/Active Directory authentication

2011-03-09 Thread Dvorkin, Asya
Thank you, John. I forgot to add that we cannot generate keytab from AD server for various reasons that I have no control over. Would mod_auth_kerb still work? My google searches all point to keytab file being there... Thank you, Asya On Mar 9, 2011, at 9:35 AM, John Hodrien wrote: On

Re: [CentOS] Apache/Active Directory authentication

2011-03-09 Thread John Hodrien
On Wed, 9 Mar 2011, Dvorkin, Asya wrote: Thank you, John. I forgot to add that we cannot generate keytab from AD server for various reasons that I have no control over. Would mod_auth_kerb still work? My google searches all point to keytab file being there... Yes. If you join AD

Re: [CentOS] Apache/Active Directory authentication

2011-03-09 Thread John Hodrien
On Wed, 9 Mar 2011, John Hodrien wrote: On Wed, 9 Mar 2011, Dvorkin, Asya wrote: Thank you, John. I forgot to add that we cannot generate keytab from AD server for various reasons that I have no control over. And are you really sure this is the case? If you can join to a domain, you can