Line 1: |
Line 1: |
| + | {{mbox |type=warning |text=This information is out of date. [[IT Infrastructure|Up-to-date IT information can be found here]] }} |
| + | |
| + | = Kerberos = |
| + | |
| + | The kerberos realm is a part of the Samba AD implementation, the realm name is AD.PUMPINGSTATIONONE.ORG. |
| + | |
| + | |
| + | |
| + | |
| PS1 Kerberos Client config: | | PS1 Kerberos Client config: |
| | | |
Line 4: |
Line 13: |
| | | |
| <pre> | | <pre> |
− | [libdefaults]
| + | [libdefaults] |
− | default_realm = AD.PUMPINGSTATIONONE.ORG
| + | default_realm = AD.PUMPINGSTATIONONE.ORG |
− | dns_lookup_realm = true
| + | ticket_lifetime = 24h |
− | dns_lookup_kdc = true
| + | forwardable = yes |
− | ticket_lifetime = 24h
| + | kdc_timesync = 1 |
− | forwardable = yes
| + | ccache_type = 4 |
| + | forwardable = true |
| + | proxiable = true |
| + | verify_ap_req_nofail = false |
| + | check_pac = no |
| + | kdc_timeout = 2 |
| + | max_retries = 1 |
| + | dns_lookup_realm = false |
| + | |
| + | [realms] |
| + | AD.PUMPINGSTATIONONE.ORG = { |
| + | default_domain = ad.pumpingstationone.org |
| + | kdc = bob.ad.pumpingstationone.org |
| + | kdc = dc01.ad.pumpingstationone.org |
| + | admin = bob.pumpingstationone.org |
| + | } |
| + | |
| + | [domain_realms] |
| + | ad.pumpingstationone.org = AD.PUMPINGSTATIONONE.ORG |
| + | .ad.pumpingstationone.org = AD.PUMPINGSTATIONONE.ORG |
| + | </pre> |
| + | |
| + | == Apache SSO == |
| + | Note: Replace 'rack' with host name of server. |
| + | |
| + | |
| + | Setting up the keytab: |
| + | <pre> |
| + | msktutil -u -s HTTP --server bob |
| + | cp /etc/krb5.keytab /usr/local/etc/apache24/krb5.keytab |
| + | ktutil -k /usr/local/etc/apache24/krb5.keytab remove -p rack\$ |
| + | ktutil -k /usr/local/etc/apache24/krb5.keytab remove -p host/rack.ad.pumpingstationone.org |
| + | chown www /usr/local/etc/apache24/krb5.keytab |
| + | </pre> |
| + | |
| + | Configure Auth: |
| + | <pre> |
| + | <Location /> |
| + | Authtype Kerberos |
| + | AuthName "AD.PUMPINGSTATIONONE.ORG" |
| + | KrbAuthoritative on |
| + | KrbServiceName HTTP/rack.ad.pumpingstationone.org |
| + | Krb5Keytab /usr/local/etc/apache24/krb5.keytab |
| + | KrbAuthRealms AD.PUMPINGSTATIONONE.ORG |
| + | KrbMethodk5Passwd on |
| + | KrbMethodNegotiate on |
| + | Require valid-user |
| + | </Location> |
| + | </pre> |
| + | |
| + | == SSH SSO == |
| + | |
| + | To enable kerberos SSO for your SSH client add the following lines to ~/.ssh/config |
| + | |
| + | <pre> |
| + | GSSAPIAuthentication yes |
| + | GSSAPIDelegateCredentials yes |
| + | PreferredAuthentications gssapi-with-mic,publickey,keyboard-interactive,password |
| </pre> | | </pre> |
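Review bot: `verify_ap_req_nofail = false` and `check_pac = no` in the new `[libdefaults]` weaken the client: the first lets a host accept initial credentials without verifying them against its own keytab (the classic spoofed-KDC login problem), and the second appears to skip PAC validation; unless there is a recorded reason, drop both lines so the library defaults apply. `forwardable` is set twice (`yes`, then `true`) alongside `proxiable = true`, and the `~/.ssh/config` snippet sets `GSSAPIDelegateCredentials yes` with no `Host` restriction, so the user's TGT is forwarded to every server they ssh to — wrap it as `Host *.ad.pumpingstationone.org` and delete the duplicate `forwardable` line. `[domain_realms]` is not a recognised section name (the standard is `[domain_realm]`), so the two host-to-realm mappings are silently ignored, and `admin = bob.pumpingstationone.org` is presumably a typo for `admin_server = bob.ad.pumpingstationone.org`. In the Apache SSO steps the copied keytab only gets `chown www`; add `chmod 600 /usr/local/etc/apache24/krb5.keytab` so the service key is not readable by other local users, and note next to `KrbMethodk5Passwd on` that it makes browsers fall back to sending the AD password to the web server as Basic auth, which is only acceptable behind TLS.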