Systems/Services/Kerberos
This information is out of date. Up-to-date IT information can be found here.
Kerberos
The Kerberos realm is part of the Samba AD implementation; the realm name is AD.PUMPINGSTATIONONE.ORG.
PS1 Kerberos Client config:
/etc/krb5.conf
[libdefaults]
    default_realm = AD.PUMPINGSTATIONONE.ORG
    ticket_lifetime = 24h
    forwardable = true
    proxiable = true
    kdc_timesync = 1
    ccache_type = 4
    verify_ap_req_nofail = false
    check_pac = no
    kdc_timeout = 2
    max_retries = 1
    dns_lookup_realm = false

[realms]
    AD.PUMPINGSTATIONONE.ORG = {
        default_domain = ad.pumpingstationone.org
        kdc = bob.ad.pumpingstationone.org
        kdc = dc01.ad.pumpingstationone.org
        # admin_server is the key libkrb5 recognises for the kadmin host
        admin_server = bob.pumpingstationone.org
    }

# libkrb5 reads [domain_realm] (singular); a misspelled section header is silently ignored
[domain_realm]
    ad.pumpingstationone.org = AD.PUMPINGSTATIONONE.ORG
    .ad.pumpingstationone.org = AD.PUMPINGSTATIONONE.ORG
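To see what the [domain_realm] and [realms] sections actually do, here is a small parser for the krb5.conf profile format together with the host-to-realm lookup that libkrb5 performs (exact host name first, then each parent domain with a leading dot, then default_realm). This is an added example, not PS1 code or part of any Kerberos library; the embedded config is a constructed copy of the client config above, and the second copy with the section header misspelled shows how such a typo is masked on this network only because default_realm happens to be the same realm.

```python
# Added example: parse krb5.conf and reproduce libkrb5's host -> realm mapping.
# Constructed copy of the PS1 client config above (only the sections used here).
KRB5_CONF = """
[libdefaults]
    default_realm = AD.PUMPINGSTATIONONE.ORG
    dns_lookup_realm = false
[realms]
    AD.PUMPINGSTATIONONE.ORG = {
        default_domain = ad.pumpingstationone.org
        kdc = bob.ad.pumpingstationone.org
        kdc = dc01.ad.pumpingstationone.org
        admin_server = bob.pumpingstationone.org
    }
[domain_realm]
    ad.pumpingstationone.org = AD.PUMPINGSTATIONONE.ORG
    .ad.pumpingstationone.org = AD.PUMPINGSTATIONONE.ORG
"""
# Same config with the section header misspelled; libkrb5 ignores unknown sections.
KRB5_CONF_TYPO = KRB5_CONF.replace("[domain_realm]", "[domain_realms]")


def parse_krb5_conf(text):
    """Parse the krb5.conf profile format into nested dicts.

    '[name]' starts a section, 'key = {' opens a nested block closed by '}',
    and a key that repeats (several kdc lines) collects its values in a list.
    """
    conf, stack, section = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # '#' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
            stack = [section]
            continue
        if section is None:
            raise ValueError("key outside any section: " + line)
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
            continue
        cur = stack[-1]
        if key in cur:
            if not isinstance(cur[key], list):
                cur[key] = [cur[key]]
            cur[key].append(value)
        else:
            cur[key] = value
    return conf


def lookup_domain_realm(conf, host):
    """Return the [domain_realm] mapping for host, or None if nothing matches.

    Walk: exact host name, then '.parent.domain' for each parent domain.
    """
    host = host.lower().rstrip(".")
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None


def realm_for_host(conf, host):
    """The realm libkrb5 ends up using: the mapping, or default_realm as fallback."""
    return lookup_domain_realm(conf, host) or conf.get("libdefaults", {}).get("default_realm")


def kdcs_for_realm(conf, realm):
    """All kdc lines for a realm, in the order they were listed."""
    v = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    return v if isinstance(v, list) else [v]


CONF = parse_krb5_conf(KRB5_CONF)
CONF_TYPO = parse_krb5_conf(KRB5_CONF_TYPO)

if __name__ == "__main__":
    host = "rack.ad.pumpingstationone.org"
    print("mapping:", lookup_domain_realm(CONF, host), "->", realm_for_host(CONF, host))
    print("with typo:", lookup_domain_realm(CONF_TYPO, host), "->", realm_for_host(CONF_TYPO, host))
    print("KDCs:", kdcs_for_realm(CONF, "AD.PUMPINGSTATIONONE.ORG"))
```

With the misspelled header the explicit mapping disappears and only the default_realm fallback keeps things working; in a setup with more than one realm, or with dns_lookup_realm enabled, the same typo would produce wrong realms or unexpected DNS queries rather than a quiet fallback.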
Apache SSO
Note: Replace 'rack' with host name of server.
Setting up the keytab:
# update the machine's keytab and add an HTTP service principal through the KDC 'bob'
msktutil -u -s HTTP --server bob
# give Apache its own copy, then strip the machine-account and host/ keys
# so the web server only holds the HTTP key
cp /etc/krb5.keytab /usr/local/etc/apache24/krb5.keytab
ktutil -k /usr/local/etc/apache24/krb5.keytab remove -p rack\$
ktutil -k /usr/local/etc/apache24/krb5.keytab remove -p host/rack.ad.pumpingstationone.org
chown www /usr/local/etc/apache24/krb5.keytab
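After trimming, it is worth confirming that the copy Apache reads really contains only the HTTP key and nothing that would let the web server act as the machine account. The following is an added example, not PS1 tooling: a parser for the version-2 keytab file format that both MIT and Heimdal write (which is also what ktutil edits, marking removed entries as negative-size slots rather than rewriting the file), plus a check that lists any live entry outside the HTTP service or the PS1 realm and flags a keytab file that is readable by group or others. The sample keytab is constructed inline with dummy keys and a made-up kvno, so the script runs without a real msktutil output.

```python
# Added example: inspect a keytab the way a reviewer of the Apache copy would.
import os
import stat
import struct
import sys

# Keytab format 0x0502 (MIT and Heimdal): 2-byte magic, then records of
#   int32 size | uint16 ncomp | realm | ncomp components | uint32 name_type |
#   uint32 timestamp | uint8 vno8 | uint16 enctype | uint16 keylen | key | [uint32 vno32]
# where each string is uint16 length + bytes. A negative size marks a slot that
# 'ktutil remove' has deleted; the bytes are still there, just flagged dead.


def _counted(buf, off):
    """Read a uint16-length-prefixed byte string at buf[off]."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Return the live entries of a v2 keytab as dicts; deleted slots are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # deleted slot: skip its payload
            off += -size
            continue
        rec, p = data[off:off + size], 0
        (ncomp,) = struct.unpack_from(">H", rec, p)
        p += 2
        realm, p = _counted(rec, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(rec, p)
            comps.append(c.decode())
        name_type, ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", rec, p)
        p += 13
        key = rec[p:p + klen]
        p += klen
        kvno = vno8
        if p + 4 <= len(rec):             # optional 32-bit kvno wins when non-zero
            (vno32,) = struct.unpack_from(">I", rec, p)
            kvno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key": key})
        off += size
    return entries


def build_keytab(entries, deleted=()):
    """Serialise (principal, kvno, enctype, key) tuples into keytab bytes.

    Principals listed in `deleted` are written as negative-size slots,
    mimicking what ktutil remove leaves behind.
    """
    out = bytearray(b"\x05\x02")
    for princ, kvno, enctype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        # name_type 1 = NT-PRINCIPAL; timestamp 0 because this is a constructed sample
        body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", -len(body) if princ in deleted else len(body)) + body
    return bytes(out)


def check_apache_keytab(data, service="HTTP", realm="AD.PUMPINGSTATIONONE.ORG"):
    """List every live entry a web server's keytab should not contain."""
    problems = []
    for e in parse_keytab(data):
        name, _, r = e["principal"].rpartition("@")
        if r != realm:
            problems.append("foreign realm: " + e["principal"])
        elif not name.startswith(service + "/"):
            problems.append("non-%s principal: %s" % (service, e["principal"]))
    return problems


def check_keytab_file(path):
    """Content check plus a mode check: the keytab must not be group/world readable."""
    st = os.stat(path)
    problems = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o is readable by others; chmod 600 it" % stat.S_IMODE(st.st_mode))
    with open(path, "rb") as f:
        problems += check_apache_keytab(f.read())
    return problems


# Constructed sample: the three principals msktutil leaves for host 'rack'
# (dummy 16-byte keys, kvno 3, enctype 17 = aes128-cts-hmac-sha1-96).
REALM = "AD.PUMPINGSTATIONONE.ORG"
SAMPLE = [("rack$@" + REALM, 3, 17, b"\x11" * 16),
          ("host/rack.ad.pumpingstationone.org@" + REALM, 3, 17, b"\x22" * 16),
          ("HTTP/rack.ad.pumpingstationone.org@" + REALM, 3, 17, b"\x33" * 16)]
UNTRIMMED = build_keytab(SAMPLE)
TRIMMED = build_keytab(SAMPLE, deleted={SAMPLE[0][0], SAMPLE[1][0]})

if __name__ == "__main__":
    if len(sys.argv) > 1:                 # e.g. python3 check_keytab.py /usr/local/etc/apache24/krb5.keytab
        for problem in check_keytab_file(sys.argv[1]):
            print(problem)
    else:
        print("untrimmed:", check_apache_keytab(UNTRIMMED))
        print("trimmed:  ", check_apache_keytab(TRIMMED))
```

Run it against the real Apache copy with the path as its only argument; an empty result means only HTTP/ keys for the PS1 realm remain and the file is private to its owner. Note that chown alone does not make the file private, so a chmod 600 after the copy is the usual companion step.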
Configure Auth:
<Location />
    AuthType Kerberos
    AuthName "AD.PUMPINGSTATIONONE.ORG"
    KrbAuthoritative on
    KrbServiceName HTTP/rack.ad.pumpingstationone.org
    Krb5Keytab /usr/local/etc/apache24/krb5.keytab
    KrbAuthRealms AD.PUMPINGSTATIONONE.ORG
    KrbMethodK5Passwd on
    KrbMethodNegotiate on
    Require valid-user
</Location>
SSH SSO
To enable Kerberos SSO for your SSH client, add the following lines to ~/.ssh/config. GSSAPIDelegateCredentials forwards your (forwardable) ticket to the host you log in to, so put these lines under a Host entry for the PS1 hosts rather than letting them apply to every server you connect to.
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
PreferredAuthentications gssapi-with-mic,publickey,keyboard-interactive,password