<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:kerberos</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,kerberos"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="kerberos.html"/>
<link rel="contents" href="kerberos.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:kerberos","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>

<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#prerequisites">Prerequisites</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#example_values">Example values</a></div></li>
<li class="level2"><div class="li"><a href="#server_time">Server time</a></div></li>
<li class="level2"><div class="li"><a href="#dns">DNS</a></div></li>
<li class="level2"><div class="li"><a href="#ssl">SSL</a></div></li>
<li class="level2"><div class="li"><a href="#web_browser_configuration">Web browser configuration</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#firefox">Firefox</a></div></li>
<li class="level3"><div class="li"><a href="#internet_explorer">Internet Explorer</a></div></li>
</ul>
</li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#single_ad_domain">Single AD domain</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#client_kerberos_configuration">Client Kerberos configuration</a></div></li>
<li class="level2"><div class="li"><a href="#obtain_keytab_file">Obtain keytab file</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#multiple_ad_domains">Multiple AD domains</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#client_kerberos_configuration1">Client Kerberos configuration</a></div></li>
<li class="level2"><div class="li"><a href="#obtain_keytab_file1">Obtain keytab file</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#other_resources">Other resources</a></div></li>
</ul>
</div>
</div>
<!-- TOC END -->

<h1 class="sectionedit1" id="kerberos">Kerberos</h1>
<div class="level1">

</div>
<!-- EDIT1 SECTION "Kerberos" [1-24] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">

<p>
This documentation explains how to use Active Directory as a Kerberos server and provide transparent authentication for one or multiple AD domains.
</p>

<p>
You can use Kerberos in <abbr title="LemonLDAP::NG">LL::NG</abbr> with the following authentication modules:
</p>
<ul>
<li class="level1"><div class="li"> <a href="authkerberos.html" class="wikilink1" title="documentation:2.0:authkerberos">Kerberos</a> (recommended): uses the Perl GSSAPI module; compatible with Apache and Nginx</div>
</li>
<li class="level1"><div class="li"> <a href="authapache.html" class="wikilink1" title="documentation:2.0:authapache">Apache</a>: uses mod_auth_kerb or mod_auth_gssapi in Apache</div>
</li>
</ul>

</div>
<!-- EDIT2 SECTION "Presentation" [25-454] -->
<h2 class="sectionedit3" id="prerequisites">Prerequisites</h2>
<div class="level2">

</div>
<!-- EDIT3 SECTION "Prerequisites" [455-481] -->
|
|
<h3 class="sectionedit4" id="example_values">Example values</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
We will use the following values in our examples
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> <strong>EXAMPLE.COM</strong>: First AD domain</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <strong>ACME.COM</strong>: Second AD domain</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <strong>auth.example.com</strong>: <abbr title="Domain Name System">DNS</abbr> of the <abbr title="LemonLDAP::NG">LL::NG</abbr> portal</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> <strong>KERB_AUTH</strong>: AD account to generate the keytab for <abbr title="LemonLDAP::NG">LL::NG</abbr> server</div>
|
|
</li>
|
|
</ul>
|
|
|
|
</div>
|
|
<!-- EDIT4 SECTION "Example values" [482-751] -->
|
|
<h3 class="sectionedit5" id="server_time">Server time</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
It is mandatory that <abbr title="LemonLDAP::NG">LL::NG</abbr> servers and AD servers have the same time. It is recommended to use NTP to do this.
|
|
</p>
|
|
|
|
</div>
|
|
<!-- EDIT5 SECTION "Server time" [752-887] -->
|
|
<h3 class="sectionedit6" id="dns">DNS</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
The auth.example.com must be registered in the <abbr title="Domain Name System">DNS</abbr> server (which is Active Directory). The reverse <abbr title="Domain Name System">DNS</abbr> of auth.example.com <strong>must</strong> return the portal <abbr title="Internet Protocol">IP</abbr>.
|
|
</p>
|
|
<div class="notetip">If you have a <abbr title="Single Sign On">SSO</abbr> cluster, you must setup a Virtual <abbr title="Internet Protocol">IP</abbr> in cluster and register this <abbr title="Internet Protocol">IP</abbr> in <abbr title="Domain Name System">DNS</abbr>.
|
|
</div>
|
|
</div>
|
|
<!-- EDIT6 SECTION "DNS" [888-1170] -->
|
|
<h3 class="sectionedit7" id="ssl">SSL</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
SSL is not mandatory, but it is strongly recommended. Your portal <abbr title="Uniform Resource Locator">URL</abbr> should be <a href="https://auth.example.com" class="urlextern" title="https://auth.example.com" rel="nofollow">https://auth.example.com</a>.
|
|
</p>
|
|
|
|
</div>
|
|
<!-- EDIT7 SECTION "SSL" [1171-1292] -->
|
|
<h3 class="sectionedit8" id="web_browser_configuration">Web browser configuration</h3>
|
|
<div class="level3">
|
|
|
|
</div>
|
|
|
|
<h4 id="firefox">Firefox</h4>
|
|
<div class="level4">
|
|
|
|
<p>
|
|
Type <code>about:config</code> in a tab and search for <code>trusted</code>. Then edit the property <code>network.negotiate-auth.trusted-uris</code> and set value <code>example.com</code>.
|
|
</p>
|
|
|
|
</div>
|
|
|
|
<h4 id="internet_explorer">Internet Explorer</h4>
|
|
<div class="level4">
|
|
|
|
<p>
|
|
Add <code><a href="https://auth.example.com" class="urlextern" title="https://auth.example.com" rel="nofollow">https://auth.example.com</a></code> as trusted site.
|
|
</p>
|
|
|
|
<p>
|
|
Check into security parameters that Kerberos authentication is allowed.
|
|
</p>
|
|
|
|
</div>
|
|
<!-- EDIT8 SECTION "Web browser configuration" [1293-1652] -->
|
|
<h2 class="sectionedit9" id="single_ad_domain">Single AD domain</h2>
|
|
<div class="level2">
|
|
|
|
</div>
|
|
<!-- EDIT9 SECTION "Single AD domain" [1653-1682] -->
|
|
<h3 class="sectionedit10" id="client_kerberos_configuration">Client Kerberos configuration</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
On <abbr title="LemonLDAP::NG">LL::NG</abbr> server, edit <code>/etc/krb5.conf</code>:
|
|
</p>
|
|
<pre class="code file ini"><span class="re0"><span class="br0">[</span>libdefaults<span class="br0">]</span></span>
|
|
<span class="re1">default_realm</span> <span class="sy0">=</span><span class="re2"> EXAMPLE.COM</span>
|
|
<span class="re1">dns_lookup_kdc</span> <span class="sy0">=</span><span class="re2"> false</span>
|
|
<span class="re1">dns_lookup_realm</span> <span class="sy0">=</span><span class="re2"> no</span>
|
|
<span class="re1">ticket_lifetime</span> <span class="sy0">=</span><span class="re2"> 24h</span>
|
|
<span class="re1">forwardable</span> <span class="sy0">=</span><span class="re2"> yes</span>
|
|
<span class="re1">renewable</span> <span class="sy0">=</span><span class="re2"> true</span>
|
|
|
|
<span class="re0"><span class="br0">[</span>realms<span class="br0">]</span></span>
|
|
EXAMPLE.COM <span class="sy0">=</span><span class="re2"> <span class="br0">{</span></span>
|
|
<span class="re1">kdc</span> <span class="sy0">=</span><span class="re2"> ad.example.com</span>
|
|
<span class="re1">admin_server</span> <span class="sy0">=</span><span class="re2"> ad.example.com</span>
|
|
<span class="br0">}</span>
|
|
|
|
<span class="re0"><span class="br0">[</span>domain_realm<span class="br0">]</span></span>
|
|
.example.com <span class="sy0">=</span><span class="re2"> EXAMPLE.COM</span>
|
|
example.com <span class="sy0">=</span><span class="re2"> EXAMPLE.COM</span></pre>
|
|
|
|
<p>
|
|
You can check that Kerberos is working by trying to get a ticket for a user of the domain (for example coudot):
|
|
</p>
|
|
<pre class="code">kinit coudot@EXAMPLE.COM</pre>
|
|
|
|
<p>
|
|
You should be prompted to enter password. Then list the tickets:
|
|
</p>
|
|
<pre class="code">klist -e</pre>
|
|
|
|
<p>
|
|
You should see a krbtgt ticket:
|
|
</p>
|
|
<pre class="code">Valid starting Expires Service principal
|
|
06/04/15 15:43:24 06/05/15 01:43:29 krbtgt/EXAMPLE.COM@EXAMPLE.COM
|
|
renew until 06/05/15 15:43:24, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96</pre>
|
|
|
|
<p>
|
|
You can then close the Kerberos session:
|
|
</p>
|
|
<pre class="code">kdestroy</pre>
|
|
|
|
</div>
|
|
<!-- EDIT10 SECTION "Client Kerberos configuration" [1683-2684] -->
|
|
<h3 class="sectionedit11" id="obtain_keytab_file">Obtain keytab file</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
You have to run this command on Active Directory:
|
|
</p>
|
|
<pre class="code">ktpass -princ HTTP/auth.example.com@EXAMPLE.COM -mapuser KERB_AUTH@EXAMPLE.COM -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapOp set -pass <PASSWORD> -out c:\auth.keytab</pre>
|
|
<div class="noteimportant">The values passed in -crypto and -ptype depend on the Active Directory version and the windows version of the workstations. You can for example use RC4-HMAC-NT as crypto protocol if DES is not supported by workstations (this the case by default for Window 8 for example).
|
|
|
|
</div>
|
|
<p>
|
|
The file <code>auth.keytab</code> should then be copied (with a secure media) to the Linux server (for example in <code>/etc/lemonldap-ng</code>).
|
|
</p>
|
|
|
|
<p>
|
|
Change rights on keytab file:
|
|
</p>
|
|
<pre class="code">chown apache /etc/lemonldap-ng/auth.keytab
|
|
chmod 600 /etc/lemonldap-ng/auth.keytab</pre>
|
|
|
|
<p>
|
|
You can check the validity of the keytab file by trying to request a service ticket, and compare the result with the keytab content.
|
|
</p>
|
|
|
|
<p>
|
|
Open a Kerberos session (like done in the previous step):
|
|
</p>
|
|
<pre class="code">kinit coudot@example.com</pre>
|
|
|
|
<p>
|
|
Request a service ticket:
|
|
</p>
|
|
<pre class="code">kvno HTTP/auth.example.com@EXAMPLE.COM</pre>
|
|
|
|
<p>
|
|
The result of the command should be:
|
|
</p>
|
|
<pre class="code">HTTP/auth.example.com@EXAMPLE.COM: kvno = 3</pre>
|
|
|
|
<p>
|
|
Read the service ticket:
|
|
</p>
|
|
<pre class="code">klist -e</pre>
|
|
|
|
<p>
|
|
You should see this kind of ticket:
|
|
</p>
|
|
<pre class="code">06/04/15 16:28:49 06/05/15 02:28:11 HTTP/auth.example.com@EXAMPLE.COM
|
|
renew until 06/05/15 16:28:07, Etype (skey, tkt): arcfour-hmac, arcfour-hmac</pre>
|
|
|
|
<p>
|
|
You can close the Kerberos session:
|
|
</p>
|
|
<pre class="code">kdestroy</pre>
|
|
|
|
<p>
|
|
Now you can compare the above result with the same request done trough the keytab file:
|
|
</p>
|
|
<pre class="code">klist -e -k -t /etc/lemonldap-ng/auth.keytab</pre>
|
|
|
|
<p>
|
|
The result of the command should be:
|
|
</p>
|
|
<pre class="code">Keytab name: FILE:/etc/lemonldap-ng/auth.keytab
|
|
KVNO Timestamp Principal
|
|
---- ----------------- --------------------------------------------------------
|
|
3 01/01/70 01:00:00 HTTP/auth.example.com@EXAMPLE.COM (arcfour-hmac)</pre>
|
|
|
|
<p>
|
|
The important things to check are:
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> KVNO must be the same</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> Principal names must be the same</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> Encryption types must be the same</div>
|
|
</li>
|
|
</ul>
|
|
|
|
</div>
|
|
<!-- EDIT11 SECTION "Obtain keytab file" [2685-4814] -->
|
|
<h2 class="sectionedit12" id="multiple_ad_domains">Multiple AD domains</h2>
|
|
<div class="level2">
|
|
|
|
</div>
|
|
<!-- EDIT12 SECTION "Multiple AD domains" [4815-4847] -->
|
|
<h3 class="sectionedit13" id="client_kerberos_configuration1">Client Kerberos configuration</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
The two domains must be defined in <code>/etc/krb5.conf</code>:
|
|
</p>
|
|
<pre class="code file ini"><span class="re0"><span class="br0">[</span>libdefaults<span class="br0">]</span></span>
|
|
<span class="re1">default_realm</span> <span class="sy0">=</span><span class="re2"> EXAMPLE.COM</span>
|
|
<span class="re1">dns_lookup_kdc</span> <span class="sy0">=</span><span class="re2"> false</span>
|
|
<span class="re1">dns_lookup_realm</span> <span class="sy0">=</span><span class="re2"> no</span>
|
|
<span class="re1">ticket_lifetime</span> <span class="sy0">=</span><span class="re2"> 24h</span>
|
|
<span class="re1">forwardable</span> <span class="sy0">=</span><span class="re2"> yes</span>
|
|
<span class="re1">renewable</span> <span class="sy0">=</span><span class="re2"> true</span>
|
|
|
|
<span class="re0"><span class="br0">[</span>realms<span class="br0">]</span></span>
|
|
EXAMPLE.COM <span class="sy0">=</span><span class="re2"> <span class="br0">{</span></span>
|
|
<span class="re1">kdc</span> <span class="sy0">=</span><span class="re2"> ad.example.com</span>
|
|
<span class="re1">admin_server</span> <span class="sy0">=</span><span class="re2"> ad.example.com</span>
|
|
<span class="re1">default_domain</span> <span class="sy0">=</span><span class="re2"> EXAMPLE.COM</span>
|
|
<span class="br0">}</span>
|
|
ACME.COM <span class="sy0">=</span><span class="re2"> <span class="br0">{</span></span>
|
|
<span class="re1">kdc</span> <span class="sy0">=</span><span class="re2"> ad.acme.com</span>
|
|
<span class="re1">admin_server</span> <span class="sy0">=</span><span class="re2"> ad.acme.com</span>
|
|
<span class="br0">}</span>
|
|
|
|
<span class="re0"><span class="br0">[</span>domain_realm<span class="br0">]</span></span>
|
|
.example.com <span class="sy0">=</span><span class="re2"> EXAMPLE.COM</span>
|
|
example.com <span class="sy0">=</span><span class="re2"> EXAMPLE.COM</span>
|
|
.acme.com <span class="sy0">=</span><span class="re2"> ACME.COM</span>
|
|
acme.com <span class="sy0">=</span><span class="re2"> ACME.COM</span></pre>
|
|
|
|
<p>
|
|
You should then be able to open a Kerberos session on each domain:
|
|
</p>
|
|
<pre class="code">kinit coudot@EXAMPLE.COM
|
|
klist -e
|
|
kdestroy</pre>
|
|
<pre class="code">kinit coudot@ACME.COM
|
|
klist -e
|
|
kdestroy</pre>
|
|
|
|
</div>
|
|
<!-- EDIT13 SECTION "Client Kerberos configuration" [4848-5592] -->
|
|
<h3 class="sectionedit14" id="obtain_keytab_file1">Obtain keytab file</h3>
|
|
<div class="level3">
|
|
|
|
<p>
|
|
You need to obtain a keytab for each node on each domain. This means the ktpass commands should be run on both AD.
|
|
</p>
|
|
|
|
<p>
|
|
Then you will have 2 keytab files for each node, for example:
|
|
</p>
|
|
<ul>
|
|
<li class="level1"><div class="li"> node1-example.keytab</div>
|
|
</li>
|
|
<li class="level1"><div class="li"> node1-acme.keytab</div>
|
|
</li>
|
|
</ul>
|
|
|
|
<p>
|
|
You need to concatenate the keytab files, thanks to <code>ktutil</code> command:
|
|
</p>
|
|
<pre class="code">ktutil
|
|
ktutil: read_kt node1-example.keytab
|
|
ktutil: read_kt node1-acme.keytab
|
|
ktutil: write_kt /etc/lemonldap-ng/auth.keytab
|
|
ktutil: quit</pre>
|
|
|
|
<p>
|
|
You can then remove the original keytab files and protect the final keytab file:
|
|
</p>
|
|
<pre class="code">chown apache /etc/lemonldap-ng/auth.keytab
|
|
chmod 600 /etc/lemonldap-ng/auth.keytab</pre>
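<p>
As an added example (this code is not part of the LemonLDAP::NG documentation or project), the following Python reads a version 2 keytab file directly instead of through <code>klist -k</code>, applies the three-point check of the single-domain section (KVNO, principal name, encryption type), and merges two per-realm keytabs the way the <code>ktutil</code> session above does. The keytab contents are constructed inline with dummy keys; the enctype numbers are the standard IANA values.
</p>

```python
import struct

# Enctype numbers as klist -e prints them (standard values from RFC 3961 / RFC 4757).
ENCTYPES = {3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def _counted(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)       # uint16 length prefix, then the octets
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype_name), ...] from the bytes of a version 2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:                                # a negative size marks a deleted slot
            end = pos + size
            (ncomp,) = struct.unpack_from(">H", data, pos)
            realm, p = _counted(data, pos + 2)
            comps = []
            for _ in range(ncomp):
                comp, p = _counted(data, p)
                comps.append(comp.decode())
            _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, p)
            (etype,) = struct.unpack_from(">H", data, p + 9)
            _key, p = _counted(data, p + 11)
            kvno = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else vno8  # 32-bit kvno is optional
            entries.append(("/".join(comps) + "@" + realm.decode(), kvno, ENCTYPES.get(etype, "etype-%d" % etype)))
        pos += abs(size) or len(data)               # skip deleted slots; a zero size is malformed, so stop
    return entries

def build_entry(principal, kvno, etype, key):
    """Serialise one entry (timestamp 0, as in the page's klist listing); used to construct samples."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    body += b"".join(struct.pack(">H", len(c)) + c.encode() for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name type 1 = KRB5_NT_PRINCIPAL, as in the ktpass command
    body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def merge_keytabs(*keytabs):
    """What the ktutil read_kt / read_kt / write_kt session does: one header, then every entry."""
    for k in keytabs:
        parse_keytab(k)                             # reject a malformed file before merging
    return b"\x05\x02" + b"".join(k[2:] for k in keytabs)

def check_keytab(data, principal, kvno, enctype):
    return (principal, kvno, enctype) in parse_keytab(data)  # the page's three-point check

# Constructed samples standing in for node1-example.keytab and node1-acme.keytab (keys are dummy bytes).
EXAMPLE_KEYTAB = b"\x05\x02" + build_entry("HTTP/auth.example.com@EXAMPLE.COM", 3, 23, b"\x11" * 16)
ACME_KEYTAB = b"\x05\x02" + build_entry("HTTP/auth.example.com@ACME.COM", 5, 18, b"\x22" * 32)
```

On a real server, pass the bytes of <code>/etc/lemonldap-ng/auth.keytab</code> to <code>check_keytab</code> together with the principal, the number reported by <code>kvno</code> and the enctype shown by <code>klist -e</code>.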

</div>
<!-- EDIT14 SECTION "Obtain keytab file" [5593-6254] -->
<h2 class="sectionedit15" id="other_resources">Other resources</h2>
<div class="level2">

<p>
You can consult these documents to get more information:
</p>
<ul>
<li class="level1"><div class="li"> <a href="http://modauthkerb.sourceforge.net/configure.html" class="urlextern" title="http://modauthkerb.sourceforge.net/configure.html" rel="nofollow">http://modauthkerb.sourceforge.net/configure.html</a></div>
</li>
<li class="level1"><div class="li"> <a href="http://www.grolmsnet.de/kerbtut/" class="urlextern" title="http://www.grolmsnet.de/kerbtut/" rel="nofollow">http://www.grolmsnet.de/kerbtut/</a></div>
</li>
</ul>

</div>
<!-- EDIT15 SECTION "Other resources" [6255-] --></div>
</body>
</html>