Difference between revisions of "Systems/Services/Kerberos"
Amishhammer (talk | contribs) |
Line 47: | Line 47: | ||
ktutil -k /usr/local/etc/apache24/krb5.keytab remove -p host/rack.ad.pumpingstationone.org | ktutil -k /usr/local/etc/apache24/krb5.keytab remove -p host/rack.ad.pumpingstationone.org | ||
chown www /usr/local/etc/apache24/krb5.keytab | chown www /usr/local/etc/apache24/krb5.keytab | ||
− | <pre> | + | </pre> |
Configure Auth: | Configure Auth: |
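Review bot: the context line `chown www /usr/local/etc/apache24/krb5.keytab`, the last command before the `</pre>` this revision adds, hands the keytab to the web server user, but nothing in the block sets the file mode. Consider adding `chmod 400 /usr/local/etc/apache24/krb5.keytab` after it so the documented procedure leaves the key readable only by `www`. The tag change itself looks right provided the matching opening `<pre>` sits above line 47, which this hunk does not show.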
Revision as of 19:25, 20 September 2014
Kerberos
The Kerberos realm is part of the Samba AD implementation; the realm name is AD.PUMPINGSTATIONONE.ORG.
PS1 Kerberos Client config:
/etc/krb5.conf
[libdefaults]
    default_realm = AD.PUMPINGSTATIONONE.ORG
    ticket_lifetime = 24h
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    verify_ap_req_nofail = false
    check_pac = no
    kdc_timeout = 2
    max_retries = 1
    dns_lookup_realm = false

[realms]
    AD.PUMPINGSTATIONONE.ORG = {
        default_domain = ad.pumpingstationone.org
        kdc = bob.ad.pumpingstationone.org
        kdc = dc01.ad.pumpingstationone.org
        # the key for the kadmin host is admin_server
        admin_server = bob.pumpingstationone.org
    }

# the section that maps DNS domains to realms is named [domain_realm]
[domain_realm]
    ad.pumpingstationone.org = AD.PUMPINGSTATIONONE.ORG
    .ad.pumpingstationone.org = AD.PUMPINGSTATIONONE.ORG
Apache SSO
Setting up the keytab:
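# Update the machine account and add the HTTP service principal, talking to DC "bob"
msktutil -u -s HTTP --server bob
# Give Apache its own copy of the keytab
cp /etc/krb5.keytab /usr/local/etc/apache24/krb5.keytab
# Remove the machine and host principals so only the HTTP keys remain in Apache's copy
ktutil -k /usr/local/etc/apache24/krb5.keytab remove -p rack\$
ktutil -k /usr/local/etc/apache24/krb5.keytab remove -p host/rack.ad.pumpingstationone.org
chown www /usr/local/etc/apache24/krb5.keytab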
Configure Auth:
AuthType Kerberos
AuthName "AD.PUMPINGSTATIONONE.ORG"
KrbAuthoritative on
KrbServiceName HTTP/rack.ad.pumpingstationone.org
Krb5Keytab /usr/local/etc/apache24/krb5.keytab
KrbAuthRealms AD.PUMPINGSTATIONONE.ORG
KrbMethodK5Passwd on
KrbMethodNegotiate on
Require valid-user