Chapter 6. Configuration example for Kerberos authentication with mod_auth_kerb
You can configure Kerberos authentication with the JBoss Core Services Apache HTTP Server and the mod_auth_kerb module on Red Hat Enterprise Linux.
To configure Kerberos authentication, you must complete the following tasks, which the sections in this chapter describe in order:
- Configure the Kerberos client (krb5.conf, key tab, /etc/hosts).
- Configure mod_auth_kerb (auth_kerb.conf).
- Test the Kerberos authentication with a protected test page.
6.1. Prerequisites
- You have installed the curl command-line utility with GSS-Negotiate (SPNEGO) support. You can confirm this by checking that curl -V lists SPNEGO among its features.
- You have configured and started a Kerberos or LDAP server, such as ApacheDS, on the same host as JBoss Core Services.
- If you are using an LDAP server, you have created LDAP users called krbtgt, ldap, and HTTP, and a test LDAP user called hnelson. The passwords in the following entries are example values. The password of the HTTP user must match the password you later enter in ktutil when you create the key tab, and its krb5KeyVersionNumber must match the key version number you give to ktutil; otherwise the web server cannot decrypt service tickets.
  To create the krbtgt user, enter the following details:

    dn: uid=krbtgt,ou=Users,dc=example,dc=com
    objectClass: top
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: krb5principal
    objectClass: krb5kdcentry
    cn: KDC Service
    sn: Service
    uid: krbtgt
    userPassword: secret
    krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM
    krb5KeyVersionNumber: 0

  To create the ldap user, enter the following details:

    dn: uid=ldap,ou=Users,dc=example,dc=com
    objectClass: top
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: krb5principal
    objectClass: krb5kdcentry
    cn: LDAP
    sn: Service
    uid: ldap
    userPassword: randall
    krb5PrincipalName: ldap/localhost@EXAMPLE.COM
    krb5KeyVersionNumber: 0

  To create the HTTP user, enter the following details:

    dn: uid=HTTP,ou=Users,dc=example,dc=com
    objectClass: top
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: krb5principal
    objectClass: krb5kdcentry
    cn: HTTP
    sn: Service
    uid: HTTP
    userPassword: secretpwd
    krb5PrincipalName: HTTP/localhost@EXAMPLE.COM
    krb5KeyVersionNumber: 0

  To create the test user, hnelson, enter the following details:

    dn: uid=hnelson,ou=Users,dc=example,dc=com
    objectClass: top
    objectClass: person
    objectClass: inetOrgPerson
    objectClass: krb5principal
    objectClass: krb5kdcentry
    cn: Horatio Nelson
    sn: Nelson
    uid: hnelson
    userPassword: secret
    krb5PrincipalName: hnelson@EXAMPLE.COM
    krb5KeyVersionNumber: 0
6.2. Configuring the Kerberos client
When you configure Kerberos authentication, you must configure the Kerberos client by performing the following steps:
- Specify configuration settings in the krb5.conf file.
- Create a key tab in the JBCS_HOME/httpd/conf directory.
- Assign the correct group and permissions to the key tab.
- Ensure that localhost is included in the /etc/hosts file.
Prerequisites
- You have met all prerequisites for configuring Kerberos authentication.
Procedure
To specify configuration settings in the krb5.conf file:
- Go to the /etc directory.
- Create a file named krb5.conf. Enter the following configuration details:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = EXAMPLE.COM
     default_tgs_enctypes = des-cbc-md5,des3-cbc-sha1-kd
     default_tkt_enctypes = des-cbc-md5,des3-cbc-sha1-kd
     dns_lookup_realm = false
     dns_lookup_kdc = false
     allow_weak_crypto = yes
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = yes

    [realms]
     EXAMPLE.COM = {
      kdc = localhost:60088
      admin_server = localhost:60088
     }

    [domain_realm]
     .example.com = EXAMPLE.COM
     example.com = EXAMPLE.COM

Important
This example uses DES keys throughout (the key tab is created with the des-cbc-md5 encryption type in the next step), which is why allow_weak_crypto = yes and the des-cbc-md5 and des3-cbc-sha1-kd enctypes appear here. Single DES is deprecated for Kerberos (RFC 6649), 3DES is deprecated as well (RFC 8429), and MIT Kerberos refuses DES unless allow_weak_crypto is set. Keep these settings for this test setup only. For a production KDC, remove allow_weak_crypto and use AES enctypes (for example aes256-cts-hmac-sha1-96) consistently on the KDC, in the key tab, and in krb5.conf.
To create a key tab:
- Go to the JBCS_HOME/httpd/conf directory.
- Run ktutil and enter the following commands at the ktutil prompt. When prompted, enter the password of the HTTP LDAP user (secretpwd in the prerequisites):

    # ktutil
    ktutil: addent -password -p HTTP/localhost@EXAMPLE.COM -k 0 -e des-cbc-md5
    Password for HTTP/localhost@EXAMPLE.COM: secretpwd
    ktutil: list
    slot KVNO Principal
    ---- ---- ---------------------------------------------------------------------
       1    0 HTTP/localhost@EXAMPLE.COM
    ktutil: wkt JBCS_HOME/httpd/conf/krb5.keytab
    ktutil: quit

Important
Environment variables are not expanded within the ktutil prompt. You must substitute the full path for the JBCS_HOME variable.
The key version number (-k 0) and the encryption type (-e des-cbc-md5) must match the krb5KeyVersionNumber and the key type that the KDC holds for the HTTP/localhost@EXAMPLE.COM principal. If they differ, the web server cannot decrypt the service tickets that clients present and every Negotiate attempt fails.

To apply the correct group and permissions to the key tab, enter the following commands as the root user:

    # chgrp apache JBCS_HOME/httpd/conf/krb5.keytab
    # chmod 640 JBCS_HOME/httpd/conf/krb5.keytab

The key tab contains the long-term key of the HTTP service principal. Mode 640 with group apache lets the httpd worker processes read it while keeping it unreadable by other local users. Do not make the key tab world-readable; anyone who can read it can impersonate the web server to Kerberos clients.

Ensure that the following host configuration is included in the /etc/hosts file:

    127.0.0.1 localhost

The service principal is HTTP/localhost@EXAMPLE.COM, so the client must be able to resolve localhost in order to request a ticket for the matching service name.
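The krb5.conf above deliberately enables weak crypto for the test KDC. The following script is an added example, not part of the Red Hat documentation or of MIT Kerberos: it parses a krb5.conf with a small hand-written parser (the braced [realms] subsections are not valid for Python's configparser) and reports the settings that should not survive into production: allow_weak_crypto, DES, 3DES and RC4 enctypes, and realms with no kdc entry. The configuration text is the one from this chapter, embedded inline so the script runs offline; the hardened variant is constructed, and the set of deprecated enctype names is an assumption based on RFC 6649 and RFC 8429 using the MIT Kerberos spellings.

```python
"""Audit a krb5.conf for settings that weaken Kerberos (added example)."""
import re

# Deprecated enctypes: single DES (RFC 6649), 3DES and RC4 (RFC 8429).
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1",
    "des3-cbc-sha1", "des3-cbc-sha1-kd", "des3-hmac-sha1",
    "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac", "arcfour-hmac-exp",
}
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

# The krb5.conf from this chapter, embedded so the script runs offline.
SAMPLE_KRB5_CONF = """\
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 default_tgs_enctypes = des-cbc-md5,des3-cbc-sha1-kd
 default_tkt_enctypes = des-cbc-md5,des3-cbc-sha1-kd
 dns_lookup_realm = false
 dns_lookup_kdc = false
 allow_weak_crypto = yes
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = yes

[realms]
 EXAMPLE.COM = {
  kdc = localhost:60088
  admin_server = localhost:60088
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
"""

# Hardened variant (constructed): AES only, no allow_weak_crypto override.
HARDENED_KRB5_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.COM
 default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
 default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
[realms]
 EXAMPLE.COM = {
  kdc = localhost:60088
 }
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}}; braced subsections become nested dicts."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:                                  # new top-level section
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("setting outside any section: %r" % raw)
        if line == "}":                        # end of a braced subsection
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":                       # e.g. EXAMPLE.COM = {
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return conf


def weak_crypto_findings(conf):
    """List human-readable findings for weak or incomplete settings."""
    findings = []
    lib = conf.get("libdefaults", {})
    if lib.get("allow_weak_crypto", "false").lower() in ("yes", "true", "1"):
        findings.append("allow_weak_crypto is enabled: DES/RC4 keys and tickets are accepted")
    for key in ENCTYPE_KEYS:
        for enctype in re.split(r"[,\s]+", lib.get(key, "")):
            if enctype in WEAK_ENCTYPES:
                findings.append("%s lists deprecated enctype %s" % (key, enctype))
    for realm, settings in conf.get("realms", {}).items():
        if isinstance(settings, dict) and "kdc" not in settings:
            findings.append("realm %s has no kdc entry" % realm)
    return findings


if __name__ == "__main__":
    for name, text in (("chapter", SAMPLE_KRB5_CONF), ("hardened", HARDENED_KRB5_CONF)):
        print(name, weak_crypto_findings(parse_krb5_conf(text)) or ["no findings"])
```

Run it against /etc/krb5.conf on a host to see which of the test-only settings were carried over; the chapter's file yields five findings (allow_weak_crypto plus two deprecated enctypes in each of the two enctype lists), the hardened variant none.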
6.3. Configuring mod_auth_kerb
When you configure Kerberos authentication, you must configure mod_auth_kerb by specifying settings in the auth_kerb.conf file.
Prerequisites
- You have configured the Kerberos client.
Procedure
- Go to the JBCS_HOME/httpd/conf.d/ directory.
- Create a file named auth_kerb.conf. Enter the following configuration details:

    #
    # The mod_auth_kerb module implements Kerberos authentication over HTTP,
    # following the "Negotiate" protocol.
    #
    # The LoadModule statement is done in conf.d/10-auth_kerb.conf
    #LoadModule auth_kerb_module modules/mod_auth_kerb.so

    <Location /kerberostest>
      AuthType Kerberos
      AuthName "Kerberos Login"
      KrbMethodNegotiate On
      KrbMethodK5Passwd Off
      KrbAuthRealms EXAMPLE.COM
      KrbServiceName HTTP
      Krb5KeyTab JBCS_HOME/httpd/conf/krb5.keytab
      require valid-user
    </Location>

Environment variables are not expanded within the configuration files. In the preceding example, ensure that you substitute the full path for the JBCS_HOME variable, and that Krb5KeyTab points to the key tab you created in the JBCS_HOME/httpd/conf directory. The module itself is loaded by conf.d/10-auth_kerb.conf, so the LoadModule line stays commented out here; loading it twice only produces a warning, but the duplicate is unnecessary.
The directives in the Location block have the following effect:
- KrbMethodNegotiate On enables SPNEGO (Negotiate) authentication with a Kerberos service ticket.
- KrbMethodK5Passwd Off disables the fallback to HTTP Basic authentication, in which the client sends the user's Kerberos password to the web server and mod_auth_kerb verifies it against the KDC. Keep it Off unless you must serve clients that cannot obtain tickets, because it exposes user passwords to the web server and to anyone who can read the HTTP traffic.
- KrbAuthRealms and KrbServiceName select the realm and the service principal (HTTP/localhost@EXAMPLE.COM for requests to localhost) whose key the module reads from Krb5KeyTab.
- require valid-user authorizes any principal in the realm that can obtain a service ticket. To restrict access to specific users, use a directive such as require user hnelson@EXAMPLE.COM; mod_auth_kerb reports the authenticated user as the full principal name including the realm.
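Because httpd does not expand environment variables and a wrong key tab path or a forgotten KrbMethodK5Passwd Off fails silently at configuration time, it is worth checking auth_kerb.conf before restarting the server. The following script is an added example, not part of the Red Hat documentation or of mod_auth_kerb: it reads Location blocks with a minimal line parser (enough for the directives used in this chapter, not a full httpd configuration parser) and reports settings that break or weaken Negotiate authentication. The directive names are the real mod_auth_kerb ones. The three configuration fragments are constructed inline: the first mirrors the chapter's block but leaves the key tab path as an unexpanded $JBCS_HOME placeholder, the second is a hardened variant in which /opt/jbcs is an assumed installation path, and the third leaves the module defaults in place.

```python
"""Lint mod_auth_kerb <Location> blocks for common misconfigurations (added example)."""
import re

# The chapter's block, with the key tab path left as an unexpanded placeholder.
PAGE_CONFIG = """\
<Location /kerberostest>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbAuthRealms EXAMPLE.COM
  KrbServiceName HTTP
  Krb5KeyTab $JBCS_HOME/httpd/conf/krb5.keytab
  require valid-user
</Location>
"""

# Hardened variant (constructed; /opt/jbcs is an assumed install path).
HARDENED_CONFIG = """\
<Location /kerberostest>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd Off
  KrbAuthRealms EXAMPLE.COM
  KrbServiceName HTTP
  Krb5KeyTab /opt/jbcs/httpd/conf/krb5.keytab
  require user hnelson@EXAMPLE.COM
</Location>
"""

# Weak variant (constructed): password fallback on, key tab and realm unset.
WEAK_CONFIG = """\
<Location /kerberostest>
  AuthType Kerberos
  KrbMethodK5Passwd On
  KrbServiceName HTTP
  require valid-user
</Location>
"""


def parse_locations(text):
    """Return {path: {directive (lower-case): value}} for each <Location> block.

    Minimal parser: no nested containers, no line continuations.
    """
    locations, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<Location\s+(\S+)\s*>$", line, re.IGNORECASE)
        if m:
            current = locations.setdefault(m.group(1), {})
            continue
        if re.match(r"</Location\s*>$", line, re.IGNORECASE):
            current = None
            continue
        if current is not None:
            name, _, value = line.partition(" ")
            current[name.lower()] = value.strip().strip('"')
    return locations


def lint_location(d):
    """Findings for one block: ERROR breaks authentication, WARN weakens it."""
    findings = []
    if d.get("authtype", "").lower() != "kerberos":
        findings.append("ERROR: AuthType is not Kerberos")
    keytab = d.get("krb5keytab")
    if keytab is None:
        findings.append("WARN: Krb5KeyTab not set; the module uses the system default key tab")
    elif "$" in keytab or not keytab.startswith("/"):
        findings.append("ERROR: Krb5KeyTab %r is not an absolute path; httpd does not "
                        "expand environment variables" % keytab)
    if d.get("krbmethodnegotiate", "on").lower() != "on":
        findings.append("ERROR: KrbMethodNegotiate Off leaves no ticket-based method")
    # Module default is On, so an absent directive is the weak case too.
    if d.get("krbmethodk5passwd", "on").lower() != "off":
        findings.append("WARN: KrbMethodK5Passwd is On; Basic fallback sends Kerberos "
                        "passwords to httpd")
    if "krbauthrealms" not in d:
        findings.append("WARN: KrbAuthRealms not set; the krb5.conf default realm is used")
    require = d.get("require", "")
    if not require:
        findings.append("ERROR: no require directive, so no client is authorized")
    elif require == "valid-user":
        findings.append("INFO: require valid-user accepts every principal in the realm")
    return findings


def lint_config(text):
    """Return {path: findings} for every <Location> block in the text."""
    return {path: lint_location(d) for path, d in parse_locations(text).items()}


if __name__ == "__main__":
    for name, text in (("page", PAGE_CONFIG), ("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        for path, findings in lint_config(text).items():
            print(name, path, findings or ["clean"])
```

To use it on a live server, read JBCS_HOME/httpd/conf.d/auth_kerb.conf into a string and pass it to lint_config; an ERROR finding means the restart will leave /kerberostest unreachable for Negotiate clients.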
6.4. Testing the Kerberos authentication
When you configure Kerberos authentication, you can use a test page to test the Kerberos authentication.
Prerequisites
- You have configured mod_auth_kerb.
Procedure
To create a test page, perform the following steps:
- Go to the JBCS_HOME/httpd/www/html/kerberostest directory, creating it if it does not exist.
- Create a test page named auth_kerb_page.html. Enter the following details:

    <html>
    <body>
    <h1>mod_auth_kerb successfully authenticated!</h1>
    </body>
    </html>

- Optional: In the JBCS_HOME/httpd/conf/httpd.conf file, set the log level to debugging. The debug messages from mod_auth_kerb in the error log show which service principal and key tab the module used if authentication fails.
- Start the Apache HTTP Server. For more information, see the Red Hat JBoss Core Services Apache HTTP Server Installation Guide.
To initiate Kerberos authentication for the test user, hnelson, enter the following command and enter the user's password (secret in the prerequisites) when prompted. This obtains a ticket-granting ticket from the KDC on localhost:60088 and stores it in the credential cache:

    $ kinit hnelson

To view the details for the test user, hnelson, enter the following command:

    $ klist

The klist command produces the following type of output:

    Ticket cache: FILE:/tmp/krb5cc_18602
    Default principal: hnelson@EXAMPLE.COM

    Valid starting     Expires            Service principal
    06/03/13 14:21:13  06/04/13 14:21:13  krbtgt/EXAMPLE.COM@EXAMPLE.COM
            renew until 06/10/13 14:21:13

Verification
To test Kerberos authentication, enter the following command. The -u : option gives curl an empty user name and password so that it authenticates with the Negotiate token derived from the ticket cache instead of prompting for credentials:

    $ curl --negotiate -u : http://localhost/kerberostest/auth_kerb_page.html

If Kerberos authentication is working correctly, the curl command produces the following output:

    <html>
    <body>
    <h1>mod_auth_kerb successfully authenticated!</h1>
    </body>
    </html>

If the command instead returns a 401 page, add -v to see the WWW-Authenticate: Negotiate challenge and the Authorization header curl sends back, and check the httpd error log for the reason the token was rejected.
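The curl test above hides what happens on the wire: curl first gets a 401 with a WWW-Authenticate: Negotiate challenge, then retries with an Authorization: Negotiate header carrying a base64 GSS-API token, which mod_auth_kerb hands to the GSSAPI library. The following script is an added example, not part of the Red Hat documentation or of mod_auth_kerb. It models the server side of that exchange at the HTTP level and checks the token framing defined in RFC 2743 section 3.1 (tag 0x60, DER length, mechanism OID) before the point where a real server would call gss_accept_sec_context(); that step needs the key tab and is not modelled. The sample token is constructed inline with the SPNEGO OID and a placeholder inner payload, so it is enough to show the header exchange and to distinguish a Kerberos token from a raw NTLM one, but it would not pass a real GSSAPI validation.

```python
"""Model the HTTP Negotiate exchange behind curl --negotiate (added example)."""
import base64

# Mechanism OIDs that can appear in a GSS-API initial context token.
MECH_OIDS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS KRB5",
}
KERBEROS_MECHS = set(MECH_OIDS.values())


def _der_length(buf, pos):
    """Decode a DER length starting at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _der_length_bytes(n):
    """Encode n as a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _decode_oid(raw):
    """Decode DER OID content octets to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def encode_gss_token(oid_der, inner):
    """Wrap inner in RFC 2743 3.1 framing: 0x60, length, OID, inner token."""
    body = b"\x06" + _der_length_bytes(len(oid_der)) + oid_der + inner
    return b"\x60" + _der_length_bytes(len(body)) + body


def inspect_gss_token(token):
    """Return (mechanism name, inner token); raise ValueError if malformed."""
    if token.startswith(b"NTLMSSP\x00"):
        raise ValueError("raw NTLM token: the client did not use Kerberos")
    if not token or token[0] != 0x60:
        raise ValueError("not a GSS-API initial context token")
    total, pos = _der_length(token, 1)
    end = pos + total
    if end != len(token) or token[pos] != 0x06:
        raise ValueError("bad framing or missing mechanism OID")
    oid_len, pos = _der_length(token, pos + 1)
    oid = _decode_oid(token[pos:pos + oid_len])
    return MECH_OIDS.get(oid, oid), token[pos + oid_len:end]


def negotiate_header(token):
    """Format a token the way curl sends it in the Authorization header."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def handle_request(headers):
    """Server-side decision for one request; header names are lower-case.

    Returns (status, response headers, note). A real module then passes the
    token to gss_accept_sec_context() and sets REMOTE_USER on success.
    """
    scheme, _, blob = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "negotiate" or not blob:
        # First round trip: challenge. curl --negotiate retries with a token
        # built from the hnelson ticket cache; Basic credentials are ignored.
        return 401, {"WWW-Authenticate": "Negotiate"}, "challenge sent"
    try:
        mech, inner = inspect_gss_token(base64.b64decode(blob, validate=True))
    except (ValueError, IndexError) as exc:  # binascii.Error is a ValueError
        return 400, {}, "rejected token: %s" % exc
    if mech not in KERBEROS_MECHS:
        return 401, {"WWW-Authenticate": "Negotiate"}, "unsupported mechanism " + mech
    return 200, {}, "%s token, %d byte inner context" % (mech, len(inner))


# Constructed sample: SPNEGO OID with a placeholder inner NegTokenInit.
SPNEGO_OID_DER = bytes.fromhex("2b0601050502")
KRB5_OID_DER = bytes.fromhex("2a864886f712010202")
SAMPLE_TOKEN = encode_gss_token(SPNEGO_OID_DER, b"\x00" * 8)

if __name__ == "__main__":
    print(handle_request({}))
    print(handle_request({"authorization": negotiate_header(SAMPLE_TOKEN)}))
    print(handle_request({"authorization": negotiate_header(b"NTLMSSP\x00\x01")}))
```

The NTLM check is the one to remember when a Windows browser fails against this setup: a token that starts with NTLMSSP means the client fell back to NTLM, usually because the site is not in a trusted zone or the service principal name does not match the host name in the URL, and no key tab configuration on the server will make it succeed.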
6.5. Additional resources
- Kerberos Module for Apache (mod_auth_kerb) website.