Installation and Maintenance

Generate Keytables using Samba

An easy way to create the keytab file and the required objects in the Kerberos database is to use Samba.
 
The process described here creates a machine account in Microsoft Active Directory ®. The advantage of this approach is that the account cannot be misused for user logins and its password cannot be changed accidentally.
 
Make sure Samba is installed on your ILIAS server:

apt-get install samba

To create a machine account, Samba needs to know the realm and the names to use; these are set in the file /etc/samba/smb.conf.
The file below shows a (complete) configuration for accessing Microsoft Active Directory ®. If you also wish to use Samba for file and printer shares, further configuration lines are necessary. These are not covered here.

[global]

workgroup = VERBUND
encrypt passwords = yes
netbios name = ilias
realm = VERBUND.LOCAL
security = ADS

After editing this file, Samba must be restarted or reloaded:

service smbd restart

Now a machine account must be created in the Microsoft Active Directory ® database:

net ads join -U username

For easier testing of the authentication, the command

net ads join -U username createupn=HTTP/server-fqdn@REALM

(with your server's fully qualified DNS name and your realm name, of course) can be used instead. With that you can test the ticket request from your ILIAS server's terminal after the keytab has been created.

This command prompts for the password of the user account. The user account needs the privileges necessary to create a computer account in the database (e.g. account operator, domain admin).
The command should report a message about the successful creation of a new account. If this message doesn't appear, check (again):

  • DNS and Networking
  • Entries in the /etc/hosts file
  • Kerberos Basic configuration
  • Time settings
Now a Kerberos keytab can be generated and extended for the SPN needed:

net ads keytab create -U Benutzername
net ads keytab add HTTP -U Benutzername

On my systems the file /etc/krb5.keytab was created. Copy or move this file to your Apache directory and set ownership and mode.
Since the keytab file contains a complete set of credentials for communicating with the Kerberos database, the file must be secured like a certificate file containing private keys. Make absolutely sure that the file (and any copies) are not world-readable!
The "net ads keytab create" command creates some key entries in the keytab, but is not strictly necessary. If the keytab file doesn't exist, the second command creates it automatically. If the keytab already contains some keys, the "add" command leaves these untouched.

cp /etc/krb5.keytab /etc/apache2/auth_kerb.keytab
chmod 440 /etc/apache2/auth_kerb.keytab
chown www-data:www-data /etc/apache2/auth_kerb.keytab

You can check the file using the commands kinit, ktutil and kvno. Some minor errors may occur, but at least ktutil should show a list of SPNs and kvnos.
 
klist -ke should list the kvnos, service names and encryption types in the keytab.
 
A full test of the keytab requires a valid ticket, which can be requested using kinit. To do this successfully, a userPrincipalName (UPN) has to be added to the computer object. This can be done using "Active Directory Users and Computers" (on 2008 servers and newer) or "ADSI Edit" (2003 versions). Add a userPrincipalName like HTTP/yourserver.yourdomain@REALM and run
 
kinit -k UserPrincipalName on the ILIAS server.
 
klist should now show a Kerberos ticket. Don't forget to kdestroy this ticket afterwards.
 
If you added the UPN during the net ads join (see above), you don't need additional configurations for this to work.
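The permission check and the kinit/klist/kdestroy round trip described above, wrapped into two small shell functions. This is an added example, not part of the ILIAS documentation; it assumes Linux with GNU coreutils (stat -c) and MIT Kerberos client tools, and the keytab path and UPN are passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the ILIAS docs): sanity checks for the keytab that was
# copied to the Apache directory. Assumes GNU stat and MIT Kerberos tools.

# keytab_mode_ok FILE: succeed only if FILE exists, is not world-readable/writable
# and is at most readable by its group (0440 as used in the docs passes).
keytab_mode_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f") || return 1
    others=${mode#"${mode%?}"}           # last octal digit: "others" bits
    rest=${mode%?}
    group=${rest#"${rest%?}"}            # second to last digit: "group" bits
    [ "$others" = "0" ] || return 1
    case "$group" in
        0|4) return 0 ;;                 # group may read, never write/execute
        *)   return 1 ;;
    esac
}

# keytab_owner_is FILE USER: succeed if FILE is owned by USER (e.g. www-data).
keytab_owner_is() {
    [ "$(stat -c '%U' "$1" 2>/dev/null)" = "$2" ]
}

# keytab_verify FILE UPN: list the entries, request a ticket for UPN from the
# keytab into a private credential cache, show it and destroy it again.
keytab_verify() {
    f="$1"; upn="$2"
    keytab_mode_ok "$f" || { echo "insecure mode on $f" >&2; return 1; }
    keytab_owner_is "$f" www-data || echo "warning: $f not owned by www-data" >&2
    klist -ke "$f" || return 1
    KRB5CCNAME="FILE:/tmp/keytab-check.$$"; export KRB5CCNAME
    kinit -k -t "$f" "$upn" || return 1
    klist
    kdestroy
}

# Usage: sh keytab-check.sh /etc/apache2/auth_kerb.keytab HTTP/server-fqdn@REALM
if [ $# -eq 2 ]; then
    keytab_verify "$1" "$2"
fi
```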
 
Now the Apache site can be configured to use Kerberos login.
