Configuring Fedora Core 3

Resources:

  1. Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability (www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp)
  2. Red Hat Enterprise Linux 4: Reference Guide. Chapter 19. Kerberos (www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/ref-guide/ch-kerberos.html)

Prerequisite: time synchronisation. Kerberos rejects requests when the client and KDC clocks differ by more than the permitted skew (5 minutes by default), so configure the Windows DC to enable LocalNTP in the Windows Time Service (registry), configure the Linux client to use the DC as its NTP server, and synchronise the time.

Create a DNS entry for the Linux host: "lx1.internal.example.net".

Follow the instructions in the Red Hat reference guide (resource 2).

RPM packages: krb5-libs, krb5-workstation

Create the keytab. On the Windows DC (this follows the Microsoft Kerberos step-by-step guide, resource 1):

Create a user account for the Linux Kerberos client: user name "lx1", password "lx1" (the ktpass command below maps the host principal to this account).

Install the Windows 2000/2003 Support Tools. From the command line, run:

c:\Program Files\Support Tools>ktpass -princ host/lx1.internal.example.net@internal.example.net -mapuser lx1 -pass lx1 -out c:\temp\lx1.keytab

The output:

Successfully mapped host/lx1.internal.example.net to lx1.
Key created.
Output keytab to c:\temp\lx1.keytab:
Keytab version: 0x502
keysize 69 host/lx1.internal.example.net@internal.example.net ptype 1 (KRB5_NT_PRINCIPAL) vno 1 etype 0x1 (DES-CBC-CRC) keylength 8 (0x34effe75d6e616bc)
Account has been set for DES-only encryption.

Now move lx1.keytab to the Linux host as /etc/krb5.keytab, readable by root only: it contains the host's long-term key. Note that ktpass has flagged the account as DES-only and written a single DES-CBC-CRC key; that is the key the client will use, and DES is a weak cipher by today's standards.

 

 

In Linux, there is a "wizard" to configure the Kerberos client. From the shell prompt, type setup

Select Authentication configuration, Run Tool

Check Use Kerberos under Authentication, Next

Kerberos Settings

REALM: internal.example.net
KDC: dc1.internal.example.net:88
Admin Server: /blank/
[*] Use DNS to resolve hosts to realms
[ ] Use DNS to locate KDCs

Ok

Review /etc/krb5.conf and make sure it contains the realm information. Avoid typos, and put the full, correct principal name on the ktpass command line, to save yourself frustrating troubleshooting of the setup.
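As an added example (not the original notes' file), this is the /etc/krb5.conf that the wizard choices above correspond to; the section and key names are the standard MIT ones, and the admin_server line is omitted because the wizard left it blank:

```ini
# /etc/krb5.conf matching the wizard settings above (added example, not the
# page's own file). Realm and KDC names are those used throughout the page.
[libdefaults]
 default_realm = internal.example.net
 # "[*] Use DNS to resolve hosts to realms"
 dns_lookup_realm = true
 # "[ ] Use DNS to locate KDCs" - the KDC is named explicitly under [realms]
 dns_lookup_kdc = false

[realms]
 internal.example.net = {
  kdc = dc1.internal.example.net:88
  # Admin Server was left blank in the wizard, so no admin_server entry here
 }

[domain_realm]
 .internal.example.net = internal.example.net
 internal.example.net = internal.example.net
```

The realm is written in lowercase here only because that is what the page uses and what its kinit output shows; Kerberos realms are conventionally uppercase, and the name must match the KDC's realm exactly.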

 

Verify Kerberos functionality. On the Linux console:

 

[root@lx1 ~]# kinit host/lx1.internal.example.net

Password for host/lx1.internal.example.net@internal.example.net:

 

Enter the password created earlier. No error message means success: a TGT has been received. Further verification:

 

[root@lx1 ~]# klist

Ticket cache: FILE:/tmp/krb5cc_0

Default principal: host/lx1.internal.example.net@internal.example.net

 

Valid starting     Expires            Service principal

04/04/05 10:13:46  04/04/05 20:14:04  krbtgt/internal.example.net@internal.example.net

        renew until 04/05/05 10:13:46

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

 

[root@lx1 ~]# kinit AD_user_name

This returns an error if you enter the wrong password and nothing if the password is correct, so it also confirms that ordinary AD users can be authenticated from this host.

To see the communication between the Linux host and the KDC, use tethereal -f "host dc1.internal.example.net". That may be required for troubleshooting.

The system can now obtain Kerberos tickets and, once PAM is configured to use Kerberos, authenticate interactive users with it.

 

Configuring Apache

 

Resources:

  1. Providing Active Directory authentication via Kerberos protocol in Apache (http://support.microsoft.com/?id=555092)
  2. Kerberos Module for Apache (http://modauthkerb.sourceforge.net)

 

Prerequisite RPMs: the Kerberos subsystem (as above) and mod_auth_kerb

Loading the Kerberos authentication module (together with an example virtual directory configuration) is specified in /etc/httpd/conf.d/auth_kerb.conf.

 

Create the keytab for mod_auth_kerb. On the KDC:

c:\Program Files\Support Tools>ktpass -princ HTTP/lx1.internal.example.net@internal.example.net -mapuser lx1 -pass lx1 -out c:\temp\lx1http.keytab

Successfully mapped HTTP/lx1.internal.example.net to lx1.
Key created.
Output keytab to c:\temp\lx1http.keytab:
Keytab version: 0x502
keysize 69 HTTP/lx1.internal.example.net@internal.example.net ptype 1 (KRB5_NT_PRINCIPAL) vno 1 etype 0x1 (DES-CBC-CRC) keylength 8 (0x7f0b01ad4940f876)
Account has been set for DES-only encryption.

Transfer lx1http.keytab to lx1:/etc/ and rename it mod_auth_kerb.keytab.

Make sure the file is readable by the Apache worker processes, which run as the apache user and are what actually call gss_acquire_cred() on it. A keytab holds the service's long-term key, so giving read access to the apache user or group alone is tighter than making it world-readable, but the quick way is:

[root@lx1 conf]# chmod 644 /etc/mod_auth_kerb.keytab

Configure the Apache document root. Create /var/www/html/index.html and specify the following directory configuration (note that it is scoped to <Directory />, i.e. the entire filesystem; in production, restrict it to the document root or to the path you actually want to protect):

 

<Directory />
    Options FollowSymLinks
    AllowOverride None

    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbAuthRealms internal.example.net
    Krb5KeyTab /etc/mod_auth_kerb.keytab
    require valid-user
</Directory>

KrbMethodK5Passwd Off disables the Basic-auth password fallback, so only Negotiate (SPNEGO) tickets are accepted. SSL is left out for now; enable it for production.

To troubleshoot HTTP error 500, see the Apache error log (tail /etc/httpd/logs/error_log).

 

Errors:

[Mon Apr 04 12:06:05 2005] [error] [client 192.168.0.76] gss_acquire_cred() failed: Miscellaneous failure (Unsupported key table format version number): improper keytab (as in Alex's KB article, resource 1)

[Mon Apr 04 12:34:47 2005] [error] [client 192.168.0.76] gss_acquire_cred() failed: Miscellaneous failure (Permission denied): no read permission on the keytab for the apache user
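The "Unsupported key table format version number" failure above is raised when the two leading version bytes of the keytab are not ones the Kerberos library accepts. The parser below is an added example (not part of the original notes or of mod_auth_kerb) that reads an MIT-format keytab as ktpass writes it (version 0x502, big-endian) and lists each principal, name type, vno and enctype, which is a quick way to confirm that a transferred keytab is intact before Apache tries it. The sample keytab is constructed inside the block with made-up key bytes, mirroring the HTTP/ entry shown in the ktpass output above.

```python
import struct
# Enctype numbers -> names; 1 is the DES-CBC-CRC key that ktpass produced above.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _counted(buf, off):
    """Read one uint16-length-prefixed string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return bytes(buf[off + 2:off + 2 + n]), off + 2 + n

def parse_keytab(data):
    """Parse an MIT keytab (format 0x502, big-endian) into a list of entry dicts."""
    if len(data) < 2 or data[0] != 0x05 or data[1] != 0x02:
        # This is the condition behind "Unsupported key table format version number".
        raise ValueError("unsupported keytab format version 0x" + bytes(data[:2]).hex())
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:  # negative size = deleted slot of that length; zero = corrupt
            if size == 0:
                raise ValueError("zero-length keytab entry")
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, p = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp.decode())
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, p)
        enctype, klen = struct.unpack_from(">HH", data, p + 9)
        p += 13 + klen  # step over the key bytes themselves
        vno32 = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else 0
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "vno": vno32 or vno8,
                        "enctype": ENCTYPES.get(enctype, str(enctype)), "keylength": klen})
        off = end
    return entries

def build_keytab(principal, key, enctype=1, name_type=1, vno=1, version=0x02):
    """Construct a one-entry keytab in the 0x502 layout (test data; key is made up)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", name_type, 0, vno & 0xFF, enctype, len(key)) + key
    return bytes([0x05, version]) + struct.pack(">i", len(body) + 4) + body + struct.pack(">I", vno)

SAMPLE = build_keytab("HTTP/lx1.internal.example.net@internal.example.net", b"\x01" * 8)  # constructed
```

Run parse_keytab on the bytes of /etc/mod_auth_kerb.keytab to check that the HTTP/ principal, realm and vno are what ktpass printed; a version error from it points at the first error above, while a permissions error when opening the file points at the second.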

 

Note that this is authentication only: the module establishes who the user is, and you must still enforce authorisation in the web application code.

 

The configuration works for both password and smart card Windows users.