
Set up an MIT Kerberos KDC with the Berkeley DB backend

  • procedure for rhel6 and rhel7
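# Install the KDC and client tools, then point the stock kdc.conf and
# krb5.conf at the local realm instead of the EXAMPLE.COM placeholder.
# REALM can be overridden from the environment; it defaults to the realm
# used throughout this page. It must not contain ',' or '&' (sed syntax).
REALM=${REALM:-FLUXCOIL.NET}
yum -y install krb5-server.x86_64 krb5-workstation.x86_64
# 'g' replaces every occurrence on a line, not just the first one.
sed -i "s,EXAMPLE\.COM,${REALM},g" /var/kerberos/krb5kdc/kdc.conf
sed -i "s,EXAMPLE\.COM,${REALM},g" /etc/krb5.conf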

vi /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = FLUXCOIL.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 FLUXCOIL.NET = {
  kdc = rhel6b.site
  admin_server = rhel6b.site
 }

[domain_realm]
 .site = FLUXCOIL.NET
 site = FLUXCOIL.NET
----------------------------------

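# Initialise the realm database, the admin ACL and the first admin
# principal, then start the KDC and kadmin daemons. Run as root on the KDC.
REALM=${REALM:-FLUXCOIL.NET}
ADMIN_PRINC=${ADMIN_PRINC:-chorn/admin}

# -s writes a stash file so the daemons can start unattended.
# kdb5_util prompts for the master password.
/usr/sbin/kdb5_util create -s
# If this hangs inside a VM it is usually waiting for entropy: log in on a
# second session and generate some I/O, e.g. 'find /'.

# Every */admin principal gets full administrative rights over the realm.
printf '*/admin@%s  *\n' "$REALM" >/var/kerberos/krb5kdc/kadm5.acl
# addprinc prompts (twice) for the new principal's password.
/usr/sbin/kadmin.local -q "addprinc ${ADMIN_PRINC}"

# RHEL 7 is systemd-based: the SysV wrappers still work there, but the
# native commands are preferred. RHEL 6 has no systemctl, so fall back.
if command -v systemctl >/dev/null 2>&1; then
  systemctl enable krb5kdc kadmin
  systemctl start krb5kdc kadmin
else
  service krb5kdc start
  service kadmin start
  chkconfig krb5kdc on
  chkconfig kadmin on
fi

# Sanity check: obtaining a TGT for the admin principal must succeed.
kinit "$ADMIN_PRINC"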

Set up a kerberized Apache

  • note: nowadays you might want to consider using the more modern mod_auth_gssapi instead of mod_auth_kerb.
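# Install Apache plus the Kerberos auth module, then create a public page
# and a second one under /private that the auth config below protects.
yum -y install httpd mod_auth_kerb

echo 'welcome to rhel6u2b.fluxcoil.net!' >/var/www/html/index.html
# -p keeps this step re-runnable when the directory already exists
mkdir -p /var/www/html/private
echo 'welcome to rhel6u2b.fluxcoil.net, private section!' >/var/www/html/private/index.html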

vi /etc/httpd/conf.d/private.conf :
--------------------------------
<Location /private>
#  SSLRequireSSL
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbAuthRealms FLUXCOIL.NET
  Krb5KeyTab /etc/httpd/conf/keytab
  require valid-user
</Location>
--------------------------------

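# Create the HTTP service principal and export its key into the keytab
# that private.conf references via Krb5KeyTab. Each kadmin call prompts
# for the chorn/admin password; -q runs one command non-interactively
# instead of typing it at the kadmin: prompt (which, pasted into a shell
# as '#' lines, would silently never run).
KEYTAB=/etc/httpd/conf/keytab
HTTP_PRINC=HTTP/rhel6u2b.fluxcoil.net
kadmin -p chorn/admin -q "addprinc -randkey ${HTTP_PRINC}"
kadmin -p chorn/admin -q "ktadd -k ${KEYTAB} ${HTTP_PRINC}"

# ktadd writes the keytab as root; the httpd workers run as 'apache' and
# must be able to read it. The path has to match Krb5KeyTab in
# private.conf (/etc/httpd/conf, not /etc/http/conf). The keytab is a
# long-term credential, so keep it unreadable by anyone else.
chown -- apache "$KEYTAB"
chmod -- 0600 "$KEYTAB"
service httpd start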