Difference between revisions of "Systems/Services/Kerberos"
From Pumping Station One
Page created by Amishhammer (8 intermediate revisions by one other user not shown).
Latest revision as of 22:20, 13 September 2020
This information is out of date. Up-to-date IT information can be found on the IT Infrastructure page.
Kerberos
The Kerberos realm is part of the Samba AD implementation; the realm name is AD.PUMPINGSTATIONONE.ORG.
PS1 Kerberos client config, /etc/krb5.conf:
<pre>
[libdefaults]
default_realm = AD.PUMPINGSTATIONONE.ORG
ticket_lifetime = 24h
forwardable = true
proxiable = true
kdc_timesync = 1
ccache_type = 4
verify_ap_req_nofail = false
check_pac = no
kdc_timeout = 2
max_retries = 1
dns_lookup_realm = false

[realms]
AD.PUMPINGSTATIONONE.ORG = {
    default_domain = ad.pumpingstationone.org
    kdc = bob.ad.pumpingstationone.org
    kdc = dc01.ad.pumpingstationone.org
    admin_server = bob.pumpingstationone.org
}

[domain_realm]
ad.pumpingstationone.org = AD.PUMPINGSTATIONONE.ORG
.ad.pumpingstationone.org = AD.PUMPINGSTATIONONE.ORG
</pre>
The section is named [domain_realm] and the admin relation is admin_server; an unknown section or relation is ignored by libkrb5 without any error, so a misspelling shows up only as DNS-based realm lookups or kadmin failing later. Note that verify_ap_req_nofail = false lets a host without a keytab skip verification of the KDC reply during login (e.g. with pam_krb5); on hosts that have a host keytab, set it to true.
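libkrb5 accepts a misspelled section or realm relation in krb5.conf without complaint, which is how typos like [domain_realms] or an admin relation survive. The linter below is an added example and not part of the PS1 wiki page; it parses the krb5.conf profile format ([section] headers, tag = value relations, tag = { ... } subsections), flags unknown sections, unknown [realms] relations and tags set twice, and runs over a constructed copy of the page's client config as first published. The lists of known sections and relations are the common MIT/Heimdal ones and are an assumption of this example, not an exhaustive list.

```python
KNOWN_SECTIONS = {"libdefaults", "realms", "domain_realm", "capaths", "appdefaults", "logging"}  # others are ignored
REALM_RELATIONS = {"kdc", "admin_server", "kpasswd_server", "master_kdc", "default_domain"}   # valid inside a realm block
# Constructed sample: the page's client config as first published, trimmed to the lines that matter here.
PAGE_KRB5_CONF = """\
[libdefaults]
forwardable = yes
forwardable = true
[realms]
AD.PUMPINGSTATIONONE.ORG = {
    kdc = bob.ad.pumpingstationone.org
    kdc = dc01.ad.pumpingstationone.org
    admin = bob.pumpingstationone.org
}
[domain_realms]
.ad.pumpingstationone.org = AD.PUMPINGSTATIONONE.ORG
"""

def parse_krb5_conf(text):
    """Parse the krb5.conf profile format into {section: [(subsection_path, tag, value), ...]}."""
    sections, current, path = {}, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()                   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):       # section header, e.g. [realms]
            current, path = sections.setdefault(line[1:-1], []), []
        elif line == "}":
            path.pop()                                        # close a subsection
        else:
            tag, sep, value = (p.strip() for p in line.partition("="))
            if value == "{":
                path.append(tag)                              # open a subsection (a realm block)
            elif sep and current is not None:                 # malformed lines are skipped
                current.append((tuple(path), tag, value))
    return sections

def lint_krb5_conf(text):
    """Report what libkrb5 accepts silently: unknown sections, unknown realm relations, duplicated tags."""
    findings = []
    for name, relations in parse_krb5_conf(text).items():
        if name not in KNOWN_SECTIONS:
            findings.append("unknown section [%s]" % name)
        seen = set()
        for path, tag, _value in relations:
            if name == "realms" and path and tag not in REALM_RELATIONS:
                findings.append("[realms] %s: unknown relation %r" % (path[-1], tag))
            if (path, tag) in seen and tag != "kdc":          # several kdc lines are legitimate
                findings.append("[%s] %r set more than once; only the first value is used" % (name, tag))
            seen.add((path, tag))
    return findings
```

Running lint_krb5_conf(PAGE_KRB5_CONF) reports the duplicated forwardable tag, the unknown admin relation and the unknown [domain_realms] section; the corrected config from the page produces no findings.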
Apache SSO
Note: replace 'rack' with the host name of the server.
Setting up the keytab:
<pre>
msktutil -u -s HTTP --server bob
cp /etc/krb5.keytab /usr/local/etc/apache24/krb5.keytab
ktutil -k /usr/local/etc/apache24/krb5.keytab remove -p rack\$
ktutil -k /usr/local/etc/apache24/krb5.keytab remove -p host/rack.ad.pumpingstationone.org
chown www /usr/local/etc/apache24/krb5.keytab
</pre>
msktutil adds the HTTP service principal to the machine account and writes its keys to /etc/krb5.keytab. The copy handed to Apache is then trimmed so that it contains only the HTTP keys: the machine account (rack$) and host/ keys stay in the system keytab, and the copy should be readable by the www user only.
Configure auth:
<pre>
<Location />
    AuthType Kerberos
    AuthName "AD.PUMPINGSTATIONONE.ORG"
    KrbAuthoritative on
    KrbServiceName HTTP/rack.ad.pumpingstationone.org
    Krb5Keytab /usr/local/etc/apache24/krb5.keytab
    KrbAuthRealms AD.PUMPINGSTATIONONE.ORG
    KrbMethodK5Passwd on
    KrbMethodNegotiate on
    Require valid-user
</Location>
</pre>
KrbMethodNegotiate on is what gives ticket-based single sign-on. KrbMethodK5Passwd on adds a fallback to HTTP Basic authentication, in which the browser sends the AD password to the web server and mod_auth_kerb validates it against the KDC; serve this location over HTTPS only, or set it to off if every client can use Negotiate.
SSH SSO
To enable Kerberos SSO for your SSH client, add the following lines to ~/.ssh/config:
<pre>
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
PreferredAuthentications gssapi-with-mic,publickey,keyboard-interactive,password
</pre>
GSSAPIDelegateCredentials yes forwards your TGT to every host you log into, so that host can obtain further tickets in your name; if only some hosts need that, put the line in a Host stanza for those hosts rather than in the global section.