Authenticating Apache HTTP Server 2.4.x with mod_auth_gssapi using Microsoft Active Directory

Solution 1:

I managed to make GSSAPI work using the following tutorial: http://www.jfcarter.net/~jimc/documents/bugfix/41-auth-kerb.html

What I did (I'm on Debian)

Join the domain

Install packages:

apt-get install --no-install-recommends winbind smbclient krb5-config krb5-user libldap-common

In /etc/krb5.conf:

[libdefaults]
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    fcc-mit-ticketflags = true

    ### My changes ###
    default_realm = MY-DOMAIN.FR
    default_keytab_name = FILE:/etc/krb5.keytab
    ticket_lifetime = 24h
    dns_lookup_realm = false
    dns_lookup_kdc = false
    # AD in 2008+? Using AES
    # (rc4-hmac and the des-cbc-* types are deprecated enctypes; keep them only if
    #  a KDC or client in your domain still cannot do AES)
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    ### end ###

[realms]
    MY-DOMAIN.FR = {
        kdc = ad1.my-domain.fr
        kdc = ad2.my-domain.fr
        master_kdc = ad1.my-domain.fr
        admin_server = ad1.my-domain.fr
        default_domain = my-domain.fr
        # Hack to remove the '@my-domain.fr' part of the user login, to keep only the prefix (optional; used to simplify my PHP auth mechanism)
        # Source: http://comp.protocols.kerberos.narkive.com/57JV8mmf/libapache2-mod-auth-kerb-and-cross-realm
        #       (Greg Hudson)
        auth_to_local = RULE:[1:$1@$0](.*@my-domain.fr)s/@my-domain.fr$//
        auth_to_local = DEFAULT
    }

[domain_realm]
    .my-domain.fr = MY-DOMAIN.FR
    my-domain.fr = MY-DOMAIN.FR

In /etc/samba/smb.conf:

[global]
    workgroup           = MY-DOMAIN
    realm               = MY-DOMAIN.FR
    security            = ADS
    encrypt passwords   = yes
    password server     = ad1.my-domain.fr
    kerberos method     = system keytab

(the rest of the file is unmodified)

Disable referrals for LDAP calls:

/bin/echo 'REFERRALS off' >> /etc/ldap/ldap.conf

Join the domain:

kinit administrateur
  # (use an AD admin account)
net ads join -U administrateur createcomputer=OU=Member\ servers,DC=my-domain,DC=fr
  # (specify where you want to store the computer object in your AD;
  #  I translated the name into English, so 'Member Servers' is just an example)

Keytab for http

Create a keytab in /etc/krb5.keytab:

net ads keytab add HTTP -U administrateur

Protect it (in my case, www-data is the Unix user that serves the web pages):

chmod 640 /etc/krb5.keytab
chown root:www-data /etc/krb5.keytab

I added a cron job to renew this keytab once a day. I'm not sure it is still needed, but on previous versions of Debian I had some bugs when the file was outdated, so I wrote an Expect script that runs net ads keytab add HTTP -U my-linux.ad-account for me. It is still there :)

Configure Apache

Get GSSAPI for Apache:

apt-get install --no-install-recommends libapache2-mod-auth-gssapi

Activate session cookies (to avoid re-authenticating the user on each page) - optional

a2enmod session
a2enmod session_cookie

In your Apache site config (e.g. /etc/apache2/sites-available/000-default.conf):

<VirtualHost *:443>
    SSLEngine on
    DocumentRoot /your/web/root

    <Directory /your/web/root>
        AuthType                GSSAPI
        AuthName                "My Domain"
        GssapiCredStore         keytab:/etc/krb5.keytab
        GssapiAcceptorName      HTTP
        GssapiBasicAuth         On
        GssapiNegotiateOnce     On
        GssapiSSLonly           On
        GssapiLocalName         On
        # Use a cookie to keep the session and avoid re-authenticating the user on each page
        # (optional)
        GssapiUseSessions       On
        # Where delegated client credentials are stored; the directory must exist
        # and be writable by the Apache user (www-data here)
        GssapiDelegCcacheDir    /run/apache2/clientcaches
        <IfModule mod_session.c>
            Session on
        </IfModule>
        <IfModule mod_session_cookie.c>
            SessionCookieName gssapi_session path=/;httponly;secure;
        </IfModule>

        Require valid-user
    </Directory>

    ....
</VirtualHost>

Restart Apache and pray

service apache2 restart

I hope I didn't forget anything.

Footnotes: the web clients won't delegate their credentials (and the SSO will not work) if:

  • your web server is not served over TLS (SSLEngine on)
  • your web server is not in the clients' trusted sites ("Intranet Sites" in your Internet settings, for example)
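As an added example (not part of the answer above, nor of mod_auth_gssapi or Samba): a small check to run after the join and the `net ads keytab add HTTP` step, before "restart Apache and pray". It parses the output of `klist -kte /etc/krb5.keytab` and the enctype lines of /etc/krb5.conf, and reports whether the HTTP/<fqdn>@<REALM> key that the Apache acceptor needs is there with an AES enctype, whether stale KVNOs or deprecated DES/RC4 keys are lying around, and whether the krb5.conf enctype lists still allow rc4/des. The host name web1.my-domain.fr, the sample `klist` output and the file paths are assumptions made for the demonstration; the krb5.conf sample repeats the enctype lines from the answer with an AES-only `permitted_enctypes` beside them.

```python
"""Post-join check for a mod_auth_gssapi keytab (added example, not from the answer).

Assumes MIT `klist -kte` output format and the host/realm of the demonstration.
"""
import re
import subprocess
import sys
from collections import namedtuple

Entry = namedtuple("Entry", "kvno principal enctype")

# DES (RFC 6649) and RC4/3DES (RFC 8429) are deprecated Kerberos enctypes.
WEAK_ENCTYPE_RE = re.compile(r"des-|des3|arcfour|rc4", re.IGNORECASE)
STRONG_ENCTYPE_RE = re.compile(r"^aes(128|256)-cts", re.IGNORECASE)

# One entry line of MIT `klist -kte`: KVNO, timestamp, principal, (enctype).
# MIT 1.17+ prefixes deprecated enctypes with "DEPRECATED:".
KLIST_LINE_RE = re.compile(r"^\s*(\d+)\s+(.*?)\s*(\S+@\S+)\s+\((?:DEPRECATED:)?([^)]+)\)")

ENCTYPE_SETTINGS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")


def parse_klist(text):
    """Turn `klist -kte` output into Entry tuples; header/separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = KLIST_LINE_RE.match(line)
        if m:
            entries.append(Entry(int(m.group(1)), m.group(3), m.group(4)))
    return entries


def check_service_key(entries, fqdn, realm, service="HTTP"):
    """Report on the keys for service/fqdn@realm, the name the browser asks the KDC for.

    Principal names are case-sensitive: fqdn is the lowercase host name clients
    put in the URL, realm the uppercase AD realm.
    """
    spn = f"{service}/{fqdn}@{realm}"
    keys = [e for e in entries if e.principal == spn]
    return {
        "principal": spn,
        "present": bool(keys),
        "strong": any(STRONG_ENCTYPE_RE.match(e.enctype) for e in keys),
        "weak": sorted({e.enctype for e in keys if WEAK_ENCTYPE_RE.search(e.enctype)}),
        # Several KVNOs = old keys left behind by a re-run of `net ads keytab add`
        # or a machine password change. Harmless; a ticket for a KVNO that is
        # *missing* is what fails (KRB5KRB_AP_ERR_BADKEYVER).
        "kvnos": sorted({e.kvno for e in keys}),
    }


def audit_enctype_settings(conf_text):
    """Map each krb5.conf enctype setting to the deprecated enctypes it lists."""
    findings = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, value = line.partition("=")
        if sep and key.strip() in ENCTYPE_SETTINGS:
            findings[key.strip()] = [t for t in value.split() if WEAK_ENCTYPE_RE.search(t)]
    return findings


def report(entries, conf_text, fqdn, realm):
    """Print the findings; return 0 only if the HTTP key is present, AES, and nothing weak remains."""
    svc = check_service_key(entries, fqdn, realm)
    enc = audit_enctype_settings(conf_text)
    print(f"{svc['principal']}: present={svc['present']} aes={svc['strong']} "
          f"kvnos={svc['kvnos']} weak_keys={svc['weak']}")
    for setting, weak in enc.items():
        print(f"{setting}: {'deprecated ' + ' '.join(weak) if weak else 'ok'}")
    ok = svc["present"] and svc["strong"] and not svc["weak"] and not any(enc.values())
    return 0 if ok else 1


# Constructed sample of `klist -kte` after `net ads keytab add HTTP`, with one
# stale KVNO and two deprecated keys so the report has something to flag.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/15/2024 10:22:31 WEB1$@MY-DOMAIN.FR (aes256-cts-hmac-sha1-96)
   3 02/14/2024 09:01:12 WEB1$@MY-DOMAIN.FR (aes256-cts-hmac-sha1-96)
   3 02/14/2024 09:01:12 host/web1.my-domain.fr@MY-DOMAIN.FR (aes256-cts-hmac-sha1-96)
   2 01/15/2024 10:22:31 HTTP/web1.my-domain.fr@MY-DOMAIN.FR (aes256-cts-hmac-sha1-96)
   3 02/14/2024 09:01:12 HTTP/web1.my-domain.fr@MY-DOMAIN.FR (aes256-cts-hmac-sha1-96)
   3 02/14/2024 09:01:12 HTTP/web1.my-domain.fr@MY-DOMAIN.FR (aes128-cts-hmac-sha1-96)
   3 02/14/2024 09:01:12 HTTP/web1.my-domain.fr@MY-DOMAIN.FR (arcfour-hmac)
   3 02/14/2024 09:01:12 HTTP/web1.my-domain.fr@MY-DOMAIN.FR (DEPRECATED:des-cbc-md5)
"""

# The enctype lines from the krb5.conf of the answer, plus an AES-only permitted list.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""

if __name__ == "__main__":
    # Usage: verify_keytab.py [fqdn realm [keytab [krb5.conf]]]
    # Without arguments the constructed sample above is checked.
    if len(sys.argv) >= 3:
        fqdn, realm = sys.argv[1], sys.argv[2]
        keytab = sys.argv[3] if len(sys.argv) > 3 else "/etc/krb5.keytab"
        conf_path = sys.argv[4] if len(sys.argv) > 4 else "/etc/krb5.conf"
        klist_out = subprocess.run(["klist", "-kte", keytab], check=True,
                                   capture_output=True, text=True).stdout
        with open(conf_path) as f:
            conf = f.read()
    else:
        fqdn, realm, klist_out, conf = "web1.my-domain.fr", "MY-DOMAIN.FR", SAMPLE_KLIST, SAMPLE_KRB5_CONF
    sys.exit(report(parse_klist(klist_out), conf, fqdn, realm))
```

Run it as root or as www-data, since the keytab is mode 640 root:www-data after the chmod/chown above; a non-zero exit means either the HTTP SPN key is missing (clients will see a Negotiate failure rather than SSO), or deprecated enctypes are still present in the keytab or in krb5.conf. If the report shows a stale KVNO, re-running `net ads keytab add HTTP` does not remove old keys; use `net ads keytab create` to rebuild the file from the current machine credentials.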