CentOS 5.2 – Apache – Kerberos / Active Directory Authentication

Linux and Windows Active Directory (AD) integration has come a long way since 2000. It is now quite easy to take advantage of Kerberos for managing authentication at the host level (user logins and such). Surprisingly, it's just as easy to do the same in Apache now.

This posting will walk you through the steps needed to configure and test authentication against a valid AD user.

Prerequisites

It is assumed the following prerequisites are in place:

  • CentOS 5.2 Server – fully updated
  • Apache, Kerberos, and supporting packages installed
  • Samba configured as member server (net ads join has been successfully performed)
  • Windows Server 2003 R2 or 2008 SP1 with UNIX Identity Management extensions installed
  • Kerberos working (kinit as an AD user properly authenticates and klist shows tickets)

If possible, test this from a freshly installed machine. In this example, the following servers and realms will be referenced:

AD Server       dc01.example.com
Linux Server    www.example.com
Computer Object www
Kerberos Realm  EXAMPLE.COM

Creating the SPN

Kerberos uses a service principal name (SPN) for each service available on the host. For a server that can authenticate against AD, this will include at least the HOST principal. From the AD server, issue the setspn command to view the SPNs currently assigned to www.example.com (use the computer object name, www, not the FQDN):

C:\>setspn -L www
Registered ServicePrincipalNames for CN=www,CN=Computers,DC=example,DC=com:
        HOST/www
        HOST/www.example.com

Now, as root on www, issue the command to create the HTTP SPN (the net command is provided by the Samba packages; make sure they are installed even if Samba is not otherwise used):

[root@www /]# net ads keytab add HTTP -U administrator
Processing principals to add...
administrator's password: *******

The -U option supplies an account with Domain Admin privileges. This step has added the SPN, which we'll see in AD, and it has also updated the local keytab file /etc/krb5.keytab with keys for the new HTTP principal.

To verify the SPN has been created properly, issue the same setspn command and confirm there are entries for HTTP. It should look something like this:

C:\>setspn -L www
Registered ServicePrincipalNames for CN=www,CN=Computers,DC=example,DC=com:
        HTTP/www
        HTTP/www.example.com
        HOST/www
        HOST/www.example.com
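setspn confirms what AD knows about; what mod_auth_kerb actually needs is the matching key in the local keytab, which klist -kt lists. The following is an added example (not part of the original post) of a POSIX shell check that parses a klist -kt listing and confirms both HTTP principals for the realm are present. The listing below is constructed to match the host names and realm used in this walk-through; the function names are my own.

```shell
#!/bin/sh
# Added example: verify that a keytab listing contains the HTTP service
# principals mod_auth_kerb needs. Reads `klist -kt` output on stdin.

# keytab_has_principal PRINCIPAL
# Succeeds (exit 0) if an exact, case-sensitive principal match is present.
# The principal is the last whitespace-separated field of each data row; the
# header and ruler lines never equal a principal string, so they are ignored.
keytab_has_principal() {
    awk -v p="$1" '$NF == p { found = 1 } END { exit found ? 0 : 1 }'
}

# check_http_spns FQDN REALM
# Reads a klist -kt listing from stdin and reports whether HTTP/FQDN@REALM and
# the short-name HTTP/host@REALM entries (both written by `net ads keytab add HTTP`)
# are present. Returns 1 if either is missing.
check_http_spns() {
    fqdn="$1"; realm="$2"
    short="${fqdn%%.*}"
    listing=$(cat)
    rc=0
    for svc in "HTTP/$fqdn@$realm" "HTTP/$short@$realm"; do
        if printf '%s\n' "$listing" | keytab_has_principal "$svc"; then
            echo "ok:      $svc"
        else
            echo "MISSING: $svc"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of `klist -kt /etc/krb5.keytab` after the net ads step.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 03/25/09 15:06:01 host/www.example.com@EXAMPLE.COM
   2 03/25/09 15:06:01 host/www@EXAMPLE.COM
   2 03/25/09 15:06:01 HTTP/www.example.com@EXAMPLE.COM
   2 03/25/09 15:06:01 HTTP/www@EXAMPLE.COM'

# Constructed sample of a keytab as left by `net ads join` alone (host keys only).
SAMPLE_HOST_ONLY='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 03/25/09 14:01:10 host/www.example.com@EXAMPLE.COM
   2 03/25/09 14:01:10 host/www@EXAMPLE.COM'

# Demonstration on the constructed listing. On the real server run:
#   klist -kt /etc/krb5.keytab | check_http_spns www.example.com EXAMPLE.COM
printf '%s\n' "$SAMPLE_KEYTAB_LISTING" | check_http_spns www.example.com EXAMPLE.COM
```

The match is deliberately exact: Kerberos principal names are case-sensitive, so a keytab that only holds http/www.example.com (lowercase) would not satisfy a client requesting HTTP/www.example.com, and this check reports it as missing.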

Configure Apache

Make sure the package mod_auth_kerb is installed. This creates the configuration file /etc/httpd/conf.d/auth_kerb.conf, which loads the Kerberos module and provides a commented-out example (which we'll use). First, because httpd runs as the apache user, we need to copy the keytab file and change its ownership and permissions so that only apache can read it. I've placed it at the default path specified in the auth_kerb.conf file:

[root@www /]# cp /etc/krb5.keytab /etc/httpd/conf/keytab
[root@www /]# ls -l /etc/httpd/conf
total 64
-rw-r--r-- 1 root   root   33760 Mar 25 14:01 httpd.conf
---------- 1 root   root    1321 Mar 25 15:06 keytab
-rw-r--r-- 1 root   root   12958 Nov 12 10:43 magic
[root@www /]# chown apache.apache /etc/httpd/conf/keytab
[root@www /]# chmod 400 /etc/httpd/conf/keytab
[root@www /]# ls -l /etc/httpd/conf
total 64
-rw-r--r-- 1 root   root   33760 Mar 25 14:01 httpd.conf
-r-------- 1 apache apache  1321 Mar 25 15:06 keytab
-rw-r--r-- 1 root   root   12958 Nov 12 10:43 magic

Create an Apache Location for Testing

Now modify the "private" location: uncomment the directives and set them for your realm. SSLRequireSSL is left commented out here only so the test in the next section can be done over plain HTTP; for anything beyond a test, keep the module's own advice and serve this location over SSL:

[root@www /]# vi /etc/httpd/conf.d/auth_kerb.conf

# The mod_auth_kerb module implements Kerberos authentication over
# HTTP, following the "Negotiate" protocol.
#
LoadModule auth_kerb_module modules/mod_auth_kerb.so
#
# Sample configuration: Kerberos authentication must only be
# used over SSL to prevent replay attacks.  The keytab file
# configured must be readable only by the "apache" user, and
# must contain service keys for "HTTP/www.example.com", where
# "www.example.com" is the FQDN of this server.
#

<Location /private>
#  SSLRequireSSL
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd On
  KrbAuthRealms EXAMPLE.COM
  Krb5KeyTab /etc/httpd/conf/keytab
  require valid-user
</Location>

Create the directory (/var/www/html/private) and a test HTML file in it (index.html). Restart httpd and navigate to the URL (http://www.example.com/private/index.html). You should be prompted for credentials, and a valid AD username and password should get you in. A side benefit is that when logged into a domain workstation (e.g., Windows XP, Vista, etc.), Internet Explorer will use your existing Kerberos credentials to authenticate without prompting.

Uses

For production use, any application or web service that can use Apache's authentication mechanisms should work. Take care to understand that even if you enter a short username, the realm will be appended to it. In this example, the username gadams would appear as gadams@EXAMPLE.COM in the log files and, most likely, in the REMOTE_USER value presented to the application behind Apache.
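An application that wants the bare username has to strip that realm, and it should only do so when the realm is the one the site was configured for, not whatever happens to follow the @. The following is an added example (not from the original post) in POSIX shell: a guard that returns the local username only for principals in the expected realm, and a small reader that pulls the authenticated users out of combined-format access log lines. The log lines and the user jsmith are constructed for the example; gadams and EXAMPLE.COM are the values used in this walk-through.

```shell
#!/bin/sh
# Added example: handle the realm-qualified REMOTE_USER that mod_auth_kerb
# presents (e.g. gadams@EXAMPLE.COM) without trusting an unexpected realm.

# local_user PRINCIPAL EXPECTED_REALM
# Prints the bare username only when the principal carries exactly the
# expected realm (realm comparison is case-sensitive, as Kerberos realms are).
# Returns 1 and prints nothing for: no realm, a different realm, an empty user
# part, a nested '@', or a service-style name containing '/'.
local_user() {
    p="$1"; want="$2"
    case "$p" in
        *@*) ;;
        *)   return 1 ;;
    esac
    user="${p%@*}"      # strip the last '@realm'
    realm="${p##*@}"    # keep only the part after the last '@'
    [ "$realm" = "$want" ] || return 1
    case "$user" in
        ""|*@*|*/*) return 1 ;;
    esac
    printf '%s\n' "$user"
}

# users_in_log EXPECTED_REALM
# Reads combined-format access log lines on stdin (third field is the
# authenticated user, "-" when none) and prints one bare username per line,
# skipping anonymous requests and principals from any other realm.
users_in_log() {
    want="$1"
    awk '{ print $3 }' | while read -r remote_user; do
        [ "$remote_user" = "-" ] && continue
        local_user "$remote_user" "$want" || true
    done
}

# Constructed access log excerpt: one 401 challenge, two users from the site's
# realm, and one principal from a different realm to show the guard in action.
SAMPLE_ACCESS_LOG='10.0.0.5 - - [25/Mar/2009:15:30:10 -0500] "GET /private/index.html HTTP/1.1" 401 401
10.0.0.5 - gadams@EXAMPLE.COM [25/Mar/2009:15:30:12 -0500] "GET /private/index.html HTTP/1.1" 200 12
10.0.0.7 - jsmith@EXAMPLE.COM [25/Mar/2009:15:31:02 -0500] "GET /private/index.html HTTP/1.1" 200 12
10.0.0.9 - gadams@CORP.EXAMPLE.NET [25/Mar/2009:15:32:45 -0500] "GET /private/index.html HTTP/1.1" 200 12'

# Demonstration: prints "gadams" and "jsmith"; the CORP.EXAMPLE.NET entry is dropped.
printf '%s\n' "$SAMPLE_ACCESS_LOG" | users_in_log EXAMPLE.COM
```

Inside a CGI or similar handler the same guard is `local_user "$REMOTE_USER" EXAMPLE.COM`; if it prints nothing, treat the request as unauthenticated rather than falling back to the raw string.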

Credit

I'd like to thank Scott Lowe for all the articles he has done on Linux / AD / Kerberos integration, and this article, which was where I started my CentOS / Apache / Kerberos / AD journey. His article covers all the basics, but a lot has changed (for the better) since 2006. Thanks Scott!

2 comments to CentOS 5.2 – Apache – Kerberos / Active Directory Authentication

  • lunatic

    Great! I was looking for this since Christmas. Nice work and kudos for you and Scott Lowe. I'll bookmark this site in order to enjoy such a valuable effort. Thanks!

  • ubuntu

    How do you restrict group access? I want to make sure that only certain people in AD access the site and not ALL users, since the example described above grants access to all users with "require valid-user". I know with LDAP you can use "require ldap-group", but what is the equivalent for Kerberos?
