To get an apache2 web server authenticated against a Windows Active Directory, create on your DC a
The keytab file can be created as follows:
ktpass -princ HTTP/server-name.domain.local@DOMAIN.LOCAL -mapuser domain\computer-account$ -pass secret -ptype KRB5_NT_PRINCIPAL -out some_name.keytab
The created keytab file has to be copied to the apache2 web server (FQDN = server-name.domain.local).
The following additional packages have to be installed on the apache2 web server:
kerberos-client-x.x.x.x kerberos-server-x.x.x.x krb5-devel-32bit-x.x.x.x krb5-devel-x.x.x.x krb5-x.x.x.x krb5-x.x.x.x
Within the Apache configuration folder (e.g. /etc/apache2/) create a vHost (or use the default site) with the following content inside the “Directory” tag:
<Directory "/path/to/share/">
    Options None
    AllowOverride All
    Order allow,deny
    Allow from all
    AuthName "Name to be shown on auth-form"
    AuthType Kerberos
    KrbAuthRealms DOMAIN.LOCAL
    KrbServiceName HTTP
    Krb5Keytab /etc/apache2/keytab/some_name.keytab
    KrbMethodNegotiate on
    require valid-user
</Directory>
Note: If you don't want to grant all users of your domain access, change the last line to “require user user1@domain.local user2@domain.local user3@domain.local …”
Edit the Kerberos config (/etc/krb5.conf) as follows:
[libdefaults]
    default_realm = DOMAIN.LOCAL
    ticket_lifetime = 24h
    forwardable = yes

[realms]
    DOMAIN.LOCAL = {
        kdc = dc1.domain.local
        kdc = dc2.domain.local
        admin_server = dc1.domain.local
        default_domain = domain.local
    }

[domain_realm]
    .domain.local = DOMAIN.LOCAL
    domain.local = DOMAIN.LOCAL

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }

[logging]
    kdc = FILE:/var/log/krb5/krb5kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log
    default = SYSLOG:NOTICE:DAEMON
Useful commands for checking the keytab and tickets:
klist -k -t /etc/apache2/httpotrskeytab
klist
kinit
klist -kte
kinit someuser@EXAMPLE.COM
kinit -k HTTP/SERVER.EXAMPLE.COM@EXAMPLE.COM
tgt = "ticket granting ticket"; session ticket
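Two checks worth scripting once the keytab is on the web server, as an added example (not part of the original page or of mod_auth_kerb): does the keytab actually contain the principal mod_auth_kerb will look for (HTTP/<fqdn>@<REALM>, exact case), and is the keytab file kept unreadable for other users, since anyone who can read it holds the HTTP service's key. The klist output embedded below is constructed sample text in MIT format; the paths and FQDN are the page's own placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: sanity checks for a freshly
# copied Apache keytab. Run as the user that administers the web server.

# expected_principal FQDN
# Prints the service principal mod_auth_kerb will look up: HTTP/<fqdn>@<REALM>.
# Assumption: the realm is the DNS domain of the FQDN in upper case (AD default).
expected_principal() {
    fqdn=$1
    domain=${fqdn#*.}
    realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    printf 'HTTP/%s@%s\n' "$fqdn" "$realm"
}

# keytab_has_principal LISTING PRINCIPAL
# LISTING is the text printed by `klist -kte <keytab>`. Returns 0 if PRINCIPAL
# appears as a whole field on any line. The comparison is case-sensitive on
# purpose: a keytab for HTTP/host@domain.local does not serve DOMAIN.LOCAL.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '
        { for (i = 1; i <= NF; i++) if ($i == p) found = 1 }
        END { exit !found }'
}

# keytab_is_private FILE
# Returns 0 if FILE exists and is not readable by "other" (the 8th column of
# the ls -l mode string). The keytab is a credential, not a config file.
keytab_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ???????r??) return 1 ;;
    esac
    return 0
}

KEYTAB=/etc/apache2/keytab/some_name.keytab   # path used in the page's config
FQDN=server-name.domain.local                  # the web server's FQDN

# Constructed sample of `klist -kte $KEYTAB` output (MIT Kerberos format).
SAMPLE_LISTING='Keytab name: FILE:/etc/apache2/keytab/some_name.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 02/13/2010 12:00:00 HTTP/server-name.domain.local@DOMAIN.LOCAL (arcfour-hmac)'

WANT=$(expected_principal "$FQDN")
if keytab_has_principal "$SAMPLE_LISTING" "$WANT"; then
    echo "ok: keytab contains $WANT"
else
    echo "missing: $WANT (check the ktpass -princ spelling and the realm case)"
fi

if keytab_is_private "$KEYTAB"; then
    echo "ok: $KEYTAB is not world-readable"
else
    echo "warning: $KEYTAB is missing or readable by others; restrict it to the Apache user"
fi
```

In real use, replace SAMPLE_LISTING with `$(klist -kte "$KEYTAB")`. A principal mismatch here is the usual cause of mod_auth_kerb answering 401 to every browser even though `kinit -k` with the keytab succeeds.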
See also:
http://modauthkerb.sourceforge.net/
http://interop.blog.de/2010/02/13/kapitel-6-apache-kerberos-ad-8001577/
http://comments.gmane.org/gmane.comp.apache.mod-auth-kerb.general/2579
http://sammoffatt.com.au/jauthtools/Kerberos/Troubleshooting