Apache kerberos authentication to Active Directory not happening. (Is KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN related?)
Solution 1:
I have used the instructions on http://www.grolmsnet.de/kerbtut/ many times because they work. For the record, you do not need to join the linux host to the AD domain, it's ok to do it but not necessary.
First of all, ensure you can kinit from the centos host to your AD realm. You can use your normal user credentials like this:
$ kinit [email protected]
(kinit is part of the krb5-workstation package in centos, by the way)
Enter your password and no news is good news. Run klist and you should see a kerberos ticket there as your AD username. If this step is not successful go back and fix your krb5.conf until it is.
Get rid of that ticket with kdestroy.
Once that works you can create a user account in AD. Ensure that it does not have to change its password and that the password does not expire.
Then we bind the service principal name (spn) HTTP/host.adrealm.tld to that useraccount using setspn.exe on a windows hosts with the management tools or in a domain controller as an admin or account with sufficient privileges:
setspn -A HTTP/host.adrealm.tld username [enter]
Registering ServicePrincipalNames for CN=username,OU=service_accounts,dc=adrealm,DC=tld
HTTP/host.adrealm.tld
Updated object
Now we can generate the keytab for this object using ktpass.exe (still in the windows management host or domain controller):
ktpass -princ HTTP/[email protected] -pass xxxxx -mapuser username -Ptype KRB5_NT_PRINCIPAL -out host_adrealm_tld.keytab [enter]
Targeting domain controller: DCname.Adrealm.tld
Successfully mapped HTTP/host.adrealm.tld to username.
Password succesfully set!
Key created.
Output keytab to host_adrealm_tld.keytab:
Keytab version: 0x502
keysize 75 HTTP/[email protected] ptype 1 (KRB5_NT_PRINCIPAL)
vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x037da0f7493b97966e4a19636304064d)
Transport that file to the centos host and place it with 640 permissions (root:apache) in /etc/httpd/conf.d/ . If selinux is enabled, run restorecon -rv /etc to eventually fix selinux contexts there.
You can verify the keytab file with:
$ klist -k -t host_adrealm_tld.keytab
Keytab name: FILE:host_adrealm_tld.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
3 01/01/70 01:00:00 HTTP/[email protected]
And you could even go one step further by using it to log on:
# kinit -k -t host_adrealm_tld.keytab -p HTTP/[email protected]
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/[email protected]
Valid starting Expires Service principal
11/04/14 21:45:41 11/05/14 07:45:41 krbtgt/[email protected]
renew until 11/05/14 21:45:41
In your dns infrastructure (probably in AD dns as well), create an A host.realm.tld pointing to the centos host (if you use samba to join the host it should have created it for you, ensure it is correct).
Ensure your centos hosts has the mod_auth_kerb installed.
Whant that is in place you edit one of the apache conf files of your (virtual) hosts for apache.
In this case, let's protect the folder http://host.adrealm.tld/topsecret:
Alias /topsecret/ "/path/to/topsecret/"
<Directory "/path/to/topsecret/">
AuthType Kerberos
KrbAuthRealms YOURAD.TLD
KrbServiceName HTTP
Krb5Keytab /etc/httpd/conf.d/host_adrealm_tld.keytab
KrbMethodNegotiate on
KrbMethodK5Passwd off
require valid-user
</Directory>
Create the topsecret folder in the filesystem of the centos host. Set a couple of dummy files in there. If you run with selinux enable, ensure that folder has the right security context for apache (if the folder is in /var/www/html it should be righ an running restorecon -rv /var/www/html will eventually fix any selinux problems).
Verify the apache2 syntax passes:
apachectl -t
If you get 'Syntax OK' with warnings about not being able to reliably determine the host fqdn, then you are good to go (you can fix that later if you want, it is not critical). Reload apache:
apachectl graceful
Verify your local firewall allows httpd connexxions.
This should be it. Now you need to configure the clients. If you already have webservers with 'Windows Authentication' in your network then you are set, go to the topsecret url and if you have a valid kerberos ticket you should see the files, otherwise you will get access denied.