

I have an Active Directory domain that resembles 'AD.EXAMPLE.COM'.
I've installed an Apache server that has an FQDN that is slightly different
from my AD Domain name: 'apache.example.com' (without the AD).

I'm trying to configure a Kerberos pass-through authentication to the Apache server
via mod_auth_kerb, and while generating the keytab I used the following SPN:

HTTP/apache.example.com@AD.EXAMPLE.COM

As the form should be (according to documentation): HTTP/FQDN@REALM

The relevant http.conf portion of the configuration file is as follows:

<Location "/secure">
   AuthType Kerberos
   AuthName "Kerberos Login"
   KrbMethodNegotiate On
   KrbMethodK5Passwd On
   KrbAuthRealms AD.EXAMPLE.COM
   KrbLocalUserMapping On
   KrbServiceName HTTP
   Krb5KeyTab /etc/httpd/conf.d/apache.keytab
   require valid-user
</Location>

When I try to access the Apache server from inside the domain, I get a prompt
to enter my password, so pass-through auth isn't working.
What am I missing?

Thanks in advance.

nadavr

1 Answer

You'll probably want to set KrbMethodK5Passwd to off. Source: http://modauthkerb.sourceforge.net/configure.html

KrbMethodK5Passwd on | off

(set to on by default)

To enable or disable the use of password based authentication for Kerberos v5.
narwahl
  • Also, same source: `Reminder, you need to set the appropriate AllowOverride directive in your server access configuration so that a different AuthType will be allowed.` – narwahl Mar 05 '17 at 00:55
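
A small consistency check for the setup discussed in this thread, as an added example that is not part of either post and not mod_auth_kerb's own code: it parses the `<Location>` block, compares `KrbServiceName` and `KrbAuthRealms` with the keytab SPN, and reports whether password-based authentication is enabled. The function names and finding codes are hypothetical, and treating an absent `KrbMethodNegotiate` as on and `Any` as a wildcard `KrbServiceName` are assumptions.

```python
import re

# Constructed sample: the <Location> block and SPN quoted in the question.
SAMPLE_CONF = """
<Location "/secure">
   AuthType Kerberos
   AuthName "Kerberos Login"
   KrbMethodNegotiate On
   KrbMethodK5Passwd On
   KrbAuthRealms AD.EXAMPLE.COM
   KrbLocalUserMapping On
   KrbServiceName HTTP
   Krb5KeyTab /etc/httpd/conf.d/apache.keytab
   require valid-user
</Location>
"""
SAMPLE_SPN = "HTTP/apache.example.com@AD.EXAMPLE.COM"

def parse_locations(conf_text):
    """Map each <Location> path to its directives (names lower-cased)."""
    blocks, current = {}, None
    for line in (raw.strip() for raw in conf_text.splitlines()):
        opened = re.match(r'<Location\s+"?([^">]+)"?\s*>$', line, re.I)
        if opened:
            current = blocks.setdefault(opened.group(1), {})
        elif re.match(r"</Location\s*>$", line, re.I):
            current = None
        elif current is not None and line and not line.startswith("#"):
            name, *rest = line.split(None, 1)
            current[name.lower()] = rest[0].strip() if rest else ""
    return blocks

def lint_kerberos(directives, spn):
    """Return finding codes for one block, checked against the keytab SPN."""
    parts = re.fullmatch(r"([^/@]+)/([^/@]+)@([^/@]+)", spn)
    if not parts:
        return ["spn-not-service/fqdn@realm"]
    service, _fqdn, realm = parts.groups()
    findings = []
    configured = directives.get("krbservicename", service)
    if configured.lower() != "any" and configured.split("/")[0] != service:
        findings.append("service-name-mismatch")
    if realm not in directives.get("krbauthrealms", realm).split():
        findings.append("realm-not-in-krbauthrealms")
    if directives.get("krbmethodnegotiate", "on").lower() == "off":
        findings.append("negotiate-disabled")
    # On is the default per the documentation quoted in the answer.
    if directives.get("krbmethodk5passwd", "on").lower() == "on":
        findings.append("password-fallback-enabled")
    return findings
```

For the configuration in the question, `lint_kerberos(parse_locations(SAMPLE_CONF)["/secure"], SAMPLE_SPN)` returns only `password-fallback-enabled`: the service name and realm already agree with the SPN.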