2016-10-15 19:57:04 +02:00
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:kerberos</title>
<meta name="generator" content="DokuWiki" />
<meta name="robots" content="index,follow" />
<meta name="keywords" content="documentation,2.0,kerberos" />
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG" />
<link rel="start" href="kerberos.html" />
<link rel="contents" href="kerberos.html" title="Sitemap" />
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css" />
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO={"id":"documentation:2.0:kerberos","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#prerequisites">Prerequisites</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#example_values">Example values</a></div></li>
<li class="level2"><div class="li"><a href="#server_time">Server time</a></div></li>
<li class="level2"><div class="li"><a href="#dns">DNS</a></div></li>
<li class="level2"><div class="li"><a href="#ssl">SSL</a></div></li>
<li class="level2"><div class="li"><a href="#web_browser_configuration">Web browser configuration</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#firefox">Firefox</a></div></li>
<li class="level3"><div class="li"><a href="#internet_explorer">Internet Explorer</a></div></li>
</ul>
</li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#single_ad_domain">Single AD domain</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#client_kerberos_configuration">Client Kerberos configuration</a></div></li>
<li class="level2"><div class="li"><a href="#obtain_keytab_file">Obtain keytab file</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#multiple_ad_domains">Multiple AD domains</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#client_kerberos_configuration1">Client Kerberos configuration</a></div></li>
<li class="level2"><div class="li"><a href="#obtain_keytab_file1">Obtain keytab file</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#other_resources">Other resources</a></div></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="kerberos">Kerberos</h1>
<div class="level1">
</div>
<!-- EDIT1 SECTION "Kerberos" [1-24] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">
<p>
This documentation explains how to use Active Directory as the Kerberos server and provide transparent authentication for one or several AD domains.
</p>
<p>
You can use Kerberos in <abbr title="LemonLDAP::NG">LL::NG</abbr> with the following authentication modules:
</p>
<ul>
<li class="level1"><div class="li"><a href="authkerberos.html" class="wikilink1" title="documentation:2.0:authkerberos">Kerberos</a> (recommended): uses the Perl GSSAPI module and is compatible with Apache and Nginx</div>
</li>
<li class="level1"><div class="li"><a href="authapache.html" class="wikilink1" title="documentation:2.0:authapache">Apache</a>: uses mod_auth_kerb or mod_auth_gssapi in Apache</div>
</li>
</ul>
</div>
<!-- EDIT2 SECTION "Presentation" [25-454] -->
<h2 class="sectionedit3" id="prerequisites">Prerequisites</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "Prerequisites" [455-481] -->
<h3 class="sectionedit4" id="example_values">Example values</h3>
<div class="level3">
<p>
We will use the following values in our examples:
</p>
<ul>
<li class="level1"><div class="li"><strong>EXAMPLE.COM</strong>: first AD domain</div>
</li>
<li class="level1"><div class="li"><strong>ACME.COM</strong>: second AD domain</div>
</li>
<li class="level1"><div class="li"><strong>auth.example.com</strong>: <abbr title="Domain Name System">DNS</abbr> name of the <abbr title="LemonLDAP::NG">LL::NG</abbr> portal</div>
</li>
<li class="level1"><div class="li"><strong>KERB_AUTH</strong>: AD account used to generate the keytab for the <abbr title="LemonLDAP::NG">LL::NG</abbr> server</div>
</li>
</ul>
</div>
<!-- EDIT4 SECTION "Example values" [482-751] -->
<h3 class="sectionedit5" id="server_time">Server time</h3>
<div class="level3">
<p>
It is mandatory that the <abbr title="LemonLDAP::NG">LL::NG</abbr> servers and the AD servers have the same time, because Kerberos rejects requests whose timestamps fall outside the allowed clock skew. Using NTP on all of them is recommended.
</p>
</div>
<!-- EDIT5 SECTION "Server time" [752-887] -->
<h3 class="sectionedit6" id="dns">DNS</h3>
<div class="level3">
<p>
The name auth.example.com must be registered in the <abbr title="Domain Name System">DNS</abbr> server (which is Active Directory), and the reverse <abbr title="Domain Name System">DNS</abbr> of auth.example.com <strong>must</strong> return the portal <abbr title="Internet Protocol">IP</abbr> (the name and the address must resolve to each other).
</p>
<div class="notetip">If you have an <abbr title="Single Sign On">SSO</abbr> cluster, you must set up a virtual <abbr title="Internet Protocol">IP</abbr> for the cluster and register this <abbr title="Internet Protocol">IP</abbr> in <abbr title="Domain Name System">DNS</abbr>.
</div>
</div>
<!-- EDIT6 SECTION "DNS" [888-1170] -->
<h3 class="sectionedit7" id="ssl">SSL</h3>
<div class="level3">
<p>
SSL is not mandatory, but it is strongly recommended. Your portal <abbr title="Uniform Resource Locator">URL</abbr> should be <a href="https://auth.example.com" class="urlextern" title="https://auth.example.com" rel="nofollow">https://auth.example.com</a>.
</p>
</div>
<!-- EDIT7 SECTION "SSL" [1171-1292] -->
<h3 class="sectionedit8" id="web_browser_configuration">Web browser configuration</h3>
<div class="level3">
</div>
<h4 id="firefox">Firefox</h4>
<div class="level4">
<p>
Type <code>about:config</code> in a tab and search for <code>trusted</code>. Then edit the property <code>network.negotiate-auth.trusted-uris</code> and set its value to <code>example.com</code>.
</p>
</div>
<h4 id="internet_explorer">Internet Explorer</h4>
<div class="level4">
<p>
Add <code><a href="https://auth.example.com" class="urlextern" title="https://auth.example.com" rel="nofollow">https://auth.example.com</a></code> as a trusted site.
</p>
<p>
Check in the security settings that Kerberos authentication is allowed.
</p>
</div>
<!-- EDIT8 SECTION "Web browser configuration" [1293-1652] -->
<h2 class="sectionedit9" id="single_ad_domain">Single AD domain</h2>
<div class="level2">
</div>
<!-- EDIT9 SECTION "Single AD domain" [1653-1682] -->
<h3 class="sectionedit10" id="client_kerberos_configuration">Client Kerberos configuration</h3>
<div class="level3">
<p>
On the <abbr title="LemonLDAP::NG">LL::NG</abbr> server, edit <code>/etc/krb5.conf</code>:
</p>
<pre class="code file ini"><span class="re0"><span class="br0">[</span>libdefaults<span class="br0">]</span></span>
<span class="re1">default_realm</span> <span class="sy0">=</span> <span class="re2">EXAMPLE.COM</span>
<span class="re1">dns_lookup_kdc</span> <span class="sy0">=</span> <span class="re2">false</span>
<span class="re1">dns_lookup_realm</span> <span class="sy0">=</span> <span class="re2">no</span>
<span class="re1">ticket_lifetime</span> <span class="sy0">=</span> <span class="re2">24h</span>
<span class="re1">forwardable</span> <span class="sy0">=</span> <span class="re2">yes</span>
<span class="re1">renewable</span> <span class="sy0">=</span> <span class="re2">true</span>
<span class="re0"><span class="br0">[</span>realms<span class="br0">]</span></span>
EXAMPLE.COM <span class="sy0">=</span> <span class="re2"><span class="br0">{</span></span>
  <span class="re1">kdc</span> <span class="sy0">=</span> <span class="re2">ad.example.com</span>
  <span class="re1">admin_server</span> <span class="sy0">=</span> <span class="re2">ad.example.com</span>
<span class="br0">}</span>
<span class="re0"><span class="br0">[</span>domain_realm<span class="br0">]</span></span>
.example.com <span class="sy0">=</span> <span class="re2">EXAMPLE.COM</span>
example.com <span class="sy0">=</span> <span class="re2">EXAMPLE.COM</span></pre>
<p>
You can check that Kerberos is working by requesting a ticket for a user of the domain (for example coudot):
</p>
<pre class="code">kinit coudot@EXAMPLE.COM</pre>
<p>
You should be prompted for the password. Then list the tickets:
</p>
<pre class="code">klist -e</pre>
<p>
You should see a krbtgt ticket:
</p>
<pre class="code">Valid starting     Expires            Service principal
06/04/15 15:43:24  06/05/15 01:43:29  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 06/05/15 15:43:24, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96</pre>
<p>
You can then close the Kerberos session:
</p>
<pre class="code">kdestroy</pre>
</div>
<!-- EDIT10 SECTION "Client Kerberos configuration" [1683-2684] -->
<h3 class="sectionedit11" id="obtain_keytab_file">Obtain keytab file</h3>
<div class="level3">
<p>
You have to run this command on the Active Directory server:
</p>
<pre class="code">ktpass -princ HTTP/auth.example.com@EXAMPLE.COM -mapuser KERB_AUTH@EXAMPLE.COM -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapOp set -pass &lt;PASSWORD&gt; -out c:\auth.keytab</pre>
<div class="noteimportant">The values passed to -crypto and -ptype depend on the Active Directory version and on the Windows version of the workstations. You can for example use RC4-HMAC-NT as the crypto protocol if DES is not supported by the workstations (this is the case by default for Windows 8, for example). DES and RC4 are both considered weak today; when your domain supports it, prefer an AES type (AES256-SHA1 or AES128-SHA1) and make sure the same encryption type shows up in the keytab check at the end of this section.
</div>
<p>
The file <code>auth.keytab</code> should then be copied (using a secure channel) to the Linux server (for example in <code>/etc/lemonldap-ng</code>).
</p>
<p>
Change the rights on the keytab file so that only the web server user can read it:
</p>
<pre class="code">chown apache /etc/lemonldap-ng/auth.keytab
chmod 600 /etc/lemonldap-ng/auth.keytab</pre>
<p>
You can check the validity of the keytab file by requesting a service ticket and comparing the result with the keytab content.
</p>
<p>
Open a Kerberos session (as done in the previous step):
</p>
<pre class="code">kinit coudot@EXAMPLE.COM</pre>
<p>
Request a service ticket:
</p>
<pre class="code">kvno HTTP/auth.example.com@EXAMPLE.COM</pre>
<p>
The result of the command should be:
</p>
<pre class="code">HTTP/auth.example.com@EXAMPLE.COM: kvno = 3</pre>
<p>
Read the service ticket:
</p>
<pre class="code">klist -e</pre>
<p>
You should see this kind of ticket:
</p>
<pre class="code">06/04/15 16:28:49  06/05/15 02:28:11  HTTP/auth.example.com@EXAMPLE.COM
	renew until 06/05/15 16:28:07, Etype (skey, tkt): arcfour-hmac, arcfour-hmac</pre>
<p>
You can close the Kerberos session:
</p>
<pre class="code">kdestroy</pre>
<p>
Now you can compare the above result with the same information read from the keytab file:
</p>
<pre class="code">klist -e -k -t /etc/lemonldap-ng/auth.keytab</pre>
<p>
The result of the command should be:
</p>
<pre class="code">Keytab name: FILE:/etc/lemonldap-ng/auth.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/01/70 01:00:00 HTTP/auth.example.com@EXAMPLE.COM (arcfour-hmac)</pre>
<p>
The important things to check are:
</p>
<ul>
<li class="level1"><div class="li">the KVNO must be the same</div>
</li>
<li class="level1"><div class="li">the principal names must be the same</div>
</li>
<li class="level1"><div class="li">the encryption types must be the same</div>
</li>
</ul>
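<p>
The comparison just described can be scripted. The following shell script is an added example, not part of the LemonLDAP::NG documentation: it parses the <code>kvno</code>, <code>klist -e</code> and <code>klist -e -k -t</code> outputs in the formats shown above and reports whether the KVNO and encryption type of the service ticket match an entry in the keytab. The sample outputs embedded in the script are constructed copies of the listings on this page; the principal name and keytab path are the page's example values.
</p>

```shell
#!/bin/sh
# Added example (not from the LemonLDAP::NG documentation): automate the
# comparison between the service ticket the KDC issued for the portal's
# HTTP principal and the entry stored in the keytab. It parses the output
# formats of `kvno`, `klist -e` and `klist -e -k -t` quoted on the page.

PRINC='HTTP/auth.example.com@EXAMPLE.COM'

# Extract the key version number from `kvno PRINCIPAL` output
# ("HTTP/auth.example.com@EXAMPLE.COM: kvno = 3" gives "3").
kvno_from_output() {
    printf '%s\n' "$1" | sed -n 's/^.*: kvno = \([0-9][0-9]*\).*$/\1/p'
}

# Extract the ticket (tkt) encryption type for PRINCIPAL from `klist -e`
# output. The "Etype (skey, tkt): A, B" line follows the line that names
# the service principal; B is the type the service key must match.
ticket_enctype() {
    printf '%s\n' "$2" | awk -v p="$1" '
        found && /Etype \(skey, tkt\):/ {
            sub(/.*tkt\): */, ""); split($0, a, ", *"); print a[2]; exit
        }
        index($0, p) { found = 1 }
    '
}

# Print "KVNO ENCTYPE" for each entry of PRINCIPAL in `klist -e -k -t` output
# (the -t option is assumed, so columns are KVNO, date, time, principal, type).
keytab_entries() {
    printf '%s\n' "$2" | awk -v p="$1" \
        '$1 ~ /^[0-9]+$/ && $4 == p { gsub(/[()]/, "", $5); print $1, $5 }'
}

# Return 0 when the keytab holds an entry for PRINCIPAL with the same KVNO and
# encryption type as the service ticket, 1 on mismatch, 2 if parsing failed.
# $1 = principal, $2 = kvno output, $3 = klist -e output, $4 = keytab listing
check_keytab() {
    kv=$(kvno_from_output "$2")
    et=$(ticket_enctype "$1" "$3")
    if [ -z "$kv" ] || [ -z "$et" ]; then
        echo "could not find a ticket for $1 (run kinit and kvno first)" >&2
        return 2
    fi
    if keytab_entries "$1" "$4" | grep -qxF "$kv $et"; then
        echo "OK: keytab entry kvno=$kv enctype=$et matches the service ticket" >&2
        return 0
    fi
    echo "MISMATCH: ticket has kvno=$kv enctype=$et; keytab entries for $1:" >&2
    keytab_entries "$1" "$4" >&2
    return 1
}

# Constructed sample outputs mirroring the listings shown on this page.
SAMPLE_KVNO='HTTP/auth.example.com@EXAMPLE.COM: kvno = 3'
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: coudot@EXAMPLE.COM

Valid starting     Expires            Service principal
06/04/15 15:43:24  06/05/15 01:43:29  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 06/05/15 15:43:24, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/04/15 16:28:49  06/05/15 02:28:11  HTTP/auth.example.com@EXAMPLE.COM
        renew until 06/05/15 16:28:07, Etype (skey, tkt): arcfour-hmac, arcfour-hmac'
SAMPLE_KEYTAB='Keytab name: FILE:/etc/lemonldap-ng/auth.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   3 01/01/70 01:00:00 HTTP/auth.example.com@EXAMPLE.COM (arcfour-hmac)'
# Constructed stale keytab: it predates the last ktpass run (KVNO 2) while
# the KDC now issues tickets with KVNO 3.
STALE_KEYTAB='Keytab name: FILE:/etc/lemonldap-ng/auth.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   2 01/01/70 01:00:00 HTTP/auth.example.com@EXAMPLE.COM (arcfour-hmac)'

# Stand-alone demonstration on the samples. On the real server feed the live
# command output instead:
#   check_keytab "$PRINC" "$(kvno "$PRINC")" "$(klist -e)" \
#       "$(klist -e -k -t /etc/lemonldap-ng/auth.keytab)"
check_keytab "$PRINC" "$SAMPLE_KVNO" "$SAMPLE_KLIST" "$SAMPLE_KEYTAB" || true
check_keytab "$PRINC" "$SAMPLE_KVNO" "$SAMPLE_KLIST" "$STALE_KEYTAB" || true
```

<p>
Run it on the <abbr title="LemonLDAP::NG">LL::NG</abbr> server after <code>kinit</code>. A mismatch usually means the keytab was generated before the last <code>ktpass</code> run (the KVNO increases each time the account key is reset), or that <code>-crypto</code> was changed without copying the new keytab over.
</p>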
</div>
<!-- EDIT11 SECTION "Obtain keytab file" [2685-4814] -->
<h2 class="sectionedit12" id="multiple_ad_domains">Multiple AD domains</h2>
<div class="level2">
</div>
<!-- EDIT12 SECTION "Multiple AD domains" [4815-4847] -->
<h3 class="sectionedit13" id="client_kerberos_configuration1">Client Kerberos configuration</h3>
<div class="level3">
<p>
The two domains must be defined in <code>/etc/krb5.conf</code>:
</p>
<pre class="code file ini"><span class="re0"><span class="br0">[</span>libdefaults<span class="br0">]</span></span>
<span class="re1">default_realm</span> <span class="sy0">=</span> <span class="re2">EXAMPLE.COM</span>
<span class="re1">dns_lookup_kdc</span> <span class="sy0">=</span> <span class="re2">false</span>
<span class="re1">dns_lookup_realm</span> <span class="sy0">=</span> <span class="re2">no</span>
<span class="re1">ticket_lifetime</span> <span class="sy0">=</span> <span class="re2">24h</span>
<span class="re1">forwardable</span> <span class="sy0">=</span> <span class="re2">yes</span>
<span class="re1">renewable</span> <span class="sy0">=</span> <span class="re2">true</span>
<span class="re0"><span class="br0">[</span>realms<span class="br0">]</span></span>
EXAMPLE.COM <span class="sy0">=</span> <span class="re2"><span class="br0">{</span></span>
  <span class="re1">kdc</span> <span class="sy0">=</span> <span class="re2">ad.example.com</span>
  <span class="re1">admin_server</span> <span class="sy0">=</span> <span class="re2">ad.example.com</span>
  <span class="re1">default_domain</span> <span class="sy0">=</span> <span class="re2">EXAMPLE.COM</span>
<span class="br0">}</span>
ACME.COM <span class="sy0">=</span> <span class="re2"><span class="br0">{</span></span>
  <span class="re1">kdc</span> <span class="sy0">=</span> <span class="re2">ad.acme.com</span>
  <span class="re1">admin_server</span> <span class="sy0">=</span> <span class="re2">ad.acme.com</span>
<span class="br0">}</span>
<span class="re0"><span class="br0">[</span>domain_realm<span class="br0">]</span></span>
.example.com <span class="sy0">=</span> <span class="re2">EXAMPLE.COM</span>
example.com <span class="sy0">=</span> <span class="re2">EXAMPLE.COM</span>
.acme.com <span class="sy0">=</span> <span class="re2">ACME.COM</span>
acme.com <span class="sy0">=</span> <span class="re2">ACME.COM</span></pre>
<p>
You should then be able to open a Kerberos session in each domain:
</p>
<pre class="code">kinit coudot@EXAMPLE.COM
klist -e
kdestroy</pre>
<pre class="code">kinit coudot@ACME.COM
klist -e
kdestroy</pre>
</div>
<!-- EDIT13 SECTION "Client Kerberos configuration" [4848-5592] -->
<h3 class="sectionedit14" id="obtain_keytab_file1">Obtain keytab file</h3>
<div class="level3">
<p>
You need to obtain a keytab for each node in each domain, so the ktpass command has to be run on both AD servers.
</p>
<p>
You will then have two keytab files for each node, for example:
</p>
<ul>
<li class="level1"><div class="li">node1-example.keytab</div>
</li>
<li class="level1"><div class="li">node1-acme.keytab</div>
</li>
</ul>
<p>
You need to merge the keytab files with the <code>ktutil</code> command:
</p>
<pre class="code">ktutil
ktutil: read_kt node1-example.keytab
ktutil: read_kt node1-acme.keytab
ktutil: write_kt /etc/lemonldap-ng/auth.keytab
ktutil: quit</pre>
<p>
You can then remove the original keytab files and protect the final keytab file:
</p>
<pre class="code">chown apache /etc/lemonldap-ng/auth.keytab
chmod 600 /etc/lemonldap-ng/auth.keytab</pre>
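<p>
The merge and the protection step can also be done without an interactive session. The script below is an added example, not part of the LemonLDAP::NG documentation: it feeds the same <code>read_kt</code>/<code>write_kt</code> commands to <code>ktutil</code> on standard input, creates the merged file under a restrictive umask so it is never world-readable, and checks a <code>klist -k -t</code> listing for an HTTP entry in every expected realm. The file names are the page's example values; the keytab listings inside the script are constructed samples.
</p>

```shell
#!/bin/sh
# Added example (not from the LemonLDAP::NG documentation): merge the
# per-domain keytabs into the single file LL::NG reads without typing at the
# interactive ktutil prompt, then verify that the merged keytab holds an
# HTTP service entry for every realm.

# Print the ktutil command stream that reads each input keytab and writes OUT.
# $1 = output keytab, remaining arguments = input keytabs.
ktutil_commands() {
    out=$1; shift
    for kt in "$@"; do
        printf 'read_kt %s\n' "$kt"
    done
    printf 'write_kt %s\nquit\n' "$out"
}

# Merge the keytabs. MIT ktutil reads its commands from stdin, so the stream
# above can be piped in. umask 077 makes the new file mode 600 from the
# start, so the service keys are never readable by other users, even briefly.
merge_keytabs() {
    out=$1; shift
    ( umask 077 && ktutil_commands "$out" "$@" | ktutil )
}

# From `klist -k -t KEYTAB` output, print the realm of every HTTP/ entry,
# sorted and de-duplicated, one per line.
http_realms_in_listing() {
    printf '%s\n' "$1" \
        | awk '$1 ~ /^[0-9]+$/ && $4 ~ /^HTTP\// { sub(/.*@/, "", $4); print $4 }' \
        | sort -u
}

# Return 0 when the listing ($1) has an HTTP/ entry for every realm given as
# a further argument, 1 if any realm is missing (each missing one is reported).
check_realms() {
    listing=$1; shift
    have=$(http_realms_in_listing "$listing")
    missing=0
    for realm in "$@"; do
        if ! printf '%s\n' "$have" | grep -qxF "$realm"; then
            echo "no HTTP/ entry for realm $realm in the keytab" >&2
            missing=1
        fi
    done
    return $missing
}

# Constructed sample listing of a correctly merged keytab.
SAMPLE_MERGED='Keytab name: FILE:/etc/lemonldap-ng/auth.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   3 01/01/70 01:00:00 HTTP/auth.example.com@EXAMPLE.COM
   5 01/01/70 01:00:00 HTTP/auth.example.com@ACME.COM'
# Constructed sample where only the first read_kt was done.
SAMPLE_PARTIAL='Keytab name: FILE:/etc/lemonldap-ng/auth.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------------------
   3 01/01/70 01:00:00 HTTP/auth.example.com@EXAMPLE.COM'

# Stand-alone demonstration. On the LL::NG server you would run instead:
#   merge_keytabs /etc/lemonldap-ng/auth.keytab node1-example.keytab node1-acme.keytab
#   check_realms "$(klist -k -t /etc/lemonldap-ng/auth.keytab)" EXAMPLE.COM ACME.COM
ktutil_commands /etc/lemonldap-ng/auth.keytab node1-example.keytab node1-acme.keytab
check_realms "$SAMPLE_MERGED" EXAMPLE.COM ACME.COM && echo "merged keytab: all realms present"
check_realms "$SAMPLE_PARTIAL" EXAMPLE.COM ACME.COM || echo "partial keytab: missing realm detected"
```

<p>
The <code>chown apache</code> step from the page is still needed after the merge, because the file is created by whoever runs the script; the umask only guarantees the 600 mode.
</p>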
</div>
<!-- EDIT14 SECTION "Obtain keytab file" [5593-6254] -->
<h2 class="sectionedit15" id="other_resources">Other resources</h2>
<div class="level2">
<p>
You can consult these documents for more information:
</p>
<ul>
<li class="level1"><div class="li"><a href="http://modauthkerb.sourceforge.net/configure.html" class="urlextern" title="http://modauthkerb.sourceforge.net/configure.html" rel="nofollow">http://modauthkerb.sourceforge.net/configure.html</a></div>
</li>
<li class="level1"><div class="li"><a href="http://www.grolmsnet.de/kerbtut/" class="urlextern" title="http://www.grolmsnet.de/kerbtut/" rel="nofollow">http://www.grolmsnet.de/kerbtut/</a></div>
</li>
</ul>
</div>
<!-- EDIT15 SECTION "Other resources" [6255-] --></div>
</body>
</html>