I have a few hosts with multiple cnames serving different websites. I need to have Authentication from Kerberos and LDAP authz. This works just fine when I have one service per host.
But, when I add multiple services on the host, it's not working.
What I have is this:
I create a service in IdM: HTTP/server.example.com
I add the CNAMES as aliases on the keytab. So, my Principal alias has 3-4 entries:
1. HTTP/server.example.com
2. HTTP/cname1.example.com
3. HTTP/cname2.example.com
4. HTTP/cname3.example.com
Then I download the keytab on the server and I have the following apache configuration:
<VirtualHost *:443>
    ServerName cnameX.example.com
    ServerAlias cnameX.example.com
    <Location />
        AuthType Kerberos
        AuthName "Login via IdM"
        KrbMethodNegotiate on
        KrbServiceName HTTP/cnameX.example.com
        Krb5Keytab /etc/httpd/http_hostname.keytab
        KrbSaveCredentials on
        AuthLDAPUrl "ldaps://ipamaster.example.com ipa.example.com/dc=example,dc=com?krbPrincipalName"
        AuthLDAPBindDN "uid=appusers,cn=sysaccounts,cn=etc,dc=example,dc=com"
        AuthLDAPBindPassword "secret"
        require ldap-group cn=mygroup,cn=groups,cn=accounts,dc=example,dc=com
    </Location>
</VirtualHost>
But when I try to login I get this error:
failed to verify krb5 credentials: Decrypt integrity check failed
So, how do I enable Kerberos authentication for each virtual host? What am I doing wrong here?
I forgot to mention, the most important thing: I don't have DNS on the IPA servers.
I solved this as follows:
1. Create a dummy host for each cname
2. Create a service for each dummy host
3. Create keytabs for each dummy service
4. Use the specific keytabs in Apache.
I am still sure that there is a better way, but for now it's OK for me.
freeipa-users@lists.fedorahosted.org
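As an added example, not part of the original thread: a small POSIX shell check for the failure described above. It confirms that the keytab an Apache vhost points at really contains the principal given in KrbServiceName, and that the key version (kvno) in the keytab matches the one the KDC issues tickets under; a missing entry or a stale kvno is what typically produces "Decrypt integrity check failed". The klist and kvno output embedded below is constructed sample data, and the hostnames, realm and kvno values are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the keytab an Apache
# vhost uses really holds the principal named in KrbServiceName and that its
# key version (kvno) matches the KDC. Names and kvnos below are constructed.

# Constructed `klist -kte` output for the keytab fetched for the canonical
# HTTP/server.example.com principal: the CNAME aliases are not listed as entries.
SAMPLE_KLIST='Keytab name: FILE:/etc/httpd/http_hostname.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/01/2024 00:00:00 HTTP/server.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 01/01/2024 00:00:00 HTTP/server.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)'

# Constructed `kvno HTTP/server.example.com` output (MIT kvno format).
SAMPLE_KVNO='HTTP/server.example.com@EXAMPLE.COM: kvno = 3'

# keytab_kvnos KLIST_OUTPUT PRINCIPAL -> distinct kvno(s) for PRINCIPAL
# (klist prints one line per encryption type; the principal is field 4).
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v p="$2" '$4 == p { print $1 }' | sort -u
}

# kdc_kvno KVNO_OUTPUT -> the kvno the KDC currently issues tickets under
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# check_principal KLIST_OUTPUT KVNO_OUTPUT PRINCIPAL
# Returns 0 only if the keytab has exactly one kvno for PRINCIPAL and it
# equals the KDC's; prints a one-line verdict either way.
check_principal() {
    kt=$(keytab_kvnos "$1" "$3")
    kdc=$(kdc_kvno "$2")
    n=$(printf '%s\n' "$kt" | wc -l | tr -d ' ')
    if [ -z "$kt" ]; then
        echo "MISSING: $3 has no entry in the keytab"; return 1
    elif [ "$n" -ne 1 ]; then
        echo "MIXED: $3 has several kvnos in the keytab"; return 1
    elif [ "$kt" != "$kdc" ]; then
        echo "STALE: keytab kvno $kt but KDC kvno $kdc for $3"; return 1
    fi
    echo "OK: $3 kvno $kt matches the KDC"
}
# Live variant against the real tools; kvno needs a valid user ticket (kinit).
live_check() {  # live_check KEYTAB PRINCIPAL
    check_principal "$(klist -kte "$1")" "$(kvno "$2")" "$2"
}
```

Run `live_check /etc/httpd/http_hostname.keytab HTTP/cname1.example.com@EXAMPLE.COM` for each vhost's KrbServiceName; with the alias-only keytab from the post the cname principals report MISSING, which is why a keytab per service (or a keytab that actually lists that principal) is needed.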