Systems/Services/Kerberos: Difference between revisions
From Pumping Station One
Latest revision as of 16:20, 13 September 2020
Warning: This information is out of date. Up-to-date IT information can be found on the IT Infrastructure page.
Kerberos
The Kerberos realm is part of the Samba AD implementation; the realm name is AD.PUMPINGSTATIONONE.ORG.
PS1 Kerberos client config:
/etc/krb5.conf
[libdefaults]
default_realm = AD.PUMPINGSTATIONONE.ORG
ticket_lifetime = 24h
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# false: do not fail login if the TGT cannot be verified against a local host keytab
verify_ap_req_nofail = false
check_pac = no
kdc_timeout = 2
max_retries = 1
dns_lookup_realm = false
[realms]
AD.PUMPINGSTATIONONE.ORG = {
  default_domain = ad.pumpingstationone.org
  kdc = bob.ad.pumpingstationone.org
  kdc = dc01.ad.pumpingstationone.org
  # the krb5.conf key for the admin server is admin_server, not admin
  admin_server = bob.pumpingstationone.org
}
# the section name is domain_realm (singular); a misspelled section is silently ignored
[domain_realm]
ad.pumpingstationone.org = AD.PUMPINGSTATIONONE.ORG
.ad.pumpingstationone.org = AD.PUMPINGSTATIONONE.ORG
Apache SSO
Note: Replace 'rack' with the host name of the server.
Setting up the keytab:
# fetch an HTTP/ service key for this host from the DC into /etc/krb5.keytab
msktutil -u -s HTTP --server bob
# give Apache its own copy ...
cp /etc/krb5.keytab /usr/local/etc/apache24/krb5.keytab
# ... and strip the machine-account and host keys so only the HTTP/ key is readable by www
ktutil -k /usr/local/etc/apache24/krb5.keytab remove -p rack\$
ktutil -k /usr/local/etc/apache24/krb5.keytab remove -p host/rack.ad.pumpingstationone.org
chown www /usr/local/etc/apache24/krb5.keytab
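The Apache keytab above is a copy of the host keytab with the machine-account and host principals removed, so the only key the www user should be able to read is HTTP/rack.ad.pumpingstationone.org. The following script is an added example and not part of the wiki page: it parses the keytab file format and reports any other principal left in the copy. The sample keytab, its zero-filled keys and the function names are constructed for this example.

```python
import struct

# Keytab format (version 0x0502, big-endian): 2-byte version, then entries of
# [int32 size][uint16 ncomp][realm][components...][uint32 name_type][uint32 timestamp]
# [uint8 vno8][uint16 enctype][key][uint32 vno]; strings carry a uint16 length prefix.
REALM, HOST = "AD.PUMPINGSTATIONONE.ORG", "rack.ad.pumpingstationone.org"

def _cstr(raw: bytes) -> bytes:
    return struct.pack(">H", len(raw)) + raw

def build_keytab(entries):
    """Build a keytab from (principal, kvno, enctype, key) tuples; constructed test data only."""
    out = b"\x05\x02"
    for princ, kvno, etype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type, timestamp, vno8
        body += struct.pack(">H", etype) + _cstr(key) + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out

def keytab_principals(data: bytes):
    """Return the principal names in a keytab; a negative size marks a deleted slot."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, found = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:
            (ncomp,) = struct.unpack_from(">H", data, pos)
            pos, strings = pos + 2, []                      # realm first, then components
            for _ in range(ncomp + 1):
                (n,) = struct.unpack_from(">H", data, pos)
                strings.append(data[pos + 2:pos + 2 + n].decode())
                pos += 2 + n
            found.append("/".join(strings[1:]) + "@" + strings[0])
        pos = end                                           # skip key material and vno
    return found

def unexpected_principals(data: bytes):
    """Anything but HTTP/<host>@<REALM> should not be in the keytab the www user can read."""
    return [p for p in keytab_principals(data) if p != f"HTTP/{HOST}@{REALM}"]

# Constructed sample of /etc/krb5.keytab after msktutil: machine account, host and HTTP
# keys (dummy zero key bytes). The Apache copy should keep only the last one.
SAMPLE = [(f"{p}@{REALM}", 2, 18, b"\x00" * 32) for p in ("rack$", f"host/{HOST}", f"HTTP/{HOST}")]
SYSTEM_KEYTAB, APACHE_KEYTAB = build_keytab(SAMPLE), build_keytab(SAMPLE[2:])
```

To check a real file, pass `open("/usr/local/etc/apache24/krb5.keytab", "rb").read()` to `unexpected_principals`; an empty list means only the HTTP/ key remains.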
Configure Auth:
<Location />
  AuthType Kerberos
  AuthName "AD.PUMPINGSTATIONONE.ORG"
  KrbAuthoritative on
  KrbServiceName HTTP/rack.ad.pumpingstationone.org
  Krb5Keytab /usr/local/etc/apache24/krb5.keytab
  KrbAuthRealms AD.PUMPINGSTATIONONE.ORG
  # K5Passwd allows a Basic-auth password fallback (checked against the KDC) when the client cannot do Negotiate
  KrbMethodK5Passwd on
  KrbMethodNegotiate on
  Require valid-user
</Location>
SSH SSO
To enable Kerberos SSO for your SSH client, add the following lines to ~/.ssh/config:
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
PreferredAuthentications gssapi-with-mic,publickey,keyboard-interactive,password