Apache2, mod-auth-kerb, Active Directory, Windows 2003, single signon problems, help needed
Ben
bendummymail at yahoo.com
Thu Dec 13 10:43:54 EST 2007
Hello Everybody,
I'm facing the same problem as most of you: I need to have SSO (single
sign-on) to a Windows 2003 AD server from an Apache2 web server. I only
need to obtain the REMOTE_USER var at this moment. My steps may help
someone like me, and gurus can advise what I did wrong.
Let's start from my machine:
Debian 4.0r1 (etch), fully updated, net install, very easy to do (name
"service").
Installed:
i apache2 - Next generation, scalable, extendable web
i apache2-mpm-prefork - Traditional model for Apache HTTPD 2.1
i apache2-utils - utility programs for webservers
i apache2.2-common - Next generation, scalable, extendable web
i libapache2-mod-auth-kerb - apache2 module for Kerberos authentication
i libapache2-mod-php5 - server-side, HTML-embedded scripting langu
i krb5-clients - Secure replacements for ftp, telnet and rs
i krb5-config - Configuration files for Kerberos Version 5
i krb5-user - Basic programs to authenticate using MIT K
i libkrb53 - MIT Kerberos runtime libraries
i libpam-krb5 - PAM module for MIT Kerberos
Apache is up and running (the easy part).
Kerberos is configured as (cat /etc/krb5.conf):
[libdefaults]
        default_realm = DOMAIN.COM
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        v4_instance_resolve = false
        v4_name_convert = {
                host = {
                        rcmd = host
                        ftp = ftp
                }
                plain = {
                        something = something-else
                }
        }
        fcc-mit-ticketflags = true
[realms]
        DOMAIN.COM = {
                kdc = server3.domain.com
                admin_server = server3.domain.com
                default_domain = domain.com
        }
[domain_realm]
        .domain.com = DOMAIN.COM
        domain.com = DOMAIN.COM
[login]
        krb4_convert = true
        krb4_get_tickets = false
I've created a user under Windows 2003 Server (new user, name:
"service_service") and tried it on my Linux box with:
kinit service_service (issued right password)
klist
Worked fine, great.
Now I need to create a keytab file with my Windows 2003 machine (name
"server3", PDC and AD controller).
Issued command:
ktpass -princ HTTP/service.domain.com@DOMAIN.COM -mapuser service_service -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly pass mypasswordiscool -out kerberos.keytab
C:\Documents and Settings\Administrator.DOMAIN\Desktop>ktpass -princ HTTP/service.pluriservice.it@PLURISERVICE.IT -mapuser service_webservice -crypto DES-CBC-MD5 -ptype KRB5_NT_PRINCIPAL -mapop set +desonly pass mypasswordiscool -out kerberos.keytab<enter>
Targeting domain controller: SERVER3.domain.com
Successfully mapped HTTP/service.domain.com to service_service.
Key created.
Output keytab to kerberos.keytab:
Keytab version: 0x502
keysize 74 HTTP/service.domain.com@DOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0xa840985480753e23)
Account service_service has been set for DES-only encryption.
Copied my kerberos.keytab file (with scp) to my Linux etch machine
(named: service).
cat /etc/apache2/apache2.conf
...
User www-data
Group www-data
...
So I've got kerberos.keytab (chmod 644, chown www-data:www-data) on my
machine; then, under user www-data:
www-data@service:~/kerberos$ kinit -k -t kerberos.keytab HTTP/service.domain.com
klist gives me:
Ticket cache: FILE:/tmp/krb5cc_33
Default principal: HTTP/service.pluriservice.it@DOMAIN.COM
Valid starting     Expires            Service principal
12/13/07 16:18:01  12/14/07 02:21:29  krbtgt/DOMAIN.COM@DOMAIN.COM
        renew until 12/14/07 16:18:01
Kerberos 4 ticket cache: /tmp/tkt33
klist: You have no tickets cached
So I think I'm set now... I checked my Apache virtual host config:
ScriptAlias /cgi-bin/ /var/www/cgi-bin/
<Directory "/var/www/cgi-bin">
    AuthName "My funny test"
    AuthType Kerberos
    KrbAuthRealms DOMAIN.COM
    Krb5Keytab /var/www/kerberos/kerberos.keytab
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    require valid-user
    # KrbSaveCredentials on
    # KrbVerifyKDC off
    Options ExecCGI
</Directory>
Inside this dir I've got a script telling me all exported vars, nothing
more...
My /etc/hosts reports:
10.0.0.23   webservice.pluriservice.it webservice
127.0.0.1   localhost.localdomain localhost
My /etc/resolv.conf reports:
search domain.com
nameserver 10.0.0.1
Restarted Apache and finally my test:
.... guess what? .... it doesn't work....
Log files are telling me (/var/log/apache2/error.log):
[Thu Dec 13 16:33:08 2007] [notice] Apache/2.2.3 (Debian) mod_auth_kerb/5.3 PHP/5.2.0-8+etch7 configured -- resuming normal operations
[Thu Dec 13 16:33:08 2007] [info] Server built: Jun 17 2007 20:24:06
[Thu Dec 13 16:33:08 2007] [debug] prefork.c(991): AcceptMutex: sysvsem (default: sysvsem)
[Thu Dec 13 16:33:50 2007] [error] [client 10.0.0.130] gss_accept_sec_context() failed: A token was invalid (Token header is malformed or corrupt)
Firefox is already in the trusted domain (about:config,
network.negotiate-auth.trusted-uris "domain.com").
When I try to access my URL http://service.domain.com/cgi-bin/printenv.cgi
I cannot automatically log in: I see the dialog box (username/password),
and even if I enter the correct credentials I cannot get in. Additional
log lines from the error log are reported here:
[Thu Dec 13 16:38:12 2007] [error] [client 10.0.0.130] failed to verify krb5 credentials: Server not found in Kerberos database
Explorer gives the same result.
What did I do wrong? I only need to achieve Single Sign On; users only
need to visit that page with their credentials, nothing more...
I've been stuck on this problem since Monday and I don't know how to
solve it. Can you please tell me what I've done wrong? I've even tried to:
- reinstall the Linux OS (machine: service)
- remove and re-add the Windows user
- issue the ktpass command from the Windows command prompt
- reboot the Linux machine, ...
After googling around I really don't know how to solve it. Any
ideas?
Regards
Andrea (Ben) Benini
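Added example, not from the original post or from mod_auth_kerb: a small Python parser for the MIT keytab format (version 0x502, the one ktpass printed above) that lists principal, kvno and enctype, plus a check that the keytab actually holds the HTTP/<hostname> principal a Negotiate-capable browser requests for a given URL. "Server not found in Kerberos database" is the usual symptom when the name in the URL (or in /etc/hosts) and the SPN in the keytab differ. The keytab bytes below are constructed here with an all-zero dummy key; the helper names are this example's own.

```python
import struct
from urllib.parse import urlsplit
def _cstr(data, pos):
    # counted_octet_string: uint16 big-endian length followed by the bytes
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, etype, keylen), ...] from MIT keytab bytes, version 0x502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size <= 0:                      # negative size marks a deleted slot: skip it
            pos -= size; continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        realm, pos = _cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _cstr(data, pos); comps.append(c)
        _name_type, _stamp, kvno = struct.unpack(">IIB", data[pos:pos + 9])
        etype, keylen = struct.unpack(">HH", data[pos + 9:pos + 13])
        pos += 13 + keylen                 # step over the key material itself
        if end - pos >= 4:                 # optional 32-bit kvno overrides the 8-bit one when non-zero
            kvno = struct.unpack(">I", data[pos:pos + 4])[0] or kvno
        entries.append(("/".join(comps) + "@" + realm, kvno, etype, keylen))
        pos = end
    return entries

def build_entry(principal, kvno, etype, key):
    """Serialise one keytab entry; used here only to construct the sample below."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno)          # KRB5_NT_PRINCIPAL, timestamp 0, vno8
    body += struct.pack(">HH", etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample mirroring the ktpass output above (vno 3, etype 3 = DES-CBC-MD5, 8-byte key), dummy zero key.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("HTTP/service.domain.com@DOMAIN.COM", 3, 3, bytes(8))

def spn_for_url(url, realm):
    # Service principal a Negotiate-capable browser asks the KDC for: HTTP/<url host>@REALM
    return "HTTP/%s@%s" % (urlsplit(url).hostname.lower(), realm)

def keytab_covers_url(data, url, realm):
    """True if the keytab holds a key for the SPN derived from the URL's hostname."""
    wanted = spn_for_url(url, realm).lower()
    return any(p.lower() == wanted for p, _, _, _ in parse_keytab(data))
```

The comparison is literal; real clients may first canonicalise the hostname through DNS, so run it against the name the browser actually ends up with.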