Installation and Maintenance

Kerberos basic configuration

The first step to a single-sign-on solution using Apache authentication and Kerberos is the configuration of the Debian system.
The following benefits can be achieved with such a configuration:

  • Login using the same credentials as in the Kerberos realm (e.g. Microsoft Active Directory ®), as in an LDAP configuration
  • Login with true single sign-on and automatic passing of credentials

Some steps of this configuration can cause problems and malfunctions. In particular, name resolution/DNS, IP networking and the firewall are essential and should be tested properly before the installation of Kerberos. Many websites and documents describe the installation and troubleshooting of Kerberos for Apache; some (used for my installation) are:

For your Debian system, first install the Kerberos components:

apt-get install krb5-config krb5-clients krb5-user

Kerberos servers and clients must use synchronized time to function properly (usually the time difference must not exceed 5 minutes), so install and configure ntp:

apt-get install ntpdate

Using ntpdate, you can synchronize the clock of your ILIAS server with the Kerberos server. The following shell script gets the time from the server and writes some information for debugging:

#! /bin/bash
# Record the local time before and after the sync in timesync.log, so a
# growing offset between the two date lines shows up when run from cron.
date > timesync.log
# Step the local clock from the Kerberos server (here glasgow.verbund.local);
# ntpdate's own output and errors go into the same log.
ntpdate glasgow.verbund.local >> timesync.log 2>&1
date >> timesync.log

After manual testing of this script, you can have cron run this job regularly with a crontab entry, e.g.

*/5 * * * * root /root/timesync

In my installation timesync is stored in /root, and I included the line above in /etc/crontab.

The Kerberos configuration is kept in the file /etc/krb5.conf. Edit this file according to the settings below.
Take care, Kerberos realm names are case sensitive!
To cooperate with Microsoft Active Directory ®, proper default encryption types are required (the default_tgs_enctypes and default_tkt_enctypes entries), otherwise the automatic login of the Apache service to Kerberos may fail.
Since clients can find the KDC and other servers via DNS in the Microsoft ® environment, the realms section may even be omitted completely. The entries shown in the example are commented out. Use these settings if you suspect DNS problems or if you use other Kerberos implementations.

[libdefaults]
default_realm = VERBUND.LOCAL
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
default_keytab_name = FILE:/etc/apache2/auth_kerb.keytab
fcc-mit-ticketflags = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac

[domain_realm]
.verbund.local = VERBUND.LOCAL
verbund.local = VERBUND.LOCAL

For a first test, after editing krb5.conf, log in to Kerberos with user credentials:

kinit Username@VERBUND.LOCAL

There may be some minor error messages when running this command. If the configuration is correct, the use of "@REALM" should not be necessary.
The following command should show a valid ticket from the Kerberos service:

klist

Delete this ticket:

kdestroy

In case of errors or failure to obtain a valid ticket, check:

  • Typos in krb5.conf
  • Use of UPPERCASE for REALMS in krb5.conf as shown in the example file
  • The clocks of the Kerberos server and the Debian system
  • IP addresses and name resolution (make sure the name resolution is done by an A record, not a CNAME!)

The basic installation and configuration of Kerberos is ready now.

Additionally, the Kerberos authentication can be extended to support multiple realms. For that purpose, krb5.conf needs a realms section for the default realm with the following entries:
 
[realms]
VERBUND.LOCAL= {
auth_to_local = RULE:[1:$1@$0](.*@.*SECOND.REALM)s/@.*//
auth_to_local = DEFAULT
}
 
This entry tells Apache how to strip the realm names from the usernames (depending on the Apache site configuration). The [domain_realm] section must be extended for the domain-name-to-REALM translation, too.
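To see what these rules do to a principal before relying on them in Apache, here is an added Python evaluator for the subset of the MIT auth_to_local RULE syntax used above (example code written for this page, not part of krb5 or of the original article). The default realm VERBUND.LOCAL comes from the configuration above; SECOND.REALM and the sample principals are constructed.

```python
import re

DEFAULT_REALM = "VERBUND.LOCAL"  # as in the krb5.conf above

# The auth_to_local rules from the [realms] section, in the order krb5 tries them.
RULES = [
    "RULE:[1:$1@$0](.*@.*SECOND.REALM)s/@.*//",
    "DEFAULT",
]

# RULE:[n:format](regexp)s/pattern/replacement/[g] ... (the subset used on this page)
_RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(.*)")
_SUBST_RE = re.compile(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)")


def apply_rule(rule, principal):
    """Return the local name one rule yields for principal, or None if it does not apply."""
    name, _, realm = principal.rpartition("@")
    components = name.split("/")
    if rule == "DEFAULT":
        # DEFAULT only maps single-component principals of the default realm.
        return components[0] if realm == DEFAULT_REALM and len(components) == 1 else None
    m = _RULE_RE.fullmatch(rule)
    if not m:
        raise ValueError("unsupported rule: " + rule)
    ncomp, fmt, regexp, substs = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    if len(components) != ncomp:  # [n:...] applies only to n-component principals
        return None
    # $0 expands to the realm, $1..$n to the principal components.
    values = {"0": realm, **{str(i + 1): c for i, c in enumerate(components)}}
    formatted = re.sub(r"\$(\d)", lambda v: values.get(v.group(1), ""), fmt)
    # The regexp must match the whole formatted string, otherwise the rule is skipped.
    # The dots in SECOND.REALM are unescaped, so each of them matches any character.
    if regexp is not None and not re.fullmatch(regexp, formatted):
        return None
    for pattern, repl, flag in _SUBST_RE.findall(substs):
        formatted = re.sub(pattern, repl, formatted, count=0 if flag else 1)
    return formatted


def auth_to_local(principal, rules=RULES):
    """Map a Kerberos principal to a local user name; None means no rule matched."""
    for rule in rules:
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None
```

Note that alice@SECOND.REALM and alice@VERBUND.LOCAL both map to the local user alice, so a second realm admitted this way must be trusted to the same degree as the default realm.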
