On 7 Jun 2007, at 15:24, " " <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> wrote:
> mod_auth_kerb works great in the right conditions. You must be using
> IE or a newer Firefox. Linux works great (not sure about other Unix
> systems). On Windows the two browsers can only acquire credentials
> from the LSA which means the workstation needs to be joined to a
> domain, I believe.

It works with both recent Opera and Safari too, for some definition of works.

Where you hit problems is where the name of your webserver is not the hostname of your machine. Different browsers handle this situation in different ways. Some (Firefox) use the DNS to canonicalise the name - so meaning that you (should) always see GSSAPI requests for HTTP/<hostname> principals. Others (Safari) use the name as entered by the user with no canonicalisation.

Ultimately, this means you may need to have a keytab containing multiple different principals for your service, and have mod_auth_kerb accept any one of these principals. Unfortunately, the code isn't there to do that in current mod_auth_kerb's. Russ posted a patch by iterating through every key in the keytab - that should be available from the mod_auth_kerb mailing list. I also have a simpler patch that uses the new behaviour of gss_accept_sec_context when the server credentials are set to GSS_C_NO_CREDENTIAL, that I must contribute upstream.

Cheers,

Simon.

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
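
Added example, not part of the original message: a small audit of which HTTP/ principals clients may request for a web server (both the DNS-canonicalised name and the name as typed, the two browser behaviours described above) compared against the principals present in `klist -k` style keytab output. The realm, host names, CNAME table and keytab listing are constructed sample data, and canonicalisation is simplified to following CNAME aliases.

```python
import re

# Constructed sample data (assumptions for illustration, not from the post).
REALM = "EXAMPLE.ORG"
CNAMES = {"www.example.org": "web01.example.org"}  # alias -> canonical name
KLIST_K = """\
Keytab name: FILE:/etc/httpd/http.keytab
KVNO Principal
---- ----------------------------------------------
   3 HTTP/web01.example.org@EXAMPLE.ORG
   3 HTTP/web01.example.org@EXAMPLE.ORG
"""

def canonicalise(name, cnames):
    """Follow CNAME aliases to the canonical host, guarding against loops."""
    seen = set()
    while name in cnames and name not in seen:
        seen.add(name)
        name = cnames[name]
    return name

def requested_principals(typed_names, cnames, realm):
    """Principals clients may request: as typed and after canonicalisation."""
    wanted = set()
    for typed in typed_names:
        host = typed.strip().rstrip(".").lower()
        for candidate in (host, canonicalise(host, cnames)):
            wanted.add(f"HTTP/{candidate}@{realm}")
    return wanted

def keytab_principals(klist_text):
    """Extract principal names from `klist -k` style output (one per key)."""
    rows = re.findall(r"^\s*\d+\s+(\S+@\S+)\s*$", klist_text, re.MULTILINE)
    return set(rows)

def missing_principals(typed_names, cnames, realm, klist_text):
    """Principals a client may ask for that have no key in the keytab."""
    wanted = requested_principals(typed_names, cnames, realm)
    return sorted(wanted - keytab_principals(klist_text))

if __name__ == "__main__":
    for p in missing_principals(["www.example.org"], CNAMES, REALM, KLIST_K):
        print("no key for", p)
```

Any principal reported as missing is one that a non-canonicalising client would request and the server could not accept with this keytab.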
