I have a few hosts with multiple cnames serving different websites.
I need to have authentication from Kerberos and LDAP authz. This works just fine when I
have one service per host.
But when I add multiple services on the host, it's not working.
What I have is this:
I create a service in IdM:
HTTP/server.example.com
I add the CNAMES as aliases on the keytab.
So, my Principal alias has 3-4 entries:
1. HTTP/server.example.com
2. HTTP/cname1.example.com
3. HTTP/cname2.example.com
4. HTTP/cname3.example.com
Then I download the keytab on the server and I have the following apache configuration:
<VirtualHost *:443>
    ServerName cnameX.example.com
    ServerAlias cnameX.example.com
    <Location />
        AuthType Kerberos
        AuthName "Login via IdM"
        KrbMethodNegotiate on
        KrbServiceName HTTP/cnameX.example.com
        Krb5Keytab /etc/httpd/http_hostname.keytab
        KrbSaveCredentials on
        AuthLDAPUrl "ldaps://ipamaster.example.com ipa.example.com/dc=example,dc=com?krbPrincipalName"
        AuthLDAPBindDN "uid=appusers,cn=sysaccounts,cn=etc,dc=example,dc=com"
        AuthLDAPBindPassword "secret"
        require ldap-group cn=mygroup,cn=groups,cn=accounts,dc=example,dc=com
    </Location>
</VirtualHost>
But when I try to log in, I get this error:
failed to verify krb5 credentials: Decrypt integrity check failed
So, how do I enable Kerberos authentication for each virtual host? What am I doing wrong
here?