
Kerberos and Apache2 Single-Sign-on

Record of steps taken when building testweb.foxhop.net

Prepare Service AD account and keytab

Windows Domain admin required.

  1. configure the testservice AD user account
  2. configure the testservice AD user password to sup3rs3cur3
  3. generate a keytab file
# run on srv0103 (domain controller / admin workstation)
# -mapUser binds the SPN to the service account; -mapOp set replaces any existing mapping
# -crypto RC4-HMAC-NT selects the enctype this domain offered; prefer AES256-SHA1 where supported
ktpass -out c:\temp\testweb.foxhop.net.keytab ^
 -princ HTTP/testweb.foxhop.net@AD.FOXHOP.NET ^
 -mapUser testservice@AD.FOXHOP.NET -mapOp set -pass sup3rs3cur3 ^
 -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL

Copy the keytab to /tmp on the Linux web server.

Configure Kerberos

vim /etc/krb5.conf

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = AD.FOXHOP.NET
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes

[realms]
AD.FOXHOP.NET = {
 kdc = DS1.AD.FOXHOP.NET
 kdc = DS2.AD.FOXHOP.NET
 admin_server = DS1.AD.FOXHOP.NET
 default_domain = AD.FOXHOP.NET
}

[domain_realm]
 .ad.foxhop.net = AD.FOXHOP.NET
 ad.foxhop.net = AD.FOXHOP.NET

[appdefaults]
pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
}

Test Kerberos

Get a ticket and authenticate your user

kinit foxhop-test@AD.FOXHOP.NET

  Password for foxhop@AD.FOXHOP.NET:

View the ticket

klist

  Valid starting     Expires            Service principal
  08/01/12 11:07:22  08/01/12 21:07:27  krbtgt/AD.FOXHOP.NET@AD.FOXHOP.NET
       renew until 08/02/12 11:07:22

Delete or destroy all tickets

kdestroy
klist

Kerberos is now configured.

Configure Apache

Copy the keytab and adjust permissions (readable by root and the apache group only)

cd /etc/httpd
cp /tmp/testweb.foxhop.net.keytab .
chown root:apache testweb.foxhop.net.keytab
chmod 640 testweb.foxhop.net.keytab

Test keytab

# klist should show a krbtgt ticket for HTTP/testweb.foxhop.net@AD.FOXHOP.NET;
# a failure here means the keytab, the SPN, or the account mapping is wrong
kinit -k -t /etc/httpd/testweb.foxhop.net.keytab HTTP/testweb.foxhop.net
klist
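Beyond kinit, it is worth checking what the keytab actually contains: that the HTTP SPN is present, which kvno it carries, and whether the keys are RC4 only. The following added example, not part of the original post, parses the version 0x0502 keytab format written by ktpass and MIT krb5 and reports on a given SPN; it runs against a constructed sample keytab (fake all-zero key) built inline so it works offline.

```python
import struct

# Kerberos enctype numbers (RFC 3961 / RFC 4757); 23 is the RC4 key ktpass emits on this page
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def _octets(buf, pos):  # counted_octet_string: uint16 length followed by the bytes
    n = struct.unpack_from(">H", buf, pos)[0]
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Parse a version 0x0502 keytab (MIT krb5 / Windows ktpass) into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack_from(">i", data, pos)[0]
        pos += 4
        if size < 0:                   # negative size marks a deleted entry (hole); skip it
            pos -= size
            continue
        end = pos + size
        ncomp = struct.unpack_from(">H", data, pos)[0]
        realm, pos = _octets(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _octets(data, pos)
            comps.append(comp.decode())
        # name_type (uint32), timestamp (uint32), 8-bit kvno, enctype (uint16), then the key
        _ntype, _stamp, vno8, enctype = struct.unpack_from(">IIBH", data, pos)
        key, pos = _octets(data, pos + 11)
        # A trailing 32-bit kvno, if present, overrides the 8-bit field
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
                        "enctype": ENCTYPES.get(enctype, str(enctype)), "key_len": len(key)})
        pos = end
    return entries

def keytab_report(data, spn):  # does the keytab hold keys for spn, and are they RC4 only?
    keys = [e for e in parse_keytab(data) if e["principal"] == spn]
    return {"found": bool(keys), "enctypes": sorted(e["enctype"] for e in keys),
            "rc4_only": bool(keys) and all(e["enctype"] == "arcfour-hmac" for e in keys)}

def build_entry(comps, realm, enctype, key, kvno=1):  # used only to construct the sample
    body = struct.pack(">HH", len(comps), len(realm)) + realm
    for c in comps:
        body += struct.pack(">H", len(c)) + c
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body
# Constructed sample: this page's HTTP SPN with a fake all-zero RC4 key and kvno 3
SAMPLE_KEYTAB = b"\x05\x02" + build_entry([b"HTTP", b"testweb.foxhop.net"], b"AD.FOXHOP.NET", 23, bytes(16), kvno=3)
```

To inspect the real file, pass `open("/etc/httpd/testweb.foxhop.net.keytab", "rb").read()` to keytab_report; a kvno that does not match the account's current one in AD is the usual cause of a keytab that kinit accepts but browsers cannot use.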

Install custom mod_auth_kerb RPM

rpm -Uvh /usr/local/src/mod_auth_kerb-5.4-0.x86_64.rpm

Configure Apache2 VirtualHost

vi /etc/httpd/conf.d/000-testweb.foxhop.net.conf

#...

##################
#    Kerberos    #
##################

  KrbServiceName HTTP
  KrbAuthRealms AD.FOXHOP.NET
  Krb5Keytab /etc/httpd/testweb.foxhop.net.keytab
  # SPNEGO / Negotiate: the browser presents a service ticket, no password reaches Apache
  KrbMethodNegotiate on
  # Fallback to Basic auth checked against the KDC when the client cannot Negotiate;
  # the password then travels to the web server, so this is only acceptable over HTTPS
  KrbMethodK5Passwd on
  KrbSaveCredentials on
  # KrbLocalUserMapping strips @REALM from REMOTE_USER | not available in RHEL5's stock package
  # Compiled custom RPM: /usr/local/src/mod_auth_kerb-5.4-0.x86_64.rpm
  KrbLocalUserMapping on

#...
