===== What is it? =====
Notes for setting up a kerberized Apache, using two virtual machines here.
**note:** Nowadays you might want to consider using the more modern mod_auth_gssapi instead of mod_auth_kerb.
===== MIT kerberos / httpd =====
yum -y install krb5-server.x86_64 krb5-workstation.x86_64
sed -i 's,EXAMPLE\.COM,FLUXCOIL.NET,' /var/kerberos/krb5kdc/kdc.conf
sed -i 's,EXAMPLE\.COM,FLUXCOIL.NET,' /etc/krb5.conf
vi /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = FLUXCOIL.NET
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
FLUXCOIL.NET = {
kdc = rhel6b.site
admin_server = rhel6b.site
}
[domain_realm]
.site = FLUXCOIL.NET
site = FLUXCOIL.NET
----------------------------------
# create the kerberos db
/usr/sbin/kdb5_util create -s
# if you execute this in a VM and get stuck because of missing entropy:
# login with an additional session and execute 'find /'
echo '*/admin@FLUXCOIL.NET *' >/var/kerberos/krb5kdc/kadm5.acl
/usr/sbin/kadmin.local -q "addprinc chorn/admin"
service krb5kdc start
service kadmin start
chkconfig krb5kdc on
chkconfig kadmin on
# check if obtaining the tgt works
kinit chorn/admin
yum install -y httpd mod_auth_kerb.x86_64
mkdir -p /var/www/html/private /etc/httpd/keytabs
echo 'welcome to public section' >/var/www/html/index.html
echo 'welcome to private section' >/var/www/html/private/index.html
cat >/etc/httpd/conf.d/private.conf <<EOT
# container assumed: the enclosing tag of the original was lost in extraction;
# without one these directives would protect the whole site instead of /private
<Directory /var/www/html/private>
# SSLRequireSSL
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbAuthRealms FLUXCOIL.NET
KrbServiceName HTTP/rhel6u1b.fluxcoil.net
Krb5KeyTab /etc/httpd/keytabs/keytab1
require valid-user
</Directory>
EOT
kadmin
> addprinc -randkey HTTP/rhel6u1b.fluxcoil.net
> ktadd -k /etc/httpd/keytabs/keytab1 HTTP/rhel6u1b.fluxcoil.net
chown apache /etc/httpd/keytabs/keytab1
service httpd start
# the serverside is ready now.
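Before restarting httpd it is worth checking that the pieces above agree with each other: the host in KrbServiceName must be the name the browser puts in the URL (with name-based virtual hosts, the vhost's ServerName), that host must map to a realm listed in KrbAuthRealms, and that realm needs a kdc in krb5.conf. The following is an added example, not code from the original notes or from mod_auth_kerb; the two config texts are constructed samples copied from the notes, and the function names and the ServerName comparison are assumptions of this example.

```python
# Added example (not part of the original notes): check that the mod_auth_kerb
# directives and krb5.conf agree before (re)starting httpd. The two config texts
# are constructed samples copied from the notes; the function names and the
# ServerName comparison are this example's own, not mod_auth_kerb's.
import re

KRB5_CONF = """\
[libdefaults]
default_realm = FLUXCOIL.NET
[realms]
FLUXCOIL.NET = {
kdc = rhel6b.site
admin_server = rhel6b.site
}
[domain_realm]
.site = FLUXCOIL.NET
site = FLUXCOIL.NET
"""

PRIVATE_CONF = """\
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbAuthRealms FLUXCOIL.NET
KrbServiceName HTTP/rhel6u1b.fluxcoil.net
Krb5KeyTab /etc/httpd/keytabs/keytab1
require valid-user
"""


def parse_krb5_conf(text):
    """Parse the krb5.conf subset used here: [section] headers, key = value
    lines and one level of NAME = { ... } sub-sections."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'\[(\w+)\]$', line)
        if m:
            section, sub = m.group(1), None
            conf.setdefault(section, {})
        elif line == '}':
            sub = None
        else:
            key, _, value = (p.strip() for p in line.partition('='))
            if value == '{':
                sub = key
                conf[section][sub] = {}
            elif sub is not None:
                conf[section][sub][key] = value
            else:
                conf[section][key] = value
    return conf


def parse_apache_directives(text):
    """'Directive value' lines keyed by lower-cased name (Apache is case-insensitive)."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith('#'):
            name, _, value = line.partition(' ')
            out[name.lower()] = value.strip().strip('"')
    return out


def realm_for_host(host, conf):
    """Approximate libkrb5's host-to-realm mapping with dns_lookup_realm = false:
    the longest matching [domain_realm] entry wins, otherwise default_realm."""
    host, best_len, best = host.lower(), -1, None
    for pattern, realm in conf.get('domain_realm', {}).items():
        p = pattern.lower()
        # 'host' matches exactly and (per the krb5.conf docs) implies '.host';
        # '.domain' matches every host below it
        if (host == p or host.endswith(p if p.startswith('.') else '.' + p)) and len(p) > best_len:
            best_len, best = len(p), realm
    return best or conf.get('libdefaults', {}).get('default_realm')


def check_kerberos_setup(apache_text, krb5_text, server_name):
    """Return a list of problems; an empty list means the pieces are consistent."""
    d, conf, problems = parse_apache_directives(apache_text), parse_krb5_conf(krb5_text), []
    if d.get('authtype', '').lower() != 'kerberos':
        problems.append('AuthType is not Kerberos')
    service, _, host = d.get('krbservicename', '').partition('/')
    host = host.split('@', 1)[0]
    if not host:
        return problems + ['KrbServiceName must be of the form HTTP/host.domain']
    if service != 'HTTP':
        problems.append('browsers ask the KDC for the HTTP service, not %s' % service)
    # The browser requests a ticket for HTTP/<hostname in the URL>; with name-based
    # virtual hosts that must be the principal whose key is in this vhost's keytab.
    if host.lower() != server_name.lower():
        problems.append('KrbServiceName host %s differs from ServerName %s' % (host, server_name))
    realm = realm_for_host(host, conf)
    allowed = d.get('krbauthrealms', '').split()
    if allowed and realm not in allowed:
        problems.append('realm %s of the service host is not in KrbAuthRealms' % realm)
    if 'kdc' not in conf.get('realms', {}).get(realm, {}):
        problems.append('no kdc defined for realm %s in [realms]' % realm)
    if not d.get('krb5keytab', '').startswith('/'):
        problems.append('Krb5Keytab should be an absolute path')
    return problems


if __name__ == '__main__':
    for name in ('rhel6u1b.fluxcoil.net', 'site3.fluxcoil.net'):
        print(name, check_kerberos_setup(PRIVATE_CONF, KRB5_CONF, name) or 'OK')
```

Run as-is it reports the notes' own setup as consistent and flags a vhost named site3.fluxcoil.net served with the same private.conf, which is the mismatch behind the first log excerpt in the errors section.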
===== kerberos client / browser =====
yum -y install krb5-workstation
scp rhel6u1b:/etc/krb5.conf /etc
# setup firefox
yum -y install firefox xauth $(yum search xorg-x11-font|grep ^xorg-x11-font|sed -e 's,:.*,,')
# log out and log in again to get X forwarding
klist # check for a ticket; run kinit if there is none
firefox # start kerberized firefox
> in URL-line type 'about:config'
> in filter-line type 'network.nego'
> 'network.negotiate-auth.delegation-uris' and 'network.negotiate-auth.gsslib' should be empty
> 'network.negotiate-auth.trusted-uris' should be set to 'fluxcoil.net', or to whichever other domains automatic sign-on is wanted for
Now try to access http://rhel6u1b.fluxcoil.net/ and http://rhel6u1b.fluxcoil.net/private .
The latter should automatically sign you on.
===== errors =====
[debug] src/mod_auth_kerb.c(1578): [client 192.168.4.16] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[debug] src/mod_auth_kerb.c(1213): [client 192.168.4.16] Acquiring creds for HTTP/site3.fluxcoil.net
[debug] src/mod_auth_kerb.c(1335): [client 192.168.4.16] Verifying client data using KRB5 GSS-API
[debug] src/mod_auth_kerb.c(1351): [client 192.168.4.16] Client didn't delegate us their credential
[debug] src/mod_auth_kerb.c(1370): [client 192.168.4.16] GSS-API token of length 9 bytes will be sent back
[debug] src/mod_auth_kerb.c(1074): [client 192.168.4.16] GSS-API major_status:000d0000, minor_status:000186a4
[error] [client 192.168.4.16] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, )
This appeared when name-based virtual hosts were about to be used.
Changing "KrbServiceName" to HTTP/.fluxcoil.net and having Krb5Keytab point
at the correct keytab fixed the issue.
[debug] src/mod_auth_kerb.c(1939): [client 192.168.4.21] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[debug] src/mod_auth_kerb.c(1031): [client 192.168.4.21] Using HTTP/rhel6u2b.fluxcoil.net@FLUXCOIL.NET as server principal for password verification
[debug] src/mod_auth_kerb.c(735): [client 192.168.4.21] Trying to get TGT for user chorn@FLUXCOIL.NET
[debug] src/mod_auth_kerb.c(645): [client 192.168.4.21] Trying to verify authenticity of KDC using principal HTTP/rhel6u2b.fluxcoil.net@FLUXCOIL.NET
[debug] src/mod_auth_kerb.c(660): [client 192.168.4.21] krb5_get_credentials() failed when verifying KDC
[error] [client 192.168.4.21] failed to verify krb5 credentials: KDC has no support for encryption type
[debug] src/mod_auth_kerb.c(1110): [client 192.168.4.21] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL)
This appears if the KDC does not support the encryption type of the principal, for example
when the des-cbc-md5 encryption type is to be used and the entry 'allow_weak_crypto = true'
is missing from the [libdefaults] section of the KDC's /etc/krb5.conf.
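The two log excerpts above are easier to read once the GSS-API status word is decoded: mod_auth_kerb logs it as hex, and per RFC 2744 the routine error sits in bits 16-23 (0x000d0000 is routine error 13, GSS_S_FAILURE, which is exactly the "Unspecified GSS failure" text on the next line), calling errors in bits 24-31 and supplementary flags in bits 0-15. The following is an added example, not code from the original notes or from mod_auth_kerb: it walks lines of the module's debug log, remembers which service principal was being used per client, decodes the status word, and maps the two failure signatures from this section to the causes the notes give. The log lines are constructed input copied from the section; the cause table and function names are this example's own assumptions.

```python
# Added example (not part of the original notes): triage mod_auth_kerb log lines.
# SAMPLE_LOG is constructed from the excerpts in the notes; CAUSES encodes the
# explanations the notes give and is this example's own table, not the module's.
import re

SAMPLE_LOG = """\
[debug] src/mod_auth_kerb.c(1213): [client 192.168.4.16] Acquiring creds for HTTP/site3.fluxcoil.net
[debug] src/mod_auth_kerb.c(1074): [client 192.168.4.16] GSS-API major_status:000d0000, minor_status:000186a4
[error] [client 192.168.4.16] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, )
[debug] src/mod_auth_kerb.c(1031): [client 192.168.4.21] Using HTTP/rhel6u2b.fluxcoil.net@FLUXCOIL.NET as server principal for password verification
[error] [client 192.168.4.21] failed to verify krb5 credentials: KDC has no support for encryption type
"""

# Routine error values from RFC 2744 section 3.9.1.
GSS_ROUTINE_ERRORS = {
    1: 'GSS_S_BAD_MECH', 2: 'GSS_S_BAD_NAME', 3: 'GSS_S_BAD_NAMETYPE',
    4: 'GSS_S_BAD_BINDINGS', 5: 'GSS_S_BAD_STATUS', 6: 'GSS_S_BAD_SIG',
    7: 'GSS_S_NO_CRED', 8: 'GSS_S_NO_CONTEXT', 9: 'GSS_S_DEFECTIVE_TOKEN',
    10: 'GSS_S_DEFECTIVE_CREDENTIAL', 11: 'GSS_S_CREDENTIALS_EXPIRED',
    12: 'GSS_S_CONTEXT_EXPIRED', 13: 'GSS_S_FAILURE', 14: 'GSS_S_BAD_QOP',
    15: 'GSS_S_UNAUTHORIZED', 16: 'GSS_S_UNAVAILABLE',
    17: 'GSS_S_DUPLICATE_ELEMENT', 18: 'GSS_S_NAME_NOT_MN',
}
GSS_CALLING_ERRORS = {
    1: 'GSS_S_CALL_INACCESSIBLE_READ', 2: 'GSS_S_CALL_INACCESSIBLE_WRITE',
    3: 'GSS_S_CALL_BAD_STRUCTURE',
}

CLIENT_RE = re.compile(r'\[client ([\d.]+)\] (.*)$')
MAJOR_RE = re.compile(r'major_status:([0-9a-f]{8}), minor_status:([0-9a-f]{8})')
SERVICE_RE = re.compile(r'(?:Acquiring creds for|Using) (HTTP/[^\s@]+)')

# (pattern in the [error] line, likely cause as described in the notes)
CAUSES = [
    (re.compile(r'gss_accept_sec_context\(\) failed'),
     'service principal or keytab mismatch (typical with name-based vhosts): '
     'check KrbServiceName and Krb5Keytab for this vhost'),
    (re.compile(r'KDC has no support for encryption type'),
     'KDC rejects the enctype of the principal; for des-cbc-md5 set '
     "'allow_weak_crypto = true' in [libdefaults] of the KDC's krb5.conf"),
]


def decode_gss_major(word):
    """Split a GSS-API major status word into its three RFC 2744 fields."""
    calling = (word >> 24) & 0xff
    routine = (word >> 16) & 0xff
    return {
        'calling': GSS_CALLING_ERRORS.get(calling) if calling else None,
        'routine': GSS_ROUTINE_ERRORS.get(routine, 'unknown(%d)' % routine) if routine else None,
        'supplementary': word & 0xffff,
    }


def triage(log_text):
    """Walk the log in order, keeping per client the last service principal and
    GSS status seen, and return one finding per [error] line."""
    state, findings = {}, []
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if not m:
            continue
        client, msg = m.groups()
        st = state.setdefault(client, {'service': None, 'gss': None})
        sm = SERVICE_RE.search(msg)
        if sm:
            st['service'] = sm.group(1)
        gm = MAJOR_RE.search(msg)
        if gm:
            st['gss'] = decode_gss_major(int(gm.group(1), 16))
            st['gss']['minor'] = int(gm.group(2), 16)
        if not line.startswith('[error]'):
            continue
        cause = next((c for pat, c in CAUSES if pat.search(msg)),
                     'unrecognised failure; compare with the KDC log')
        findings.append({'client': client, 'service': st['service'],
                         'gss': st['gss'], 'error': msg, 'cause': cause})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print('%s %s: %s -> %s' % (f['client'], f['service'], f['gss'], f['cause']))
```

The per-client state matters because mod_auth_kerb spreads one failed request over several debug lines; the principal named in "Acquiring creds for" is the one whose key the module looked for in the keytab, which is what to compare against the hostname the browser used.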
===== activating debugging for mozilla/firefox =====
export NSPR_LOG_MODULES="negotiateauth:5"
export NSPR_LOG_FILE="/tmp/negotiateauth.log"
touch /tmp/negotiateauth.log
tail -f /tmp/negotiateauth.log &
firefox