[mdlug] OpenSuse 10.2/Apache 2.2/Active Directory

Morris, Tim tmorris at ugs.com
Mon Apr 9 09:19:03 EDT 2007


Hi everyone! I'm hoping someone can help me.

I am trying to set up a BackupPC server for a few systems in my office.
Ideally, I would like to have the users authenticate using their AD
(domain) credentials. I would also like to do it using the stock
software provided with OpenSuse 10.2, which is currently Apache 2.2. I'd
love to use a different distro, but the office is moving to Suse Ent.
(more or less) for some things, so I'd better get some experience with
it. I don't really care if Apache magically authenticates with Windows
(not asking for login/password), but I do want it to authenticate to the
domain controllers.

Currently, I have AD authentication set up for the Linux host. I can
log in as an AD user and it will create the home directory and
everything. Apache still doesn't work. Here's my config; I'm hoping
someone here will know what else to do:

/etc/pam.d/httpd
#%PAM-1.0
# For Domain Authentication
auth    sufficient      pam_winbind.so
auth    required        pam_unix.so

/etc/apache2/default-server.conf
(snip)
<Directory /opt/BackupPC3/www/cgi-bin/>
        AllowOverride AuthConfig
        Options ExecCGI FollowSymlinks
        AddHandler cgi-script .cgi
        DirectoryIndex index.cgi
        AuthType Kerberos
        AuthName "BackupPC admin"
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbAuthRealms My.Domain.Net
        Krb5KeyTab /etc/apache2/usdbback01.keytab
        require valid-user
</Directory>

I created the keytab file with the following command: (I think)
ktpass -princ USER@DOMAIN -mapuser USER -crypto DES-CBC-MD5 +DesOnly
-pass PASS -ptype KRB5_NT_PRINCIPAL -out etc/apache2/usdbback01.keytab

Error when using Firefox:
[Mon Apr 09 08:53:57 2007] [error] [client xxx.xxx.xxx.xxx] failed to
verify krb5 credentials: Server not found in Kerberos database

Error when using IE:
[Mon Apr 09 09:14:29 2007] [error] [client xxx.xxx.xxx.xxx]
gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may
provide more information (No principal in keytab matches desired name)

There is an account in the domain for the Suse computer. Do I need to
create another user account for the system or something? (I have read
this, but haven't tried yet since I have to apply for the account.)

I am about 2 days away from going back to Apache 2.0 and mod_auth, which
worked fine but is no longer supported.

Any help would be appreciated!

__________________________________________
Tim Morris
IT Support - Automotive Sector, Dearborn

1555 Fairlane Dr.
Allen Park, MI 48101 
(313) 317-6009 
UGS - Transforming the process of innovation 
__________________________________________
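
Added example, not part of the original post: both logged errors concern the web server's service principal. mod_auth_kerb, whose Krb* directives appear in the configuration above, by default looks for HTTP/<server FQDN>@REALM, so a keytab can be checked for that entry before Apache uses it. The Python below parses the MIT keytab file format (version 0x0502) and tests for that principal; the host name web.example.test, realm EXAMPLE.TEST, account name backupuser and the all-zero keys are constructed sample values.

```python
import struct

def _cstr(buf, off):
    """Read a counted octet string: 16-bit big-endian length, then the data."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def keytab_principals(data):
    """Return the principal names stored in a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    names, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted entry
            pos += -size
            continue
        entry = data[pos:pos + size]
        pos += size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, off = _cstr(entry, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _cstr(entry, off)
            comps.append(comp.decode())
        names.append("/".join(comps) + "@" + realm.decode())
    return names

def has_service_principal(data, fqdn, realm, service="HTTP"):
    """True if the keytab holds service/fqdn@realm (exact, case-sensitive match)."""
    return f"{service}/{fqdn}@{realm}" in keytab_principals(data)

def build_entry(realm, components, kvno=3, enctype=3, key=b"\x00" * 8):
    """Pack one entry for the constructed samples (enctype 3 is des-cbc-md5)."""
    pack = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(components)) + pack(realm.encode())
    body += b"".join(pack(c.encode()) for c in components)
    body += struct.pack(">IIB", 1, 0, kvno)   # KRB5_NT_PRINCIPAL, timestamp, 8-bit kvno
    body += struct.pack(">H", enctype) + pack(key)
    return struct.pack(">i", len(body)) + body

# Constructed samples: a keytab mapped to a user account, and one for the web service.
USER_KEYTAB = b"\x05\x02" + build_entry("EXAMPLE.TEST", ["backupuser"])
HTTP_KEYTAB = b"\x05\x02" + build_entry("EXAMPLE.TEST", ["HTTP", "web.example.test"])

if __name__ == "__main__":
    for label, kt in (("user", USER_KEYTAB), ("service", HTTP_KEYTAB)):
        found = has_service_principal(kt, "web.example.test", "EXAMPLE.TEST")
        print(label, keytab_principals(kt), "HTTP principal present:", found)
```

On a real system, pass the function the bytes read from the file named in Krb5KeyTab.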


