Actually, scratch that. I just discovered that through using AuthType KerberosV5 instead of AuthType Kerberos, it seems to accept my entry in KrbServiceName. That's not to say it's working; I've still a way to go for that I think.

Martin Goldstone | IT Technician
Newcastle-under-Lyme College, Staffordshire, ST5 2DF
01782 254307 | [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Martin Goldstone
Sent: 23 May 2006 17:44
To: [email protected]
Subject: RE: Problem using KrbServiceName

By the way, I'm using 5.0rc6. Do you know of a version which definitely supported fully qualified principals? Could it be down to something else rather than the version of mod_auth_kerb?

Martin Goldstone | IT Technician
Newcastle-under-Lyme College, Staffordshire, ST5 2DF
01782 254307 | [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard E. Silverman
Sent: 23 May 2006 06:47
To: [email protected]
Subject: Re: Problem using KrbServiceName

>>>>> "MG" == "Martin Goldstone" <[EMAIL PROTECTED]> writes:

Why do you have two different principals for this service? There should be only one, and in fact there *can* be only one, since mod_auth_kerb will only take one as its identity (and report "wrong principal in request" if a client uses the wrong one).

As for "hostname cannot be canonicalized," check the version of mod_auth_kerb you're running -- I think using a fully-qualified principal was added later on.

MG> Hi, I'm getting further along with my problem, and I think it's
MG> coming down to the fact that we've got 2 AD domains here.

MG> Right now, I'm having problems using the KrbServiceName directive
MG> in .htaccess.

MG> I've had to get two different principals mapped to user accounts
MG> and put in the keytab (one for each AD domain) using ktpass.exe,
MG> and now my machine is getting a ticket for the service principal
MG> for the webserver (as shown by kerbtray.exe). However, the error
MG> log on the webserver is telling me "Wrong principal in request".

MG> I've tried adding a KrbServiceName directive, but I consistently
MG> get an error message that reads "Hostname cannot be canonicalized"
MG> if I include the realm, or "No principal in keytab matches desired
MG> name" if I don't. What I suspect I need is
MG> HTTP/[EMAIL PROTECTED] (which is the service
MG> principal mapped to the user account on the domain.ac.uk AD
MG> domain), along with HTTP/[EMAIL PROTECTED]
MG> (which is the equivalent on the nulcollege.ac.uk AD domain, and
MG> also I believe is the principal that the server is expecting).
MG> However, when I enter either the full
MG> HTTP/[EMAIL PROTECTED] I get the first error
MG> message, and when I enter HTTP/webtest.nulcollege.ac.uk I get the
MG> second one.

MG> Can someone tell me where I'm going wrong with this directive?
MG> Any examples for entries that actually work? Would I be better off
MG> just mapping a new service principal such as
MG> www/[EMAIL PROTECTED] on the domain.ac.uk AD
MG> domain to avoid having two service principals starting with the
MG> same string?

MG> Thanks in advance for any advice given.

MG> Martin Goldstone | IT Technician Newcastle-under-Lyme College,
MG> Staffordshire, ST5 2DF 01782 254307 | [EMAIL PROTECTED]
MG> ________________________________________________
MG> Kerberos mailing list [email protected]
MG> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Richard Silverman
[EMAIL PROTECTED]
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
