kerberos-and-apache2-single-sign-on

13y, 226d ago [edited]

Kerberos and Apache2 Single-Sign-on

Record of steps taken when building testweb.foxhop.net

Prepare Service AD account and keytab

Windows Domain admin required.

configure the testservice AD user account
configure the testservice AD user password to sup3rs3cur3
generate a keytab file

# run on srv0103
ktpass -out c:\temp\testweb.foxhop.net.keytab ^
 -princ HTTP/testweb.foxhop.net@AD.FOXHOP.NET ^
 -mapUser testservice@AD.FOXHOP.NET -mapOp set -pass sup3rs3cur3 ^
 -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL

Copy keytab to /tmp on linux webserver.

Configure Kerberos

vim /etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = AD.FOXHOP.NET
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[realms]
AD.FOXHOP.NET = {
 kdc = DS1.AD.FOXHOP.NET
 kdc = DS2.AD.FOXHOP.NET
 admin_server = DS1.AD.FOXHOP.NET
 default_domain = AD.FOXHOP.NET
}

[domain_realm]
 .ad.foxhop.net = AD.FOXHOP.NET
 ad.foxhop.net = AD.FOXHOP.NET

[appdefaults]
pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
}

Test Kerberos

Get a ticket and authenticate your user

kinit foxhop-test@AD.FOXHOP.NET

  Password for foxhop@AD.FOXHOP.NET:

View the ticket

klist

  Valid starting     Expires            Service principal
  08/01/12 11:07:22  08/01/12 21:07:27  krbtgt/AD.FOXHOP.NET@AD.FOXHOP.NET
       renew until 08/02/12 11:07:22

Delete or destroy all tickets

kdestroy
klist

Successfully configured kerberos

Configure Apache

Copy keytab and adjust perms

cd /etc/httpd
cp /tmp/testweb.foxhop.net.keytab .
chown root:apache testweb.foxhop.net.keytab
chmod 640 testweb.foxhop.net.keytab

Test keytab

# you should see a ticket
kinit -k -t /etc/httpd/testweb.foxhop.net.keytab HTTP/testweb.foxhop.net
klist

Install custom mod_auth_kerb RPM

rpm -Uvh /usr/local/src/mod_auth_kerb-5.4-0.x86_64.rpm

Configure Apache2 VirtualHost

vi /etc/httpd/conf.d/000-testweb.foxhop.net.conf

#... 

##################
#    Kerberos    #
##################

  KrbServiceName HTTP
  KrbAuthRealms AD.FOXHOP.NET
  Krb5Keytab /etc/httpd/testweb.foxhop.net.keytab
  KrbMethodNegotiate on
  KrbMethodK5Passwd on
  KrbSaveCredentials on
  # KrbLocalUserMapping removes @REALM | NA in RHEL5 
  # Compiled custom RPM: /usr/local/src/mod_auth_kerb-5.4-0.x86_64.rpm
  KrbLocalUserMapping on

#...

Kerberos and Apache2 Single-Sign-on
###########################################

**Record of steps taken when building testweb.foxhop.net**

.. contents::

Prepare Service AD account and keytab
===================================================
 
Windows Domain admin required. 
 
#. configure the testservice AD user account
#. configure the testservice AD user password to sup3rs3cur3
#. generate a keytab file

.. code-block:: txt
 
  # run on srv0103
  ktpass -out c:\temp\testweb.foxhop.net.keytab ^
   -princ HTTP/testweb.foxhop.net@AD.FOXHOP.NET ^
   -mapUser testservice@AD.FOXHOP.NET -mapOp set -pass sup3rs3cur3 ^
   -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL

Copy keytab to /tmp on linux webserver.

Configure Kerberos
===================================================

vim /etc/krb5.conf

.. code-block:: ini
 
 [logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = AD.FOXHOP.NET
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 AD.FOXHOP.NET = {
  kdc = DS1.AD.FOXHOP.NET
  kdc = DS2.AD.FOXHOP.NET
  admin_server = DS1.AD.FOXHOP.NET
  default_domain = AD.FOXHOP.NET
 }

[domain_realm]
  .ad.foxhop.net = AD.FOXHOP.NET
  ad.foxhop.net = AD.FOXHOP.NET

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Test Kerberos
====================================
 
Get a ticket and authenticate your user

.. code-block:: cli
 
 kinit foxhop-test@AD.FOXHOP.NET
 
   Password for foxhop@AD.FOXHOP.NET:
   
View the ticket

.. code-block:: cli
   
 klist

Valid starting     Expires            Service principal
   08/01/12 11:07:22  08/01/12 21:07:27  krbtgt/AD.FOXHOP.NET@AD.FOXHOP.NET
        renew until 08/02/12 11:07:22

Delete or destroy all tickets

.. code-block:: cli
        
 kdestroy
 klist
 
Successfully configured kerberos

Configure Apache
====================================================

Copy keytab and adjust perms

.. code-block:: bash

cd /etc/httpd
 cp /tmp/testweb.foxhop.net.keytab .
 chown root:apache testweb.foxhop.net.keytab
 chmod 640 testweb.foxhop.net.keytab
 
Test keytab

.. code-block:: bash
 
 # you should see a ticket
 kinit -k -t /etc/httpd/testweb.foxhop.net.keytab HTTP/testweb.foxhop.net
 klist

Install custom mod_auth_kerb RPM

.. code-block:: bash

rpm -Uvh /usr/local/src/mod_auth_kerb-5.4-0.x86_64.rpm
 
Configure Apache2 VirtualHost

vi /etc/httpd/conf.d/000-testweb.foxhop.net.conf

.. code-block:: apache

#...

##################
  #    Kerberos    #
  ##################

KrbServiceName HTTP
    KrbAuthRealms AD.FOXHOP.NET
    Krb5Keytab /etc/httpd/testweb.foxhop.net.keytab
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbSaveCredentials on
    # KrbLocalUserMapping removes @REALM | NA in RHEL5 
    # Compiled custom RPM: /usr/local/src/mod_auth_kerb-5.4-0.x86_64.rpm
    KrbLocalUserMapping on

#...

Comments

Leave first comment to start a conversation!