Jaap Winius <[email protected]> writes: > Until recently, using ssh with Kerberos authentication to connect to > these same hosts was also a problem, until I set GSSAPIStrictAcceptorCheck > to 'off' in sshd_config and added lots of host keys to the system keytab > to match the reverse lookup names of the machine's various interfaces.
> Can the same thing somehow be achieved with libapache2-mod-auth-kerb > v5.4-2 (for Debian wheezy), Yes, but I'm confused because you're already doing what you should do in order to support this. > Right now my configuration looks like: > AuthType Kerberos > KrbAuthRealms EXAMPLE.COM > KrbServiceName Any > Krb5Keytab /etc/apache2/krb5-apache.keytab > KrbLocalUserMapping On > AuthName "Example login" KrbServiceName Any is the key setting. This works for us. > Like with the ssh solution, I've added http keys to this keytab to match > all of the machine's interfaces, but in this case the result is still > negative. Make sure that you added HTTP keys (all caps), not lowercase http. The case matters. Also, different browsers want different things here. Some browers want keys that match the hostname in the URL that the user typed. Other browsers want keys that match the hostname resulting from forward and reverse DNS resolution of that hostname. So you need to add both. -- Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/> ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
