[[http://tmade.de|Home tmade.de]] [[http://wiki.tmade.de|Home Wiki]]

==== Kerberos Authentication Linux <--> Windows AD ====

=== Configuration ===

To get an apache2 web server authenticating against a Windows Active Directory, create on your DC a

  * Computer Account
  * keytab file

The keytab file can be created as follows:

<code>
ktpass -princ HTTP/server-name.domain.local@DOMAIN.LOCAL -mapuser domain\computer-account$ -pass secret -ptype KRB5_NT_PRINCIPAL -out some_name.keytab
</code>

The created keytab file has to be copied to the apache2 web server (fqdn = server-name.domain.local).

The following additional packages have to be installed on the apache2 web server:

  * kerberos-client-x.x.x.x
  * kerberos-server-x.x.x.x
  * krb5-devel-32bit-x.x.x.x
  * krb5-devel-x.x.x.x
  * krb5-x.x.x.x
  * krb5-x.x.x.x

Within the apache configuration folder (e.g. /etc/apache2/) create a vHost (or use the default site) with the following content inside the directory tag:

<code apache>
Options None
AllowOverride All
Order allow,deny
Allow from all
AuthName "Name to be shown on auth-form"
AuthType Kerberos
KrbAuthRealms DOMAIN.LOCAL
KrbServiceName HTTP
Krb5Keytab /etc/apache2/keytab/some_name.keytab
KrbMethodNegotiate on
require valid-user
</code>

**Note:** If you don't want to grant all users of your DC access, replace ''require valid-user'' with ''require user user1@domain.local user2@domain.local user3@domain.local ...''
Edit the kerberos config (/etc/krb5.conf) as follows:

<code ini>
[libdefaults]
    default_realm = DOMAIN.LOCAL
    ticket_lifetime = 24h
    forwardable = yes

[realms]
    DOMAIN.LOCAL = {
        kdc = dc1.domain.local
        kdc = dc2.domain.local
        admin_server = dc1.domain.local
        default_domain = domain.local
    }

[domain_realm]
    .domain.local = DOMAIN.LOCAL
    domain.local = DOMAIN.LOCAL

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON
</code>

=== Testing ===

<code bash>
klist -k -t /etc/apache2/httpotrskeytab
klist
kinit
klist -kte
kinit someuser@EXAMPLE.COM
kinit -k HTTP/SERVER.EXAMPLE.COM@EXAMPLE.COM
</code>

=== Explanations ===

  * **TGT**: "ticket granting ticket" (session ticket)

See also:

  * http://acksyn.org/?p=460
  * http://modauthkerb.sourceforge.net/
  * http://grolmsnet.de/kerbtut/
  * http://interop.blog.de/2010/02/13/kapitel-6-apache-kerberos-ad-8001577/
  * http://comments.gmane.org/gmane.comp.apache.mod-auth-kerb.general/2579
  * http://sammoffatt.com.au/jauthtools/Kerberos/Troubleshooting