On Wed, Mar 28, 2012 at 11:36 PM, Simo Sorce <s...@redhat.com> wrote:

>
> CNAMEs should work just fine with the host's HTTP/A-name@REALM key.
> In fact I just tested a virtual host on my ipa server using a cname and
> it worked.
>

Great!


> Can you post your (sanitized) mod_auth_kerb configuration?
> Also what browser are you testing with?
>

Sure:

<VirtualHost *:80>
        ServerName vhost.ipa.domain.tld
        ServerAdmin webmas...@domain.tld
        DocumentRoot /var/www/html/vhost1
        LogLevel debug
        CustomLog    /var/log/httpd/vhost1.access.log combined
        ErrorLog     /var/log/httpd/vhost1.error.log

        <Location "/kerb">
                AuthType Kerberos
                AuthName "Kerberos Login"
                KrbMethodNegotiate on
                KrbMethodK5Passwd off
                KrbServiceName HTTP
                KrbAuthRealms IPA.DOMAIN.TLD
                Krb5KeyTab /etc/httpd/conf/webserver01_http.keytab
                KrbSaveCredentials on
                Require valid-user
        </Location>
</VirtualHost>

> If you kdestroy and then kinit clean, and then try to access the server
> *only* using the CNAME you should see the browser has acquired a ticket
> for HTTP/A-name. You can use klist to verify. If this works you know it
> is a server side issue only. If you do not have the ticket, there may be
> a DNS/browser issue.
>

Yes, I get an HTTP/A-name ticket and a 500 internal server error in the
browser. So you are right, we have an apache issue only. If you can shed
some light on the mod_kerb config that will be great.

TIA.

-- 
Regards,
Natxo
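
A server-side check that follows from the klist test in this message, as an added example that is not part of the original thread: confirm that the keytab named in Krb5KeyTab holds a key for the same HTTP/A-name principal the browser obtained a ticket for. The klist output, the host name webserver01.ipa.domain.tld and the function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: does the server keytab hold the principal the client got a ticket for?
# All klist output and host names below are constructed samples.

# Constructed `klist` output on the client after visiting the CNAME.
sample_klist='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@IPA.DOMAIN.TLD

Valid starting     Expires            Service principal
03/28/12 23:40:01  03/29/12 23:39:58  krbtgt/IPA.DOMAIN.TLD@IPA.DOMAIN.TLD
03/28/12 23:41:12  03/29/12 23:39:58  HTTP/webserver01.ipa.domain.tld@IPA.DOMAIN.TLD'

# Constructed `klist -k` output for the keytab (one row per encryption type).
sample_keytab='Keytab name: FILE:/etc/httpd/conf/webserver01_http.keytab
KVNO Principal
---- ------------------------------------------------
   1 HTTP/webserver01.ipa.domain.tld@IPA.DOMAIN.TLD
   1 HTTP/webserver01.ipa.domain.tld@IPA.DOMAIN.TLD'

# HTTP/ service principals in the ticket cache (last field of each ticket row).
http_tickets() {
  printf '%s\n' "$1" | awk '$NF ~ /^HTTP\// { print $NF }' | sort -u
}

# Principals in the keytab listing (rows that start with a numeric KVNO).
keytab_principals() {
  printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# Returns 0 if every HTTP/ ticket has a keytab entry, 1 if any is missing
# (each missing principal is printed), 2 if the cache has no HTTP/ ticket.
check_keytab_covers_tickets() {
  kc_tickets=$(http_tickets "$1")
  kc_keys=$(keytab_principals "$2")
  kc_missing=0
  [ -n "$kc_tickets" ] || { echo "no HTTP/ service ticket in cache"; return 2; }
  for kc_p in $kc_tickets; do
    if ! printf '%s\n' "$kc_keys" | grep -Fxq -- "$kc_p"; then
      echo "MISSING in keytab: $kc_p"
      kc_missing=1
    fi
  done
  return "$kc_missing"
}

if check_keytab_covers_tickets "$sample_klist" "$sample_keytab"; then
  echo "keytab has a key for the ticket the browser obtained"
fi
```

On a live system, pass the client's `klist` output as the first argument and the server's `klist -k` output for the keytab as the second.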