software:kerberos:kerberized_apache

What is it?

Notes on setting up a Kerberized Apache httpd (MIT Kerberos KDC plus mod_auth_kerb), using two virtual machines here: one runs the KDC and httpd, the other the Kerberos client and browser.

Note: nowadays you might want to use the more modern mod_auth_gssapi instead of mod_auth_kerb.

A good overview of current authentication and authorization on the web: Jan Pazdziora, External and Federated Identities on the Web.

MIT kerberos / httpd

yum -y install krb5-server.x86_64 krb5-workstation.x86_64
sed -i 's,EXAMPLE\.COM,FLUXCOIL.NET,' /var/kerberos/krb5kdc/kdc.conf
sed -i 's,EXAMPLE\.COM,FLUXCOIL.NET,' /etc/krb5.conf

vi /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = FLUXCOIL.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 FLUXCOIL.NET = {
  kdc = rhel6b.site
  admin_server = rhel6b.site
 }

[domain_realm]
 .site = FLUXCOIL.NET
 site = FLUXCOIL.NET
----------------------------------

# create the kerberos db (-s also writes the stash file, so the KDC can start without a master password prompt)
/usr/sbin/kdb5_util create -s
# if this hangs in a VM because of missing entropy:
# log in with an additional session and run 'find /' to generate some disk I/O

echo '*/admin@FLUXCOIL.NET  *' >/var/kerberos/krb5kdc/kadm5.acl
/usr/sbin/kadmin.local -q "addprinc chorn/admin"
service krb5kdc start
service kadmin start
chkconfig krb5kdc on
chkconfig kadmin on

# check that obtaining a TGT works
kinit chorn/admin


yum install -y httpd mod_auth_kerb.x86_64
mkdir -p /var/www/html/private /etc/httpd/keytabs
echo 'welcome to public section' >/var/www/html/index.html
echo 'welcome to private section' >/var/www/html/private/index.html
cat >/etc/httpd/conf.d/private.conf <<EOT
<Location /private>
#  SSLRequireSSL
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbAuthRealms FLUXCOIL.NET
  KrbServiceName HTTP/rhel6u1b.fluxcoil.net
  Krb5KeyTab /etc/httpd/keytabs/keytab1
  require valid-user
</Location>
EOT

kadmin
> addprinc -randkey HTTP/rhel6u1b.fluxcoil.net
> ktadd -k /etc/httpd/keytabs/keytab1 HTTP/rhel6u1b.fluxcoil.net

chown apache /etc/httpd/keytabs/keytab1   # the keytab is a long-term key: it must be readable by the apache user only (mode 0600)
service httpd start
# the server side is ready now. Note that with SSLRequireSSL commented out in private.conf,
# the authenticated session itself still runs over plain HTTP; enable it once TLS is set up.

kerberos client / browser

yum -y install krb5-workstation
scp rhel6u1b:/etc/krb5.conf /etc

# setup firefox
yum -y install firefox xauth $(yum search xorg-x11-font|grep ^xorg-x11-font|sed -e 's,:.*,,')

# log out and log in again (ssh -X) so that X forwarding works now that xauth is installed

klist # check for a valid TGT; run kinit if there is none
firefox # start firefox with the ticket cache in its environment
> in the URL bar type 'about:config'
> in the filter field type 'network.nego'
> 'network.negotiate-auth.delegation-uris' and 'network.negotiate-auth.gsslib' should be empty
>   (an empty delegation-uris list means Firefox never forwards your TGT to a web server)
> 'network.negotiate-auth.trusted-uris' should be set to 'fluxcoil.net', or to whichever domains automatic sign-on is wanted for;
>   keep this list narrow, as only hosts matching it are sent a Negotiate token

Now try to access http://rhel6u1b.fluxcoil.net/ and http://rhel6u1b.fluxcoil.net/private .
The latter should sign you on automatically, without a password prompt (KrbMethodK5Passwd is Off, so there is no password fallback).

errors

[debug] src/mod_auth_kerb.c(1578): [client 192.168.4.16] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[debug] src/mod_auth_kerb.c(1213): [client 192.168.4.16] Acquiring creds for HTTP/site3.fluxcoil.net
[debug] src/mod_auth_kerb.c(1335): [client 192.168.4.16] Verifying client data using KRB5 GSS-API 
[debug] src/mod_auth_kerb.c(1351): [client 192.168.4.16] Client didn't delegate us their credential
[debug] src/mod_auth_kerb.c(1370): [client 192.168.4.16] GSS-API token of length 9 bytes will be sent back
[debug] src/mod_auth_kerb.c(1074): [client 192.168.4.16] GSS-API major_status:000d0000, minor_status:000186a4
[error] [client 192.168.4.16] gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information (, )

This appeared when name-based virtual hosts were about to be used: mod_auth_kerb acquired credentials for HTTP/site3.fluxcoil.net
(the KrbServiceName), but that did not match the key in the keytab it was given, so the browser's ticket could not be verified.
major_status 000d0000 is GSS_S_FAILURE; the minor code is the underlying krb5 error. The line "Client didn't delegate us their
credential" is only informational (the browser did not forward a TGT). Changing "KrbServiceName" to HTTP/<hostname>.fluxcoil.net
of the respective vhost and having Krb5Keytab point at the correct keytab fixed the issue.
[debug] src/mod_auth_kerb.c(1939): [client 192.168.4.21] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[debug] src/mod_auth_kerb.c(1031): [client 192.168.4.21] Using HTTP/rhel6u2b.fluxcoil.net@FLUXCOIL.NET as server principal for password verification
[debug] src/mod_auth_kerb.c(735): [client 192.168.4.21] Trying to get TGT for user chorn@FLUXCOIL.NET
[debug] src/mod_auth_kerb.c(645): [client 192.168.4.21] Trying to verify authenticity of KDC using principal HTTP/rhel6u2b.fluxcoil.net@FLUXCOIL.NET
[debug] src/mod_auth_kerb.c(660): [client 192.168.4.21] krb5_get_credentials() failed when verifying KDC
[error] [client 192.168.4.21] failed to verify krb5 credentials: KDC has no support for encryption type
[debug] src/mod_auth_kerb.c(1110): [client 192.168.4.21] kerb_authenticate_user_krb5pwd ret=401 user=(NULL) authtype=(NULL)

This appears in the password (K5Passwd) path, when the KDC does not support an encryption type of the service principal's key,
e.g. if the key is des-cbc-md5 and the KDC's /etc/krb5.conf lacks 'allow_weak_crypto = true' in the [libdefaults] section.
Setting allow_weak_crypto makes it work, but it turns broken single DES back on for that host; the better fix is to re-key the
service principal with strong enctypes (e.g. aes256-cts-hmac-sha1-96) via kadmin ktadd and leave weak crypto disabled.
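As an added example (not part of the original notes and not code from mod_auth_kerb or MIT Kerberos), here are the two checks a practitioner would run against the keytab before restarting httpd, covering both failures above: that the principal named in KrbServiceName is actually present in the keytab Krb5KeyTab points at, and that none of its keys use a weak enctype. The `klist -ke` output embedded below is a constructed sample that mirrors the hosts in these logs; the hostnames, realm and keytab path are the page's own, and the kadmin command in the comments uses the standard MIT syntax.

```shell
#!/bin/sh
# Added example, not from the original notes or from mod_auth_kerb.
# Offline checks over `klist -ke` output for the two failures discussed above:
#  1. the principal named in KrbServiceName must exist in the keytab that
#     Krb5KeyTab points at (otherwise gss_accept_sec_context() fails);
#  2. none of its keys should use a weak enctype; the fix for "KDC has no
#     support for encryption type" is to re-key, not to set allow_weak_crypto.
# SAMPLE_KLIST is a constructed sample; on a real host replace it with
#   klist -ke /etc/httpd/keytabs/keytab1

SAMPLE_KLIST='Keytab name: FILE:/etc/httpd/keytabs/keytab1
KVNO Principal
---- --------------------------------------------------------------------------
   2 HTTP/rhel6u1b.fluxcoil.net@FLUXCOIL.NET (aes256-cts-hmac-sha1-96)
   2 HTTP/rhel6u1b.fluxcoil.net@FLUXCOIL.NET (aes128-cts-hmac-sha1-96)
   3 HTTP/rhel6u2b.fluxcoil.net@FLUXCOIL.NET (aes256-cts-hmac-sha1-96)
   3 HTTP/rhel6u2b.fluxcoil.net@FLUXCOIL.NET (des-cbc-md5)'

# Single DES is refused by the KDC unless allow_weak_crypto = true;
# RC4 and triple DES are deprecated (RFC 8429) and flagged as well.
WEAK_ENCTYPES='des-cbc-crc des-cbc-md4 des-cbc-md5 des3-cbc-sha1 arcfour-hmac arcfour-hmac-exp'

# keytab_entries KLIST_OUTPUT: print "principal enctype" per key, skipping the header lines
keytab_entries() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ && NF >= 3 {
            et = $3
            gsub(/[()]/, "", et)          # "(des-cbc-md5)" -> "des-cbc-md5"
            sub(/^DEPRECATED:/, "", et)   # strip the prefix newer klist versions print
            print $2, et
        }'
}

# keytab_has_principal KLIST_OUTPUT PRINCIPAL: exit 0 if PRINCIPAL has at least one key
keytab_has_principal() {
    keytab_entries "$1" | awk -v p="$2" '$1 == p { found = 1 } END { exit !found }'
}

# weak_keys KLIST_OUTPUT: print "principal enctype" for every key with a weak enctype
weak_keys() {
    keytab_entries "$1" | while read -r princ et; do
        case " $WEAK_ENCTYPES " in
            *" $et "*) echo "$princ $et" ;;
        esac
    done
}

# check_vhost KLIST_OUTPUT SERVERNAME REALM
# returns 0 = ok, 1 = principal missing (first error above), 2 = weak keys (second error above)
check_vhost() {
    princ="HTTP/$2@$3"
    if ! keytab_has_principal "$1" "$princ"; then
        echo "MISSING: $princ not in keytab; check KrbServiceName and Krb5KeyTab" >&2
        return 1
    fi
    weak=$(weak_keys "$1" | awk -v p="$princ" '$1 == p { print $2 }')
    if [ -n "$weak" ]; then
        echo "WEAK: $princ has keys of type: $(echo "$weak" | tr '\n' ' ')" >&2
        # Re-key with strong enctypes instead of enabling allow_weak_crypto, in kadmin:
        #   ktadd -k /etc/httpd/keytabs/keytab1 -e aes256-cts-hmac-sha1-96:normal,aes128-cts-hmac-sha1-96:normal HTTP/rhel6u2b.fluxcoil.net
        # (ktadd generates new keys and bumps the kvno, so older copies of the keytab stop working)
        return 2
    fi
    echo "ok: $princ present with strong enctypes only"
    return 0
}

check_vhost "$SAMPLE_KLIST" rhel6u1b.fluxcoil.net FLUXCOIL.NET
check_vhost "$SAMPLE_KLIST" rhel6u2b.fluxcoil.net FLUXCOIL.NET || true   # weak des-cbc-md5 key
check_vhost "$SAMPLE_KLIST" site3.fluxcoil.net FLUXCOIL.NET || true      # no such principal
```

Run it as-is to see the three outcomes on the sample; on the web server, feed it `$(klist -ke /etc/httpd/keytabs/keytab1)` and the ServerName of each vhost that has a private.conf-style Location.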

activating debugging for mozilla/firefox

export NSPR_LOG_MODULES="negotiateauth:5"
export NSPR_LOG_FILE="/tmp/negotiateauth.log"
touch /tmp/negotiateauth.log
tail -f /tmp/negotiateauth.log &

firefox
software/kerberos/kerberized_apache.txt · Last modified: 2021/03/23 12:22 (external edit)