{"node_id": "f3b7332f-2f95-11f1-941e-e86a64d24d78", "revisions": [{"id": "f3b82b64-2f95-11f1-aafe-e86a64d24d78", "node_id": "f3b7332f-2f95-11f1-941e-e86a64d24d78", "user_id": "edc3f576-2f95-11f1-900f-e86a64d24d78", "author": "foxhop", "data": "Kerberos and Apache2 Single-Sign-on\r\n###########################################\r\n\r\n**Record of steps taken when building testweb.foxhop.net**\r\n\r\n.. contents::\r\n\r\nPrepare Service AD account and keytab\r\n===================================================\r\n\r\nWindows Domain admin required.\r\n\r\n#. create the testservice AD user account; use a dedicated service account that is a member of no privileged group, because the keytab generated below is equivalent to its password\r\n#. set the testservice AD user password to sup3rs3cur3\r\n#. generate a keytab file\r\n\r\n .. code-block:: bat\r\n\r\n  REM run on srv0103\r\n  ktpass -out c:\\temp\\testweb.foxhop.net.keytab ^\r\n   -princ HTTP/testweb.foxhop.net@AD.FOXHOP.NET ^\r\n   -mapUser testservice@AD.FOXHOP.NET -mapOp set -pass sup3rs3cur3 ^\r\n   -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL\r\n\r\nNotes on the ktpass call:\r\n\r\n- ``-mapUser`` ties the principal to the testservice account (ktpass registers the SPN ``HTTP/testweb.foxhop.net`` on it) and ``-pass`` sets the account password to the given value, so AD and the keytab share one key. The SPN has to match the host name browsers will use for the site; a CNAME that resolves to another host name breaks Negotiate.\r\n- ``-pass`` leaves the password in the command history on srv0103 (and in this document). ``+rndPass`` lets ktpass choose a random password instead, which is fine because nothing but the keytab ever needs it.\r\n- ``-crypto RC4-HMAC-NT`` writes an RC4 key. Prefer ``-crypto AES256-SHA1`` and make sure the testservice account has *This account supports Kerberos AES 256 bit encryption* enabled in Active Directory Users and Computers; without that option the KDC keeps issuing RC4 service tickets, which an AES-only keytab cannot decrypt.\r\n\r\nCopy the keytab to /tmp on the Linux webserver, for example with scp. Treat it like the service account password: a file in /tmp is normally world-readable (umask 022), so remove that copy as soon as the keytab is installed under /etc/httpd below, and delete c:\\temp\\testweb.foxhop.net.keytab on srv0103.\r\n\r\nConfigure Kerberos\r\n===================================================\r\n\r\nvim /etc/krb5.conf\r\n\r\n.. 
code-block:: ini\r\n \r\n [logging]\r\n default = FILE:/var/log/krb5libs.log\r\n kdc = FILE:/var/log/krb5kdc.log\r\n admin_server = FILE:/var/log/kadmind.log\r\n\r\n [libdefaults]\r\n default_realm = AD.FOXHOP.NET\r\n dns_lookup_realm = true\r\n dns_lookup_kdc = true\r\n ticket_lifetime = 24h\r\n forwardable = yes\r\n\r\n [realms]\r\n AD.FOXHOP.NET = {\r\n  kdc = DS1.AD.FOXHOP.NET\r\n  kdc = DS2.AD.FOXHOP.NET\r\n  admin_server = DS1.AD.FOXHOP.NET\r\n  default_domain = AD.FOXHOP.NET\r\n }\r\n\r\n [domain_realm]\r\n  .ad.foxhop.net = AD.FOXHOP.NET\r\n  ad.foxhop.net = AD.FOXHOP.NET\r\n\r\n [appdefaults]\r\n pam = {\r\n   debug = false\r\n   ticket_lifetime = 36000\r\n   renew_lifetime = 36000\r\n   forwardable = true\r\n   krb4_convert = false\r\n }\r\n\r\nTest Kerberos\r\n====================================\r\n\r\nGet a ticket and authenticate your user\r\n\r\n.. code-block:: console\r\n\r\n kinit foxhop-test@AD.FOXHOP.NET\r\n\r\n   Password for foxhop-test@AD.FOXHOP.NET:\r\n\r\nA ``Clock skew too great`` error here means the webserver and the domain controllers disagree on the time by more than the five minutes Kerberos allows by default; fix NTP before going further.\r\n\r\nView the ticket\r\n\r\n.. code-block:: console\r\n\r\n klist\r\n\r\n   Valid starting     Expires            Service principal\r\n   08/01/12 11:07:22  08/01/12 21:07:27  krbtgt/AD.FOXHOP.NET@AD.FOXHOP.NET\r\n        renew until 08/02/12 11:07:22\r\n\r\nDelete or destroy all tickets\r\n\r\n.. code-block:: console\r\n\r\n kdestroy\r\n klist\r\n\r\nSuccessfully configured Kerberos.\r\n\r\nConfigure Apache\r\n====================================================\r\n\r\nCopy keytab and adjust perms. The httpd worker processes run as ``apache`` and mod_auth_kerb reads the keytab from inside them, so the file must be readable by that group and by nobody else.\r\n\r\n.. code-block:: bash\r\n\r\n cd /etc/httpd\r\n cp /tmp/testweb.foxhop.net.keytab .\r\n chown root:apache testweb.foxhop.net.keytab\r\n chmod 640 testweb.foxhop.net.keytab\r\n # the world-readable copy in /tmp is no longer needed\r\n rm /tmp/testweb.foxhop.net.keytab\r\n\r\nTest keytab\r\n\r\n.. code-block:: bash\r\n\r\n # list the keys: principal, kvno and enctype should match what ktpass wrote\r\n klist -kte /etc/httpd/testweb.foxhop.net.keytab\r\n # you should see a ticket\r\n kinit -k -t /etc/httpd/testweb.foxhop.net.keytab HTTP/testweb.foxhop.net\r\n klist\r\n kdestroy\r\n\r\nRepeat the kinit as the apache user (``su -s /bin/sh apache -c '...'``) to prove that the 640 permissions are enough for httpd.\r\n\r\nInstall custom mod_auth_kerb RPM\r\n\r\n.. 
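\r\n

Before installing the module, check the keytab itself. The script below is an example added to these notes; it is not from the original build record and not part of MIT Kerberos or mod_auth_kerb. It classifies the enctypes in ``klist -kte`` output, checks that the HTTP SPN is present, and checks the file mode. It assumes MIT Kerberos's ``klist`` output format and the keytab path and SPN used on this page; the three listings embedded in it are constructed samples, not captured output.

```sh
#!/bin/sh
# Added example for these notes (not part of the original build record, MIT Kerberos or
# mod_auth_kerb): checks a service keytab the way a reviewer would before httpd uses it.
#   audit_keytab_listing  - classify the enctypes in MIT `klist -kte` output (stdin)
#   keytab_has_principal  - confirm the expected SPN is in that output
#   keytab_mode_ok        - confirm the file is no looser than 0640 root:apache
# Path and SPN are the ones from this page; the listings are constructed samples.

SAMPLE_RC4='Keytab name: FILE:/etc/httpd/testweb.foxhop.net.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------------
   3 08/01/12 10:55:01 HTTP/testweb.foxhop.net@AD.FOXHOP.NET (arcfour-hmac)'

SAMPLE_MIXED='Keytab name: FILE:/etc/httpd/testweb.foxhop.net.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------------
   4 08/01/12 10:55:01 HTTP/testweb.foxhop.net@AD.FOXHOP.NET (aes256-cts-hmac-sha1-96)
   4 08/01/12 10:55:01 HTTP/testweb.foxhop.net@AD.FOXHOP.NET (arcfour-hmac)'

SAMPLE_AES='Keytab name: FILE:/etc/httpd/testweb.foxhop.net.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------------
   5 08/01/12 10:55:01 HTTP/testweb.foxhop.net@AD.FOXHOP.NET (aes256-cts-hmac-sha1-96)
   5 08/01/12 10:55:01 HTTP/testweb.foxhop.net@AD.FOXHOP.NET (aes128-cts-hmac-sha1-96)'

# Print NONE, STRONG, MIXED or WEAK for the klist -kte listing on stdin.
# Every key line ends in "(enctype)", so split on parentheses and read the
# last non-empty field; RC4, single DES and 3DES all count as weak.
audit_keytab_listing() {
    awk -F'[()]' '
        /\(/ {
            e = $(NF - 1)
            if (e ~ /^aes(128|256)-cts/) aes++
            else if (e ~ /^(arcfour-hmac|des-cbc-|des3-cbc-)/) weak++
        }
        END {
            if (!aes && !weak) print "NONE"      # no key entries at all
            else if (!weak)    print "STRONG"    # AES keys only
            else if (aes)      print "MIXED"     # AES present but RC4/DES still offered
            else               print "WEAK"      # RC4/DES only, what RC4-HMAC-NT gives
        }'
}

# Succeed when the listing on stdin has an entry for the principal given as $1.
keytab_has_principal() {
    grep -Fq " $1 ("
}

# Succeed when the file is not readable by "other" and not writable by group.
# The ls mode string is used instead of stat because its format is the same on every Unix.
keytab_mode_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????-?---) return 0 ;;
        *)          return 1 ;;
    esac
}

# The constructed samples
printf '%s\n' "$SAMPLE_RC4"   | audit_keytab_listing   # WEAK
printf '%s\n' "$SAMPLE_MIXED" | audit_keytab_listing   # MIXED
printf '%s\n' "$SAMPLE_AES"   | audit_keytab_listing   # STRONG

# The real keytab, when run on the webserver (skipped anywhere else)
KEYTAB=/etc/httpd/testweb.foxhop.net.keytab
SPN=HTTP/testweb.foxhop.net@AD.FOXHOP.NET
if [ -r "$KEYTAB" ] && command -v klist >/dev/null 2>&1; then
    klist -kte "$KEYTAB" | audit_keytab_listing
    klist -kte "$KEYTAB" | keytab_has_principal "$SPN" || echo "$SPN is not in $KEYTAB"
    keytab_mode_ok "$KEYTAB" || echo "$KEYTAB is readable by other users or writable by group"
fi
```

Run it on the webserver after the ``chown``/``chmod`` step. ``WEAK`` is what the ``RC4-HMAC-NT`` ktpass call above produces, ``MIXED`` is a keytab that still carries an RC4 key next to the AES ones, and ``STRONG`` is the goal. A missing SPN usually means the keytab was generated for a different host name than the one in the URL, which is the same mismatch that makes browsers fall back to a password prompt.
Now install the module:\r\n\r\n.. 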
code-block:: bash\r\n\r\n rpm -Uvh /usr/local/src/mod_auth_kerb-5.4-0.x86_64.rpm\r\n\r\nBecause this RPM is hand-built it receives no updates from the distribution; keep the SRPM so the module can be rebuilt when upstream mod_auth_kerb publishes a fix.\r\n\r\nConfigure Apache2 VirtualHost\r\n\r\nvi /etc/httpd/conf.d/000-testweb.foxhop.net.conf\r\n\r\nThe mod_auth_kerb directives only take effect inside a ``<Location>`` or ``<Directory>`` block together with ``AuthType Kerberos`` and a ``Require`` line; without those nothing is protected.\r\n\r\n.. code-block:: apache\r\n\r\n    #...\r\n\r\n    ##################\r\n    #    Kerberos    #\r\n    ##################\r\n\r\n    # protects the whole site; narrow the path if only part of it needs SSO\r\n    <Location />\r\n      AuthType Kerberos\r\n      AuthName \"AD.FOXHOP.NET login\"\r\n      KrbServiceName HTTP\r\n      KrbAuthRealms AD.FOXHOP.NET\r\n      Krb5Keytab /etc/httpd/testweb.foxhop.net.keytab\r\n      KrbMethodNegotiate on\r\n      # fallback to Basic auth: the browser then sends the AD password to this server,\r\n      # so leave it on only if the vhost is reachable over TLS alone\r\n      KrbMethodK5Passwd on\r\n      # stores the delegated ticket in a file under /tmp and exports KRB5CCNAME to the\r\n      # application; only needed when the app has to act as the user\r\n      KrbSaveCredentials on\r\n      # KrbLocalUserMapping removes @REALM | NA in RHEL5\r\n      # Compiled custom RPM: /usr/local/src/mod_auth_kerb-5.4-0.x86_64.rpm\r\n      KrbLocalUserMapping on\r\n      Require valid-user\r\n    </Location>\r\n\r\n    #...\r\n\r\nRestart httpd and check from a client that already holds a ticket for a domain user with ``curl -I --negotiate -u : http://testweb.foxhop.net/``: the first response is a 401 carrying ``WWW-Authenticate: Negotiate``, curl answers it with a SPNEGO token, and the second response is the page, with ``REMOTE_USER`` set to the mapped user name for the application. Browsers only send Negotiate to sites they trust, so add the site to the Local intranet zone in Internet Explorer or to ``network.negotiate-auth.trusted-uris`` in Firefox. With ``KrbMethodK5Passwd on`` a failed Negotiate ends in a plain Basic auth prompt, so a password dialog means SSO did not happen.\r\n", "source_format": "rst", "revision_number": 5, "created": 1346238796000}, {"id": "f3b82730-2f95-11f1-bb2a-e86a64d24d78", "node_id": "f3b7332f-2f95-11f1-941e-e86a64d24d78", "user_id": "edc3f576-2f95-11f1-900f-e86a64d24d78", "author": "foxhop", "data": "Kerberos and Apache2 Single-Sign-on\r\n###########################################\r\n\r\n**Record of steps taken when building testweb.foxhop.net**\r\n\r\n.. contents::\r\n\r\nPrepare Service AD account and keytab\r\n===================================================\r\n \r\nWindows Domain admin required. \r\n \r\n#. configure the testservice AD user account\r\n#. configure the testservice AD user password to sup3rs3cur3\r\n#. generate a keytab file\r\n\r\n .. code-block:: txt\r\n \r\n  # run on srv0103\r\n  ktpass -out c:\\temp\\testweb.foxhop.net.keytab ^\r\n   -princ HTTP/testweb.foxhop.net@AD.FOXHOP.NET ^\r\n   -mapUser testservice@AD.FOXHOP.NET -mapOp set -pass sup3rs3cur3 ^\r\n   -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL\r\n\r\nCopy keytab to /tmp on linux webserver.\r\n\r\nConfigure Kerberos\r\n===================================================\r\n\r\nvim /etc/krb5.conf\r\n\r\n.. 
code-block:: ini\r\n \r\n [logging]\r\n default = FILE:/var/log/krb5libs.log\r\n kdc = FILE:/var/log/krb5kdc.log\r\n admin_server = FILE:/var/log/kadmind.log\r\n\r\n [libdefaults]\r\n default_realm = AD.FOXHOP.NET\r\n dns_lookup_realm = true\r\n dns_lookup_kdc = true\r\n ticket_lifetime = 24h\r\n forwardable = yes\r\n\r\n [realms]\r\n AD.FOXHOP.NET = {\r\n  kdc = DS1.AD.FOXHOP.NET\r\n  kdc = DS2.AD.FOXHOP.NET\r\n  admin_server = DS1.AD.FOXHOP.NET\r\n  default_domain = AD.FOXHOP.NET\r\n }\r\n\r\n [domain_realm]\r\n  .ad.foxhop.net = AD.FOXHOP.NET\r\n  ad.foxhop.net = AD.FOXHOP.NET\r\n\r\n [appdefaults]\r\n pam = {\r\n   debug = false\r\n   ticket_lifetime = 36000\r\n   renew_lifetime = 36000\r\n   forwardable = true\r\n   krb4_convert = false\r\n }\r\n\r\nTest Kerberos\r\n====================================\r\n \r\nGet a ticket and authenticate your user\r\n\r\n.. code-block:: cli\r\n \r\n kinit foxhop-test@AD.FOXHOP.NET\r\n \r\n   Password for foxhop@AD.FOXHOP.NET:\r\n   \r\nView the ticket\r\n\r\n.. code-block:: cli\r\n   \r\n klist\r\n\r\n   Valid starting     Expires            Service principal\r\n   08/01/12 11:07:22  08/01/12 21:07:27  krbtgt/AD.FOXHOP.NET@AD.FOXHOP.NET\r\n        renew until 08/02/12 11:07:22\r\n\r\nDelete or destroy all tickets\r\n\r\n.. 
code-block:: cli\r\n        \r\n kdestroy\r\n klist\r\n \r\nSuccessfully configured kerberos\r\n\r\nConfigure Apache\r\n====================================================\r\n\r\nCopy keytab and adjust perms::\r\n\r\n cd /etc/httpd\r\n cp /tmp/testweb.foxhop.net.keytab .\r\n chown root:apache testweb.foxhop.net.keytab\r\n chmod 640 testweb.foxhop.net.keytab\r\n \r\nTest keytab::\r\n \r\n # you should see a ticket\r\n kinit -k -t /etc/httpd/testweb.foxhop.net.keytab HTTP/testweb.foxhop.net\r\n klist\r\n\r\nInstall custom mod_auth_kerb RPM::\r\n\r\n rpm -Uvh /usr/local/src/mod_auth_kerb-5.4-0.x86_64.rpm\r\n \r\nConfigure Apache2 VirtualHost::\r\n\r\n vi /etc/httpd/conf.d/000-testweb.foxhop.net.conf::\r\n \r\n  ##################\r\n  #    Kerberos    #\r\n  ##################\r\n\r\n    KrbServiceName HTTP\r\n    KrbAuthRealms AD.FOXHOP.NET\r\n    Krb5Keytab /etc/httpd/testweb.foxhop.net.keytab\r\n    KrbMethodNegotiate on\r\n    KrbMethodK5Passwd on\r\n    KrbSaveCredentials on\r\n    # KrbLocalUserMapping removes @REALM | NA in RHEL5 \r\n    # Compiled custom RPM: /usr/local/src/mod_auth_kerb-5.4-0.x86_64.rpm\r\n    KrbLocalUserMapping on\r\n", "source_format": "rst", "revision_number": 4, "created": 1346238647000}, {"id": "f3b82273-2f95-11f1-8d30-e86a64d24d78", "node_id": "f3b7332f-2f95-11f1-941e-e86a64d24d78", "user_id": "edc3f576-2f95-11f1-900f-e86a64d24d78", "author": "foxhop", "data": "Kerberos and Apache2 Single-Sign-on\r\n###########################################\r\n\r\n**Record of steps taken when building testweb.foxhop.net**\r\n\r\n.. contents::\r\n\r\nPrepare Service AD account and keytab\r\n===================================================\r\n \r\nWindows Domain admin required. \r\n \r\n#. configure the testservice AD user account\r\n#. configure the testservice AD user password to sup3rs3cur3\r\n#. generate a keytab file\r\n\r\n .. 
code-block:: txt\r\n \r\n  # run on srv0103\r\n  ktpass -out c:\\temp\\testweb.foxhop.net.keytab ^\r\n   -princ HTTP/testweb.foxhop.net@AD.FOXHOP.NET ^\r\n   -mapUser testservice@AD.FOXHOP.NET -mapOp set -pass sup3rs3cur3 ^\r\n   -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL\r\n\r\nCopy keytab to /tmp on linux webserver.\r\n\r\nConfigure Kerberos\r\n===================================================\r\n\r\nvim /etc/krb5.conf\r\n\r\n.. code-block:: ini\r\n \r\n [logging]\r\n default = FILE:/var/log/krb5libs.log\r\n kdc = FILE:/var/log/krb5kdc.log\r\n admin_server = FILE:/var/log/kadmind.log\r\n\r\n [libdefaults]\r\n default_realm = AD.FOXHOP.NET\r\n dns_lookup_realm = true\r\n dns_lookup_kdc = true\r\n ticket_lifetime = 24h\r\n forwardable = yes\r\n\r\n [realms]\r\n AD.FOXHOP.NET = {\r\n  kdc = DS1.AD.FOXHOP.NET\r\n  kdc = DS2.AD.FOXHOP.NET\r\n  admin_server = DS1.AD.FOXHOP.NET\r\n  default_domain = AD.FOXHOP.NET\r\n }\r\n\r\n [domain_realm]\r\n  .ad.foxhop.net = AD.FOXHOP.NET\r\n  ad.foxhop.net = AD.FOXHOP.NET\r\n\r\n [appdefaults]\r\n pam = {\r\n   debug = false\r\n   ticket_lifetime = 36000\r\n   renew_lifetime = 36000\r\n   forwardable = true\r\n   krb4_convert = false\r\n }\r\n\r\nTest Kerberos\r\n====================================\r\n \r\nGet a ticket and authenticate your user::\r\n \r\n kinit foxhop-test@AD.FOXHOP.NET\r\n \r\n   Password for foxhop@AD.FOXHOP.NET:\r\n   \r\nView the ticket::\r\n   \r\n klist\r\n\r\n   Valid starting     Expires            Service principal\r\n   08/01/12 11:07:22  08/01/12 21:07:27  krbtgt/AD.FOXHOP.NET@AD.FOXHOP.NET\r\n        renew until 08/02/12 11:07:22\r\n\r\nDelete or destroy all tickets::\r\n        \r\n kdestroy\r\n klist\r\n \r\nSuccessfully configured kerberos\r\n\r\nConfigure Apache\r\n====================================================\r\n\r\nCopy keytab and adjust perms::\r\n\r\n cd /etc/httpd\r\n cp /tmp/testweb.foxhop.net.keytab .\r\n chown root:apache testweb.foxhop.net.keytab\r\n chmod 640 
testweb.foxhop.net.keytab\r\n \r\nTest keytab::\r\n \r\n # you should see a ticket\r\n kinit -k -t /etc/httpd/testweb.foxhop.net.keytab HTTP/testweb.foxhop.net\r\n klist\r\n\r\nInstall custom mod_auth_kerb RPM::\r\n\r\n rpm -Uvh /usr/local/src/mod_auth_kerb-5.4-0.x86_64.rpm\r\n \r\nConfigure Apache2 VirtualHost::\r\n\r\n vi /etc/httpd/conf.d/000-testweb.foxhop.net.conf::\r\n \r\n  ##################\r\n  #    Kerberos    #\r\n  ##################\r\n\r\n    KrbServiceName HTTP\r\n    KrbAuthRealms AD.FOXHOP.NET\r\n    Krb5Keytab /etc/httpd/testweb.foxhop.net.keytab\r\n    KrbMethodNegotiate on\r\n    KrbMethodK5Passwd on\r\n    KrbSaveCredentials on\r\n    # KrbLocalUserMapping removes @REALM | NA in RHEL5 \r\n    # Compiled custom RPM: /usr/local/src/mod_auth_kerb-5.4-0.x86_64.rpm\r\n    KrbLocalUserMapping on\r\n", "source_format": "rst", "revision_number": 3, "created": 1346238521000}, {"id": "f3b81cc1-2f95-11f1-8d26-e86a64d24d78", "node_id": "f3b7332f-2f95-11f1-941e-e86a64d24d78", "user_id": "edc3f576-2f95-11f1-900f-e86a64d24d78", "author": "foxhop", "data": "Kerberos and Apache2 Single-Sign-on\r\n###########################################\r\n\r\n**Record of steps taken when building testweb.foxhop.net**\r\n\r\n.. contents::\r\n\r\nPrepare Service AD account and keytab\r\n===================================================\r\n \r\nWindows Domain admin required. \r\n \r\n#. configure the testservice AD user account\r\n#. configure the testservice AD user password to sup3rs3cur3\r\n#. generate a keytab file\r\n\r\n .. 
code-block:: txt\r\n \r\n  # run on srv0103\r\n  ktpass -out c:\\temp\\testweb.foxhop.net.keytab ^\r\n   -princ HTTP/testweb.foxhop.net@AD.FOXHOP.NET ^\r\n   -mapUser testservice@AD.FOXHOP.NET -mapOp set -pass sup3rs3cur3 ^\r\n   -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL\r\n\r\nCopy keytab to /tmp on linux webserver.\r\n\r\nConfigure Kerberos\r\n===================================================\r\n\r\nvim /etc/krb5.conf::\r\n \r\n [logging]\r\n default = FILE:/var/log/krb5libs.log\r\n kdc = FILE:/var/log/krb5kdc.log\r\n admin_server = FILE:/var/log/kadmind.log\r\n\r\n [libdefaults]\r\n default_realm = AD.FOXHOP.NET\r\n dns_lookup_realm = true\r\n dns_lookup_kdc = true\r\n ticket_lifetime = 24h\r\n forwardable = yes\r\n\r\n [realms]\r\n AD.FOXHOP.NET = {\r\n  kdc = DS1.AD.FOXHOP.NET\r\n  kdc = DS2.AD.FOXHOP.NET\r\n  admin_server = DS1.AD.FOXHOP.NET\r\n  default_domain = AD.FOXHOP.NET\r\n }\r\n\r\n [domain_realm]\r\n  .ad.foxhop.net = AD.FOXHOP.NET\r\n  ad.foxhop.net = AD.FOXHOP.NET\r\n\r\n [appdefaults]\r\n pam = {\r\n   debug = false\r\n   ticket_lifetime = 36000\r\n   renew_lifetime = 36000\r\n   forwardable = true\r\n   krb4_convert = false\r\n }\r\n\r\nTest Kerberos\r\n====================================\r\n \r\nGet a ticket and authenticate your user::\r\n \r\n kinit foxhop-test@AD.FOXHOP.NET\r\n \r\n   Password for foxhop@AD.FOXHOP.NET:\r\n   \r\nView the ticket::\r\n   \r\n klist\r\n\r\n   Valid starting     Expires            Service principal\r\n   08/01/12 11:07:22  08/01/12 21:07:27  krbtgt/AD.FOXHOP.NET@AD.FOXHOP.NET\r\n        renew until 08/02/12 11:07:22\r\n\r\nDelete or destroy all tickets::\r\n        \r\n kdestroy\r\n klist\r\n \r\nSuccessfully configured kerberos\r\n\r\nConfigure Apache\r\n====================================================\r\n\r\nCopy keytab and adjust perms::\r\n\r\n cd /etc/httpd\r\n cp /tmp/testweb.foxhop.net.keytab .\r\n chown root:apache testweb.foxhop.net.keytab\r\n chmod 640 testweb.foxhop.net.keytab\r\n \r\nTest 
keytab::\r\n \r\n # you should see a ticket\r\n kinit -k -t /etc/httpd/testweb.foxhop.net.keytab HTTP/testweb.foxhop.net\r\n klist\r\n\r\nInstall custom mod_auth_kerb RPM::\r\n\r\n rpm -Uvh /usr/local/src/mod_auth_kerb-5.4-0.x86_64.rpm\r\n \r\nConfigure Apache2 VirtualHost::\r\n\r\n vi /etc/httpd/conf.d/000-testweb.foxhop.net.conf::\r\n \r\n  ##################\r\n  #    Kerberos    #\r\n  ##################\r\n\r\n    KrbServiceName HTTP\r\n    KrbAuthRealms AD.FOXHOP.NET\r\n    Krb5Keytab /etc/httpd/testweb.foxhop.net.keytab\r\n    KrbMethodNegotiate on\r\n    KrbMethodK5Passwd on\r\n    KrbSaveCredentials on\r\n    # KrbLocalUserMapping removes @REALM | NA in RHEL5 \r\n    # Compiled custom RPM: /usr/local/src/mod_auth_kerb-5.4-0.x86_64.rpm\r\n    KrbLocalUserMapping on\r\n", "source_format": "rst", "revision_number": 2, "created": 1346238427000}, {"id": "f3b814e4-2f95-11f1-acd0-e86a64d24d78", "node_id": "f3b7332f-2f95-11f1-941e-e86a64d24d78", "user_id": "edc3f576-2f95-11f1-900f-e86a64d24d78", "author": "foxhop", "data": "Kerberos and Apache2 Single-Sign-on\r\n###########################################\r\n\r\n**Record of steps taken when building testweb.foxhop.net**\r\n\r\n.. contents::\r\n\r\nPrepare Service AD account and keytab\r\n===================================================\r\n \r\nWindows Domain admin required. \r\n \r\n#. configure the testservice AD user account\r\n#. configure the testservice AD user password to sup3rs3cur3\r\n#. 
generate a keytab file\r\n\r\n ::\r\n \r\n  # run on srv0103\r\n  ktpass -out c:\\temp\\testweb.foxhop.net.keytab ^\r\n   -princ HTTP/testweb.foxhop.net@AD.FOXHOP.NET ^\r\n   -mapUser testservice@AD.FOXHOP.NET -mapOp set -pass sup3rs3cur3 ^\r\n   -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL\r\n\r\nCopy keytab to /tmp on linux webserver.\r\n\r\nConfigure Kerberos\r\n===================================================\r\n\r\nvim /etc/krb5.conf::\r\n \r\n [logging]\r\n default = FILE:/var/log/krb5libs.log\r\n kdc = FILE:/var/log/krb5kdc.log\r\n admin_server = FILE:/var/log/kadmind.log\r\n\r\n [libdefaults]\r\n default_realm = AD.FOXHOP.NET\r\n dns_lookup_realm = true\r\n dns_lookup_kdc = true\r\n ticket_lifetime = 24h\r\n forwardable = yes\r\n\r\n [realms]\r\n AD.FOXHOP.NET = {\r\n  kdc = DS1.AD.FOXHOP.NET\r\n  kdc = DS2.AD.FOXHOP.NET\r\n  admin_server = DS1.AD.FOXHOP.NET\r\n  default_domain = AD.FOXHOP.NET\r\n }\r\n\r\n [domain_realm]\r\n  .ad.foxhop.net = AD.FOXHOP.NET\r\n  ad.foxhop.net = AD.FOXHOP.NET\r\n\r\n [appdefaults]\r\n pam = {\r\n   debug = false\r\n   ticket_lifetime = 36000\r\n   renew_lifetime = 36000\r\n   forwardable = true\r\n   krb4_convert = false\r\n }\r\n\r\nTest Kerberos\r\n====================================\r\n \r\nGet a ticket and authenticate your user::\r\n \r\n kinit foxhop-test@AD.FOXHOP.NET\r\n \r\n   Password for foxhop@AD.FOXHOP.NET:\r\n   \r\nView the ticket::\r\n   \r\n klist\r\n\r\n   Valid starting     Expires            Service principal\r\n   08/01/12 11:07:22  08/01/12 21:07:27  krbtgt/AD.FOXHOP.NET@AD.FOXHOP.NET\r\n        renew until 08/02/12 11:07:22\r\n\r\nDelete or destroy all tickets::\r\n        \r\n kdestroy\r\n klist\r\n \r\nSuccessfully configured kerberos\r\n\r\nConfigure Apache\r\n====================================================\r\n\r\nCopy keytab and adjust perms::\r\n\r\n cd /etc/httpd\r\n cp /tmp/testweb.foxhop.net.keytab .\r\n chown root:apache testweb.foxhop.net.keytab\r\n chmod 640 
testweb.foxhop.net.keytab\r\n \r\nTest keytab::\r\n \r\n # you should see a ticket\r\n kinit -k -t /etc/httpd/testweb.foxhop.net.keytab HTTP/testweb.foxhop.net\r\n klist\r\n\r\nInstall custom mod_auth_kerb RPM::\r\n\r\n rpm -Uvh /usr/local/src/mod_auth_kerb-5.4-0.x86_64.rpm\r\n \r\nConfigure Apache2 VirtualHost::\r\n\r\n vi /etc/httpd/conf.d/000-testweb.foxhop.net.conf::\r\n \r\n  ##################\r\n  #    Kerberos    #\r\n  ##################\r\n\r\n    KrbServiceName HTTP\r\n    KrbAuthRealms AD.FOXHOP.NET\r\n    Krb5Keytab /etc/httpd/testweb.foxhop.net.keytab\r\n    KrbMethodNegotiate on\r\n    KrbMethodK5Passwd on\r\n    KrbSaveCredentials on\r\n    # KrbLocalUserMapping removes @REALM | NA in RHEL5 \r\n    # Compiled custom RPM: /usr/local/src/mod_auth_kerb-5.4-0.x86_64.rpm\r\n    KrbLocalUserMapping on\r\n", "source_format": "rst", "revision_number": 1, "created": 1346238220000}], "count": 5}