Single Sign On for Apache 2.2 and Active Directory 2003 R2 with SuSE 10.2, mod_auth_kerb and MIT Kerberos

Hi,
this is a small howto out of my needs, suggestions are always welcome!

  1. Assumptions for this paper
    1. You know and basically follow http://www.grolmsnet.de/kerbtut, but there are some facts missing/wrong.
    2. 2003R2 KDC’s are 10.0.0.1 and 10.0.0.2 (DNS: dc1.example.com and dc2.example.com)
    3. Kerberos Realm for ADS is ADS.EXAMPLE.COM (upper case required!)
    4. Web server (hostname.domain) is webhostname.server.example.com
    5. DNS and reverse DNS on and for the machine in FQDN works, verified with “dig” and “dig -x”

  2. Used packages on the web server
    1. rpm
      1. krb5
      2. krb5-apps-clients
      3. krb5-client
      4. krb5-devel
      5. apache2
      6. apache2-prefork
      7. apache2-devel
      8. libapr1
      9. libapr1-devel
      10. libapr-util1
      11. libapr-util1-devel
      12. libtool
      13. libltdl
    2. tarball
      1. mod_auth_kerb-5.3.tar.gz from http://modauthkerb.sourceforge.com
  3. Doing “web server”
    1. Install all rpm’s as root with “yast2 sw_single”.
    2. Before continuing, repeat the YaST online update as often as it finds new updates
    3. Create the Kerberos principal inside AD
    4. Let your AD admin create a user with name “httpd_webhostname” and basic rights, e.g. for browsing the domain and let him specify a password for the user.
      Pitfall: AD 2003 seems to be buggy, per definition this step should be enough. But since the user creation routine seems to be internally different from the user password change routine, at user creation time there is no Kerberos key created for the user. So:
    5. Let the AD admin change the created user’s password
    6. This command has to be executed on the Domain Controller of the ADS with domain admin rights (the ktpass.exe is described under http://www.microsoft.com/technet/)
      ktpass
      -princ HTTP/webhostname.server.example.com@ADS.EXAMPLE.COM
      -mapuser httpd_webhostname
      -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL
      -mapop set +DESONLY -pass ThIsIsMyPaSsWoRd
      -out C:\apache001.ktab
    7. Copy or move the C:\apache.ktab to /etc/apache2/apache.ktab on the web server and change it’s owner to wwwrun (or any other use Apache 2 will run as) and the mode to 600 (rw for owner)
    8. The Kerberos client setup
    9. Make your /etc/krb5.conf look like
      [libdefaults]
        default_realm = ADS.EXAMPLE.COM
      
      [realms]
        ADS.EXAMPLE.COM = {
          kdc = dc1.ads.example.com:88
          kdc = dc2.ads.example.com:88
        }
      
      [logging]
        kdc = /var/log/krb5/krb5kdc.log
        admin_server = /var/log/krb5/kadmind.log
        default = SYSLOG:NOTICE:DAEMON
      
      [domain_realm]
        .ads.example.com = ADS.EXAMPLE.COM
        ads.example.com = ADS.EXAPMLE.COM

It’s just a short overview, take it as my Best Practise.
Usn




You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

2 Responses to “Single Sign On for Apache 2.2 and Active Directory 2003 R2 with SuSE 10.2, mod_auth_kerb and MIT Kerberos”

  1. dns server | AMD.com hot tags Says:

    [...] Vote Single Sign On for Apache 2.2 and Active Directory 2003 R2 with … [...]

  2. Linux, Apache 2 und SIngle-Sign-On mit Active Directory 2003 R2 - Linux: Linux-Forum Says:

    [...] die entsprechende Umgebung sehr weit weg. Aber ein paar Notizen von damals gibts auf meinem Blog: http://www.usn-it.de/index.php/2008/…-mit-kerberos/ Gru Usn __________________ Martin Klier http://www.usn-online.de Usn’s IT-Blog: Linux, [...]

Leave a Reply