Separate keytab with mod_auth_kerb



Hello all,

I'm having trouble getting my Apache/mod_auth_kerb configuration to
work. No matter what I do, it will only ever use /etc/krb5.keytab,
instead of what I set as Krb5KeyTab in httpd.conf.

The system is FreeBSD 7.0, with Heimdal 1.0.1 compiled from ports, but
it doesn't work with Heimdal 1.1, either. My Apache (2.2.8) is using
the prefork MPM.

I have verified that all the code in mod_auth_kerb that is supposed to
select the keytab (by setting the KRB5_KTNAME environment variable and
calling gsskrb5_register_acceptor_identity()) is run without any
obvious errors, but it doesn't have any effect. Neither has setting the
environment variable prior to starting Apache. Tracing the processes
shows that they don't even look at my custom keytab, but go straight
for the default file.

As far as I understand the mod_auth_kerb code, it doesn't appear to
call any GSSAPI functions before the keytab selection.

Making /etc/krb5.keytab a symlink to my custom file works, as does
setting default_keytab_name to it.

I have been using the very same setup for a while on FreeBSD 6.x with
the base system Heimdal 0.6.3, and there everything worked fine.
However, I would prefer not to use that, because I'm also running other
Kerberized services that insist on the port's version. So on the
FreeBSD 7 box, I have removed the base system Heimdal entirely to avoid
interference.

Thanks in advance for any help.

-- 
Christian Ullrich
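
Added example, not part of the original post: one way to confirm from a FreeBSD ktrace/kdump dump which keytab files the httpd processes actually open, as in the tracing step the post describes. The kdump record layout assumed here, the sample trace and the custom keytab path are all constructed for illustration.

```python
import os
import re

# Assumed kdump layout: "<pid> <command> <TYPE> <detail>"; NAMI carries the path.
REC_RE = re.compile(r'^\s*(\d+)\s+(\S+)\s+(CALL|NAMI|RET)\s+(.*)$')

# Constructed sample trace and hypothetical Krb5KeyTab value (not from the post).
CONFIGURED = '/usr/local/etc/apache22/http.keytab'
SAMPLE = '''\
  812 httpd    CALL  open(0x28301040,0,0)
  812 httpd    NAMI  "/etc/krb5.conf"
  812 httpd    RET   open 7
  812 httpd    CALL  open(0x28301080,0,0)
  812 httpd    NAMI  "/etc/krb5.keytab"
  812 httpd    RET   open 8
'''

def keytab_lookups(trace_text):
    """Return [(pid, path, succeeded)] for every keytab path a process looked up."""
    pending = {}  # pid -> keytab path from that process's most recent NAMI record
    found = []
    for line in trace_text.splitlines():
        m = REC_RE.match(line)
        if not m:
            continue
        pid, _cmd, kind, detail = m.groups()
        if kind == 'NAMI':
            path = detail.strip().strip('"')
            if 'keytab' in os.path.basename(path):
                pending[pid] = path
        elif kind == 'RET' and pid in pending:
            # "RET open 8" is a success, "RET open -1 errno 2 ..." a failure.
            fields = detail.split()
            ok = len(fields) > 1 and fields[1] != '-1'
            found.append((int(pid), pending.pop(pid), ok))
    return found

def audit(trace_text, configured):
    """Report whether the configured keytab was opened and which others were."""
    opened = {path for _, path, ok in keytab_lookups(trace_text) if ok}
    return {
        'configured_opened': configured in opened,
        'unexpected': sorted(opened - {configured}),
    }

if __name__ == '__main__':
    print(audit(SAMPLE, CONFIGURED))
```

A non-empty `unexpected` list means the web server is reading a keytab other than the one dedicated to it, which matters when the default keytab also holds host or other service keys.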