Difference between revisions of "Systems/Services/Kerberos"

Line 36: Line 36:
 
         ad.pumpingstationone.org = AD.PUMPINGSTATIONONE.ORG
 
         ad.pumpingstationone.org = AD.PUMPINGSTATIONONE.ORG
 
         .ad.pumpingstationone.org = AD.PUMPINGSTATIONONE.ORG
 
         .ad.pumpingstationone.org = AD.PUMPINGSTATIONONE.ORG
 +
</pre>
 +
 +
== Apache SSO ==
 +
 +
Setting up the keytab:
 +
<pre>
 +
msktutil -u -s HTTP --server bob
 +
cp  /etc/krb5.keytab /usr/local/etc/apache24/krb5.keytab
 +
ktutil -k /usr/local/etc/apache24/krb5.keytab remove -p rack\$
 +
ktutil -k /usr/local/etc/apache24/krb5.keytab remove -p host/rack.ad.pumpingstationone.org
 +
chown www /usr/local/etc/apache24/krb5.keytab
 +
<pre>
 +
 +
Configure Auth:
 +
<pre>
 +
            Authtype Kerberos
 +
            AuthName "AD.PUMPINGSTATIONONE.ORG"
 +
            KrbAuthoritative on
 +
            KrbServiceName  HTTP/rack.ad.pumpingstationone.org
 +
            Krb5Keytab /usr/local/etc/apache24/krb5.keytab
 +
            KrbAuthRealms AD.PUMPINGSTATIONONE.ORG
 +
            KrbMethodk5Passwd on
 +
            KrbMethodNegotiate on
 +
            Require valid-user
 
</pre>
 
</pre>
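Review bot: The copy made by the new `cp  /etc/krb5.keytab /usr/local/etc/apache24/krb5.keytab` line is created with whatever mode the umask gives and the later `chown www` never tightens it, so unless the umask is already restrictive the HTTP service key is readable by every local user; add `chmod 600 /usr/local/etc/apache24/krb5.keytab` after the chown. The added `KrbMethodk5Passwd on` turns on a Basic-auth fallback in which the browser sends the user's AD password to this web server for verification against the KDC, so the location should be reachable over HTTPS only (or the directive set to `off`), and a comment above the line saying so would help the next admin. The second `<pre>` in the added keytab block is an opening tag where the closing `</pre>` belongs, which is why the rendered revision shows `<pre>` literally and folds the "Configure Auth" heading into the keytab listing.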

Revision as of 19:25, 20 September 2014

Kerberos

The Kerberos realm is part of the Samba AD implementation; the realm name is AD.PUMPINGSTATIONONE.ORG.



PS1 Kerberos Client config:

/etc/krb5.conf

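# /etc/krb5.conf - PS1 Kerberos client configuration for the Samba AD realm.
[libdefaults]
        # Realm assumed when a principal is given without one.
        default_realm = AD.PUMPINGSTATIONONE.ORG
        # Lifetime requested for initial tickets.
        ticket_lifetime = 24h
        # Listed once; the original set forwardable twice ("yes" and "true"),
        # which is the same setting written two ways.
        forwardable = true
        proxiable = true
        kdc_timesync = 1
        ccache_type = 4
        verify_ap_req_nofail = false
        check_pac = no
        # KDC request timeout (seconds) and retry count before giving up on a KDC
        # (Heimdal libdefaults keys).
        kdc_timeout = 2
        max_retries = 1
        # The realm for a host comes from [domain_realm] below, not from DNS TXT records.
        dns_lookup_realm = false

[realms]
        AD.PUMPINGSTATIONONE.ORG = {
                default_domain = ad.pumpingstationone.org
                kdc = bob.ad.pumpingstationone.org
                kdc = dc01.ad.pumpingstationone.org
                # "admin" is not a recognised realm key and was ignored; admin_server is
                # what kadmin/kpasswd use.
                # NOTE(review): this host name lacks the "ad." label the KDC entries
                # above carry - confirm it resolves.
                admin_server = bob.pumpingstationone.org
        }

# The section name is "domain_realm" (singular); a "[domain_realms]" section is
# silently ignored and the host-to-realm mapping below would never apply.
[domain_realm]
        ad.pumpingstationone.org = AD.PUMPINGSTATIONONE.ORG
        .ad.pumpingstationone.org = AD.PUMPINGSTATIONONE.ORG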

Apache SSO

Setting up the keytab:

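# Create or refresh the HTTP service principal for this host against the DC "bob"
# and store its key in msktutil's default keytab (/etc/krb5.keytab).
msktutil -u -s HTTP --server bob
# Apache needs only the HTTP key, so work on a private copy of the keytab.
cp  /etc/krb5.keytab /usr/local/etc/apache24/krb5.keytab
# Strip the machine-account and host principals from the copy; the web server
# must not hold those keys.
ktutil -k /usr/local/etc/apache24/krb5.keytab remove -p rack\$
ktutil -k /usr/local/etc/apache24/krb5.keytab remove -p host/rack.ad.pumpingstationone.org
# Only the httpd user may read the key. cp created the copy with the default umask,
# so tighten the mode explicitly rather than relying on it.
chown www /usr/local/etc/apache24/krb5.keytab
chmod 600 /usr/local/etc/apache24/krb5.keytab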
</pre>

Configure Auth:
<pre>
            # Kerberos (mod_auth_kerb) single sign-on for this location.
            Authtype Kerberos
            AuthName "AD.PUMPINGSTATIONONE.ORG"
            # Do not fall through to other auth providers when Kerberos auth fails.
            KrbAuthoritative on
            # Service principal to accept tickets for; should correspond to the HTTP
            # principal created with msktutil and present in the keytab below.
            KrbServiceName  HTTP/rack.ad.pumpingstationone.org
            Krb5Keytab /usr/local/etc/apache24/krb5.keytab
            KrbAuthRealms AD.PUMPINGSTATIONONE.ORG
            # Basic-auth fallback: the browser sends the user's AD password to this
            # server, which verifies it against the KDC. Keep this location HTTPS-only,
            # or set this to off if every client can do Negotiate.
            KrbMethodk5Passwd on
            # SPNEGO/Negotiate: ticket-based SSO, no password crosses the wire.
            KrbMethodNegotiate on
            Require valid-user