Hi,

On Wed, Feb 21, 2007 at 06:41:42PM +1000, Bradley Schatz wrote:
> Hi Mark,
>
> For some background, I am actually trying to set up a http kerberos service
> so that I can use mod_auth_krb in apache2.
>
> Would net ads join createupn=http/foundry.example.local do the trick?

no. That command only creates a user principal name for the machine
account. So that you could obtain kerberos tickets as
http/foundry.example.local, i.e. you could become the identity of
http/foundry.example.local.

If you want to kerberize apache, you need to create a service principal
on the active directory controller: HTTP/foundry.example.local (note:
HTTP is uppercase). And you need to create a keytab file for apache.
This can be done by samba via

  net ads keytab ADD HTTP/foundry.example.com

This would add some HTTP entries to /etc/krb5.keytab. Typically apache
is not running as root, so it cannot read /etc/krb5.keytab. Therefore
you should move the HTTP entries to a separate keytab file which apache
can read. This could be done by ktutil or by setting the environment
variable "KRB5_KTNAME".

> I am on 3.0.22, which does not support this syntax. Any work-arounds?

"createupn" was a new feature in 3.0.23a...

- Mark

> On 2/21/07, Mark Proehl <[EMAIL PROTECTED]> wrote:
> >
> >Hi,
> >
> >try
> >
> > net ads join createupn=host/foundry.example.local
> >
> >- Mark
> >
> >On Tue, Feb 20, 2007 at 05:57:47PM +1000, Bradley Schatz wrote:
> >> I suspect I might be grossly misunderstanding kerberos and AD here, but I
> >> can't seem to grok the following.
> >>
> >> net ads join integrates my linux samba server (named foundry) into an AD
> >> domain and all works fine. The samba server is using the kerberos keytab.
> >>
> >> [EMAIL PROTECTED]:~ # kinit -k -t /etc/krb5.keytab foundry$
> >> [EMAIL PROTECTED]:~ # kinit -k -t /etc/krb5.keytab host/foundry.example.local
> >> kinit(v5): Client not found in Kerberos database while getting initial
> >> credentials
> >>
> >> Why can't kinit find the service host/foundry.example.local in the AD
> >> Kerberos database? It seems to be in the local linux server keylist:
> >>
> >> [EMAIL PROTECTED]:~ # klist -k
> >> Keytab name: FILE:/etc/krb5.keytab
> >> KVNO Principal
> >> ---- --------------------------------------------------------------------------
> >>    2 host/[EMAIL PROTECTED]
> >>    2 host/[EMAIL PROTECTED]
> >> .... cut ...
> >>
> >> What am I missing here?
> >>
> >> Thanks,
> >>
> >> Bradley
> >--
> >To unsubscribe from this list go to the following URL and read the
> >instructions: https://lists.samba.org/mailman/listinfo/samba

--
Kind regards,
Mark Pröhl

_______________________________________________creating IT solutions
Mark Proehl                         phone +49(0)7071 9457-591
Senior Solutions Engineer           fax   +49(0)7071 9457-411
CAx Professional Services
science + computing ag              [EMAIL PROTECTED]
Hagellocher Weg 71-75               [EMAIL PROTECTED]
D-72070 Tuebingen, Germany          www.science-computing.de
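Mark's advice is to move the HTTP entries out of /etc/krb5.keytab into a keytab that the apache user can read. The following is an added example, not code from this thread or from Samba: it parses the MIT keytab file format (version 0x0502) and copies the HTTP/ entries byte-for-byte into a separate keytab, which is what ktutil does interactively. The sample keytab, its key bytes and the realm EXAMPLE.LOCAL are constructed assumptions.

```python
import struct
KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab file format, version 2

def _cos(b, pos):  # counted octet string: uint16 big-endian length, then bytes
    n, = struct.unpack_from(">H", b, pos)
    return b[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Yield (components, realm, raw_entry_bytes) for each live entry."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos = 2
    while pos + 4 <= len(data):
        size, = struct.unpack_from(">i", data, pos)
        if size <= 0:  # a negative size marks a deleted slot of that length
            pos += 4 + abs(size)
            continue
        p = pos + 4
        ncomp, = struct.unpack_from(">H", data, p); p += 2
        realm, p = _cos(data, p)
        comps = []
        for _ in range(ncomp):
            c, p = _cos(data, p); comps.append(c)
        entry, pos = data[pos:pos + 4 + size], pos + 4 + size
        yield comps, realm, entry

def split_service(data, service=b"HTTP"):
    """Return (keytab holding only service/... entries, keytab with the rest)."""
    svc, rest = bytearray(KEYTAB_MAGIC), bytearray(KEYTAB_MAGIC)
    for comps, _, raw in parse_keytab(data):
        (svc if comps and comps[0] == service else rest).extend(raw)  # entry kept verbatim
    return bytes(svc), bytes(rest)

def principals(data):
    """Principal names as 'klist -k' would list them."""
    return [b"/".join(c).decode() + "@" + r.decode() for c, r, _ in parse_keytab(data)]

def _entry(service, host, realm, kvno, key):
    """Build one constructed v2 entry (name type 1, enctype 23 = RC4-HMAC)."""
    body = struct.pack(">H", 2) + struct.pack(">H", len(realm)) + realm
    for c in (service, host):
        body += struct.pack(">H", len(c)) + c
    body += struct.pack(">IIB", 1, 1171000000, kvno)  # name type, timestamp, 8-bit kvno
    body += struct.pack(">HH", 23, len(key)) + key + struct.pack(">I", kvno)  # key, 32-bit kvno
    return struct.pack(">i", len(body)) + body

# Constructed sample of /etc/krb5.keytab after "net ads join" plus "net ads keytab add HTTP/...".
SAMPLE = KEYTAB_MAGIC + b"".join([
    _entry(b"host", b"foundry.example.local", b"EXAMPLE.LOCAL", 2, b"\x11" * 16),
    _entry(b"host", b"foundry", b"EXAMPLE.LOCAL", 2, b"\x11" * 16),
    _entry(b"HTTP", b"foundry.example.local", b"EXAMPLE.LOCAL", 2, b"\x22" * 16),
])
```

Write the first returned keytab to its own file with mode 0600 owned by the apache user and point KRB5_KTNAME at it, leaving /etc/krb5.keytab readable by root only; because entries are copied unchanged, kvno and enctype stay exactly what the domain controller issued.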
