Kerberos/Kerberos and Debian

From Authentication Tools for Joomla! (JAuthTools)

Pasamio

Revision as of 02:18, 28 October 2008

This guide covers Windows Server 2003 and Debian 4.0 configuration. Please note that there are known issues with 2003 SP1; I suggest upgrading to SP2/R2 where possible to resolve these issues before you start. Alternatively, look at the Kerberos page and follow the links mentioning 2003 SP1 issues. If you want to continue with 2003 SP1, consult Microsoft KB 919557. If you have issues you may wish to look at the [Kerberos/Troubleshooting|Kerberos Troubleshooting] page to see if your specific error is listed. Active Directory has a habit of being case sensitive for some interfaces (typically non-MS ones) and very forgiving of case in others (typically MS tools). Case is always important, so make sure that everything is typed exactly as shown.


Before we begin

Terminology

The following terms are more or less equivalent and may be used interchangeably. Some are placeholders for values you need to substitute; for reference they are all listed here:

Kerberos realm: Active Directory Domain or Active Directory Site; typically this means writing the site name in capitals, see below
REALM: your AD realm, typically your DNS site name all in capitals; in this case it's SITE3.DIGITALPAPER.HOMELINUX.NET
SERVERNAME: substitute this with the name of your Linux server
FQDN: the fully qualified domain name; you may need to fill this in for specific commands

Where possible, items requiring replacement are marked in bold.

AD Domain Setup

The setup in this case is somewhat unusual. There are two servers, one called "pie" (Debian 4.0) and another called "notpie" (Windows 2003). "notpie" has the AD site "site3.digitalpaper.homelinux.net" assigned to it, and its DNS also contains entries for the digitalpaper.homelinux.net domain. "pie" is not a member of the domain and is not actually in the same subdomain. For reference:

Server Name   FQDN                                      IP address
notpie        notpie.site3.digitalpaper.homelinux.net   192.168.1.20
pie           pie.digitalpaper.homelinux.net            192.168.1.10

We want to authenticate requests to Apache on pie from clients in the Kerberos realm SITE3.DIGITALPAPER.HOMELINUX.NET (the site name all in caps) in a way that doesn't require a password, or that uses their domain logins. A noble goal, and for bonus marks we're mixing our domains around a bit.

From this point, I'm going to assume that the above is set up already and working properly.

Linux box setup

I'm assuming you have a working Debian 4.0 machine with Apache 2 up and running. Some of the instructions are specific to Apache 2; if you are using Apache 1 you will likely need to modify them slightly (possibly removing the "2"). The machine should have an IP address and DNS hostname assigned to it, either in the Active Directory Domain Controller's DNS server or in a DNS server that both machines use. For the purposes of this tutorial we are going to assume that your domain controller is your DNS server and that your Linux server exists in its DNS properly. We only have two machines, the Linux box and the domain controller, so if your setup is different, some of the values used may not meet this assumption. You will have to change them where necessary.

No matter where your DNS is located, you will need to ensure that forward and reverse lookups for the Linux box are working properly so that it can be resolved correctly in both directions.

System Configuration

Linux Configuration

Our first port of call is to set up the Linux server to look towards the AD domain. You may have done some of this already. Most of the files referenced exist as full copies at the end of this page for reference.

Installing software

Before we begin, we're going to need some tools installed:

sudo aptitude install krb5-user libapache2-mod-auth-kerb

Please note that this will also install krb5-config, which will ask for information such as your KDC and similar servers as well as the realm. Depending on your debconf configuration, it may automatically detect the realm from the FQDN of the machine. If this assumption is wrong (as it was for mine) then you will need to reconfigure the package and enter the appropriate default realm:

sudo dpkg-reconfigure krb5-config

And fill in the values properly.


/etc/resolv.conf

We've got two domains we care about: the one "pie" is in, and the AD domain that "notpie" is in. The following configures the Linux machine to search both domains and use the AD domain controller as its DNS server.

search site3.digitalpaper.homelinux.net digitalpaper.homelinux.net
nameserver 192.168.1.20

/etc/hosts

One of the useful tidbits I've picked up is ensuring that your local hosts file is set up with the correct external IP address for the DNS domain name and not pointing back to everyone's favourite IP address 127.0.0.1:

192.168.1.10 pie.digitalpaper.homelinux.net pie

The order is also important: make sure that the FQDN comes before the shorter name. Using the external interface address instead of the local loopback address is also important and will help us avoid other issues later on with Kerberos.
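A small check for the two points above (interface address rather than loopback, FQDN before the short name), written as an added example for this guide; it is not code from the wiki or from Debian. The hosts file contents it runs over are constructed, including a "bad" entry of the kind a stock Debian install leaves behind with the hostname on 127.0.1.1.

```python
"""Lint an /etc/hosts entry the way this guide wants it for a Kerberos
host: the real interface address rather than loopback, and the FQDN
listed before the short name.
"""
import ipaddress

# Constructed sample: the entry the guide recommends for "pie".
GOOD_HOSTS = """\
127.0.0.1    localhost
192.168.1.10 pie.digitalpaper.homelinux.net pie
"""

# Constructed sample: hostname on a loopback address (127.0.1.1 is the
# Debian installer's default) with the short name first.
BAD_HOSTS = """\
127.0.0.1    localhost
127.0.1.1    pie pie.digitalpaper.homelinux.net
"""


def parse_hosts(text):
    """Return [(address, [names...]), ...], skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1:]))
    return entries


def check_host_entry(text, fqdn):
    """Return a list of problems with the hosts entry for `fqdn`.

    An empty list means the entry follows the guide's advice: it exists,
    it uses a non-loopback address, and the FQDN is the first name so
    that an address-to-name lookup returns the FQDN, not the short name.
    """
    problems = []
    short = fqdn.split(".")[0]
    matches = [(addr, names) for addr, names in parse_hosts(text)
               if fqdn in names or short in names]
    if not matches:
        return ["no hosts entry for %s" % fqdn]
    for addr, names in matches:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            problems.append("%s: not a valid IP address" % addr)
            continue
        if ip.is_loopback:
            problems.append("%s: loopback address used for %s; use the "
                            "interface address instead" % (addr, fqdn))
        if fqdn not in names:
            problems.append("%s: lists the short name %s but not the FQDN %s"
                            % (addr, short, fqdn))
        elif names[0] != fqdn:
            problems.append("%s: FQDN must come before the short name "
                            "(first name is %r)" % (addr, names[0]))
    return problems


if __name__ == "__main__":
    for label, sample in (("good", GOOD_HOSTS), ("bad", BAD_HOSTS)):
        issues = check_host_entry(sample, "pie.digitalpaper.homelinux.net")
        print(label, "->", issues or "OK")
```

Run it against your own file with check_host_entry(open("/etc/hosts").read(), "your.fqdn"); the "bad" sample reports both the loopback address and the name order, which are exactly the two things Kerberos trips over when the server works out its own principal name.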

/etc/krb5.conf

This is the main Kerberos configuration file; Debian generated it for you when you installed the krb5-config package. With any luck, it should look like the sample at the end of this document with your values instead of mine, and probably a bit more junk. In my dual-domain situation, I needed to make one more modification in the [domain_realm] section to add the domain for pie. This enables the server to find the correct realm for itself. There should be some lines already, but it looks like this when completed fully:

[domain_realm]
        .site3.digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET
        site3.digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET
        .digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET
        digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET
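To show why pie needs its own domain entries above, and why both the dotted and undotted forms are listed, here is an added example (not code from the wiki or from MIT krb5) that parses a [domain_realm] section and maps a hostname to a realm following the documented precedence: an entry equal to the full hostname first, then the closest parent domain written with a leading dot. It also reflects the case point from the introduction: DNS names are matched case-insensitively, realm names are returned exactly as written. The krb5.conf text it parses is constructed from this guide's own entries.

```python
"""Resolve a hostname to a Kerberos realm the way the [domain_realm]
section is consulted: an entry matching the exact hostname wins,
otherwise the closest parent domain written with a leading dot.
"""

# Constructed from the [domain_realm] lines in this guide's krb5.conf.
KRB5_CONF = """\
[libdefaults]
        default_realm = SITE3.DIGITALPAPER.HOMELINUX.NET

[domain_realm]
        .site3.digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET
        site3.digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET
        .digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET
        digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET
"""


def parse_domain_realm(text):
    """Return {key: REALM} for the [domain_realm] section only.

    Keys (DNS names) are lowercased because DNS is case-insensitive;
    realm values are kept verbatim because realm names are case-sensitive.
    """
    mapping = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line == "[domain_realm]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            mapping[key.strip().lower()] = value.strip()
    return mapping


def realm_for_host(hostname, mapping):
    """Map `hostname` to a realm, or None if no entry applies.

    Precedence: an entry equal to the full hostname, then '.parent.domain'
    entries from the most specific parent outward. A key without a leading
    dot matches only a host of exactly that name, which is why the guide
    lists both forms for each domain. None means the library would have
    to fall back on other means (DNS lookups or default_realm).
    """
    host = hostname.rstrip(".").lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None


if __name__ == "__main__":
    table = parse_domain_realm(KRB5_CONF)
    for name in ("pie.digitalpaper.homelinux.net",
                 "NotPie.Site3.Digitalpaper.Homelinux.Net",
                 "digitalpaper.homelinux.net",
                 "pie.example.org"):
        print(name, "->", realm_for_host(name, table))
```

Removing the ".digitalpaper.homelinux.net" line from the table makes pie.digitalpaper.homelinux.net map to nothing, which is the situation the extra entries above fix; the undotted "digitalpaper.homelinux.net" line on its own only covers a host literally named digitalpaper.homelinux.net.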


Files

Apache Configuration

<Location /kerberos>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd On
  KrbAuthRealms SITE3.DIGITALPAPER.HOMELINUX.NET
  Krb5KeyTab /etc/apache2/keytab/http-pie.keytab
  require valid-user
</Location>

.htaccess File

  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd On
  KrbAuthRealms SITE3.DIGITALPAPER.HOMELINUX.NET
  Krb5KeyTab /etc/apache2/keytab/http-pie.keytab
  require valid-user

resolv.conf

search digitalpaper.homelinux.net site3.digitalpaper.homelinux.net
nameserver 192.168.1.20

krb5.conf

[libdefaults]
        default_realm = SITE3.DIGITALPAPER.HOMELINUX.NET

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true

[realms]
        SITE3.DIGITALPAPER.HOMELINUX.NET = {
                kdc = 192.168.1.20
                admin_server = 192.168.1.20
        }

[domain_realm]
        .site3.digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET
        site3.digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET
        .digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET
        digitalpaper.homelinux.net = SITE3.DIGITALPAPER.HOMELINUX.NET
[login]
        krb4_convert = true
        krb4_get_tickets = false