software:kerberos:crossrealm:9b_kerberize_apache
  • note: Nowadays you might want to consider using the more modern mod_auth_gssapi instead of mod_auth_kerb.

configure apache/mod_auth_kerb

cd /opt/src
tar xjf httpd-2.2.4.tar.bz2
cd httpd-2.2.4
./configure --prefix=/opt/soft_httpd-2.2.4
make -j6 && make install && cd ..

tar xzf mod_auth_kerb-5.3.tar.gz 
cd mod_auth_kerb-5.3
./configure --with-krb5=/opt/soft_krb5-1.6.1/ --with-krb4=no --with-apache=/opt/soft_httpd-2.2.4/
make -j6 && make install && cd ..

cd /opt/soft_httpd-2.2.4/conf
echo 'LoadModule      auth_kerb_module    modules/mod_auth_kerb.so' >>httpd.conf

vi /opt/soft_httpd-2.2.4/conf/httpd.conf
>In section <Directory "/opt/soft_httpd-2.2.4/htdocs"> change 'AllowOverride None' to 'AllowOverride All'

cd ../htdocs
mkdir authed
echo 'This is in the authed area.'>authed/index.html

cat >authed/.htaccess<<EOT
AuthType Kerberos
AuthName "Kerberos Login realm FLUXCOIL.NET"
KrbAuthRealms FLUXCOIL.NET
require user tester0@FLUXCOIL.NET
Krb5Keytab /opt/soft_httpd-2.2.4/http.keytab
EOT
---------------

kadmin
> addprinc -randkey HTTP/sid64.fluxcoil.net
> ktadd  -k /opt/soft_httpd-2.2.4/http.keytab HTTP/sid64.fluxcoil.net

chmod +r /opt/soft_httpd-2.2.4/http.keytab
/opt/soft_httpd-2.2.4/bin/apachectl restart

# the serverside is ready now.
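A small set of checks for the server side just configured. This is an added example, not a script from the original page; it assumes the paths, realm and host used above (override them through the environment for another host). Note that the 'chmod +r' above makes the keytab readable by every local user; the check here expects the tighter setting of owning the keytab by the user httpd runs as with mode 0400. The two last checks need MIT krb5 tools, a curl built with GSSAPI and a ticket from kinit, so they are only meaningful on the live host.

```shell
#!/bin/sh
# Added example, not from the original wiki page: sanity checks for the
# server side set up above. Paths and names default to the ones the page
# uses (assumed); override them via the environment for another host.
HTTPD_ROOT="${HTTPD_ROOT:-/opt/soft_httpd-2.2.4}"
HTTPD_CONF="${HTTPD_CONF:-$HTTPD_ROOT/conf/httpd.conf}"
HTACCESS="${HTACCESS:-$HTTPD_ROOT/htdocs/authed/.htaccess}"
KEYTAB="${KEYTAB:-$HTTPD_ROOT/http.keytab}"
AUTHED_URL="${AUTHED_URL:-http://sid64.fluxcoil.net/authed/}"

# 0 if httpd.conf loads auth_kerb_module, 1 otherwise
conf_loads_mod_auth_kerb() {
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+auth_kerb_module[[:space:]]' "$1"
}

# 0 if the .htaccess carries each directive mod_auth_kerb needs, 1 otherwise
# (Apache directive names are case-insensitive, hence grep -i)
htaccess_complete() {
    for directive in 'AuthType[[:space:]]+Kerberos' 'KrbAuthRealms' 'Krb5Keytab' 'require'; do
        grep -Eiq "^[[:space:]]*$directive" "$1" || return 1
    done
    return 0
}

# 0 if the keytab is not readable by "other", 1 if it is (or is missing).
# Column 8 of 'ls -l' is the read bit for "other".
keytab_not_world_readable() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c8)" = "-" ]
}

# 0 if klist finds an HTTP/ service principal in the keytab (needs MIT krb5)
keytab_has_http_principal() {
    klist -k "$1" 2>/dev/null | grep -q 'HTTP/'
}

# 0 if a Negotiate-authenticated GET returns 200 with the current ticket
# (needs curl with GSSAPI support and a TGT obtained with kinit)
authed_area_reachable() {
    [ "$(curl -s -o /dev/null -w '%{http_code}' --negotiate -u : "$1")" = "200" ]
}

# run every check, print one line per check, return the number of failures
run_checks() {
    failures=0
    for check in \
        "conf_loads_mod_auth_kerb $HTTPD_CONF" \
        "htaccess_complete $HTACCESS" \
        "keytab_not_world_readable $KEYTAB" \
        "keytab_has_http_principal $KEYTAB" \
        "authed_area_reachable $AUTHED_URL"; do
        if $check; then
            echo "ok   $check"
        else
            echo "FAIL $check"
            failures=$((failures + 1))
        fi
    done
    return $failures
}

# only touch the live paths when invoked as: sh check_kerb_httpd.sh --run
if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

Run it on the web server after the apachectl restart; every line should read "ok". A FAIL on keytab_not_world_readable means the keytab is still readable by all local users, a FAIL on keytab_has_http_principal means the ktadd step did not land in the file mod_auth_kerb reads.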

use from a Linux workstation

klist # check for a valid ticket (run kinit first if there is none)
firefox # start kerberized firefox
> in URL-line type 'about:config'
> in filter-line type 'network.nego'
> 'network.negotiate-auth.delegation-uris' and 'network.negotiate-auth.gsslib' should be empty
> 'network.negotiate-auth.trusted-uris' should be set to 'fluxcoil.net' or to the other domains where automatic sign-on is wanted

Now try to access http://sid64.fluxcoil.net/ and http://sid64.fluxcoil.net/authed . The latter should sign you on automatically.

use from a Windows workstation

start firefox
> in URL-line type 'about:config'
> in filter-line type 'network.nego'
> 'network.negotiate-auth.delegation-uris' and 'network.negotiate-auth.gsslib' should be empty
> 'network.negotiate-auth.trusted-uris' should be set to 'fluxcoil.net' or to the other domains where automatic sign-on is wanted
> 'network.auth.use-sspi' has to be set to false

Now try to access http://sid64.fluxcoil.net/ and http://sid64.fluxcoil.net/authed . The latter should sign you on automatically.
software/kerberos/crossrealm/9b_kerberize_apache.txt · Last modified: 2022/11/13 12:06 by 127.0.0.1