On Wed, Mar 28, 2012 at 11:36 PM, Simo Sorce <s...@redhat.com> wrote:

> CNAMEs should work just fine with the host's HTTP/A-name@REALM key.
> In fact I just tested a virtual host on my ipa server using a cname and
> it worked.


> Can you post your (sanitized) mod_auth_kerb configuration?
> Also what browser are you testing with?


<VirtualHost *:80>
        ServerName vhost.ipa.domain.tld
        ServerAdmin webmas...@domain.tld
        DocumentRoot /var/www/html/vhost1
        LogLevel debug
        CustomLog    /var/log/httpd/vhost1.access.log combined
        ErrorLog     /var/log/httpd/vhost1.error.log

        <Location "/kerb">
                AuthType Kerberos
                AuthName "Kerberos Login"
                KrbMethodNegotiate on
                KrbMethodK5Passwd off
                KrbServiceName HTTP
                KrbAuthRealms IPA.DOMAIN.TLD
                Krb5KeyTab /etc/httpd/conf/webserver01_http.keytab
                KrbSaveCredentials on
                Require valid-user
        </Location>
</VirtualHost>


> If you kdestroy and then kinit clean, and then try to access the server
> *only* using the CNAME you should see the browser has acquired a ticket
> for HTTP/A-name. You can use klist to verify. If this works you know it
> is a server side issue only. If you do not have the ticket, there may be
> a DNS/browser issue.

Yes, I get a HTTP/A-name ticket and a 500 internal server error on the
browser. So you are right, we have an Apache issue only. If you can shed
some light on the mod_kerb config that will be great.
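
The klist check described in the thread, as an added example that is not part of the original messages: it reads MIT-style klist output and reports whether a ticket for HTTP/A-name is cached (server-side problem) or not (DNS/browser problem). The function names, the A-name webserver01.ipa.domain.tld and the klist samples are constructed assumptions.

```shell
# Added example, not from the thread. Real use, after kdestroy, kinit
# and one request to the CNAME URL:
#   klist | triage_cname_ticket <A-name> <REALM>

# Print the service principals found in MIT klist output on stdin.
# Rows before the table header and "renew until" lines are skipped.
klist_service_principals() {
    awk '
        /Service principal/ { in_table = 1; next }
        in_table && NF >= 5 && $NF ~ /@/ { print $NF }
    '
}

# Print "server-side" when a ticket for HTTP/<A-name>@<REALM> is cached,
# otherwise "client-side" (the DNS/browser case from the thread).
triage_cname_ticket() {
    wanted="HTTP/$1@$2"
    if klist_service_principals | grep -Fqx -- "$wanted"; then
        echo "server-side"
    else
        echo "client-side"
    fi
}

# Constructed sample: cache after a request to the CNAME succeeded in
# getting a service ticket for the A-name.
sample_with_ticket() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@IPA.DOMAIN.TLD

Valid starting     Expires            Service principal
03/28/12 23:40:01  03/29/12 23:39:58  krbtgt/IPA.DOMAIN.TLD@IPA.DOMAIN.TLD
        renew until 04/04/12 23:40:01
03/28/12 23:41:10  03/29/12 23:39:58  HTTP/webserver01.ipa.domain.tld@IPA.DOMAIN.TLD
EOF
}

# Constructed sample: only the TGT is cached, no HTTP service ticket.
sample_tgt_only() {
    cat <<'EOF'
Default principal: user@IPA.DOMAIN.TLD

Valid starting     Expires            Service principal
03/28/12 23:40:01  03/29/12 23:39:58  krbtgt/IPA.DOMAIN.TLD@IPA.DOMAIN.TLD
EOF
}
```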


Freeipa-users mailing list
