It's not you that doesn't understand - it is me. Firstly, I still don't fully understand Kerberos, and secondly, I am (almost) blindly following this guide to mod_auth_kerb located at http://www.grolmsnet.de/kerbtut/ to set it up.
On 2/26/07, Mark Proehl <[EMAIL PROTECTED]> wrote:
Active Directory environment it would also be possible if you created HTTP/foundry.example.local as a user principal name. But it is not necessary for kerberizing apache.
OK. So in the tutorial kinit is generating a TGT from the user principal generated earlier in the tut. The variation suggested by you is to net ads keytab ADD HTTP which added a HTTP service principal to the existing host principal. Skipping trying to generate a TGT for a service principal, I just tried running mod_auth_kerb.

Thanks! It all works.

Now, a couple of other questions if you don't mind. Firstly, is there some command line way that I can test that the net ads keytab ADD HTTP worked correctly?

Also, with regards to generating an apache specific keytab, I have successfully used read_kt to load my /etc/krb5.keytab then write_kt to write it into /etc/apache2/http_svn.krb5keytab (my apache specific keytab). There are currently 168 keys in the keytab, some added by adding the HTTP service principal, the rest by net ads join for samba (which is running on the same server). Can I eliminate all but the HTTP service principals from the apache specific keytab?

Thanks,
Bradley
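For the read_kt / write_kt step described in the message above, the following is an added example (not part of the original post and not the tutorial's code) showing one way to reduce a keytab to its HTTP/ entries. It assumes MIT ktutil and its delete_entry command; the realm EXAMPLE.LOCAL, the sample listing and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of MIT ktutil "list" output (not taken from the post).
SAMPLE_LIST='slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 host/foundry.example.local@EXAMPLE.LOCAL
   2    2 host/foundry.example.local@EXAMPLE.LOCAL
   3    2 HTTP/foundry.example.local@EXAMPLE.LOCAL
   4    2 FOUNDRY$@EXAMPLE.LOCAL
   5    2 HTTP/foundry.example.local@EXAMPLE.LOCAL'

# Print "kvno principal" for every HTTP/ entry in a listing read from stdin.
# An empty result means the HTTP service principal never reached the keytab.
http_entries() {
    awk '$1 ~ /^[0-9]+$/ && $3 ~ /^HTTP\// { print $2, $3 }'
}

# Print the slots of all entries that are NOT HTTP/ principals, highest first.
# ktutil renumbers the remaining slots after each delete_entry, so deleting
# from the top down keeps the lower slot numbers valid.
slots_to_delete() {
    awk '$1 ~ /^[0-9]+$/ && $3 !~ /^HTTP\// { print $1 }' | sort -rn
}

# Emit a ktutil command script: load SRC, drop non-HTTP slots, write DST.
# usage: prune_script SRC DST < listing
# DST should be a path that does not exist yet, so no old entries linger.
prune_script() {
    src=$1
    dst=$2
    echo "read_kt $src"
    slots_to_delete | while read -r slot; do
        echo "delete_entry $slot"
    done
    echo "write_kt $dst"
    echo "quit"
}
```

Feed the functions the output of ktutil's list command for the source keytab, review the generated commands, then pipe them into ktutil. The resulting file should be readable only by the account Apache runs as.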
