About

Martin Klier

usn-it.de

Single Sign On for Apache 2.2 and Active Directory 2003 R2 with SuSE 10.2, mod_auth_kerb and MIT Kerberos

Hi,
this is a small howto out of my needs, suggestions are always welcome!

  1. Assumptions for this paper
    1. You know and basically follow http://www.grolmsnet.de/kerbtut, but there are some facts missing/wrong.
    2. 2003R2 KDC’s are 10.0.0.1 and 10.0.0.2 (DNS: dc1.example.com and dc2.example.com)
    3. Kerberos Realm for ADS is ADS.EXAMPLE.COM (upper case required!)
    4. Web server (hostname.domain) is webhostname.server.example.com
    5. DNS and reverse DNS on and for the machine in FQDN works, verified with “dig” and “dig -x”

  2. Used packages on the web server
    1. rpm
      1. krb5
      2. krb5-apps-clients
      3. krb5-client
      4. krb5-devel
      5. apache2
      6. apache2-prefork
      7. apache2-devel
      8. libapr1
      9. libapr1-devel
      10. libapr-util1
      11. libapr-util1-devel
      12. libtool
      13. libltdl
    2. tarball
      1. mod_auth_kerb-5.3.tar.gz from http://modauthkerb.sourceforge.com
  3. Doing “web server”
    1. Install all rpm’s as root with “yast2 sw_single”.
    2. Before continuing, repeat the YaST online update as often as it finds new updates
    3. Create the Kerberos principal inside AD
    4. Let your AD admin create a user with name “httpd_webhostname” and basic rights, e.g. for browsing the domain and let him specify a password for the user.
      Pitfall: AD 2003 seems to be buggy, per definition this step should be enough. But since the user creation routine seems to be internally different from the user password change routine, at user creation time there is no Kerberos key created for the user. So:
    5. Let the AD admin change the created user’s password
    6. This command has to be executed on the Domain Controller of the ADS with domain admin rights (the ktpass.exe is described under http://www.microsoft.com/technet/)
      ktpass
      -princ HTTP/webhostname.server.example.com@ADS.EXAMPLE.COM
      -mapuser httpd_webhostname
      -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL
      -mapop set +DESONLY -pass ThIsIsMyPaSsWoRd
      -out C:\apache001.ktab
    7. Copy or move the C:\apache.ktab to /etc/apache2/apache.ktab on the web server and change it’s owner to wwwrun (or any other use Apache 2 will run as) and the mode to 600 (rw for owner)
    8. The Kerberos client setup
    9. Make your /etc/krb5.conf look like
      [libdefaults]
        default_realm = ADS.EXAMPLE.COM
      
      [realms]
        ADS.EXAMPLE.COM = {
          kdc = dc1.ads.example.com:88
          kdc = dc2.ads.example.com:88
        }
      
      [logging]
        kdc = /var/log/krb5/krb5kdc.log
        admin_server = /var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON
      
      [domain_realm]
        .ads.example.com = ADS.EXAMPLE.COM
        ads.example.com = ADS.EXAPMLE.COM

It’s just a short overview, take it as my Best Practise.
Usn

Oracle: Remove scheduler jobs in a loop
New job in 2009 – looking back at A.T.U

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.