===================================
kerberos-and-apache2-single-sign-on
===================================



Kerberos and Apache2 Single-Sign-on
###########################################

**Record of steps taken when building testweb.foxhop.net**

.. contents::

Prepare Service AD account and keytab
=====================================

Windows Domain admin required.

#. configure the testservice AD user account
#. configure the testservice AD user password to sup3rs3cur3
#. generate a keytab file

.. code-block:: bat

   REM run on srv0103
   ktpass -out c:\temp\testweb.foxhop.net.keytab ^
          -princ HTTP/testweb.foxhop.net@AD.FOXHOP.NET ^
          -mapUser testservice@AD.FOXHOP.NET -mapOp set -pass sup3rs3cur3 ^
          -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL

Copy the keytab to /tmp on the Linux web server.

Configure Kerberos
==================

vim /etc/krb5.conf

.. code-block:: ini

   [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

   [libdefaults]
    default_realm = AD.FOXHOP.NET
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes

   [realms]
    AD.FOXHOP.NET = {
     kdc = DS1.AD.FOXHOP.NET
     kdc = DS2.AD.FOXHOP.NET
     admin_server = DS1.AD.FOXHOP.NET
     default_domain = AD.FOXHOP.NET
    }

   [domain_realm]
    .ad.foxhop.net = AD.FOXHOP.NET
    ad.foxhop.net = AD.FOXHOP.NET

   [appdefaults]
    pam = {
     debug = false
     ticket_lifetime = 36000
     renew_lifetime = 36000
     forwardable = true
     krb4_convert = false
    }
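As an added sanity check (example code written for this page, not part of the original record), a small parser for the krb5.conf profile format that cross-checks the realm names used in [libdefaults], [realms] and [domain_realm], since a realm name that differs in case or spelling from its [realms] entry silently breaks KDC lookup. It assumes the plain section/brace layout shown above (no ``include`` directives or ``*`` final-value markers); the sample input is constructed from the configuration above with one typo introduced.

```python
def parse_krb5_conf(text):
    """Return {section: {key: [value, ...]}}; a `key = {` block becomes a dict."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':           # blank or comment line
            continue
        if line.startswith('['):                  # [section] header
            stack = [conf.setdefault(line.strip('[]'), {})]
            continue
        if line == '}':                           # close a nested block
            stack.pop()
            continue
        key, _, value = (part.strip() for part in line.partition('='))
        if value == '{':                          # open a nested block
            block = {}
            stack[-1].setdefault(key, []).append(block)
            stack.append(block)
        else:                                     # repeated keys accumulate
            stack[-1].setdefault(key, []).append(value)
    return conf

def check_realm_config(conf):
    """Cross-check [libdefaults], [realms] and [domain_realm]; return problems."""
    problems, realms = [], conf.get('realms', {})
    default_realm = conf.get('libdefaults', {}).get('default_realm', [''])[0]
    if default_realm not in realms:               # realm names are case-sensitive
        problems.append(f'default_realm {default_realm!r} has no [realms] entry')
    for realm, blocks in realms.items():
        if not any('kdc' in b for b in blocks if isinstance(b, dict)):
            problems.append(f'realm {realm} lists no kdc')
    for domain, targets in conf.get('domain_realm', {}).items():
        for target in targets:
            if target not in realms:
                problems.append(f'{domain} maps to undefined realm {target}')
    return problems

# Constructed sample: the page's realm plus one typo (lowercase realm in [domain_realm]).
SAMPLE = """\
[libdefaults]
 default_realm = AD.FOXHOP.NET
[realms]
 AD.FOXHOP.NET = {
  kdc = DS1.AD.FOXHOP.NET
  kdc = DS2.AD.FOXHOP.NET
 }
[domain_realm]
 .ad.foxhop.net = AD.FOXHOP.NET
 ad.foxhop.net = ad.foxhop.net
"""
```

Running ``check_realm_config(parse_krb5_conf(open('/etc/krb5.conf').read()))`` on the real file before the kinit test below saves a round of puzzling over "Cannot find KDC for realm" errors.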

Test Kerberos
=============

Get a ticket and authenticate your user.

.. code-block:: cli

   kinit foxhop-test@AD.FOXHOP.NET
   Password for foxhop@AD.FOXHOP.NET:

View the ticket

.. code-block:: cli

   klist

   Valid starting     Expires            Service principal
   08/01/12 11:07:22  08/01/12 21:07:27  krbtgt/AD.FOXHOP.NET@AD.FOXHOP.NET
           renew until 08/02/12 11:07:22

Delete or destroy all tickets

.. code-block:: cli

   kdestroy
   klist

Kerberos is now successfully configured.

Configure Apache
================

Copy the keytab into place and adjust its ownership and permissions so that only root and the apache group can read it.

.. code-block:: bash

   cd /etc/httpd
   cp /tmp/testweb.foxhop.net.keytab .
   chown root:apache testweb.foxhop.net.keytab
   chmod 640 testweb.foxhop.net.keytab

Test the keytab by obtaining a ticket for the HTTP service principal from it.

.. code-block:: bash

   # you should see a ticket
   kinit -k -t /etc/httpd/testweb.foxhop.net.keytab HTTP/testweb.foxhop.net
   klist

Install custom mod_auth_kerb RPM

.. code-block:: bash

   rpm -Uvh /usr/local/src/mod_auth_kerb-5.4-0.x86_64.rpm

Configure Apache2 VirtualHost

vi /etc/httpd/conf.d/000-testweb.foxhop.net.conf

.. code-block:: apache

   #…

   ##################
   # Kerberos
   ##################

   KrbServiceName HTTP
   KrbAuthRealms AD.FOXHOP.NET
   Krb5Keytab /etc/httpd/testweb.foxhop.net.keytab
   KrbMethodNegotiate on
   KrbMethodK5Passwd on
   KrbSaveCredentials on
   # KrbLocalUserMapping removes @REALM | NA in RHEL5
   # Compiled custom RPM: /usr/local/src/mod_auth_kerb-5.4-0.x86_64.rpm
   KrbLocalUserMapping on

   #…
