Minimum setup for Apache+AD SSO

參照：

http://www.grolmsnet.de/kerbtut/

https://docs.typo3.org/typo3cms/extensions/ig_ldap_sso_auth/2.1.1/AdministratorManual/ConfigureApacheKerberos.html

 1. 安裝軟件包

yum install httpd
yum install php
yum install krb5-devel krb5-libs krb5-workstation mod_auth_kerb

2. 生成keytab文件

On DC:
ktpass /out webserver.keytab /princ HTTP/web.smallbusiness1.local@SMALLBUSINESS1.LOCAL /mapuser smallbusiness1\webauth /pass Test1234 /ptype KRB5_NT_PRINCIPAL /crypto rc4-hmac-nt

3. 把keytab文件copy到/etc/httpd/

4. DNS創建A記錄和PTR記錄指向web server

5. In /etc/krb5.conf

[libdefaults]
default_keytab_name = /etc/httpd/webserver.keytab
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
default_realm = SMALLBUSINESS1.LOCAL

[realms]
SMALLBUSINESS1.LOCAL = {
kdc = dc.smallbusiness1.local
admin_server = dc.smallbusiness1.local
}

[domain_realm]
.smallbusiness1.local = SMALLBUSINESS1.LOCAL
smallbusiness1.local = SMALLBUSINESS1.LOCAL

 （注意：SMALLBUSINESS1.LOCAL須要大寫）

6. 測試（注意：SMALLBUSINESS1.LOCAL須要大寫）：

kinit user@SMALLBUSINESS1.LOCAL

klist

7. Apache配置

In /etc/httpd/conf/httpd.conf:

ServerName web.smallbusiness1.local:80
UseCanonicalName On

In /etc/httpd/conf.modules.d/10-auth_kerb.conf:

LoadModule auth_kerb_module modules/mod_auth_kerb.so
<Location />
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms SMALLBUSINESS1.LOCAL
Krb5KeyTab /etc/httpd/webserver.keytab
KrbSaveCredentials On
require valid-user
</Location>

8. IE設置

Internet Option->Security->Local intranet->Sites->Add web.smallbusiness1.local

Internet Option->Security->Local intranet->Custom Level->User Authentication->Logon->Automatic logon only in Intranet zone

9. 打開IE，打開web.smallbusiness1.local/phpinfo.php.（注意，不能用IP地址）

Note:

1. Web server的時間要和DC的時間一致。

2. 若是error_log中看到gss_acquire_cred() ... (, Permission denied)，表示apache不能讀取keytab文件，檢查keytab文件權限，關閉selinux或者restorecon -rv /etc/httpd （keytab所在目錄）

 

Update: 支持多個domain

1. 在每一個domain的DC分別生成webserver1.keytab和webserver2.keytab，注意兩個命令中HTTP/web.smallbusiness1.local是同樣地，對應httpd.conf中的ServerName:

在smallbusiness1.local的DC:
ktpass /out webserver1.keytab /princ HTTP/web.smallbusiness1.local@SMALLBUSINESS1.LOCAL /mapuser smallbusiness1\webauth /pass Test1234 /ptype KRB5_NT_PRINCIPAL /crypto rc4-hmac-nt

在smallbusiness2.local的DC:
ktpass /out webserver2.keytab /princ HTTP/web.smallbusiness1.local@SMALLBUSINESS2.LOCAL /mapuser smallbusiness2\webauth /pass Test1234 /ptype KRB5_NT_PRINCIPAL /crypto rc4-hmac-nt

 

2. 用ktutil合併keytab文件：

ktutil
rkt webserver1.keytab
rkt webserver2.keytab
wkt webserver.keytab
q

用ktlist -k webserver.keytab 驗證webserver.keytab中包含了多個key。

3. 修改krb5.conf中的[realms]和[domain_realm]：

[realms]
SMALLBUSINESS1.LOCAL = {
kdc = dc.smallbusiness1.local
admin_server = dc.smallbusiness1.local
}

SMALLBUSINESS2.LOCAL = {
kdc = dc.smallbusiness2.local
admin_server = dc.smallbusiness2.local
}

[domain_realm]
.smallbusiness1.local = SMALLBUSINESS1.LOCAL
smallbusiness1.local = SMALLBUSINESS1.LOCAL

.smallbusiness2.local = SMALLBUSINESS2.LOCAL
smallbusiness2.local = SMALLBUSINESS2.LOCAL

4. 

In /etc/httpd/conf.modules.d/10-auth_kerb.conf:

LoadModule auth_kerb_module modules/mod_auth_kerb.so<Location />AuthType KerberosAuthName "Kerberos Login"KrbMethodNegotiate OnKrbMethodK5Passwd OnKrbAuthRealms SMALLBUSINESS1.LOCAL SMALLBUSINESS2.LOCALKrb5KeyTab /etc/httpd/webserver.keytabKrbSaveCredentials Onrequire valid-user</Location>