[Samba] SAMBA Kerberos misunderstanding

Bradley Schatz blschatz at gmail.com
Sun Feb 25 22:19:51 GMT 2007

Its not you that doesn't understand - it is me. Firstly I still dont fully
understand kerberos, and secondly, I am (almost) blindly following this
guide to mod_auth_krb located at http://www.grolmsnet.de/kerbtut/ to set it

On 2/26/07, Mark Proehl <M.Proehl at science-computing.de> wrote:
> Active Directory environment it would also be possible if you created
> HTTP/foundry.example.local as a user principal name. But it is not
> necessary for kerberizing apache.

OK. So in the tutorial kinit is generating a TGT from the user principal
generated earlier in the tut. The variation suggested by you is to

net ads keytab ADD HTTP

which added a HTTP service principal to the existing host principal.
Skipping trying to generate a TGT for a service principal, I just tried
running mod_auth_kerb..

Thanks! It all works.

Now, a couple of other questions if you dont mind.

Firstly, is there some command line way that I can test that the net ads
keytab ADD HTTP worked correctly?

Also, with regards to generating an apache specific keytab, I have
successfully used read_kt to load my /etc/krb5.keytab then write_kt to write
it into /etc/apache2/http_svn.krb5keytab (my apache specific keytab).

There are currently 168 keys in the keytab, some added by adding the HTTP
service principal, the rest by net ads join for samba (which is running on
the same server). Can I eliminate all but the HTTP service principals from
the apache specific keytab?



More information about the samba mailing list