Systems/Services/Kerberos: Difference between revisions

From Pumping Station One
Browse history interactively
← Older editNewer edit →
VisualWikitext
Line 36: Line 36:
         ad.pumpingstationone.org = AD.PUMPINGSTATIONONE.ORG
         ad.pumpingstationone.org = AD.PUMPINGSTATIONONE.ORG
         .ad.pumpingstationone.org = AD.PUMPINGSTATIONONE.ORG
         .ad.pumpingstationone.org = AD.PUMPINGSTATIONONE.ORG
</pre>
== Apache SSO ==
Setting up the keytab:
<pre>
msktutil -u -s HTTP --server bob
cp  /etc/krb5.keytab /usr/local/etc/apache24/krb5.keytab
ktutil -k /usr/local/etc/apache24/krb5.keytab remove -p rack\$
ktutil -k /usr/local/etc/apache24/krb5.keytab remove -p host/rack.ad.pumpingstationone.org
chown www /usr/local/etc/apache24/krb5.keytab
<pre>
Configure Auth:
<pre>
            Authtype Kerberos
            AuthName "AD.PUMPINGSTATIONONE.ORG"
            KrbAuthoritative on
            KrbServiceName  HTTP/rack.ad.pumpingstationone.org
            Krb5Keytab /usr/local/etc/apache24/krb5.keytab
            KrbAuthRealms AD.PUMPINGSTATIONONE.ORG
            KrbMethodk5Passwd on
            KrbMethodNegotiate on
            Require valid-user
</pre>
</pre>

Revision as of 13:25, 20 September 2014

Kerberos

The kerberos realm is a part of the Samba AD implementation, the realm name is AD.PUMPINGSTATIONONE.ORG.



PS1 Kerberos Client config:

/etc/krb5.conf 

[libdefaults]
        default_realm = AD.PUMPINGSTATIONONE.ORG
        ticket_lifetime = 24h
        forwardable = yes
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        verify_ap_req_nofail = false
        check_pac = no
        kdc_timeout = 2
        max_retries = 1
        dns_lookup_realm = false

[realms]
        AD.PUMPINGSTATIONONE.ORG = {
                default_domain = ad.pumpingstationone.org
                kdc = bob.ad.pumpingstationone.org
                kdc = dc01.ad.pumpingstationone.org
                admin = bob.pumpingstationone.org
        }

[domain_realms]
        ad.pumpingstationone.org = AD.PUMPINGSTATIONONE.ORG
        .ad.pumpingstationone.org = AD.PUMPINGSTATIONONE.ORG

Apache SSO

Setting up the keytab: 

msktutil -u -s HTTP --server bob
cp  /etc/krb5.keytab /usr/local/etc/apache24/krb5.keytab
ktutil -k /usr/local/etc/apache24/krb5.keytab remove -p rack\$
ktutil -k /usr/local/etc/apache24/krb5.keytab remove -p host/rack.ad.pumpingstationone.org
chown www /usr/local/etc/apache24/krb5.keytab
<pre>

Configure Auth:
<pre>
            Authtype Kerberos
            AuthName "AD.PUMPINGSTATIONONE.ORG"
            KrbAuthoritative on
            KrbServiceName  HTTP/rack.ad.pumpingstationone.org
            Krb5Keytab /usr/local/etc/apache24/krb5.keytab
            KrbAuthRealms AD.PUMPINGSTATIONONE.ORG
            KrbMethodk5Passwd on
            KrbMethodNegotiate on
            Require valid-user
Retrieved from "https://ps1.mywikis.net/w/index.php?title=Systems/Services/Kerberos&oldid=19389"
Powered by MediaWiki
Powered by Semantic MediaWiki