Hi all,

Some days ago I said on the freeipa IRC channel that the documentation on freeipa + apache + SNI (located here http://freeipa.org/page/Apache_SNI_With_Kerberos) was wrong.

I've set up an apache server with SNI and tested SSO with MIT Kerberos on Windows 7 64 bits + Firefox. On my Windows 7 client, SSO doesn't work if I set the "dummyhost" apache virtualhost Krb5KeyTab and KrbServiceName, but works if Krb5KeyTab and KrbServiceName are those of the real host. This behavior is reversed with the Fedora 17 + Firefox client: SSO works only if the "dummyhost" apache virtualhost Krb5KeyTab and KrbServiceName are those of the "dummyhost".

So, the conclusion is: the documentation is good for Linux clients (at least on Fedora 17 + Firefox), but not for Windows clients.

I think it would be good to have the same behavior on Linux and Windows clients, because it will be painful in cross-platform environments if it stays like this. rcrit said on IRC that you are working on v3 at this time; it would be good to know if v3.0 has the same behavior, but I don't have the resources at this time to set up another test environment with the v3 beta.

Detailed test configuration (see attached apache config extract for virtualhost configuration):

IPA server:
    OS: CentOS 6.3
    IPA: ipa-server.x86_64 2.2.0-16.el6
    389 ds: 389-ds-base.x86_64 1.2.10.2-20.el6_3
    IPA Realm: EXAMPLE.COM

Apache SNI server:
    OS: CentOS 6.3
    real hostname: projects.foo.example.com
    dummy host 1: svn.example.com
    dummy host 2: redmine.example.com
    [...]

Windows client:
    OS: Windows 7 64Bits
    Browser: Firefox 15.0.1, 14.0.x (32bits)
    MIT Kerberos dist: 3.2.2 (32bits) (http://web.mit.edu/kerberos/dist/)

GNU/Linux client:
    OS: Fedora 17 x86_64
    Browser: Firefox 15 (latest provided by Fedora)
    Kerberos: (latest provided by Fedora)

Have a nice day.

Regards.
Baptiste.

Attachments:
    works_with_linux_clients.conf
    works_with_windows7_clients.conf
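
Added example, not part of the original post and not a copy of its attachments: a constructed mod_auth_kerb virtual host for svn.example.com showing the two Krb5KeyTab/KrbServiceName variants the message compares. The certificate and keytab paths are placeholders, and writing KrbServiceName as a full principal is an assumption about how the setting was expressed.

```apache
# Constructed sketch of the svn.example.com name-based (SNI) virtual host
# on the Apache server whose real hostname is projects.foo.example.com.
# Certificate and keytab paths are placeholders, not values from the post.
NameVirtualHost *:443

<VirtualHost *:443>
    ServerName svn.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/svn.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/svn.example.com.key

    <Location />
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate on
        KrbMethodK5Passwd off
        KrbAuthRealms EXAMPLE.COM

        # Variant A: keytab and service name of the "dummyhost" itself.
        # Reported in the post: SSO works from Fedora 17 + Firefox,
        # does not work from Windows 7 + MIT Kerberos + Firefox.
        Krb5KeyTab     /etc/httpd/conf/svn.example.com.keytab
        KrbServiceName HTTP/svn.example.com@EXAMPLE.COM

        # Variant B: keytab and service name of the real host.
        # Reported in the post: SSO works from Windows 7 + MIT Kerberos
        # + Firefox, does not work from Fedora 17 + Firefox.
        # Enable these two lines instead of the Variant A pair.
        # Krb5KeyTab     /etc/httpd/conf/projects.foo.example.com.keytab
        # KrbServiceName HTTP/projects.foo.example.com@EXAMPLE.COM

        Require valid-user
    </Location>
</VirtualHost>
```

Running klist on each client after a request lists the HTTP/ service ticket it obtained, which shows the principal the server-side keytab and service name have to match.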