Apache kerberos authentication to Active Directory not happening. (Is KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN related?)

apache-2.2 active-directory centos windows-server-2008-r2 kerberos

Solution 1:

I have used the instructions on http://www.grolmsnet.de/kerbtut/ many times because they work. For the record, you do not need to join the linux host to the AD domain, it's ok to do it but not necessary.

First of all, ensure you can kinit from the centos host to your AD realm. You can use your normal user credentials like this:

$ kinit [email protected]

(kinit is part of the krb5-workstation package in centos, by the way)

Enter your password and no news is good news. Run klist and you should see a kerberos ticket there as your AD username. If this step is not successful go back and fix your krb5.conf until it is.

Get rid of that ticket with kdestroy.

Once that works you can create a user account in AD. Ensure that it does not have to change its password and that the password does not expire.

Then we bind the service principal name (spn) HTTP/host.adrealm.tld to that useraccount using setspn.exe on a windows hosts with the management tools or in a domain controller as an admin or account with sufficient privileges:

setspn -A HTTP/host.adrealm.tld username [enter]
Registering ServicePrincipalNames for CN=username,OU=service_accounts,dc=adrealm,DC=tld
        HTTP/host.adrealm.tld
Updated object

Now we can generate the keytab for this object using ktpass.exe (still in the windows management host or domain controller):

ktpass -princ HTTP/[email protected] -pass xxxxx -mapuser username -Ptype KRB5_NT_PRINCIPAL -out host_adrealm_tld.keytab [enter]
Targeting domain controller: DCname.Adrealm.tld
Successfully mapped HTTP/host.adrealm.tld to username.
Password succesfully set!
Key created.
Output keytab to host_adrealm_tld.keytab:
Keytab version: 0x502
keysize 75 HTTP/[email protected] ptype 1 (KRB5_NT_PRINCIPAL)
vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x037da0f7493b97966e4a19636304064d)

Transport that file to the centos host and place it with 640 permissions (root:apache) in /etc/httpd/conf.d/ . If selinux is enabled, run restorecon -rv /etc to eventually fix selinux contexts there.

You can verify the keytab file with:

$ klist -k -t host_adrealm_tld.keytab 
Keytab name: FILE:host_adrealm_tld.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/01/70 01:00:00 HTTP/[email protected]

And you could even go one step further by using it to log on:

# kinit -k -t host_adrealm_tld.keytab -p HTTP/[email protected]
# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/[email protected]

Valid starting     Expires            Service principal
11/04/14 21:45:41  11/05/14 07:45:41  krbtgt/[email protected]
    renew until 11/05/14 21:45:41

In your dns infrastructure (probably in AD dns as well), create an A host.realm.tld pointing to the centos host (if you use samba to join the host it should have created it for you, ensure it is correct).

Ensure your centos hosts has the mod_auth_kerb installed.

Whant that is in place you edit one of the apache conf files of your (virtual) hosts for apache.

In this case, let's protect the folder http://host.adrealm.tld/topsecret:

Alias /topsecret/ "/path/to/topsecret/"

<Directory "/path/to/topsecret/">

    AuthType  Kerberos
    KrbAuthRealms YOURAD.TLD
    KrbServiceName HTTP
    Krb5Keytab /etc/httpd/conf.d/host_adrealm_tld.keytab
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    require valid-user

</Directory>

Create the topsecret folder in the filesystem of the centos host. Set a couple of dummy files in there. If you run with selinux enable, ensure that folder has the right security context for apache (if the folder is in /var/www/html it should be righ an running restorecon -rv /var/www/html will eventually fix any selinux problems).

Verify the apache2 syntax passes:

apachectl -t

If you get 'Syntax OK' with warnings about not being able to reliably determine the host fqdn, then you are good to go (you can fix that later if you want, it is not critical). Reload apache:

apachectl graceful

Verify your local firewall allows httpd connexxions.

This should be it. Now you need to configure the clients. If you already have webservers with 'Windows Authentication' in your network then you are set, go to the topsecret url and if you have a valid kerberos ticket you should see the files, otherwise you will get access denied.

Related

Fibre Optic Cabling - Where to start?
Central Authentication For Windows, Linux, Network Devices
Prevent brute force attacks in Microsoft FTP Server (IIS6/7)
UFW/IPTables: how to securely allow authenticated git access with github
HAProxy - ssl client ca chain cannot be verified
MySQL is VERY slow on my ext4 file system [closed]
How to reinstall broken mysql package
StrongSwan ipsec ubuntu "ignoring informational payload, type NO_PROPOSAL_CHOSEN"
Recovering a specific job definition from an MSDB backup?
Windows file explorer using port 80 (webdav) instead of 445 (samba smb cifs) for UNC path
'More details' button pushes row of images out of line
Extract an array from a postgres json column and map it