2016-10-15 19:57:04 +02:00
<!DOCTYPE html>
< html lang = "en" dir = "ltr" >
< head >
< meta charset = "utf-8" / >
< title > documentation:2.0:kerberos< / title >
< meta name = "generator" content = "DokuWiki" / >
< meta name = "robots" content = "index,follow" / >
< meta name = "keywords" content = "documentation,2.0,kerberos" / >
< link rel = "search" type = "application/opensearchdescription+xml" href = "lib/exe/opensearch.html" title = "LemonLDAP::NG" / >
< link rel = "start" href = "kerberos.html" / >
< link rel = "contents" href = "kerberos.html" title = "Sitemap" / >
< link rel = "stylesheet" type = "text/css" href = "lib/exe/css.php.t.bootstrap3.css" / >
<!-- //if:usedebianlibs
< link rel = "stylesheet" type = "text/css" href = "/javascript/bootstrap/css/bootstrap.min.css" / >
//elsif:useexternallibs
< link rel = "stylesheet" type = "text/css" href = "https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" / >
//elsif:cssminified
< link rel = "stylesheet" type = "text/css" href = "/static/bwr/bootstrap/dist/css/bootstrap.min.css" / >
//else -->
< link rel = "stylesheet" type = "text/css" href = "/static/bwr/bootstrap/dist/css/bootstrap.css" / >
<!-- //endif -->
< script type = "text/javascript" > /*<![CDATA[*/var NS='documentation:2.0';var JSINFO={"id":"documentation:2.0:kerberos","namespace":"documentation:2.0"};
/*!]]>*/< / script >
< script type = "text/javascript" charset = "utf-8" src = "lib/exe/js.php.t.bootstrap3.js" > < / script >
<!-- //if:usedebianlibs
< script type = "text/javascript" src = "/javascript/jquery/jquery.min.js" > < / script >
//elsif:useexternallibs
< script type = "text/javascript" src = "http://code.jquery.com/jquery-2.2.0.min.js" > < / script >
//elsif:jsminified
< script type = "text/javascript" src = "/static/bwr/jquery/dist/jquery.min.js" > < / script >
//else -->
< script type = "text/javascript" src = "/static/bwr/jquery/dist/jquery.js" > < / script >
<!-- //endif -->
<!-- //if:usedebianlibs
< script type = "text/javascript" src = "/javascript/jquery-ui/jquery-ui.min.js" > < / script >
//elsif:useexternallibs
< script type = "text/javascript" src = "http://code.jquery.com/ui/1.10.4/jquery-ui.min.js" > < / script >
//elsif:jsminified
< script type = "text/javascript" src = "/lib/scripts/jquery-ui.min.js" > < / script >
//else -->
< script type = "text/javascript" src = "/lib/scripts/jquery-ui.js" > < / script >
<!-- //endif -->
< / head >
< body >
< div class = "dokuwiki export container" >
<!-- TOC START -->
< div id = "dw__toc" >
< h3 class = "toggle" > Table of Contents< / h3 >
< div >
< ul class = "toc" >
< li class = "level1" > < div class = "li" > < a href = "#presentation" > Presentation< / a > < / div > < / li >
< li class = "level1" > < div class = "li" > < a href = "#prerequisites" > Prerequisites< / a > < / div >
< ul class = "toc" >
< li class = "level2" > < div class = "li" > < a href = "#example_values" > Example values< / a > < / div > < / li >
< li class = "level2" > < div class = "li" > < a href = "#server_time" > Server time< / a > < / div > < / li >
< li class = "level2" > < div class = "li" > < a href = "#dns" > DNS< / a > < / div > < / li >
< li class = "level2" > < div class = "li" > < a href = "#ad_accounts" > AD accounts< / a > < / div > < / li >
< li class = "level2" > < div class = "li" > < a href = "#web_browser_configuration" > Web browser configuration< / a > < / div >
< ul class = "toc" >
< li class = "level3" > < div class = "li" > < a href = "#firefox" > Firefox< / a > < / div > < / li >
< li class = "level3" > < div class = "li" > < a href = "#internet_explorer" > Internet Explorer< / a > < / div > < / li >
< / ul >
< / li >
< li class = "level2" > < div class = "li" > < a href = "#apache_kerberos_module_installation" > Apache Kerberos module installation< / a > < / div > < / li >
< / ul >
< / li >
< li class = "level1" > < div class = "li" > < a href = "#single_llng_serversingle_ad_domain" > Single LL::NG Server / Single AD domain< / a > < / div >
< ul class = "toc" >
< li class = "level2" > < div class = "li" > < a href = "#client_kerberos_configuration" > Client Kerberos configuration< / a > < / div > < / li >
< li class = "level2" > < div class = "li" > < a href = "#obtain_keytab_file" > Obtain keytab file< / a > < / div > < / li >
< li class = "level2" > < div class = "li" > < a href = "#configuration_of_lemonldapng" > Configuration of LemonLDAP::NG< / a > < / div > < / li >
< / ul >
< / li >
< li class = "level1" > < div class = "li" > < a href = "#llng_clustersingle_ad_domain" > LL::NG Cluster / Single AD domain< / a > < / div >
< ul class = "toc" >
< li class = "level2" > < div class = "li" > < a href = "#client_kerberos_configuration1" > Client Kerberos configuration< / a > < / div > < / li >
< li class = "level2" > < div class = "li" > < a href = "#obtain_keytab_file1" > Obtain keytab file< / a > < / div > < / li >
< li class = "level2" > < div class = "li" > < a href = "#configuration_of_lemonldapng1" > Configuration of LemonLDAP::NG< / a > < / div > < / li >
< li class = "level2" > < div class = "li" > < a href = "#configuration_of_portal_virtual_host" > Configuration of portal virtual host< / a > < / div > < / li >
< / ul >
< / li >
< li class = "level1" > < div class = "li" > < a href = "#llng_clustertwo_ad_domains" > LL::NG Cluster / Two AD domains< / a > < / div >
< ul class = "toc" >
< li class = "level2" > < div class = "li" > < a href = "#client_kerberos_configuration2" > Client Kerberos configuration< / a > < / div > < / li >
< li class = "level2" > < div class = "li" > < a href = "#obtain_keytab_file2" > Obtain keytab file< / a > < / div > < / li >
< li class = "level2" > < div class = "li" > < a href = "#configuration_of_lemonldapng2" > Configuration of LemonLDAP::NG< / a > < / div > < / li >
< li class = "level2" > < div class = "li" > < a href = "#configuration_of_portal_virtual_host1" > Configuration of portal virtual host< / a > < / div > < / li >
< / ul >
< / li >
< li class = "level1" > < div class = "li" > < a href = "#other_resources" > Other resources< / a > < / div > < / li >
< / ul >
< / div >
< / div >
<!-- TOC END -->
< h1 class = "sectionedit1" id = "kerberos" > Kerberos< / h1 >
< div class = "level1" >
< / div >
<!-- EDIT1 SECTION "Kerberos" [1 - 24] -->
< h2 class = "sectionedit2" id = "presentation" > Presentation< / h2 >
< div class = "level2" >
< p >
This documentation explains how to use Active Directory as the Kerberos server and give AD domain users transparent (SPNEGO) authentication to < abbr title = "LemonLDAP::NG" > LL::NG< / abbr > .
< / p >
< p >
We will present several architectures:
< / p >
< ul >
< li class = "level1" > < div class = "li" > Single < abbr title = "LemonLDAP::NG" > LL::NG< / abbr > server linked to one AD domain< / div >
< / li >
< li class = "level1" > < div class = "li" > < abbr title = "LemonLDAP::NG" > LL::NG< / abbr > cluster linked to one AD domain< / div >
< / li >
< li class = "level1" > < div class = "li" > < abbr title = "LemonLDAP::NG" > LL::NG< / abbr > cluster linked to two AD domains< / div >
< / li >
< / ul >
< / div >
<!-- EDIT2 SECTION "Presentation" [25 - 376] -->
< h2 class = "sectionedit3" id = "prerequisites" > Prerequisites< / h2 >
< div class = "level2" >
< / div >
<!-- EDIT3 SECTION "Prerequisites" [377 - 403] -->
< h3 class = "sectionedit4" id = "example_values" > Example values< / h3 >
< div class = "level3" >
< p >
We will use the following values in our examples
< / p >
< ul >
< li class = "level1" > < div class = "li" > < strong > EXAMPLE.COM< / strong > : First AD domain< / div >
< / li >
< li class = "level1" > < div class = "li" > < strong > ACME.COM< / strong > : Second AD domain< / div >
< / li >
< li class = "level1" > < div class = "li" > < strong > auth.example.com< / strong > : < abbr title = "Domain Name System" > DNS< / abbr > of the < abbr title = "LemonLDAP::NG" > LL::NG< / abbr > portal< / div >
< / li >
< li class = "level1" > < div class = "li" > < strong > authpwd.example.com< / strong > : < abbr title = "Domain Name System" > DNS< / abbr > of the < abbr title = "LemonLDAP::NG" > LL::NG< / abbr > portal used to fall back to form-based authentication when the browser cannot negotiate Kerberos< / div >
< / li >
< li class = "level1" > < div class = "li" > < strong > node1.example.com< / strong > : < abbr title = "Domain Name System" > DNS< / abbr > of the first < abbr title = "LemonLDAP::NG" > LL::NG< / abbr > portal server (in cluster mode)< / div >
< / li >
< li class = "level1" > < div class = "li" > < strong > node2.example.com< / strong > : < abbr title = "Domain Name System" > DNS< / abbr > of the second < abbr title = "LemonLDAP::NG" > LL::NG< / abbr > portal server (in cluster mode)< / div >
< / li >
< li class = "level1" > < div class = "li" > < strong > ad.example.com< / strong > : < abbr title = "Domain Name System" > DNS< / abbr > of First Active Directory< / div >
< / li >
< li class = "level1" > < div class = "li" > < strong > ad.acme.com< / strong > : < abbr title = "Domain Name System" > DNS< / abbr > of Second Active Directory< / div >
< / li >
< li class = "level1" > < div class = "li" > < strong > KERB_AUTH< / strong > : AD account to generate the keytab for < abbr title = "LemonLDAP::NG" > LL::NG< / abbr > server (in single mode)< / div >
< / li >
< li class = "level1" > < div class = "li" > < strong > KERB_NODE1< / strong > : AD account to generate the keytab for the first < abbr title = "LemonLDAP::NG" > LL::NG< / abbr > server (in cluster mode)< / div >
< / li >
< li class = "level1" > < div class = "li" > < strong > KERB_NODE2< / strong > : AD account to generate the keytab for the second < abbr title = "LemonLDAP::NG" > LL::NG< / abbr > server (in cluster mode)< / div >
< / li >
< / ul >
< / div >
<!-- EDIT4 SECTION "Example values" [404 - 1263] -->
< h3 class = "sectionedit5" id = "server_time" > Server time< / h3 >
< div class = "level3" >
< p >
< abbr title = "LemonLDAP::NG" > LL::NG< / abbr > servers and AD servers must have synchronised clocks: the KDC and the Kerberos libraries reject tickets and authenticators whose timestamps differ by more than the allowed clock skew (5 minutes by default), so authentication silently fails as soon as a server drifts. Use NTP on every server.
< / p >
< / div >
<!-- EDIT5 SECTION "Server time" [1264 - 1399] -->
< h3 class = "sectionedit6" id = "dns" > DNS< / h3 >
< div class = "level3" >
< p >
All names must be registered in the < abbr title = "Domain Name System" > DNS< / abbr > server (which is Active Directory), and reverse < abbr title = "Domain Name System" > DNS< / abbr > must also resolve for all of them. The browser builds the service principal name from the host name of the portal < abbr title = "Uniform Resource Locator" > URL< / abbr > (< code > HTTP/auth.example.com< / code > ; Windows clients may first canonicalize that name through < abbr title = "Domain Name System" > DNS< / abbr > ), so the name users type, its < abbr title = "Domain Name System" > DNS< / abbr > records and the SPN registered in AD must all agree.
< / p >
< / div >
<!-- EDIT6 SECTION "DNS" [1400 - 1543] -->
< h3 class = "sectionedit7" id = "ad_accounts" > AD accounts< / h3 >
< div class = "level3" >
< p >
It is recommended to create an AD account for each < abbr title = "LemonLDAP::NG" > LL::NG< / abbr > server. Each account will hold the Service Principal Name (SPN) of the < abbr title = "LemonLDAP::NG" > LL::NG< / abbr > server.
< / p >
< div class = "notetip" > It is possible to put every SPN on a single account, but that requires registering the extra SPNs on AD with the < code > setspn< / code > command, which is not documented here.
< / div >
< / div >
<!-- EDIT7 SECTION "AD accounts" [1544 - 1884] -->
< h3 class = "sectionedit8" id = "web_browser_configuration" > Web browser configuration< / h3 >
< div class = "level3" >
< / div >
< h4 id = "firefox" > Firefox< / h4 >
< div class = "level4" >
< p >
Type < code > about:config< / code > in a tab and search for < code > trusted< / code > . Then edit the property < code > network.negotiate-auth.trusted-uris< / code > and set its value to < code > example.com< / code > . The value is a comma-separated list of domain suffixes; every host under a listed domain may receive a Kerberos ticket for the user, so keep the list as narrow as possible.
< / p >
< / div >
< h4 id = "internet_explorer" > Internet Explorer< / h4 >
< div class = "level4" >
< p >
Add < code > < a href = "https://auth.example.com" class = "urlextern" title = "https://auth.example.com" rel = "nofollow" > https://auth.example.com< / a > < / code > as a trusted site (or to the Local intranet zone).
< / p >
< p >
In < em > Internet Options > Advanced< / em > check that < em > Enable Integrated Windows Authentication< / em > is ticked, and in the security settings of the zone check that automatic logon with the current user name and password is allowed; otherwise Internet Explorer prompts for a password instead of sending a Kerberos ticket.
< / p >
< / div >
<!-- EDIT8 SECTION "Web browser configuration" [1885 - 2244] -->
< h3 class = "sectionedit9" id = "apache_kerberos_module_installation" > Apache Kerberos module installation< / h3 >
< div class = "level3" >
< p >
On CentOS/RHEL:
< / p >
< pre class = "code shell" > yum install mod_auth_kerb< / pre >
< p >
On Debian/Ubuntu:
< / p >
< pre class = "code shell" > apt-get install libapache2-mod-auth-kerb< / pre >
< p >
The module must be loaded by Apache: check that the < code > LoadModule< / code > directive for < code > auth_kerb_module< / code > is present and enabled in the Apache configuration (the distribution packages normally ship it in the module configuration file).
< / p >
< / div >
<!-- EDIT9 SECTION "Apache Kerberos module installation" [2245 - 2497] -->
< h2 class = "sectionedit10" id = "single_llng_serversingle_ad_domain" > Single LL::NG Server / Single AD domain< / h2 >
< div class = "level2" >
< / div >
<!-- EDIT10 SECTION "Single LL::NG Server / Single AD domain" [2498 - 2550] -->
< h3 class = "sectionedit11" id = "client_kerberos_configuration" > Client Kerberos configuration< / h3 >
< div class = "level3" >
< p >
On < abbr title = "LemonLDAP::NG" > LL::NG< / abbr > server, edit < code > /etc/krb5.conf< / code > :
< / p >
< pre class = "code file ini" > < span class = "re0" > < span class = "br0" > [ < / span > libdefaults< span class = "br0" > ] < / span > < / span >
< span class = "re1" > default_realm< / span > < span class = "sy0" > =< / span > < span class = "re2" > EXAMPLE.COM< / span >
< span class = "re1" > dns_lookup_kdc< / span > < span class = "sy0" > =< / span > < span class = "re2" > false< / span >
< span class = "re1" > dns_lookup_realm< / span > < span class = "sy0" > =< / span > < span class = "re2" > no< / span >
< span class = "re1" > ticket_lifetime< / span > < span class = "sy0" > =< / span > < span class = "re2" > 24h< / span >
< span class = "re1" > forwardable< / span > < span class = "sy0" > =< / span > < span class = "re2" > yes< / span >
< span class = "re1" > renewable< / span > < span class = "sy0" > =< / span > < span class = "re2" > true< / span >
< span class = "re0" > < span class = "br0" > [ < / span > realms< span class = "br0" > ] < / span > < / span >
EXAMPLE.COM < span class = "sy0" > =< / span > < span class = "re2" > < span class = "br0" > { < / span > < / span >
< span class = "re1" > kdc< / span > < span class = "sy0" > =< / span > < span class = "re2" > ad.example.com< / span >
< span class = "re1" > admin_server< / span > < span class = "sy0" > =< / span > < span class = "re2" > ad.example.com< / span >
< span class = "br0" > } < / span >
< span class = "re0" > < span class = "br0" > [ < / span > domain_realm< span class = "br0" > ] < / span > < / span >
.example.com < span class = "sy0" > =< / span > < span class = "re2" > EXAMPLE.COM< / span >
example.com < span class = "sy0" > =< / span > < span class = "re2" > EXAMPLE.COM< / span > < / pre >
< p >
You can check that Kerberos is working by trying to get a ticket for a user of the domain (for example coudot):
< / p >
< pre class = "code" > kinit coudot@EXAMPLE.COM< / pre >
< p >
You should be prompted to enter password. Then list the tickets:
< / p >
< pre class = "code" > klist -e< / pre >
< p >
You should see a krbtgt ticket:
< / p >
< pre class = "code" > Valid starting Expires Service principal
06/04/15 15:43:24 06/05/15 01:43:29 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 06/05/15 15:43:24, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96< / pre >
< p >
You can then close the Kerberos session:
< / p >
< pre class = "code" > kdestroy< / pre >
< / div >
<!-- EDIT11 SECTION "Client Kerberos configuration" [2551 - 3552] -->
< h3 class = "sectionedit12" id = "obtain_keytab_file" > Obtain keytab file< / h3 >
< div class = "level3" >
< p >
You have to run this command on Active Directory:
< / p >
< pre class = "code" > ktpass -princ HTTP/auth.example.com@EXAMPLE.COM -mapuser KERB_AUTH@EXAMPLE.COM -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapOp set -pass < PASSWORD> -out c:\auth.keytab< / pre >
< div class = "noteimportant" > The values passed in -crypto and -ptype depend on the Active Directory version and the Windows version of the workstations. DES-CBC-MD5 is shown for historical reasons only: DES is disabled by default since Windows 7 / Windows Server 2008 R2, and RC4-HMAC-NT (which produces the arcfour-hmac keys shown below) is also a weak choice. Prefer AES256-SHA1 when the AD account is allowed to use AES (attribute msDS-SupportedEncryptionTypes), and fall back to RC4-HMAC-NT only for old clients. Note also that ktpass sets the password of the mapped account to the value given with -pass (use < code > -pass *< / code > to be prompted rather than leaving the password in the command history) and that -mapOp set overwrites the account's existing principal mapping instead of adding to it.
< / div >
< p >
The file < code > auth.keytab< / code > must then be copied over a secure channel to the Linux server (for example in < code > /etc/lemonldap-ng< / code > ). It holds the long-term key of the service and is equivalent to the account password: anyone who reads it can impersonate the portal.
< / p >
< p >
Restrict the keytab to the Apache user (< code > apache< / code > on CentOS/RHEL, < code > www-data< / code > on Debian/Ubuntu):
< / p >
< pre class = "code" > chown apache /etc/lemonldap-ng/auth.keytab
chmod 600 /etc/lemonldap-ng/auth.keytab< / pre >
< p >
You can check the validity of the keytab file by trying to request a service ticket, and compare the result with the keytab content.
< / p >
< p >
Open a Kerberos session (like done in the previous step):
< / p >
< pre class = "code" > kinit coudot@EXAMPLE.COM< / pre >
< p >
Request a service ticket:
< / p >
< pre class = "code" > kvno HTTP/auth.example.com@EXAMPLE.COM< / pre >
< p >
The result of the command should be:
< / p >
< pre class = "code" > HTTP/auth.example.com@EXAMPLE.COM: kvno = 3< / pre >
< p >
Read the service ticket:
< / p >
< pre class = "code" > klist -e< / pre >
< p >
You should see this kind of ticket:
< / p >
< pre class = "code" > 06/04/15 16:28:49 06/05/15 02:28:11 HTTP/auth.example.com@EXAMPLE.COM
renew until 06/05/15 16:28:07, Etype (skey, tkt): arcfour-hmac, arcfour-hmac< / pre >
< p >
You can close the Kerberos session:
< / p >
< pre class = "code" > kdestroy< / pre >
< p >
Now you can compare the above result with the same request done through the keytab file:
< / p >
< pre class = "code" > klist -e -k -t /etc/lemonldap-ng/auth.keytab< / pre >
< p >
The result of the command should be:
< / p >
< pre class = "code" > Keytab name: FILE:/etc/lemonldap-ng/auth.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
3 01/01/70 01:00:00 HTTP/auth.example.com@EXAMPLE.COM (arcfour-hmac)< / pre >
< p >
The important things to check are:
< / p >
< ul >
< li class = "level1" > < div class = "li" > KVNO must be the same< / div >
< / li >
< li class = "level1" > < div class = "li" > Principal names must be the same< / div >
< / li >
< li class = "level1" > < div class = "li" > Encryption types must be the same< / div >
< / li >
< / ul >
< / div >
<!-- EDIT12 SECTION "Obtain keytab file" [3553 - 5681] -->
< h3 class = "sectionedit13" id = "configuration_of_lemonldapng" > Configuration of LemonLDAP::NG< / h3 >
< div class = "level3" >
< p >
See < a href = "authkerberos.html" class = "wikilink1" title = "documentation:2.0:authkerberos" > Kerberos authentication module< / a > < em > or < a href = "authapache.html#llng" class = "wikilink1" title = "documentation:2.0:authapache" > Apache authentication module configuration< / a > (deprecated)< / em > .
< / p >
< / div >
<!-- EDIT13 SECTION "Configuration of LemonLDAP::NG" [5682 - 5861] -->
< h2 class = "sectionedit14" id = "llng_clustersingle_ad_domain" > LL::NG Cluster / Single AD domain< / h2 >
< div class = "level2" >
< / div >
<!-- EDIT14 SECTION "LL::NG Cluster / Single AD domain" [5862 - 5908] -->
< h3 class = "sectionedit15" id = "client_kerberos_configuration1" > Client Kerberos configuration< / h3 >
< div class = "level3" >
< p >
The client Kerberos configuration is the same as a single < abbr title = "LemonLDAP::NG" > LL::NG< / abbr > server.
< / p >
< / div >
<!-- EDIT15 SECTION "Client Kerberos configuration" [5909 - 6023] -->
< h3 class = "sectionedit16" id = "obtain_keytab_file1" > Obtain keytab file< / h3 >
< div class = "level3" >
< div class = "noteimportant" > You need to get a keytab for each < abbr title = "LemonLDAP::NG" > LL::NG< / abbr > node.
< / div >
< p >
Commands on Active Directory will be:
< / p >
< pre class = "code" > ktpass -princ HTTP/node1.example.com@EXAMPLE.COM -mapuser KERB_NODE1@EXAMPLE.COM -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapOp set -pass < PASSWORD> -out c:\authnode1.keytab
ktpass -princ HTTP/node2.example.com@EXAMPLE.COM -mapuser KERB_NODE2@EXAMPLE.COM -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapOp set -pass < PASSWORD> -out c:\authnode2.keytab< / pre >
< p >
Copy the generated keytab to each node (rename it to auth.keytab so that the Apache configuration is identical on every node).
< / p >
< p >
Restrict the keytab to the Apache user (< code > apache< / code > on CentOS/RHEL, < code > www-data< / code > on Debian/Ubuntu):
< / p >
< pre class = "code" > chown apache /etc/lemonldap-ng/auth.keytab
chmod 600 /etc/lemonldap-ng/auth.keytab< / pre >
< div class = "notetip" > You can do the same check for the keytab as with the single < abbr title = "LemonLDAP::NG" > LL::NG< / abbr > server. Just use node1.example.com and node2.example.com instead of auth.example.com.
< / div >
< / div >
<!-- EDIT16 SECTION "Obtain keytab file" [6024 - 6957] -->
< h3 class = "sectionedit17" id = "configuration_of_lemonldapng1" > Configuration of LemonLDAP::NG< / h3 >
< div class = "level3" >
< p >
The configuration is the same as a single < abbr title = "LemonLDAP::NG" > LL::NG< / abbr > server.
< / p >
< / div >
<!-- EDIT17 SECTION "Configuration of LemonLDAP::NG" [6958 - 7058] -->
< h3 class = "sectionedit18" id = "configuration_of_portal_virtual_host" > Configuration of portal virtual host< / h3 >
< div class = "level3" >
< p >
The only change in the Apache configuration is < code > KrbServiceName< / code > , which should be set to Any so that mod_auth_kerb accepts a ticket for any principal found in the keytab (by default it only accepts HTTP/ followed by the server's own host name). The browser still requests a ticket for the host name of the < abbr title = "Uniform Resource Locator" > URL< / abbr > it connected to, so that name must have an SPN in the node's keytab:
< / p >
< pre class = "code file apache" > KrbServiceName Any< / pre >
< / div >
<!-- EDIT18 SECTION "Configuration of portal virtual host" [7059 - 7247] -->
< h2 class = "sectionedit19" id = "llng_clustertwo_ad_domains" > LL::NG Cluster / Two AD domains< / h2 >
< div class = "level2" >
< / div >
<!-- EDIT19 SECTION "LL::NG Cluster / Two AD domains" [7248 - 7292] -->
< h3 class = "sectionedit20" id = "client_kerberos_configuration2" > Client Kerberos configuration< / h3 >
< div class = "level3" >
< p >
The two domains must be defined in < code > /etc/krb5.conf< / code > :
< / p >
< pre class = "code file ini" > < span class = "re0" > < span class = "br0" > [ < / span > libdefaults< span class = "br0" > ] < / span > < / span >
< span class = "re1" > default_realm< / span > < span class = "sy0" > =< / span > < span class = "re2" > EXAMPLE.COM< / span >
< span class = "re1" > dns_lookup_kdc< / span > < span class = "sy0" > =< / span > < span class = "re2" > false< / span >
< span class = "re1" > dns_lookup_realm< / span > < span class = "sy0" > =< / span > < span class = "re2" > no< / span >
< span class = "re1" > ticket_lifetime< / span > < span class = "sy0" > =< / span > < span class = "re2" > 24h< / span >
< span class = "re1" > forwardable< / span > < span class = "sy0" > =< / span > < span class = "re2" > yes< / span >
< span class = "re1" > renewable< / span > < span class = "sy0" > =< / span > < span class = "re2" > true< / span >
< span class = "re0" > < span class = "br0" > [ < / span > realms< span class = "br0" > ] < / span > < / span >
EXAMPLE.COM < span class = "sy0" > =< / span > < span class = "re2" > < span class = "br0" > { < / span > < / span >
< span class = "re1" > kdc< / span > < span class = "sy0" > =< / span > < span class = "re2" > ad.example.com< / span >
< span class = "re1" > admin_server< / span > < span class = "sy0" > =< / span > < span class = "re2" > ad.example.com< / span >
< span class = "re1" > default_domain< / span > < span class = "sy0" > =< / span > < span class = "re2" > EXAMPLE.COM< / span >
< span class = "br0" > } < / span >
ACME.COM < span class = "sy0" > =< / span > < span class = "re2" > < span class = "br0" > { < / span > < / span >
< span class = "re1" > kdc< / span > < span class = "sy0" > =< / span > < span class = "re2" > ad.acme.com< / span >
< span class = "re1" > admin_server< / span > < span class = "sy0" > =< / span > < span class = "re2" > ad.acme.com< / span >
< span class = "br0" > } < / span >
< span class = "re0" > < span class = "br0" > [ < / span > domain_realm< span class = "br0" > ] < / span > < / span >
.example.com < span class = "sy0" > =< / span > < span class = "re2" > EXAMPLE.COM< / span >
example.com < span class = "sy0" > =< / span > < span class = "re2" > EXAMPLE.COM< / span >
.acme.com < span class = "sy0" > =< / span > < span class = "re2" > ACME.COM< / span >
acme.com < span class = "sy0" > =< / span > < span class = "re2" > ACME.COM< / span > < / pre >
< p >
You should then be able to open a Kerberos session on each domain:
< / p >
< pre class = "code" > kinit coudot@EXAMPLE.COM
klist -e
kdestroy< / pre >
< pre class = "code" > kinit coudot@ACME.COM
klist -e
kdestroy< / pre >
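< p >
Which realm the client asks for a service ticket from is decided by the < code > [domain_realm]< / code > map above, since < code > dns_lookup_realm = no< / code > disables realm discovery through < abbr title = "Domain Name System" > DNS< / abbr > . The following shell script is an added example and not code from the LemonLDAP::NG documentation or project: it applies the MIT Kerberos matching rules (exact host entry first, then parent domains written with a leading dot, longest first, then < code > default_realm< / code > ) to a host name and prints the service principal the browser will request, which is the name that must be present in the node's keytab. The function names are hypothetical and the embedded krb5.conf is a constructed copy of the one shown above.
< / p >

```sh
#!/bin/sh
# Added example, not code from the LemonLDAP::NG documentation: shows which
# realm an MIT Kerberos client maps a host name to under the [domain_realm]
# rules, and therefore which service principal (HTTP/<host>@<REALM>) the
# browser asks the KDC for. With dns_lookup_realm = no this map is the only
# thing that decides it. Function names are hypothetical.
set -eu

# Constructed copy of the two-realm krb5.conf shown on this page.
SAMPLE_KRB5_CONF='[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_kdc = false
dns_lookup_realm = no
[realms]
EXAMPLE.COM = {
  kdc = ad.example.com
  admin_server = ad.example.com
  default_domain = EXAMPLE.COM
}
ACME.COM = {
  kdc = ad.acme.com
  admin_server = ad.acme.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
.acme.com = ACME.COM
acme.com = ACME.COM'

# domain_realm_map CONF -> lines "pattern REALM" taken from [domain_realm]
# (patterns lower-cased; other sections such as [realms] are skipped)
domain_realm_map() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*\[/ { sect = $0; gsub(/[^a-z_]/, "", sect); next }
        sect == "domain_realm" && NF >= 3 && $2 == "=" { print tolower($1), $3 }'
}

# realm_for_host CONF HOST -> realm chosen by the client: an exact host entry
# first, then each parent domain (longest first) as ".parent", or as a bare
# "parent" entry when no dotted one exists, and default_realm otherwise
realm_for_host() {
    map=$(domain_realm_map "$1")
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    r=$(printf '%s\n' "$map" | awk -v h="$host" '$1 == h { print $2; exit }')
    if [ -n "$r" ]; then printf '%s\n' "$r"; return 0; fi
    d=$host
    while [ "${d#*.}" != "$d" ]; do
        d=${d#*.}
        r=$(printf '%s\n' "$map" | awk -v s=".$d" -v b="$d" '
            $1 == s { print $2; found = 1; exit }
            $1 == b { alt = $2 }
            END { if (!found && alt != "") print alt }')
        if [ -n "$r" ]; then printf '%s\n' "$r"; return 0; fi
    done
    printf '%s\n' "$1" | awk '$1 == "default_realm" && $2 == "=" { print $3; exit }'
}

# spn_for_url CONF URL -> the HTTP service principal requested for URL,
# e.g. HTTP/auth.example.com@EXAMPLE.COM (scheme, port and path are ignored)
spn_for_url() {
    host=$(printf '%s' "$2" | sed -e 's,^[a-zA-Z]*://,,' -e 's,[/:].*$,,' | tr 'A-Z' 'a-z')
    printf 'HTTP/%s@%s\n' "$host" "$(realm_for_host "$1" "$host")"
}
```

Run < code > spn_for_url "$SAMPLE_KRB5_CONF" https://node2.acme.com/< / code > to see that a portal reached under an acme.com name needs a key issued by the ACME.COM domain, while any name outside both maps falls back to < code > default_realm< / code > , which is usually a sign that a < code > [domain_realm]< / code > entry is missing.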
< / div >
<!-- EDIT20 SECTION "Client Kerberos configuration" [7293 - 8037] -->
< h3 class = "sectionedit21" id = "obtain_keytab_file2" > Obtain keytab file< / h3 >
< div class = "level3" >
< p >
You need to obtain a keytab for each node in each domain, which means running the ktpass commands on both Active Directory domains.
< / p >
< p >
Then you will have 2 keytab files for each node, for example:
< / p >
< ul >
< li class = "level1" > < div class = "li" > node1-example.keytab< / div >
< / li >
< li class = "level1" > < div class = "li" > node1-acme.keytab< / div >
< / li >
< / ul >
< p >
Concatenate the keytab files with the < code > ktutil< / code > command:
< / p >
< pre class = "code" > ktutil
ktutil: read_kt node1-example.keytab
ktutil: read_kt node1-acme.keytab
ktutil: write_kt /etc/lemonldap-ng/auth.keytab
ktutil: quit< / pre >
< p >
< code > write_kt< / code > appends to an existing file, so make sure < code > /etc/lemonldap-ng/auth.keytab< / code > does not exist yet (or delete it) before writing. You can then delete the original keytab files (they contain the service keys, so use < code > shred< / code > rather than < code > rm< / code > ) and protect the final keytab file:
< / p >
< pre class = "code" > chown apache /etc/lemonldap-ng/auth.keytab
chmod 600 /etc/lemonldap-ng/auth.keytab< / pre >
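< p >
The three comparisons listed for the single-server keytab check (KVNO, principal and encryption type must match between the service ticket and the keytab) and the realm coverage of the merged keytab above can be scripted. The following shell script is an added example and not part of the LemonLDAP::NG documentation or project code; the function names, the sample < code > klist< / code > output (modelled on the page's examples, not captured from a real server) and the < code > check_keytab< / code > driver are assumptions of the example. The parsing functions run offline on the embedded samples; only < code > check_keytab< / code > needs a real KDC.
< / p >

```sh
#!/bin/sh
# Added example, not code from the LemonLDAP::NG documentation: automates the
# keytab checks this page describes. KVNO, principal and enctype must match
# between the service ticket and the keytab, and in the two-domain setup the
# merged keytab must hold an HTTP/ key for every realm. Function names are
# hypothetical; the parsing functions work on captured text so they can run on
# the constructed samples below without a KDC.
set -eu

# Constructed sample of `klist -e -k -t /etc/lemonldap-ng/auth.keytab` for a
# node whose keytab was merged from both realms (modelled on the page's
# example output, not captured from a real server).
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/lemonldap-ng/auth.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/01/70 01:00:00 HTTP/node1.example.com@EXAMPLE.COM (arcfour-hmac)
   5 01/01/70 01:00:00 HTTP/node1.example.com@ACME.COM (aes256-cts-hmac-sha1-96)'

# Constructed sample of `klist -e` after kinit and kvno, same caveat.
SAMPLE_TICKET_LISTING='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: coudot@EXAMPLE.COM

Valid starting     Expires            Service principal
06/04/15 15:43:24  06/05/15 01:43:29  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 06/05/15 15:43:24, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/04/15 16:28:49  06/05/15 02:28:11  HTTP/auth.example.com@EXAMPLE.COM
        renew until 06/05/15 16:28:07, Etype (skey, tkt): arcfour-hmac, arcfour-hmac'

# keytab_entries LISTING -> one line "KVNO PRINCIPAL ENCTYPE" per key
# (expects the `klist -t` layout: KVNO, date, time, principal, "(enctype)")
keytab_entries() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ && NF >= 5 {
            etype = $5; gsub(/[()]/, "", etype)
            print $1, $4, etype
        }'
}

# keytab_has_entry LISTING PRINCIPAL KVNO ENCTYPE -> 0 if one key matches all
# three values observed with kvno and `klist -e`, 1 otherwise
keytab_has_entry() {
    keytab_entries "$1" | awk -v p="$2" -v k="$3" -v e="$4" '
        $2 == p && $1 == k && $3 == e { found = 1 }
        END { exit found ? 0 : 1 }'
}

# keytab_covers_realms LISTING REALM... -> 0 only if every realm given has an
# HTTP/ key in the keytab (the check for a keytab merged with ktutil)
keytab_covers_realms() {
    listing=$1; shift
    have=$(keytab_entries "$listing" | awk '$2 ~ /^HTTP\// { sub(/.*@/, "", $2); print $2 }' | sort -u)
    for realm in "$@"; do
        printf '%s\n' "$have" | grep -qxF "$realm" || return 1
    done
    return 0
}

# parse_kvno OUTPUT -> the number in "HTTP/auth.example.com@EXAMPLE.COM: kvno = 3"
parse_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# ticket_enctype KLIST_OUTPUT PRINCIPAL -> the ticket ("tkt") enctype that
# `klist -e` prints on the line following the service ticket entry; this is
# the key type the keytab must contain, since that key decrypts the ticket
ticket_enctype() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $NF == p { want = 1; next }
        want && /Etype \(skey, tkt\):/ {
            sub(/.*tkt\): */, ""); n = split($0, a, /, */); print a[n]; exit
        }'
}

# check_keytab KEYTAB SPN USER -> runs the real tools end to end; needs the
# user's password (kinit prompts) and network access to the KDC, so it is not
# exercised by the offline checks on the samples above.
check_keytab() {
    keytab=$1; spn=$2; user=$3
    kinit "$user"
    kv=$(parse_kvno "$(kvno "$spn")")
    etype=$(ticket_enctype "$(klist -e)" "$spn")
    kdestroy
    if keytab_has_entry "$(klist -e -k -t "$keytab")" "$spn" "$kv" "$etype"; then
        echo "OK: $keytab holds $spn kvno=$kv ($etype)"
    else
        echo "MISMATCH: $spn kvno=$kv ($etype) not found in $keytab" >&2
        return 1
    fi
}
```

A KVNO mismatch usually means ktpass was run again after the keytab was copied (each run bumps the account's key version), and an enctype mismatch means the KDC issued a ticket with a key type the keytab does not contain; both make mod_auth_kerb reject every ticket even though kinit works.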
< / div >
<!-- EDIT21 SECTION "Obtain keytab file" [8038 - 8699] -->
< h3 class = "sectionedit22" id = "configuration_of_lemonldapng2" > Configuration of LemonLDAP::NG< / h3 >
< div class = "level3" >
< p >
The configuration is the same as a single < abbr title = "LemonLDAP::NG" > LL::NG< / abbr > server.
< / p >
< / div >
<!-- EDIT22 SECTION "Configuration of LemonLDAP::NG" [8700 - 8800] -->
< h3 class = "sectionedit23" id = "configuration_of_portal_virtual_host1" > Configuration of portal virtual host< / h3 >
< div class = "level3" >
< p >
The configuration is the same as with a single AD domain.
< / p >
< / div >
<!-- EDIT23 SECTION "Configuration of portal virtual host" [8801 - 8907] -->
< h2 class = "sectionedit24" id = "other_resources" > Other resources< / h2 >
< div class = "level2" >
< p >
You can consult these documents for more information:
< / p >
< ul >
< li class = "level1" > < div class = "li" > < a href = "http://modauthkerb.sourceforge.net/configure.html" class = "urlextern" title = "http://modauthkerb.sourceforge.net/configure.html" rel = "nofollow" > http://modauthkerb.sourceforge.net/configure.html< / a > < / div >
< / li >
< li class = "level1" > < div class = "li" > < a href = "http://www.grolmsnet.de/kerbtut/" class = "urlextern" title = "http://www.grolmsnet.de/kerbtut/" rel = "nofollow" > http://www.grolmsnet.de/kerbtut/< / a > < / div >
< / li >
< / ul >
< / div >
<!-- EDIT24 SECTION "Other resources" [8908 - ] --> < / div >
< / body >
< / html >