From: Clinton Ebadi <clinton@unknownlamer.org>
Date: Fri, 2 May 2014 03:47:31 +0000 (-0400)
Subject: mod_auth_kerb: Enabled KDC Verification and Negotiate
X-Git-Tag: release_20140509~9
X-Git-Url: https://git.hcoop.net/hcoop/domtool2.git/commitdiff_plain/2462aefc2f65464b9f2812d7c01b81c03d4ab9ff?ds=sidebyside

mod_auth_kerb: Enabled KDC Verification and Negotiate

Every <Location> that enables kerberos auth has to include the
keytab/service declarations. Since we're verifying the KDC, allow
gssapi negotiate.
---

diff --git a/src/plugins/apache.sml b/src/plugins/apache.sml
index d4f7fc8..29fdf05 100644
--- a/src/plugins/apache.sml
+++ b/src/plugins/apache.sml
@@ -874,7 +874,7 @@ val () = Env.action_one "authType"
 		  write "\n";
 		  case ty of
 		      "kerberos" => 
-		      write "\tKrbMethodNegotiate off\n\tKrbMethodK5Passwd on\n\tKrbVerifyKDC off\n\tKrbAuthRealms HCOOP.NET\n\tKrbSaveCredentials on\n"
+		      write "\tKrbServiceName apache2\n\tKrb5Keytab /etc/keytabs/service/apache\n\tKrbMethodNegotiate on\n\tKrbMethodK5Passwd on\n\tKrbVerifyKDC on\n\tKrbAuthRealms HCOOP.NET\n\tKrbSaveCredentials on\n"
 		    | _ => ())
 	     else
 		 print "WARNING: Skipped Kerberos authType because this isn't an SSL vhost.\n")