1) On the Windows DNS server, add an entry for the Linux server where Apache is running.
2) Install the Support Tools for Windows Server 2003. We'll need the ktpass tool for the next step.
3) C:\Program Files\Support Tools>ktpass -princ HTTP/testapache.foo.bar@foo.bar -mapuser apache1 -pass apachepassword -out c:\temp\testapache.keytab
4) Copy this file over to the Linux machine and drop it in /etc/krb5.keytab.
5) Configure /etc/krb5.conf on Linux as follows (FOO.BAR is the Kerberos realm, i.e. the Windows domain name in upper case; DC.FOO.BAR is the domain controller):
[root@testapache html]# cat /etc/krb5.conf
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = FOO.BAR
  dns_lookup_realm = false
  dns_lookup_kdc = false

[realms]
  FOO.BAR = {
    kdc = DC.FOO.BAR:88
    admin_server = DC.FOO.BAR:749
    default_domain = FOO.BAR
  }

[domain_realm]
  .foo.bar = FOO.BAR
  foo.bar = FOO.BAR

[kdc]
  profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }
6) Load the Kerberos authentication module (mod_auth_kerb) in Apache, then add the following inside the "Directory" section of httpd.conf (remember that the capitals in the Realm name are important). The opening and closing Directory tags get stripped when this blog is published, so they are not shown:
Options FollowSymLinks
AllowOverride None
AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealm FOO.BAR
Krb5KeyTab /etc/krb5.keytab
KrbVerifyKDC off
Require user apache1@FOO.BAR
#require valid-user
That should be it. Restart Apache, test Kerberos with kinit, and then log in to the website.
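As an added example (not part of the original post), the script below wraps the "test with kinit, then the website" step into a few repeatable checks: it derives the service principal Apache needs (HTTP/fqdn@REALM, with the case rules the post stresses), confirms that principal is in the keytab listing, warns when httpd.conf carries KrbVerifyKDC off, and, when RUN_LIVE=1, proves the keytab against the KDC with kinit -kt and fetches the site with curl using SPNEGO. It assumes the names from the post (testapache.foo.bar, FOO.BAR, /etc/krb5.keytab) and an httpd.conf path of /etc/httpd/conf/httpd.conf, all overridable through environment variables; klist, kinit and curl must be installed for the live part. KrbVerifyKDC off disables mod_auth_kerb's check of the KDC against the local keytab on the password (Basic) fallback path, so once the keytab is known to work it is safer to leave that directive at its default of on.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed defaults below come
# from the post's own names; override them in the environment if yours differ.
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
REALM="${REALM:-FOO.BAR}"
HOST="${HOST:-testapache.foo.bar}"
HTTPD_CONF="${HTTPD_CONF:-/etc/httpd/conf/httpd.conf}"   # assumed path

# Build the service principal Apache needs: HTTP/<fqdn>@<REALM>.
# Kerberos principal names are case-sensitive, so the host part is forced to
# lower case and the realm to upper case (the "caps are important" point).
expected_spn() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    realm=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
    printf 'HTTP/%s@%s' "$host" "$realm"
}

# Read "klist -kt" output on stdin; succeed only if the principal is listed.
keytab_has_principal() {
    grep -q -F -- "$1"
}

# Read an httpd.conf fragment on stdin; succeed if KDC verification is turned
# off, which is the weak setting worth flagging before going to production.
kdc_verify_disabled() {
    grep -i -E '^[[:space:]]*KrbVerifyKDC[[:space:]]+off' >/dev/null
}

SPN=$(expected_spn "$HOST" "$REALM")

# Constructed sample of "klist -kt" output (not captured from a real machine)
# so the keytab check can be exercised offline.
SAMPLE_KLIST='KVNO Timestamp         Principal
   3 01/01/08 00:00:00 HTTP/testapache.foo.bar@FOO.BAR'

if printf '%s\n' "$SAMPLE_KLIST" | keytab_has_principal "$SPN"; then
    echo "sample keytab listing contains $SPN"
fi

# Live checks against the real keytab, KDC and web server.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    klist -kt "$KEYTAB" | keytab_has_principal "$SPN" \
        || { echo "keytab $KEYTAB does not contain $SPN" >&2; exit 1; }

    # Obtaining a TGT with the keytab proves its key matches what the KDC
    # holds for the mapped account; drop the ticket again afterwards.
    kinit -kt "$KEYTAB" "$SPN" || { echo "kinit with keytab failed" >&2; exit 1; }
    kdestroy

    if kdc_verify_disabled < "$HTTPD_CONF"; then
        echo "warning: KrbVerifyKDC off in $HTTPD_CONF" >&2
    fi

    # The Directory block only allows apache1@FOO.BAR, so get a ticket for a
    # permitted user first (kinit apache1@FOO.BAR); curl then sends it via
    # SPNEGO. Expect 200 with a valid ticket and 401 without one.
    curl -sS --negotiate -u : -o /dev/null -w '%{http_code}\n' "http://$HOST/"
fi
```

Run it once as a dry check (no arguments, nothing touches the network), then with RUN_LIVE=1 on the Apache host after a kinit as the permitted user.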