13.3.3. Configuring Direct AD Integration with GSS-proxy

In the Satellite CLI, configure the direct Active Directory integration with GSS-proxy.

Prerequisite

Procedure

  1. Create the /etc/ipa/ directory and the default.conf file:

    # mkdir /etc/ipa
    # touch /etc/ipa/default.conf
  2. To the default.conf file, add the following content:

    [global]
    server = unused
    realm = EXAMPLE.ORG
  3. Create the /etc/net-keytab.conf file with the following content:

    [global]
    workgroup = EXAMPLE
    realm = EXAMPLE.ORG
    kerberos method = system keytab
    security = ads
  4. Determine the effective user ID of the Apache user:

    # id apache

    Apache user must not have access to the keytab file.

  5. Create the /etc/gssproxy/00-http.conf file with the following content:

    [service/HTTP]
    mechs = krb5
    cred_store = keytab:/etc/krb5.keytab
    cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
    euid = ID_of_Apache_User
  6. Create a keytab entry:

    # KRB5_KTNAME=FILE:/etc/httpd/conf/http.keytab net ads keytab add HTTP -U administrator -d3 -s /etc/net-keytab.conf
    # chown root.apache /etc/httpd/conf/http.keytab
    # chmod 640 /etc/httpd/conf/http.keytab
  7. Enable IPA authenication in Satellite:

    # satellite-installer --foreman-ipa-authentication=true
  8. Start and enable the gssproxy service:

    # systemctl restart gssproxy.service
    # systemctl enable gssproxy.service
  9. Configure the Apache server to use the gssproxy service:

    1. Create the /etc/systemd/system/httpd.service file with the following content:

      .include /lib/systemd/system/httpd.service
      [Service]
      Environment=GSS_USE_PROXY=1
    2. Apply changes to the service:

      # systemctl daemon-reload
  10. Start and enable the httpd service:

    # systemctl restart httpd.service
  11. Verify that SSO is working as expected.

    With a running Apache server, users making HTTP requests against the server are authenticated if the client has a valid Kerberos ticket.

    1. Retrieve the Kerberos ticket of the LDAP user, using the following command:

      # kinit ldapuser
    2. View the Kerberos ticket, using the following command:

      # klist
    3. View output from successful SSO-based authentication, using the following command:

      # curl -k -u : --negotiate https://satellite.example.com/users/extlogin

      This returns the following response:

      <html><body>You are being <a href="https://satellite.example.com/users/4-ldapuserexample-com/edit">redirected</a>.</body></html>