Martz n00b
Joined: 04 Mar 2004 Posts: 72
Posted: Tue Aug 03, 2004 8:49 pm Post subject: [HOWTO] Apache2 and mod_auth_kerb
About
Having set up Samba to authenticate to an existing Windows 2000 Active Directory, and then Squid proxy authentication via NTLM/Samba, I found there wasn't anything really documented for Apache/Active Directory authentication.
This guide is to allow Apache2 authentication against an existing Windows 2000 Domain Controller using Kerberos (mod_auth_kerb).
It was hard work, and I'm a n00b too, so please feel free to correct/update my first ever HOWTO.
Prerequisites
You should have already followed this guide on how to integrate Samba into Active Directory or have Kerberos working. If you do:
Code: |
jupiter# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@DOMAIN
Valid starting     Expires            Service principal
07/06/04 13:32:14  07/06/04 23:32:17  krbtgt/DOMAIN@DOMAIN
        renew until 07/07/04 13:32:14
|
You should see something like this. If this is the case, Kerberos is working on your system enough for this howto (I think!)
I. emerge mod_auth_kerb
Since mod_auth_kerb is broken in portage, you will need to follow these instructions from this thread: (many thanks!)
Quote: |
From the /root dir
1. emerge -f mod_auth_kerb
2. cp /usr/portage/distfiles/mod_auth_kerb-4.11.tar.gz /root/
3. tar -xvzf mod_auth_kerb-4.11.tar.gz
4. cd src/modules/kerberos
5. vi mod_auth_kerb.c
6. Remove the extra newline at/around line 380
7. :wq
8. cd
9. tar cvzf mod_auth_kerb-4.11.tar.gz src/*
10. cp mod_auth_kerb-4.11.tar.gz /usr/portage/distfiles/
11. md5sum -b /usr/portage/distfiles/mod_auth_kerb-4.11.tar.gz > /usr/portage/net-www/mod_auth_kerb/files/digest-mod_auth_kerb-4.11
12. ls -lta /usr/portage/distfiles/mod_auth_kerb-4.11.tar.gz
13. Record the file size (in bytes)
14. vi /usr/portage/net-www/mod_auth_kerb/files/digest-mod_auth_kerb-4.11
15. Format the line in the following manner:
MD5 96be90c0e037571a57298d23c73f3ddf mod_auth_kerb-4.11.tar.gz 14025
"MD5" is static, "mod_auth_kerb-4.11.tar.gz" is the name of the file,
and "14025" is the file size (in bytes)
16. emerge --resume mod_auth_kerb
|
For me, step 16 didn't work. I just did emerge mod_auth_kerb again and it properly compiled and installed.
II. Config apache
You should now be able to see an extra module config file:
Code: | /etc/apache2/conf/modules.d/11_mod_auth_kerb.conf |
You don't really need to edit this file. First edit:
Code: | /etc/conf.d/apache2 |
Make sure the line:
Code: | APACHE2_OPTS="-D SSL" |
is uncommented and then add or change it to look like:
Code: | APACHE2_OPTS="-D SSL -D AUTH_KERB" |
III. Enable AllowOverride
Make sure that for your directory you have the AllowOverride option in your /etc/apache2/conf/commonapache2.conf set to at least AllowOverride AuthConfig but I tested mine using AllowOverride All
Without the above option the directives below won't work.
IV. Restart apache
/etc/init.d/apache2 restart
Check /var/log/apache2/error_log to make sure that it isn't complaining about anything
V. Create keytab file
For some reason, we need to make a file with some stuff in it.
Code: | nano -w /etc/apache2/conf/apache2.keytab |
Put into this new file:
Code: |
HTTP/www.webserver.com@DOMAIN
|
www.webserver.com = should be the URL of the server we are protecting
DOMAIN = the DOMAIN you currently have set as your default_realm in /etc/krb5.conf
This also needs to be readable by apache. I did chmod 755 /etc/apache2/conf/apache2.keytab
VI. Create the .htaccess
Create a .htaccess file as below in the directory you want to protect:
Code: |
AuthType KerberosV5
AuthName "Kerberos protected web directory!"
KrbAuthRealm DOMAIN.COM
Krb5SaveCredentials off
KrbAuthAuthoritative on
Krb5KeyTab /etc/apache2/conf/apache2.keytab
<limit GET POST>
require valid-user
</limit>
|
When you visit the directory with the .htaccess in it, you should be prompted for a username and password which will authenticate against Active Directory. If you are on a workstation which is already in that domain and authenticated, it should be transparent. But I haven't been able to test this just yet.
Also, there is some extra work to be done to get this working over SSL to protect kerberos even more. If you have any input, please let me know and I'll try and build this HOWTO up a bit more.
Last edited by Martz on Sat Jun 18, 2005 11:24 am; edited 1 time in total
endu n00b
Joined: 03 Jul 2003 Posts: 18 Location: CH
Posted: Thu Sep 09, 2004 9:15 am Post subject: mod_auth_kerb 5.0-rc6 or 4.13
Anybody running recent versions of mod_auth_kerb?
I need an authentication mechanism to authenticate users against a Windows 2003 Domain.
It's working with mod_auth_ntlm, but I want to switch to Kerberos.
I had some problems getting 4.13 (see also bug 25124) or 5.0-rc6 installed. With 4.11, authentication works but is not transparent (with IE6).
I wonder if anybody has transparent authentication with Kerberos working (against a w2k3 server).
I haven't had the time to work out the install issues I have with 4.13 and 5.0 until now.
Here are some resources related to this:
http://modauthkerb.sourceforge.net/
http://www.grolmsnet.de/kerbtut/
aman Apprentice
Joined: 07 Sep 2003 Posts: 198 Location: Bay Area, California
Posted: Wed Feb 09, 2005 10:04 pm Post subject:
Does anyone know how I can specify Active Directory groups that have permission to login using this method? I have it working fine, but it would be awesome if I could restrict access via groups in Active Directory.
_________________
Yes, I do run Gentoo on production servers...
Martz n00b
Joined: 04 Mar 2004 Posts: 72
Posted: Thu Feb 10, 2005 9:50 am Post subject:
I think so. Wherever you would normally set rights for a user, you can set them in the user format:
DOMAIN+Username
I assume
DOMAIN+Group
would also work. You could try it.
gsurbey Apprentice
Joined: 24 Mar 2003 Posts: 212 Location: Nashua, NH
Posted: Tue May 03, 2005 9:44 pm Post subject:
I found an alternative to doing all this workaround stuff as discussed above to get mod_auth_kerb to work.
I'm not sure about this, but I think for the Mozilla GSS-API Negotiation Mechanism (SPNEGO) you need the KrbMethodNegotiate option on your Apache server, which seems to be only available in version 5 of mod_auth_kerb. However, you'll notice that that package is masked at the moment. So what you should do now is follow the Gentoo Apache Package Refresh instructions (don't worry, things like mod_php are fully supported now). You'll also have to read up on the different newer config options for version 5 of mod_auth_kerb.
BTW I had some trouble when I wanted to change my service ticket name from HTTP to apache instead. I had to debug to figure out that it looks like the HTTP service ticket name is hardcoded somewhere in the browser. The following is how to get a log of the kerberos transactions with the browser.
Code: | export NSPR_LOG_MODULES=negotiateauth:5
export NSPR_LOG_FILE=/tmp/negotiateauth.log
mozilla |
_________________
-Greg Surbey
Martz n00b
Joined: 04 Mar 2004 Posts: 72
Posted: Sat Jun 18, 2005 11:23 am Post subject:
mod_auth_kerb 5.0 r6 is in portage, if you mask it ~x86
Code: | echo "net-www/mod_auth_kerb ~x86" >> /etc/portage/package.keywords
|
Has anyone tested this? I will be giving it a try in a couple of weeks when I am back from holiday
Quote: | jupiter ~ # emerge -pv mod_auth_kerb
Calculating dependencies ...done!
[ebuild R ] net-www/mod_auth_kerb-4.11 0 kB
Total size of downloads: 0 kB
jupiter ~ # ACCEPT_KEYWORDS="~x86" emerge -pv mod_auth_kerb
These are the packages that I would merge, in order:
Calculating dependencies ...done!
[ebuild N ] net-www/gentoo-webroot-default-0.2 -no-htdocs 64 kB
[ebuild N ] dev-libs/apr-0.9.6-r3 -debug +ipv6 1,001 kB
[ebuild N ] app-misc/mime-types-3 5 kB
[ebuild N ] dev-libs/apr-util-0.9.6-r2 +berkdb +gdbm +ldap 707 kB
[ebuild U ] net-www/apache-2.0.54-r11 [2.0.54-r7] +apache2 -debug -doc +ldap -mpm-leader -mpm-peruser -mpm-prefork -mpm-threadpool -mpm-worker -no-suexec +ssl -static-modules -threads 49 kB
[ebuild U ] net-www/mod_auth_kerb-5.0_rc6 [4.11] +apache2* 67 kB
|
gsurbey: Nice to know that Firefox/Mozilla support for transparent authentication is on its way
taylorg6 n00b
Joined: 26 Feb 2004 Posts: 6 Location: Reno, NV USA
Posted: Thu Sep 01, 2005 3:07 pm Post subject:
I followed the steps here (except using mod_auth_kerb-5.0-r6) and got gss_acquire_cred() failed: Miscellaneous failure (Unsupported key table format version number).
So I found a document on how to create my KeyTab using ktpass from Windows. Now I get gss_acquire_cred() failed: Miscellaneous failure (No principal in keytab matches desired name).
The only thing I can think of is that maybe I'm using the wrong name for a principal, but I've tried a bunch of different things. Does the DNS have to match up with what I'm using? Do I use the server's name or do I use the alias (virtual host) name?
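Both errors in this post come from the keytab file rather than from Apache. The first means the file is not in keytab format at all: a plain text file like the one the HOWTO's step V creates begins with the bytes "HT", not the 0x0502 version marker libkrb5 expects. The second means the keytab is valid but contains no entry whose name and realm both equal the principal Apache asked for. The following added example (written for this thread, not code from mod_auth_kerb or MIT Kerberos) parses a binary keytab the way libkrb5 does, reports those two conditions, and also flags a keytab that is readable by anyone other than the Apache user, since the file holds the service's long-term key. The hostname lyonrec.domain.net, the kvno values, the RC4-HMAC enctype (23), the key bytes and the file contents are all constructed for the demonstration.

```python
import os
import stat
import struct
import tempfile

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab file format version 2 (0x0502)

class KeytabError(Exception):
    """The two conditions gss_acquire_cred() reports in the thread."""

def _counted(buf, pos):
    # one uint16-length-prefixed byte string starting at pos
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] for every live keytab entry."""
    if data[:2] != KEYTAB_MAGIC:
        # A hand-typed text file begins with "HT", not 0x0502.
        raise KeytabError("Unsupported key table format version number %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)   # realm not counted in v2
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4 + keylen             # skip the key material; never needed here
        if end - pos >= 4:            # optional 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or kvno
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        pos = end
    return entries

def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples in the same layout
    ktpass/ktutil write; used here only to construct sample input."""
    out = KEYTAB_MAGIC
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT-PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out

def find_principal(entries, wanted):
    """Like gss_acquire_cred(): only an exact name AND realm match counts."""
    matches = [e for e in entries if e[0] == wanted]
    if not matches:
        have = ", ".join(sorted({e[0] for e in entries}))
        raise KeytabError("No principal in keytab matches desired name %s (keytab has: %s)" % (wanted, have))
    return matches

def audit_keytab(path, wanted):
    """Check permissions, format and principal of a keytab on disk.
    Returns (warnings, matching entries) or raises KeytabError."""
    warnings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        # The keytab holds the service's long-term key: only the Apache user should read it.
        warnings.append("%s mode %o is readable by others; chown to the apache user and chmod 400" % (path, mode))
    with open(path, "rb") as fh:
        entries = parse_keytab(fh.read())
    return warnings, find_principal(entries, wanted)

if __name__ == "__main__":
    # Constructed samples: a text "keytab" like the HOWTO's, a binary one issued
    # for DOMAIN.LOCAL while Apache asks for DOMAIN.NET, and a matching one.
    samples = {"text.keytab": b"HTTP/www.webserver.com@DOMAIN\n",
               "wrongrealm.keytab": build_keytab([("HTTP/lyonrec.domain.net@DOMAIN.LOCAL", 3, 23, b"\x11" * 16)]),
               "apache2.keytab": build_keytab([("HTTP/lyonrec.domain.net@DOMAIN.NET", 3, 23, b"\x22" * 16)])}
    with tempfile.TemporaryDirectory() as d:
        for name, blob in samples.items():
            path = os.path.join(d, name)
            with open(path, "wb") as fh:
                fh.write(blob)
            os.chmod(path, 0o755)             # the mode the HOWTO suggests
            try:
                print(name, audit_keytab(path, "HTTP/lyonrec.domain.net@DOMAIN.NET"))
            except KeytabError as e:
                print(name, "->", e)
```

Run against a real /etc/apache2/conf/apache2.keytab, audit_keytab() tells you in one go whether the file is a keytab at all, which principals it actually contains when the one Apache wants is missing (the usual cause is the realm or the hostname differing from what the browser asks for), and whether the mode leaks the key to other local users.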
taylorg6 n00b
Joined: 26 Feb 2004 Posts: 6 Location: Reno, NV USA
Posted: Fri Sep 02, 2005 8:41 pm Post subject:
OK, more on this...
I'm using DOMAIN.LOCAL for internal stuff, but we also own domain.net for everything Internet. So websites are all .net for DNS.
The site in question is a virtual host on my web server. I finally turned on debug level logging on the web server and it was looking for a principal called HTTP/lyonrec.DOMAIN.net@DOMAIN.NET. I created my keytab to use HTTP/lyonrec.DOMAIN.net@DOMAIN.LOCAL. Why is it changing DOMAIN.LOCAL to .NET?
gtfx123 n00b
Joined: 17 Apr 2005 Posts: 23
Posted: Sat Sep 24, 2005 5:56 am Post subject:
Anyone running mod_auth_kerb (~x86) with the latest mit-krb5? Does single sign-on still work? I just keep on getting "request is replay!"; it seems like an issue with mit-krb5! There are a few hacks around, but I'm just wondering if there is a better way!
thanks.
converter Apprentice
Joined: 24 Dec 2002 Posts: 163
Posted: Sun Nov 13, 2005 1:56 pm Post subject:
taylorg6 wrote: | OK, more on this...
I'm using DOMAIN.LOCAL for internal stuff, but we also own domain.net for everything Internet. So websites are all .net for DNS.
The site in question is a virtual host on my web server. I finally turned on debug level logging on the web server and it was looking for a principal called HTTP/lyonrec.DOMAIN.net@DOMAIN.NET. I created my keytab to use HTTP/lyonrec.DOMAIN.net@DOMAIN.LOCAL. Why is it changing DOMAIN.LOCAL to .NET? |
Kerberos is very particular about hostname resolution. You must use a canonical hostname, and the A record IP address must reverse to the same hostname, and ONLY one hostname (host -i <ip address> will do a reverse lookup on the IP address for you).
Does /etc/krb5.conf have a domain->realm mapping for DOMAIN.LOCAL?
_________________
converter
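An added example of the domain-to-realm lookup behind converter's last question, and of why taylorg6's debug log shows DOMAIN.NET (example code written for this thread, not MIT Kerberos or mod_auth_kerb code): it reads the [domain_realm] section of a constructed krb5.conf and resolves a service hostname the way libkrb5 does, exact hostname first, then each parent domain with a leading dot. When nothing matches, the fallback older libkrb5 used is the upper-cased DNS domain of the host, which turns HTTP/lyonrec.DOMAIN.net into a DOMAIN.NET principal; the .domain.net = DOMAIN.LOCAL line is the mapping that sends it to DOMAIN.LOCAL instead. The hostname, the KDC name and the krb5.conf text are constructed.

```python
# Constructed krb5.conf: the Windows realm is DOMAIN.LOCAL, but the web
# server's DNS name lives under domain.net, so the realm has to be mapped.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = DOMAIN.LOCAL

[realms]
    DOMAIN.LOCAL = {
        kdc = dc1.domain.local
    }

[domain_realm]
    .domain.local = DOMAIN.LOCAL
    domain.local = DOMAIN.LOCAL
    .domain.net = DOMAIN.LOCAL
    domain.net = DOMAIN.LOCAL
"""

def parse_domain_realm(text):
    """Return the [domain_realm] key/value pairs as a dict with lowercased keys."""
    mapping, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # strip comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "domain_realm" and "=" in line:
            key, realm = (s.strip() for s in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping

def host_to_realm(hostname, mapping):
    """Return (realm, matched_key); matched_key is None when the fallback was used."""
    host = hostname.lower().rstrip(".")
    if host in mapping:                    # an exact hostname entry wins
        return mapping[host], host
    labels = host.split(".")
    for i in range(1, len(labels)):        # then .domain.net, then .net
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix], suffix
    # Nothing matched: older libkrb5 fell back to the upper-cased DNS domain,
    # which is exactly how lyonrec.DOMAIN.net ended up in realm DOMAIN.NET.
    return ".".join(labels[1:]).upper(), None

def service_principal(hostname, mapping, service="HTTP"):
    """The principal mod_auth_kerb will look for in the keytab for this host."""
    realm, _ = host_to_realm(hostname, mapping)
    return "%s/%s@%s" % (service, hostname.rstrip("."), realm)

def explain(hostname, mapping):
    realm, rule = host_to_realm(hostname, mapping)
    if rule is None:
        return "%s -> %s (no [domain_realm] match; fell back to the upper-cased DNS domain)" % (hostname, realm)
    return "%s -> %s (matched [domain_realm] entry '%s')" % (hostname, realm, rule)

if __name__ == "__main__":
    no_mapping = parse_domain_realm("[libdefaults]\n    default_realm = DOMAIN.LOCAL\n")
    print(explain("lyonrec.DOMAIN.net", no_mapping))
    print(service_principal("lyonrec.DOMAIN.net", no_mapping))
    with_mapping = parse_domain_realm(SAMPLE_KRB5_CONF)
    print(explain("lyonrec.DOMAIN.net", with_mapping))
    print(service_principal("lyonrec.DOMAIN.net", with_mapping))
```

Note that default_realm does not take part in this lookup: it only decides the realm of client names without one. A service principal for a host is always derived from the hostname, so the [domain_realm] mapping has to cover every DNS suffix the web server is reached under, and, as converter says, the name Apache derives comes from canonical (forward and reverse) resolution of the host, not from the virtual host alias.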
gtfx123 n00b
Joined: 17 Apr 2005 Posts: 23