Kerberos and Apache2 Single-Sign-on
###################################

A record of the steps taken when building testweb.foxhop.net.

.. contents::

Prepare Service AD account and keytab
=====================================

Windows Domain Admin rights are required for these steps.

1. configure the testservice AD user account
2. configure the testservice AD user password to sup3rs3cur3
3. generate a keytab file

.. code-block:: txt

    # run on srv0103
    ktpass -out c:\testweb.foxhop.net.keytab ^
      -princ HTTP/testweb.foxhop.net@AD.FOXHOP.NET ^
      -mapUser testservice@AD.FOXHOP.NET -mapOp set -pass sup3rs3cur3 ^
      -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL

Copy the keytab to /tmp on the Linux webserver.

Configure Kerberos
==================

vim /etc/krb5.conf

.. code-block:: ini

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = AD.FOXHOP.NET
     dns_lookup_realm = true
     dns_lookup_kdc = true
     ticket_lifetime = 24h
     forwardable = yes

    [realms]
     AD.FOXHOP.NET = {
      kdc = DS1.AD.FOXHOP.NET
      kdc = DS2.AD.FOXHOP.NET
      admin_server = DS1.AD.FOXHOP.NET
      default_domain = AD.FOXHOP.NET
     }

    [domain_realm]
     .ad.foxhop.net = AD.FOXHOP.NET
     ad.foxhop.net = AD.FOXHOP.NET

    [appdefaults]
     pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
     }

Test Kerberos
=============

Get a ticket and authenticate your user

.. code-block:: cli

    kinit foxhop-test@AD.FOXHOP.NET
    Password for foxhop@AD.FOXHOP.NET:

View the ticket

.. code-block:: cli

    klist

    Valid starting     Expires            Service principal
    08/01/12 11:07:22  08/01/12 21:07:27  krbtgt/AD.FOXHOP.NET@AD.FOXHOP.NET
            renew until 08/02/12 11:07:22

Delete or destroy all tickets

.. code-block:: cli

    kdestroy
    klist

Kerberos is now configured and working.

Configure Apache
================

Copy keytab and adjust perms

.. code-block:: bash

    cd /etc/httpd
    cp /tmp/testweb.foxhop.net.keytab .
    chown root:apache testweb.foxhop.net.keytab
    chmod 640 testweb.foxhop.net.keytab

Test keytab

.. code-block:: bash

    # you should see a ticket
    kinit -k -t /etc/httpd/testweb.foxhop.net.keytab HTTP/testweb.foxhop.net
    klist
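Before handing the keytab to Apache it is worth confirming what the file actually contains: that the HTTP/testweb.foxhop.net@AD.FOXHOP.NET principal from the ktpass step is present, which kvno it carries, and which encryption type was written. The ktpass command above selected RC4-HMAC-NT, which RFC 8429 deprecates, so a check that flags weak types is useful. The following Python script is an added example, not code from the original page or from any krb5 project: it parses the MIT keytab file format (version 0x0502, including the optional 32-bit kvno trailer) directly, so it runs without krb5 tools installed. The function names (build_keytab, parse_keytab, audit_keytab), the sample keytab bytes and the key material are all constructed for this example.

```python
# Added example: inspect an MIT-format keytab (version 0x0502) without krb5 tools.
# build_keytab() constructs sample bytes in memory, parse_keytab() lists each
# entry's principal, kvno and enctype, audit_keytab() flags weak types.
import struct

# RFC 3961 / IANA enctype numbers for the types relevant to this page.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",  # what ktpass calls RC4-HMAC-NT
}
WEAK_ENCTYPES = {1, 3, 16, 23}  # DES, 3DES and RC4: deprecated by RFC 6649 / RFC 8429
KRB5_NT_PRINCIPAL = 1           # the -pType used by the ktpass step


def _counted(b: bytes) -> bytes:
    """Keytab 'counted octet string': big-endian uint16 length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as keytab bytes (constructed test data)."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        # name_type, timestamp (0 here), 8-bit kvno, then the keyblock
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)  # 32-bit kvno trailer written by modern tools
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data: bytes):
    """Return one dict per live entry, in file order."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab (expected 0x0502 header)")
    entries, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:             # negative size = hole left by a deleted entry
            pos += -size
            continue
        body, pos = data[pos:pos + size], pos + size

        def take(off):
            (n,) = struct.unpack_from(">H", body, off)
            return body[off + 2:off + 2 + n], off + 2 + n

        ncomp = struct.unpack_from(">H", body, 0)[0]
        realm, off = take(2)
        comps = []
        for _ in range(ncomp):
            c, off = take(off)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", body, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", body, off)
        key, off = take(off + 2)
        kvno = vno8
        if off + 4 <= len(body):         # optional 32-bit kvno overrides vno8
            (vno32,) = struct.unpack_from(">I", body, off)
            kvno = vno32 or vno8
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno, "enctype": enctype, "key_len": len(key),
            "enctype_name": ENCTYPE_NAMES.get(enctype, f"unknown({enctype})"),
        })
    return entries


def audit_keytab(entries, expected_principal):
    """Return human-readable findings; an empty list means all checks passed."""
    findings = []
    if not any(e["principal"] == expected_principal for e in entries):
        findings.append(f"expected principal {expected_principal} not present")
    for e in entries:
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append(f"{e['principal']} kvno {e['kvno']} uses weak "
                            f"enctype {e['enctype_name']}")
    return findings


# Constructed sample: the RC4 entry ktpass would write for the page's SPN,
# plus an AES256 entry to show how a stronger type is reported.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/testweb.foxhop.net@AD.FOXHOP.NET", 2, 23, b"\x11" * 16),
    ("HTTP/testweb.foxhop.net@AD.FOXHOP.NET", 2, 18, b"\x22" * 32),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e['principal']}  kvno={e['kvno']}  {e['enctype_name']}")
    for f in audit_keytab(parse_keytab(SAMPLE_KEYTAB), "HTTP/testweb.foxhop.net@AD.FOXHOP.NET"):
        print("WARNING:", f)
```

To check a real file, read its bytes and pass them to parse_keytab; on the webserver the same principal, kvno and enctype information is shown by ``klist -k -t -e /etc/httpd/testweb.foxhop.net.keytab``. A kvno that does not match what the domain controller currently holds for the account is the usual reason a freshly copied keytab fails the kinit test above.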

Install custom mod_auth_kerb RPM

.. code-block:: bash

    rpm -Uvh /usr/local/src/mod_auth_kerb-5.4-0.x86_64.rpm

Configure Apache2 VirtualHost

vi /etc/httpd/conf.d/000-testweb.foxhop.net.conf

.. code-block:: apache

    #…

    ##################
    # Kerberos       #
    ##################

    KrbServiceName HTTP
    KrbAuthRealms AD.FOXHOP.NET
    Krb5Keytab /etc/httpd/testweb.foxhop.net.keytab
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbSaveCredentials on
    # KrbLocalUserMapping removes @REALM | NA in RHEL5
    # Compiled custom RPM: /usr/local/src/mod_auth_kerb-5.4-0.x86_64.rpm
    KrbLocalUserMapping on

    #…