Systems/Services/Kerberos

From PS:1 Wiki Dev
Revision as of 22:20, 13 September 2020 by Books (talk | contribs)

Warning: This information is out of date. Up-to-date IT information can be found here.

Kerberos

The Kerberos realm is part of the Samba AD implementation; the realm name is AD.PUMPINGSTATIONONE.ORG.



PS1 Kerberos Client config:

/etc/krb5.conf

[libdefaults]
        default_realm = AD.PUMPINGSTATIONONE.ORG
        ticket_lifetime = 24h
        kdc_timesync = 1
        ccache_type = 4
        # forwardable/proxiable tickets are what lets SSH and Apache delegate
        # the user's credentials onward; set once (the original file set it twice)
        forwardable = true
        proxiable = true
        verify_ap_req_nofail = false
        check_pac = no
        kdc_timeout = 2
        max_retries = 1
        # the realm is taken from [domain_realm] below, not from DNS TXT records
        dns_lookup_realm = false

[realms]
        AD.PUMPINGSTATIONONE.ORG = {
                default_domain = ad.pumpingstationone.org
                kdc = bob.ad.pumpingstationone.org
                kdc = dc01.ad.pumpingstationone.org
                # the relation name is admin_server; "admin" is not recognised
                admin_server = bob.pumpingstationone.org
        }

# the section name is [domain_realm] (singular); a misspelled section is silently ignored
[domain_realm]
        ad.pumpingstationone.org = AD.PUMPINGSTATIONONE.ORG
        .ad.pumpingstationone.org = AD.PUMPINGSTATIONONE.ORG
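A hand-edited krb5.conf fails quietly: a misspelled section such as [domain_realms], a relation set twice in [libdefaults], or an unrecognised [realms] relation like `admin` instead of `admin_server` is simply ignored by the library. The following linter is an added example (not part of the PS:1 wiki, Samba or any Kerberos distribution); it parses the section/relation syntax shared by MIT and Heimdal, including the `REALM = { ... }` blocks, and reports those three slips. The SAMPLE string is a constructed fragment in the shape of the client config above.

```python
SECTIONS = {"libdefaults", "realms", "domain_realm", "appdefaults", "logging", "capaths"}
REALM_KEYS = {"kdc", "admin_server", "kpasswd_server", "master_kdc", "default_domain"}

# Constructed sample: a fragment of a hand-edited client config with three common slips.
SAMPLE = """[libdefaults]
    forwardable = yes
    forwardable = true
[realms]
    AD.PUMPINGSTATIONONE.ORG = {
        kdc = bob.ad.pumpingstationone.org
        admin = bob.pumpingstationone.org
    }
[domain_realms]
    .ad.pumpingstationone.org = AD.PUMPINGSTATIONONE.ORG
"""


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: [(key, value | nested list)]}, keeping duplicates."""
    sections, stack = {}, []
    # Strip comments and whitespace, skip blank lines.
    for line in filter(None, (raw.split("#", 1)[0].strip() for raw in text.splitlines())):
        if line.startswith("[") and line.endswith("]"):   # [section] header
            stack = [sections.setdefault(line[1:-1], [])]
        elif line == "}":                                 # end of a `NAME = { ... }` block
            stack.pop()
        else:
            key, value = (s.strip() for s in line.partition("=")[::2])
            stack[-1].append((key, [] if value == "{" else value))
            if value == "{":                              # descend into the new block
                stack.append(stack[-1][-1][1])
    return sections


def lint_krb5_conf(text):
    """Return findings as strings; an empty list means nothing suspicious was seen."""
    conf, findings, seen = parse_krb5_conf(text), [], {}
    for name in conf:                            # unknown sections are never consulted
        if name not in SECTIONS:
            findings.append(f"unknown section [{name}]")
    for key, value in conf.get("libdefaults", []):
        if key in seen:                          # only one value is honoured, so flag the repeat
            findings.append(f"libdefaults: {key} set twice ({seen[key]!r}, {value!r})")
        seen[key] = value
    for realm, relations in conf.get("realms", []):
        for key, _ in relations:
            if key not in REALM_KEYS:            # e.g. `admin` instead of `admin_server`
                findings.append(f"realm {realm}: unknown relation {key!r}")
    return findings
```

`lint_krb5_conf(SAMPLE)` reports the unknown section, the repeated `forwardable` and the unknown `admin` relation; feed it the text of a real /etc/krb5.conf to check that file.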

Apache SSO

Note: Replace 'rack' with the host name of the server.


Setting up the keytab:

# Update the machine account on DC 'bob', adding an HTTP/<host> service principal;
# msktutil writes the keys to /etc/krb5.keytab by default
msktutil -u -s HTTP --server bob
# Give Apache its own copy and drop the machine and host principals it does not need
cp /etc/krb5.keytab /usr/local/etc/apache24/krb5.keytab
ktutil -k /usr/local/etc/apache24/krb5.keytab remove -p rack\$
ktutil -k /usr/local/etc/apache24/krb5.keytab remove -p host/rack.ad.pumpingstationone.org
# The web server user must be able to read the keytab; nobody else should
chown www /usr/local/etc/apache24/krb5.keytab

Configure Auth:

<Location />
    AuthType Kerberos
    AuthName "AD.PUMPINGSTATIONONE.ORG"
    KrbAuthoritative on
    # must match the HTTP/<host> principal left in the keytab above
    KrbServiceName HTTP/rack.ad.pumpingstationone.org
    Krb5Keytab /usr/local/etc/apache24/krb5.keytab
    KrbAuthRealms AD.PUMPINGSTATIONONE.ORG
    # K5Passwd allows a Basic-auth password fallback for clients without
    # Negotiate support; the password then crosses the wire, so serve over HTTPS only
    KrbMethodK5Passwd on
    KrbMethodNegotiate on
    Require valid-user
</Location>

SSH SSO

To enable Kerberos SSO for your SSH client, add the following lines to ~/.ssh/config:

# Use your Kerberos ticket to authenticate instead of a password or key
GSSAPIAuthentication yes
# Forward your TGT to the server so it can reach other Kerberos services on your behalf;
# only sensible for hosts you trust, so consider scoping these lines with a Host stanza
GSSAPIDelegateCredentials yes
# Try GSSAPI first and fall back to the usual methods
PreferredAuthentications gssapi-with-mic,publickey,keyboard-interactive,password