lemonldap-ng/doc/pages/documentation/current/kerberos.html
Xavier Guimard 8af300995c Update doc
2018-03-08 13:29:31 +01:00


<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:kerberos</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,kerberos"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="kerberos.html"/>
<link rel="contents" href="kerberos.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:kerberos","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#prerequisites">Prerequisites</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#example_values">Example values</a></div></li>
<li class="level2"><div class="li"><a href="#server_time">Server time</a></div></li>
<li class="level2"><div class="li"><a href="#dns">DNS</a></div></li>
<li class="level2"><div class="li"><a href="#ssl">SSL</a></div></li>
<li class="level2"><div class="li"><a href="#web_browser_configuration">Web browser configuration</a></div>
<ul class="toc">
<li class="level3"><div class="li"><a href="#firefox">Firefox</a></div></li>
<li class="level3"><div class="li"><a href="#internet_explorer">Internet Explorer</a></div></li>
</ul>
</li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#single_ad_domain">Single AD domain</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#client_kerberos_configuration">Client Kerberos configuration</a></div></li>
<li class="level2"><div class="li"><a href="#obtain_keytab_file">Obtain keytab file</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#multiple_ad_domains">Multiple AD domains</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#client_kerberos_configuration1">Client Kerberos configuration</a></div></li>
<li class="level2"><div class="li"><a href="#obtain_keytab_file1">Obtain keytab file</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#other_resources">Other resources</a></div></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="kerberos">Kerberos</h1>
<div class="level1">
</div>
<!-- EDIT1 SECTION "Kerberos" [1-24] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">
<p>
This documentation explains how to use Active Directory as the Kerberos server (KDC) and provide transparent browser authentication (SPNEGO) to the portal for one or several AD domains.
</p>
<p>
You can use Kerberos in <abbr title="LemonLDAP::NG">LL::NG</abbr> with the following authentication modules:
</p>
<ul>
<li class="level1"><div class="li"> <a href="authkerberos.html" class="wikilink1" title="documentation:2.0:authkerberos">Kerberos</a> (recommended): uses the Perl GSSAPI module, so the portal itself validates the ticket; works with both Apache and Nginx</div>
</li>
<li class="level1"><div class="li"> <a href="authapache.html" class="wikilink1" title="documentation:2.0:authapache">Apache</a>: delegates the SPNEGO exchange to mod_auth_kerb or mod_auth_gssapi in Apache, which hands the authenticated user name to the portal</div>
</li>
</ul>
</div>
<!-- EDIT2 SECTION "Presentation" [25-454] -->
<h2 class="sectionedit3" id="prerequisites">Prerequisites</h2>
<div class="level2">
</div>
<!-- EDIT3 SECTION "Prerequisites" [455-481] -->
<h3 class="sectionedit4" id="example_values">Example values</h3>
<div class="level3">
<p>
We will use the following values in our examples
</p>
<ul>
<li class="level1"><div class="li"> <strong>EXAMPLE.COM</strong>: First AD domain</div>
</li>
<li class="level1"><div class="li"> <strong>ACME.COM</strong>: Second AD domain</div>
</li>
<li class="level1"><div class="li"> <strong>auth.example.com</strong>: <abbr title="Domain Name System">DNS</abbr> of the <abbr title="LemonLDAP::NG">LL::NG</abbr> portal</div>
</li>
<li class="level1"><div class="li"> <strong>KERB_AUTH</strong>: AD account to generate the keytab for <abbr title="LemonLDAP::NG">LL::NG</abbr> server</div>
</li>
</ul>
</div>
<!-- EDIT4 SECTION "Example values" [482-751] -->
<h3 class="sectionedit5" id="server_time">Server time</h3>
<div class="level3">
<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> servers and AD domain controllers must have synchronised clocks: the KDC and the portal reject tickets whose timestamps differ from local time by more than the allowed clock skew (5 minutes by default), and a drifting server is the most common cause of Kerberos authentication that suddenly stops working. Use NTP (or chrony) on every portal node.
</p>
</div>
<!-- EDIT5 SECTION "Server time" [752-887] -->
<h3 class="sectionedit6" id="dns">DNS</h3>
<div class="level3">
<p>
auth.example.com must have an A record in the <abbr title="Domain Name System">DNS</abbr> server (which is Active Directory) pointing at the portal <abbr title="Internet Protocol">IP</abbr>, and the reverse (PTR) record of that <abbr title="Internet Protocol">IP</abbr> <strong>must</strong> resolve back to auth.example.com. Kerberos clients derive the service principal name from the host name they resolve, and some canonicalise it through the reverse record: if the PTR returns another name (a node name, for instance), the client asks the KDC for a ticket for HTTP/othername and that ticket will not match the portal keytab.
</p>
<div class="notetip">If you have an <abbr title="Single Sign On">SSO</abbr> cluster, set up a virtual <abbr title="Internet Protocol">IP</abbr> for the cluster and register that <abbr title="Internet Protocol">IP</abbr> in <abbr title="Domain Name System">DNS</abbr>, with forward and reverse records for auth.example.com. The service principal is HTTP/auth.example.com whichever node answers, so the same keytab can be deployed on every node.
</div>
</div>
<!-- EDIT6 SECTION "DNS" [888-1170] -->
<h3 class="sectionedit7" id="ssl">SSL</h3>
<div class="level3">
<p>
SSL/TLS is not mandatory, but it is strongly recommended. The SPNEGO token in the Authorization header only proves the user's identity to the portal; the <abbr title="LemonLDAP::NG">LL::NG</abbr> session cookie that the portal returns afterwards is a bearer token, and without TLS it travels in clear. Your portal <abbr title="Uniform Resource Locator">URL</abbr> should therefore be <a href="https://auth.example.com" class="urlextern" title="https://auth.example.com" rel="nofollow">https://auth.example.com</a>.
</p>
</div>
<!-- EDIT7 SECTION "SSL" [1171-1292] -->
<h3 class="sectionedit8" id="web_browser_configuration">Web browser configuration</h3>
<div class="level3">
</div>
<h4 id="firefox">Firefox</h4>
<div class="level4">
<p>
Type <code>about:config</code> in a tab and search for <code>trusted</code>. Then edit the property <code>network.negotiate-auth.trusted-uris</code> and set its value to <code>example.com</code> (a comma-separated list is accepted; a bare domain matches every host under it, so auth.example.com is covered). For managed deployments the same setting is available through the <code>Authentication</code> / <code>SPNEGO</code> enterprise policy.
</p>
</div>
<h4 id="internet_explorer">Internet Explorer</h4>
<div class="level4">
<p>
Add <code><a href="https://auth.example.com" class="urlextern" title="https://auth.example.com" rel="nofollow">https://auth.example.com</a></code> to the Local intranet zone (or to Trusted sites, provided that zone allows automatic logon with the current user name and password).
</p>
<p>
Check in the advanced security settings that "Enable Integrated Windows Authentication" is ticked; otherwise the browser never sends a Negotiate token.
</p>
</div>
<!-- EDIT8 SECTION "Web browser configuration" [1293-1652] -->
<h2 class="sectionedit9" id="single_ad_domain">Single AD domain</h2>
<div class="level2">
</div>
<!-- EDIT9 SECTION "Single AD domain" [1653-1682] -->
<h3 class="sectionedit10" id="client_kerberos_configuration">Client Kerberos configuration</h3>
<div class="level3">
<p>
On <abbr title="LemonLDAP::NG">LL::NG</abbr> server, edit <code>/etc/krb5.conf</code>:
</p>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>libdefaults<span class="br0">&#93;</span></span>
<span class="re1">default_realm</span> <span class="sy0">=</span><span class="re2"> EXAMPLE.COM</span>
<span class="re1">dns_lookup_kdc</span> <span class="sy0">=</span><span class="re2"> false</span>
<span class="re1">dns_lookup_realm</span> <span class="sy0">=</span><span class="re2"> no</span>
<span class="re1">ticket_lifetime</span> <span class="sy0">=</span><span class="re2"> 24h</span>
<span class="re1">forwardable</span> <span class="sy0">=</span><span class="re2"> yes</span>
<span class="re1">renewable</span> <span class="sy0">=</span><span class="re2"> true</span>
&nbsp;
<span class="re0"><span class="br0">&#91;</span>realms<span class="br0">&#93;</span></span>
EXAMPLE.COM <span class="sy0">=</span><span class="re2"> <span class="br0">&#123;</span></span>
<span class="re1">kdc</span> <span class="sy0">=</span><span class="re2"> ad.example.com</span>
<span class="re1">admin_server</span> <span class="sy0">=</span><span class="re2"> ad.example.com</span>
<span class="br0">&#125;</span>
&nbsp;
<span class="re0"><span class="br0">&#91;</span>domain_realm<span class="br0">&#93;</span></span>
.example.com <span class="sy0">=</span><span class="re2"> EXAMPLE.COM</span>
example.com <span class="sy0">=</span><span class="re2"> EXAMPLE.COM</span></pre>
<p>
You can check that the configuration works by obtaining a ticket-granting ticket for a user of the domain (for example coudot):
</p>
<pre class="code">kinit coudot@EXAMPLE.COM</pre>
<p>
You are prompted for that user's password. Then list the tickets:
</p>
<pre class="code">klist -e</pre>
<p>
You should see the ticket-granting ticket (krbtgt), with the Etype column showing the key types negotiated with the KDC:
</p>
<pre class="code">Valid starting Expires Service principal
06/04/15 15:43:24 06/05/15 01:43:29 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 06/05/15 15:43:24, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96</pre>
<p>
You can then close the Kerberos session:
</p>
<pre class="code">kdestroy</pre>
</div>
<!-- EDIT10 SECTION "Client Kerberos configuration" [1683-2684] -->
<h3 class="sectionedit11" id="obtain_keytab_file">Obtain keytab file</h3>
<div class="level3">
<p>
Run this command on an Active Directory domain controller, as an account allowed to reset the password of KERB_AUTH (the -pass value becomes the account's new password, and the keytab key is derived from it):
</p>
<pre class="code">ktpass -princ HTTP/auth.example.com@EXAMPLE.COM -mapuser KERB_AUTH@EXAMPLE.COM -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapOp set -pass &lt;PASSWORD&gt; -out c:\auth.keytab</pre>
<div class="noteimportant">The values passed in -crypto and -ptype depend on the Active Directory version and on the Windows version of the workstations. DES, as in the command above, is disabled by default since Windows 7 and Windows Server 2008 R2, and RC4-HMAC-NT, although still widely accepted, is a weak type that domains increasingly disable; prefer AES256-SHA1 (or AES128-SHA1), which requires the option "This account supports Kerberos AES 256 bit encryption" (or 128 bit) on the KERB_AUTH account. Whatever type you pick must be supported by the account, the domain controllers and the workstations alike, and it is the type the klist checks below must show: the example outputs on this page show arcfour-hmac, i.e. a keytab generated with RC4-HMAC-NT. The keytab holds the service's long-term key, so anyone who reads it can decrypt service tickets and impersonate the portal; treat it like a private key.
</div>
<p>
The file <code>auth.keytab</code> must then be copied to the Linux server over a secure channel (scp, or a physical medium wiped afterwards), for example into <code>/etc/lemonldap-ng</code>, and deleted from the domain controller.
</p>
<p>
Restrict the keytab to the web server account (<code>apache</code> on RHEL-based systems; on Debian/Ubuntu the account is <code>www-data</code>):
</p>
<pre class="code">chown apache /etc/lemonldap-ng/auth.keytab
chmod 600 /etc/lemonldap-ng/auth.keytab</pre>
<p>
You can check the validity of the keytab file by requesting a service ticket for the portal principal and comparing what the KDC issued with what the keytab contains.
</p>
<p>
Open a Kerberos session as in the previous step (the realm part of the principal is case-sensitive, so it must be written in upper case):
</p>
<pre class="code">kinit coudot@EXAMPLE.COM</pre>
<p>
Request a service ticket for the portal principal (<code>kvno</code> asks the KDC for the ticket and prints the key version number it was encrypted with):
</p>
<pre class="code">kvno HTTP/auth.example.com@EXAMPLE.COM</pre>
<p>
The result of the command should be:
</p>
<pre class="code">HTTP/auth.example.com@EXAMPLE.COM: kvno = 3</pre>
<p>
Read the service ticket:
</p>
<pre class="code">klist -e</pre>
<p>
You should now see a second ticket, for the portal service, next to the krbtgt one:
</p>
<pre class="code">06/04/15 16:28:49 06/05/15 02:28:11 HTTP/auth.example.com@EXAMPLE.COM
renew until 06/05/15 16:28:07, Etype (skey, tkt): arcfour-hmac, arcfour-hmac</pre>
<p>
You can close the Kerberos session:
</p>
<pre class="code">kdestroy</pre>
<p>
Now compare the above result with the content of the keytab file:
</p>
<pre class="code">klist -e -k -t /etc/lemonldap-ng/auth.keytab</pre>
<p>
The result of the command should be:
</p>
<pre class="code">Keytab name: FILE:/etc/lemonldap-ng/auth.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
3 01/01/70 01:00:00 HTTP/auth.example.com@EXAMPLE.COM (arcfour-hmac)</pre>
<p>
The timestamp 01/01/70 is normal for a keytab written by ktpass, which stores no creation time. The important things to check are:
</p>
<ul>
<li class="level1"><div class="li"> KVNO must be the same: the KDC encrypts the service ticket with the current key version of the KERB_AUTH account, and every ktpass run or password reset increments it, so a mismatch means the keytab is stale and must be regenerated</div>
</li>
<li class="level1"><div class="li"> Principal names must be the same, including the upper-case realm</div>
</li>
<li class="level1"><div class="li"> Encryption types must be the same: the keytab needs a key of the type shown in the tkt column of klist, otherwise the portal cannot decrypt the ticket and authentication fails</div>
</li>
</ul>
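<p>
The three checks above, as an added example that is not part of the LemonLDAP::NG documentation: a POSIX shell script that parses the output of <code>klist -e -k -t</code>, <code>kvno</code> and <code>klist -e</code>, reports whether the keytab holds a key with the same KVNO and encryption type as the service ticket, flags DES and RC4 keys, and checks the keytab's permissions. The klist/kvno outputs embedded as SAMPLE_* strings are constructed from the page's own example output (they use RC4, so the weak-key warning fires on them); the keytab path and the web server account name are the page's examples.
</p>

```shell
#!/bin/sh
# Added example, not part of the LemonLDAP::NG documentation: cross-check a
# keytab against a service ticket on the three points the page lists
# (KVNO, principal, encryption type) and flag weak key types.
#
# The SAMPLE_* strings are constructed from the page's own example output so
# that the functions run offline. In production, feed the live output instead:
#   keytab listing : klist -e -k -t /etc/lemonldap-ng/auth.keytab
#   kvno output    : kvno HTTP/auth.example.com@EXAMPLE.COM   (after kinit)
#   cache listing  : klist -e
# The parsers assume MIT klist's default two-field timestamp (MM/DD/YY HH:MM:SS).

SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/lemonldap-ng/auth.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/01/70 01:00:00 HTTP/auth.example.com@EXAMPLE.COM (arcfour-hmac)'

SAMPLE_KVNO_OUTPUT='HTTP/auth.example.com@EXAMPLE.COM: kvno = 3'

SAMPLE_CACHE_LISTING='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: coudot@EXAMPLE.COM

Valid starting     Expires            Service principal
06/04/15 15:43:24  06/05/15 01:43:29  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 06/05/15 15:43:24, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/04/15 16:28:49  06/05/15 02:28:11  HTTP/auth.example.com@EXAMPLE.COM
        renew until 06/05/15 16:28:07, Etype (skey, tkt): arcfour-hmac, arcfour-hmac'

# keytab_entry LISTING PRINCIPAL -> one "KVNO ETYPE" line per key held for PRINCIPAL
keytab_entry() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^[0-9]+$/ && $4 == p { gsub(/[()]/, "", $5); print $1, $5 }'
}

# ticket_kvno KVNO_OUTPUT PRINCIPAL -> key version the KDC used for the service ticket
ticket_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == (p ":") && $2 == "kvno" { print $4 }'
}

# ticket_etype CACHE_LISTING PRINCIPAL -> "tkt" etype of the cached service ticket,
# i.e. the key type the KDC encrypted the ticket with (a key of that type must
# exist in the keytab, or the portal cannot decrypt the ticket)
ticket_etype() {
    printf '%s\n' "$1" | awk -v p="$2" '
        found && /Etype \(skey, tkt\)/ { print $NF; exit }
        $NF == p { found = 1 }'
}

# weak_keytab_etypes LISTING -> "PRINCIPAL ETYPE" for every DES or RC4 key in the keytab
weak_keytab_etypes() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ {
        gsub(/[()]/, "", $5)
        if ($5 ~ /^des-cbc-/ || $5 ~ /^arcfour-hmac/) print $4, $5 }'
}

# check_keytab KEYTAB_LISTING KVNO_OUTPUT CACHE_LISTING PRINCIPAL
# Exit status 0 when the keytab holds a key matching the ticket's KVNO and etype.
check_keytab() {
    keys=$(keytab_entry "$1" "$4")
    if [ -z "$keys" ]; then
        echo "FAIL: $4 is not in the keytab (principal name or realm case mismatch?)"
        return 1
    fi
    want_kvno=$(ticket_kvno "$2" "$4")
    want_etype=$(ticket_etype "$3" "$4")
    if [ -z "$want_kvno" ] || [ -z "$want_etype" ]; then
        echo "FAIL: no service ticket for $4 (run kinit, then kvno, then klist -e)"
        return 1
    fi
    # A keytab may hold one key per etype; any key with the right KVNO and etype will do.
    if printf '%s\n' "$keys" | grep -qxF "$want_kvno $want_etype"; then
        echo "OK: $4 kvno=$want_kvno etype=$want_etype matches the keytab"
        return 0
    fi
    echo "FAIL: ticket kvno=$want_kvno etype=$want_etype; keytab holds: $(printf '%s' "$keys" | tr '\n' ';')"
    return 1
}

# keytab_perms_ok FILE OWNER -> true when FILE is mode 0600 and owned by OWNER
# (the web server account: "apache" on RHEL-based systems, "www-data" on Debian/Ubuntu)
keytab_perms_ok() {
    [ -n "$(find "$1" -prune -user "$2" -perm 600 -print 2>/dev/null)" ]
}

# Demo on the constructed samples; the status is not checked here so that the
# file can also be sourced as a library.
check_keytab "$SAMPLE_KEYTAB_LISTING" "$SAMPLE_KVNO_OUTPUT" "$SAMPLE_CACHE_LISTING" \
    HTTP/auth.example.com@EXAMPLE.COM || true
weak=$(weak_keytab_etypes "$SAMPLE_KEYTAB_LISTING")
[ -z "$weak" ] || echo "WARN: weak key types in keytab: $weak"
```

<p>
On a real server, replace the samples with command substitutions, for example <code>check_keytab "$(klist -e -k -t /etc/lemonldap-ng/auth.keytab)" "$(kvno HTTP/auth.example.com@EXAMPLE.COM)" "$(klist -e)" HTTP/auth.example.com@EXAMPLE.COM</code> after a <code>kinit</code>, and <code>keytab_perms_ok /etc/lemonldap-ng/auth.keytab apache</code>. A FAIL on the KVNO is the classic symptom of a keytab generated before the last ktpass run or password reset.
</p>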
</div>
<!-- EDIT11 SECTION "Obtain keytab file" [2685-4814] -->
<h2 class="sectionedit12" id="multiple_ad_domains">Multiple AD domains</h2>
<div class="level2">
</div>
<!-- EDIT12 SECTION "Multiple AD domains" [4815-4847] -->
<h3 class="sectionedit13" id="client_kerberos_configuration1">Client Kerberos configuration</h3>
<div class="level3">
<p>
Both realms must be defined in <code>/etc/krb5.conf</code> (with <code>dns_lookup_kdc = false</code>, every KDC has to be listed explicitly):
</p>
<pre class="code file ini"><span class="re0"><span class="br0">&#91;</span>libdefaults<span class="br0">&#93;</span></span>
<span class="re1">default_realm</span> <span class="sy0">=</span><span class="re2"> EXAMPLE.COM</span>
<span class="re1">dns_lookup_kdc</span> <span class="sy0">=</span><span class="re2"> false</span>
<span class="re1">dns_lookup_realm</span> <span class="sy0">=</span><span class="re2"> no</span>
<span class="re1">ticket_lifetime</span> <span class="sy0">=</span><span class="re2"> 24h</span>
<span class="re1">forwardable</span> <span class="sy0">=</span><span class="re2"> yes</span>
<span class="re1">renewable</span> <span class="sy0">=</span><span class="re2"> true</span>
&nbsp;
<span class="re0"><span class="br0">&#91;</span>realms<span class="br0">&#93;</span></span>
EXAMPLE.COM <span class="sy0">=</span><span class="re2"> <span class="br0">&#123;</span></span>
<span class="re1">kdc</span> <span class="sy0">=</span><span class="re2"> ad.example.com</span>
<span class="re1">admin_server</span> <span class="sy0">=</span><span class="re2"> ad.example.com</span>
<span class="re1">default_domain</span> <span class="sy0">=</span><span class="re2"> EXAMPLE.COM</span>
<span class="br0">&#125;</span>
ACME.COM <span class="sy0">=</span><span class="re2"> <span class="br0">&#123;</span></span>
<span class="re1">kdc</span> <span class="sy0">=</span><span class="re2"> ad.acme.com</span>
<span class="re1">admin_server</span> <span class="sy0">=</span><span class="re2"> ad.acme.com</span>
<span class="br0">&#125;</span>
&nbsp;
<span class="re0"><span class="br0">&#91;</span>domain_realm<span class="br0">&#93;</span></span>
.example.com <span class="sy0">=</span><span class="re2"> EXAMPLE.COM</span>
example.com <span class="sy0">=</span><span class="re2"> EXAMPLE.COM</span>
.acme.com <span class="sy0">=</span><span class="re2"> ACME.COM</span>
acme.com <span class="sy0">=</span><span class="re2"> ACME.COM</span></pre>
<p>
You should then be able to open a Kerberos session in each realm:
</p>
<pre class="code">kinit coudot@EXAMPLE.COM
klist -e
kdestroy</pre>
<pre class="code">kinit coudot@ACME.COM
klist -e
kdestroy</pre>
</div>
<!-- EDIT13 SECTION "Client Kerberos configuration" [4848-5592] -->
<h3 class="sectionedit14" id="obtain_keytab_file1">Obtain keytab file</h3>
<div class="level3">
<p>
You need a keytab from each domain for the portal principal: run ktpass on a domain controller of EXAMPLE.COM (mapping HTTP/auth.example.com@EXAMPLE.COM to an account of that domain) and on a domain controller of ACME.COM (mapping HTTP/auth.example.com@ACME.COM to an account of that domain).
</p>
<p>
You then have two keytab files for each node, for example:
</p>
<ul>
<li class="level1"><div class="li"> node1-example.keytab</div>
</li>
<li class="level1"><div class="li"> node1-acme.keytab</div>
</li>
</ul>
<p>
Merge the keytab files with the <code>ktutil</code> command (each entry keeps its own principal, realm and KVNO):
</p>
<pre class="code">ktutil
ktutil: read_kt node1-example.keytab
ktutil: read_kt node1-acme.keytab
ktutil: write_kt /etc/lemonldap-ng/auth.keytab
ktutil: quit</pre>
<p>
You can then remove the original keytab files (and the copies left on the domain controllers) and protect the merged keytab file:
</p>
<pre class="code">chown apache /etc/lemonldap-ng/auth.keytab
chmod 600 /etc/lemonldap-ng/auth.keytab</pre>
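<p>
As an added example that is not part of the LemonLDAP::NG documentation, the following POSIX shell script checks the two requirements of this section together: every realm the merged keytab holds a key for must have a block in <code>[realms]</code> and a mapping in <code>[domain_realm]</code> of <code>/etc/krb5.conf</code>, and the portal principal must really have a key under each realm (a quick way to see that ktutil merged both files rather than writing only one). The keytab listing and the krb5.conf contents embedded as SAMPLE_* strings are constructed from the page's examples; the KVNO 5 for ACME.COM and the AES key type are assumptions.
</p>

```shell
#!/bin/sh
# Added example, not part of the LemonLDAP::NG documentation: verify that a
# merged keytab and /etc/krb5.conf agree on the set of realms.
# SAMPLE_* strings are constructed; in production use
#   klist -k -t /etc/lemonldap-ng/auth.keytab   for the listing
#   cat /etc/krb5.conf                          for the configuration

SAMPLE_MERGED_KEYTAB='Keytab name: FILE:/etc/lemonldap-ng/auth.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/01/70 01:00:00 HTTP/auth.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   5 01/01/70 01:00:00 HTTP/auth.example.com@ACME.COM (aes256-cts-hmac-sha1-96)'

SAMPLE_KRB5_CONF='[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_kdc = false

[realms]
EXAMPLE.COM = {
    kdc = ad.example.com
    admin_server = ad.example.com
}
ACME.COM = {
    kdc = ad.acme.com
    admin_server = ad.acme.com
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
.acme.com = ACME.COM
acme.com = ACME.COM'

# The single-domain configuration, i.e. what is left when the ACME.COM block is forgotten.
SAMPLE_KRB5_CONF_SINGLE='[libdefaults]
default_realm = EXAMPLE.COM

[realms]
EXAMPLE.COM = {
    kdc = ad.example.com
}

[domain_realm]
.example.com = EXAMPLE.COM'

# realms_in_keytab LISTING -> distinct realms of the principals in a "klist -k -t" listing
realms_in_keytab() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && $4 ~ /@/ { sub(/.*@/, "", $4); print $4 }' \
        | LC_ALL=C sort -u
}

# realms_in_krb5conf CONF -> realm names that have a "NAME = {" block in [realms]
realms_in_krb5conf() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^\[/ { in_realms = ($1 == "[realms]"); next }
        in_realms && $2 == "=" && $3 == "{" { print $1 }' | LC_ALL=C sort -u
}

# domain_realm_targets CONF -> realms that appear on the right-hand side of [domain_realm]
domain_realm_targets() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^\[/ { in_map = ($1 == "[domain_realm]"); next }
        in_map && $2 == "=" && NF == 3 { print $3 }' | LC_ALL=C sort -u
}

# principal_realms LISTING NAME -> realms for which the keytab holds a key for
# NAME (e.g. HTTP/auth.example.com); one line per realm
principal_realms() {
    printf '%s\n' "$1" | awk -v n="$2" '
        $1 ~ /^[0-9]+$/ && index($4, n "@") == 1 { sub(/.*@/, "", $4); print $4 }' \
        | LC_ALL=C sort -u
}

# missing_realms LISTING CONF -> one line per realm the keytab has keys for that
# krb5.conf does not define in [realms] or does not map in [domain_realm];
# empty output means the configuration covers the keytab
missing_realms() {
    for r in $(realms_in_keytab "$1"); do
        realms_in_krb5conf "$2" | grep -qxF "$r" || echo "$r (no [realms] entry)"
        domain_realm_targets "$2" | grep -qxF "$r" || echo "$r (no [domain_realm] mapping)"
    done
}

# Demo on the constructed samples: the single-domain krb5.conf against the merged keytab
missing=$(missing_realms "$SAMPLE_MERGED_KEYTAB" "$SAMPLE_KRB5_CONF_SINGLE")
if [ -n "$missing" ]; then
    echo "krb5.conf does not cover the keytab:"
    echo "$missing"
else
    echo "every realm in the keytab is configured"
fi
```

<p>
On a real node, call <code>missing_realms "$(klist -k -t /etc/lemonldap-ng/auth.keytab)" "$(cat /etc/krb5.conf)"</code> and expect no output, and <code>principal_realms "$(klist -k -t /etc/lemonldap-ng/auth.keytab)" HTTP/auth.example.com</code> should list both EXAMPLE.COM and ACME.COM; a single realm there means one of the <code>read_kt</code> steps was skipped.
</p>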
</div>
<!-- EDIT14 SECTION "Obtain keytab file" [5593-6254] -->
<h2 class="sectionedit15" id="other_resources">Other resources</h2>
<div class="level2">
<p>
See the following documentation for more information:
</p>
<ul>
<li class="level1"><div class="li"> <a href="http://modauthkerb.sourceforge.net/configure.html" class="urlextern" title="http://modauthkerb.sourceforge.net/configure.html" rel="nofollow">http://modauthkerb.sourceforge.net/configure.html</a></div>
</li>
<li class="level1"><div class="li"> <a href="http://www.grolmsnet.de/kerbtut/" class="urlextern" title="http://www.grolmsnet.de/kerbtut/" rel="nofollow">http://www.grolmsnet.de/kerbtut/</a></div>
</li>
</ul>
</div>
<!-- EDIT15 SECTION "Other resources" [6255-] --></div>
</body>
</html>