Re: [Freeipa-users] IE or Firefox Apache Kerberos authentication
Thanks, Is the article about http principals for apache still relevant? I would guess that with gss-proxy (F19) it is much simpler. Ondrej Odesláno ze Samsung Mobile Původní zpráva Od: Christian Horn ch...@fluxcoil.net Datum: Komu: freeipa-users@redhat.com Předmět: Re: [Freeipa-users] IE or Firefox Apache Kerberos authentication Hi, On Mon, Sep 16, 2013 at 04:04:49PM +, Ondrej Valousek wrote: Is there any howto describing Firefox (or IE, if possible) authenticating against Apache web server using GSSAPI/Kerberos? Both client server in the same IPA domain. Ideally I would like to know FF and Apache setup + compatibility info (i.e. does IE + IIS use the same thing or not) Not aware of a includes all-guide, but would start here: - adding the HTTP service principal: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#adding-service-entry-cmd http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/managing-services.html#adding-service-entry - when you host multiple kerberized sites on the server (access required a Red Hat subscription): https://access.redhat.com/site/solutions/206623 - apache side config: http://modauthkerb.sourceforge.net/configure.html - firefox client side config: http://www.grolmsnet.de/kerbtut/firefox.html Christian ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IE or Firefox Apache Kerberos authentication
On Mon, 2013-09-16 at 18:35 +, Ondrej Valousek wrote: Thanks, I hoped that with gssproxy I could use a single central /etc/krb5.keytab (with all necessary principals) for nfs, apache, dhcpd,... and not worrying about file permissions. The beauty would be saved work with copying principals to separate files. Is it true? Yes, you can keep the principal's keys wherever you want with gssproxy, although I would personally still use separate keytabs for ease of management should you need to change just one set of keys. Simo. Ondrej Odesláno ze Samsung Mobile Původní zpráva Od: Simo Sorce s...@redhat.com Datum: Komu: Ondrej Valousek ovalou...@vendavo.com Kopie: ch...@fluxcoil.net,freeipa-users@redhat.com Předmět: Re: [Freeipa-users] IE or Firefox Apache Kerberos authentication On Mon, 2013-09-16 at 17:04 +, Ondrej Valousek wrote: Thanks, Is the article about http principals for apache still relevant? I would guess that with gss-proxy (F19) it is much simpler. You still need a princiapl and a keytab yes. Here instructions if you want to use iot with GSS-Proxy: https://fedorahosted.org/gss-proxy/wiki/Apache HTH, Simo. Ondrej Odesláno ze Samsung Mobile Původní zpráva Od: Christian Horn ch...@fluxcoil.net Datum: Komu: freeipa-users@redhat.com Předmět: Re: [Freeipa-users] IE or Firefox Apache Kerberos authentication Hi, On Mon, Sep 16, 2013 at 04:04:49PM +, Ondrej Valousek wrote: Is there any howto describing Firefox (or IE, if possible) authenticating against Apache web server using GSSAPI/Kerberos? Both client server in the same IPA domain. Ideally I would like to know FF and Apache setup + compatibility info (i.e. does IE + IIS use the same thing or not) Not aware of a includes all-guide, but would start here: - adding the HTTP service principal: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#adding-service-entry-cmd http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/managing-services.html#adding-service-entry - when you host multiple kerberized sites on the server (access required a Red Hat subscription): https://access.redhat.com/site/solutions/206623 - apache side config: http://modauthkerb.sourceforge.net/configure.html - firefox client side config: http://www.grolmsnet.de/kerbtut/firefox.html Christian ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Simo Sorce * Red Hat, Inc * New York -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IE or Firefox Apache Kerberos authentication
Thanks, I hoped that with gssproxy I could use a single central /etc/krb5.keytab (with all necessary principals) for nfs, apache, dhcpd,... and not worrying about file permissions. The beauty would be saved work with copying principals to separate files. Is it true? Ondrej Odesláno ze Samsung Mobile Původní zpráva Od: Simo Sorce s...@redhat.com Datum: Komu: Ondrej Valousek ovalou...@vendavo.com Kopie: ch...@fluxcoil.net,freeipa-users@redhat.com Předmět: Re: [Freeipa-users] IE or Firefox Apache Kerberos authentication On Mon, 2013-09-16 at 17:04 +, Ondrej Valousek wrote: Thanks, Is the article about http principals for apache still relevant? I would guess that with gss-proxy (F19) it is much simpler. You still need a princiapl and a keytab yes. Here instructions if you want to use iot with GSS-Proxy: https://fedorahosted.org/gss-proxy/wiki/Apache HTH, Simo. Ondrej Odesláno ze Samsung Mobile Původní zpráva Od: Christian Horn ch...@fluxcoil.net Datum: Komu: freeipa-users@redhat.com Předmět: Re: [Freeipa-users] IE or Firefox Apache Kerberos authentication Hi, On Mon, Sep 16, 2013 at 04:04:49PM +, Ondrej Valousek wrote: Is there any howto describing Firefox (or IE, if possible) authenticating against Apache web server using GSSAPI/Kerberos? Both client server in the same IPA domain. Ideally I would like to know FF and Apache setup + compatibility info (i.e. does IE + IIS use the same thing or not) Not aware of a includes all-guide, but would start here: - adding the HTTP service principal: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#adding-service-entry-cmd http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/managing-services.html#adding-service-entry - when you host multiple kerberized sites on the server (access required a Red Hat subscription): https://access.redhat.com/site/solutions/206623 - apache side config: http://modauthkerb.sourceforge.net/configure.html - firefox client side config: http://www.grolmsnet.de/kerbtut/firefox.html Christian ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IE or Firefox Apache Kerberos authentication
On Mon, 2013-09-16 at 17:04 +, Ondrej Valousek wrote: Thanks, Is the article about http principals for apache still relevant? I would guess that with gss-proxy (F19) it is much simpler. You still need a princiapl and a keytab yes. Here instructions if you want to use iot with GSS-Proxy: https://fedorahosted.org/gss-proxy/wiki/Apache HTH, Simo. Ondrej Odesláno ze Samsung Mobile Původní zpráva Od: Christian Horn ch...@fluxcoil.net Datum: Komu: freeipa-users@redhat.com Předmět: Re: [Freeipa-users] IE or Firefox Apache Kerberos authentication Hi, On Mon, Sep 16, 2013 at 04:04:49PM +, Ondrej Valousek wrote: Is there any howto describing Firefox (or IE, if possible) authenticating against Apache web server using GSSAPI/Kerberos? Both client server in the same IPA domain. Ideally I would like to know FF and Apache setup + compatibility info (i.e. does IE + IIS use the same thing or not) Not aware of a includes all-guide, but would start here: - adding the HTTP service principal: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#adding-service-entry-cmd http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/managing-services.html#adding-service-entry - when you host multiple kerberized sites on the server (access required a Red Hat subscription): https://access.redhat.com/site/solutions/206623 - apache side config: http://modauthkerb.sourceforge.net/configure.html - firefox client side config: http://www.grolmsnet.de/kerbtut/firefox.html Christian ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] IE or Firefox Apache Kerberos authentication
Hi, On Mon, Sep 16, 2013 at 04:04:49PM +, Ondrej Valousek wrote: Is there any howto describing Firefox (or IE, if possible) authenticating against Apache web server using GSSAPI/Kerberos? Both client server in the same IPA domain. Ideally I would like to know FF and Apache setup + compatibility info (i.e. does IE + IIS use the same thing or not) Not aware of a includes all-guide, but would start here: - adding the HTTP service principal: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#adding-service-entry-cmd http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/managing-services.html#adding-service-entry - when you host multiple kerberized sites on the server (access required a Red Hat subscription): https://access.redhat.com/site/solutions/206623 - apache side config: http://modauthkerb.sourceforge.net/configure.html - firefox client side config: http://www.grolmsnet.de/kerbtut/firefox.html Christian ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users