win 2000 server running dns, and dhcp. mac os x server 10.4.1 using
static ip with forward and reverse records set up on win dns, mac os
x client 10.4.1 using dhcp.
problem: safari and win ms ie 6 get 401 (authentication)
error when connecting to a kerberos realm on apache using self signed
default certificate.
result: ssl error message in apache server logs saying
hostnames dont match. can't find any kerberos errors.
comments: kerberos.app on the client lists a ticket for the
server. home directories are hosted on the server. the apache
virtualhost has a different name.
one group is added to the realm and has browse rights. everyone
cannot browse or make changes. when i switch to the realm to digest i
notice the following in the logs.
Sun Jun 12 14:07:05 2005] [error] [client <ipaddress>] Apple Digest:
Unable to authenticate for URI "/<path>/" from user "<username>" for
realm "<realmname>" at location "/Active Directory/<domain.tdl>" from
the directory (error = -14091).
when i switch to the realm to basic i notice the following in the logs.
Sun Jun 12 14:20:33 2005] [error] [client <ipaddress>] Checking user
access using lookupd failed, trying legacy method
[Sun Jun 12 14:20:33 2005] [error] [client <ipaddress>] access to /
<path>/ failed, reason: user <username> not allowed access
i can su to <username> on the server and id <username> lists the user
as part of the group that is in the realm. i plan to work on setting
up a self signed certificate with the new hostname but shouldn't
basic or digest work?
