First, create a user account for Apache in Active Directory. Let’s assume the AD Kerberos realm is KOO.FI and the user we have created is “apache”. Also create a computer account for the web server; let’s call that “apachesrv”. Set the “apache” user’s password to never expire, because the keytab you are about to generate stops working the moment that password changes.
Next, create two keytab files on the Windows server with ktpass: one host keytab (mapped to the computer account) and one service keytab for the HTTP service (mapped to the user account). The commands were originally split over several lines; each is a single command:

```
C:\>ktpass -princ HOST/www.koo.fi@KOO.FI -mapuser apachesrv@KOO.FI -crypto DES-CBC-MD5 -DesOnly -pass XXXCHOOSEXAXSECRETXWORDXXX -ptype KRB5_NT_SRV_HST -out krb5.keytab
```

```
C:\>ktpass -princ HTTP/www.koo.fi@KOO.FI -mapuser apache@KOO.FI -pass XXXSECRETXXX -out keytab.HTTP
```

Two things to be aware of before you run these. First, ktpass -pass does not just write the key into the keytab: it resets the password of the mapped account to that value, so never point -mapuser at an account that is used for anything else. Second, the -crypto DES-CBC-MD5 -DesOnly choice reflects what the tools supported at the time; single DES has 56-bit keys and is disabled by default in current Windows domains. On a current setup give -crypto explicitly for both keytabs (AES256-SHA1 where the domain and your mod_auth_kerb/krb5 libraries support it, RC4-HMAC-NT as the fallback) rather than relying on ktpass’s default, and make sure the account’s supported encryption types in AD match what you put in the keytab.
Make sure that the principal name you are using (HTTP/your.server.com) carries exactly the host name the web browser requests from Apache: the browser builds the service principal from the host in the URL and asks the KDC for a ticket to that name, so the name must exist as an SPN on the mapped account and in the keytab. If they differ (for example, the site is reached through a DNS alias that is not registered as an SPN), you will end up with “failed to verify krb5 credentials: Server not found in Kerberos database” in your Apache error log. Extra host names can be registered on the same account with setspn -A HTTP/alias.koo.fi apache on the Windows side, and the realm part must be the upper-case realm name.
You should now have binary files called krb5.keytab and keytab.HTTP in your current directory. They contain long-term keys equivalent to the account passwords, so copy them over to your Apache server into /etc over a secure channel (scp, not a share or e-mail), and restrict them on arrival: krb5.keytab owned by root and readable only by root; keytab.HTTP owned by root with the Apache group (www-data on Ubuntu) as its group and mode 640, because mod_auth_kerb reads it from the worker processes, not from the root-owned parent.
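To see what the two files actually contain, and to catch the principal mismatch behind the “Server not found in Kerberos database” error before Apache does, here is an added example (not code from the original post, and not an mod_auth_kerb tool) that parses a keytab in the MIT 0x0502 format that ktpass and the krb5 tools write. The two sample keytabs at the bottom are constructed in memory with placeholder keys of the right length, using the article’s realm KOO.FI and host www.koo.fi; point parse_keytab at the bytes of a real /etc/keytab.HTTP to inspect your own.

```python
"""Inspect a Kerberos keytab offline.

Lists principals and encryption types, checks that the keytab carries the
service principal a browser will ask for, and flags weak (DES) keys.

Added example for this article, not code from the original post. It reads
the MIT keytab format (version 0x0502) that ktpass writes. The sample
keytabs below are constructed in memory; their keys are placeholder bytes,
not real secrets.
"""
import struct

# Kerberos encryption-type numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",  # what ktpass calls RC4-HMAC-NT
}
WEAK_ENCTYPES = {1, 3}    # single DES: 56-bit keys, off by default in modern AD
LEGACY_ENCTYPES = {23}    # RC4-HMAC still works, AES is preferred

# Name types as used by ktpass -ptype.
NAME_TYPES = {1: "KRB5_NT_PRINCIPAL", 3: "KRB5_NT_SRV_HST"}


def _counted(data, pos):
    """Read a 16-bit-length-prefixed byte string at pos."""
    (length,) = struct.unpack(">H", data[pos:pos + 2])
    pos += 2
    return data[pos:pos + length], pos + length


def parse_keytab(data):
    """Return the entries of a version-2 keytab as a list of dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 (0x0502) keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:            # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        realm, pos = _counted(data, pos)
        components = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            components.append(comp)
        name_type, _timestamp, vno = struct.unpack(">IIB", data[pos:pos + 9])
        pos += 9
        enctype, keylen = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4
        key = data[pos:pos + keylen]
        pos += keylen
        if end - pos >= 4:       # optional 32-bit kvno, used when non-zero
            (vno32,) = struct.unpack(">I", data[pos:pos + 4])
            if vno32:
                vno = vno32
        pos = end
        entries.append({
            "principal": b"/".join(components).decode() + "@" + realm.decode(),
            "name_type": NAME_TYPES.get(name_type, str(name_type)),
            "kvno": vno,
            "enctype": enctype,
            "enctype_name": ENCTYPES.get(enctype, f"etype-{enctype}"),
            "key_bytes": len(key),
        })
    return entries


def check_service_keytab(entries, hostname, service="HTTP", realm="KOO.FI"):
    """Return (code, message) findings for the keytab Apache will use.

    hostname is the name in the browser's URL: that is the name the client
    asks the KDC for, so it must appear in the keytab exactly.
    """
    wanted = f"{service}/{hostname}@{realm}"
    findings = []
    if not any(e["principal"] == wanted for e in entries):
        findings.append(("missing-spn", f"{wanted} not in keytab; expect "
                         "'Server not found in Kerberos database' in the error log"))
    for e in entries:
        if e["enctype"] in WEAK_ENCTYPES:
            findings.append(("weak-enctype", f"{e['principal']}: {e['enctype_name']}"))
        elif e["enctype"] in LEGACY_ENCTYPES:
            findings.append(("legacy-enctype", f"{e['principal']}: {e['enctype_name']}, "
                             "prefer AES256-SHA1"))
    return findings


def _entry(principal, realm, name_type, enctype, key, kvno=1):
    """Serialise one keytab entry the way MIT krb5 and ktpass lay it out."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)   # name type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key       # key block
    body += struct.pack(">I", kvno)                           # trailing 32-bit kvno
    return struct.pack(">i", len(body)) + body


# Constructed samples (placeholder keys): keytab.HTTP as ktpass writes it with
# -crypto RC4-HMAC-NT, and krb5.keytab as written with -crypto DES-CBC-MD5 -DesOnly.
SAMPLE_HTTP_KEYTAB = b"\x05\x02" + _entry("HTTP/www.koo.fi", "KOO.FI", 1, 23, b"\x11" * 16, kvno=3)
SAMPLE_HOST_KEYTAB = b"\x05\x02" + _entry("HOST/www.koo.fi", "KOO.FI", 3, 3, b"\x22" * 8, kvno=2)

if __name__ == "__main__":
    for label, blob, svc in (("keytab.HTTP", SAMPLE_HTTP_KEYTAB, "HTTP"),
                             ("krb5.keytab", SAMPLE_HOST_KEYTAB, "HOST")):
        entries = parse_keytab(blob)
        print(label)
        for e in entries:
            print(f"  {e['principal']}  kvno={e['kvno']}  {e['enctype_name']}  {e['name_type']}")
        for code, msg in check_service_keytab(entries, "www.koo.fi", service=svc):
            print(f"  [{code}] {msg}")
    # The failure mode from the text: the browser asks for a different host name.
    print(check_service_keytab(parse_keytab(SAMPLE_HTTP_KEYTAB), "intranet.koo.fi"))
```

The same principal, kvno and enctype listing for a real file comes from klist -k -t /etc/keytab.HTTP on the Apache box; once the principal is right, kinit -k -t /etc/keytab.HTTP HTTP/www.koo.fi against the real KDC proves the key in the keytab is the one AD currently holds (a kvno that is lower than the account’s means the password was reset after the keytab was made).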
Edit /etc/krb5.conf:

```
[libdefaults]
    default_realm = KOO.FI
    default_keytab_file = /etc/krb5.keytab
    dns_lookup_realm = true
    dns_lookup_kdc = true

[realms]
    KOO.FI = {
        kdc = dc1.koo.fi
        kdc = dc2.koo.fi
        admin_server = dc1.koo.fi
    }

[domain_realm]
    .koo.fi = KOO.FI
    koo.fi = KOO.FI
```
Test that your authentication works:

```
root@apachesrv:/etc# kinit HOST/www.koo.fi
Password for HOST/www.koo.fi@KOO.FI:
```
Enter the secret string you used earlier to create the machine account. If everything went correctly, you should be able to list the ticket:
```
root@apachesrv:/etc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HOST/www.koo.fi@KOO.FI

Valid starting     Expires            Service principal
06/11/08 15:26:55  06/12/08 01:25:16  krbtgt/KOO.FI@KOO.FI
        renew until 06/12/08 15:26:55


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
```
Lastly, let’s configure Apache. My Apache server happened to be an Ubuntu box with Apache 2.2 installed. The Apache module mod_auth_kerb will take care of the authentication, so let’s install that:
```
root@apachesrv:/etc# aptitude install libapache2-mod-auth-kerb
```
Add a Directory section to your Apache configuration (the Require keyword is valid-user in lower case, as the Apache documentation spells it):

```
<Directory /var/www/www.koo.fi/protected>
    AuthType Kerberos
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbAuthoritative on
    KrbAuthRealms KOO.FI
    KrbVerifyKDC on
    KrbServiceName HTTP
    Krb5Keytab /etc/keytab.HTTP
    KrbSaveCredentials off
    AuthName "This url is protected. Keep your unauthorized hands off!"
    Require valid-user
</Directory>
```

Two of these settings deserve a second look. KrbMethodK5Passwd on lets a client that cannot do Negotiate fall back to HTTP Basic authentication, which means the user’s AD password travels to Apache in the clear and is then checked against the KDC; only leave it on inside a TLS-protected virtual host, and turn it off if every client supports Negotiate. KrbVerifyKDC on is what makes that password path safe against a spoofed KDC: mod_auth_kerb uses the key in Krb5Keytab to verify that the ticket it got back really came from a KDC that knows the HTTP service key, so it needs the keytab to be readable by the Apache worker processes.
Reload the changes to Apache, and you’re all set!

```
root@apachesrv:/etc# /etc/init.d/apache2 force-reload
```
Some links:
http://sl.mvps.org/docs/LinuxApacheKerberosAD.htm
http://blog.scottlowe.org/2006/08/08/linux-active-directory-and-windows-server-2003-r2-revisited/
http://modauthkerb.sourceforge.net/configure.html