mooby's blog - kerberos

apache vhost and kerberos authentification

blindaue — Fri, 10 Nov 2006 10:20:31 +0000

Using kerberos (Active Directory or classical Unix kerberos) is easy to deply for transparent authentication of users, with apache: The mod_auth_kreb do most of the job. But using vhost, some problems arise....

first, the module complain against "failed to verify krb5 credentials: Server not found in Kerberos database"

I've tried to use adsiedit on a DC, and add HTTP/vhost.domain.com as another servicePrincipalName for the mapped user which already contain the SPN for the real host.
The next error which raise up is "gss_acquire_cred() failed: Miscellaneous failure (No principal in keytab matches desired name)"
This is normal, your keytab hasn't been updated to contain the new SPN. But It seems that ktpass.exe cannot export two principals in a keytab, nor, using ktutil on linux to get two keytab in ony works, as the kvno is increased. The question is: Does windows really use the servicePrincipalName or does it use userPrincipalName? The doc says that only one mapping can be done, so I think it uses the UPN...

So there is no way to use vhost as easely. You have to use another dummy account, and map HTTP/dummyuser2 to the vhost, and store two keytab on apache...

What jabber server for kerberos integration ?

blindaue — Sat, 19 Aug 2006 17:40:20 +0000

It seems that the only server which support real kerberos authentication ...

... is wildfire. And it is GPL. Now, you wil need a kerberos-capable client, and pandion or spark are the two interesting clients. For a setup I found this page, which I'll test this week probably

kadmin and Active Directory, Microsoft Interoperability

blindaue — Fri, 07 Jul 2006 16:13:11 +0000

I was missing the kadmin equivalent MIT kerberos, under Active Directory...

but I've found one! Certified Security Solutions have a tool named css_adkadmin which does exactly what you want!

One other information: Microsoft is making some documentation about interoperability with theirs systems, and with open source tools too. Have a look at the two first documentations

what's next for nfs v4 and AD?

blindaue — Sat, 17 Jun 2006 08:44:19 +0000

In the effort to easily deploy nfs v4 with AD, here my following steps

Take a computer, alone just installed :)!!

install samba and kerberos
urpmi samba-client samba-winbind krb5-workstation pam_krb5
configure
1. /etc/samba/smb.conf:
  workgroup = DPTINFO
  realm = DPTINFO.URS.LOCAL
  security = ads
  password server = *
  use kerberos keytab = yes
2. /etc/krb5.conf:
  [libdefaults
  default_realm = DPTINFO.URS.LOCAL
  [realms
  DPTINFO.URS.LOCAL = {
  kdc = myad.u-strasbg.fr:88
  admin_server = myad.u-strasbg.fr:749
  default_domain = u-strasbg.fr
  }
  [domain_realm
  .u-strasbg.fr = DPTINFO.URS.LOCAL
Join the AD domain:
1. Do it:
  $ su -
  Password: ******
  # kinit Administrator
  Password for Administrator@DPTINFO.URS.LOCAL: ******
  # net ads join
  #
2. Verify :
  # net ads status
  ... Lot of stuff...
  You should see several //servicePrincipalName//, with HOST/FQDN, HOST/hostname, CIFS/FQDN and CIFS/hostname. If your domain name (DNS) isn't your REALM (AD), you should see two FQDN, I see for my example: HOST/ibis.u-strasbg.fr and HOST/ibis.dptinfo.urs.local
On a DC computer with installed supports tools, verify that your linux box is ready, in a cmd.exe box:
$ setspn -L ibis
HOST/ibis.u-strasbg.fr
HOST/ibis
HOST/ibis.dptinfo.urs.local
CIFS/ibis.u-strasbg.fr
CIFS/ibis
CIFS/ibis.dptinfo.urs.local
Add the SPN for nfs:
$ setspn -A nfs/ibis ibis
Registering ServicePrincipalNames for CN=ibis,CN=Computers,DC=DPTINFO,DC=URS,DC=LOCAL
nfs/ibis.u-strasbg.fr
Updated object
(add nfs/fqdn too)
You can verify with setspn -L ibis that the SPN has been added
Try to you your new SPN on the linux box:
# kvno nfs/ibis.u-strasbg.fr
nfs/ibis.u-strasbg.fr@DPTINFO.URS.LOCAL: kvno = 0
and after that, verify that the ticket is valid:
# klist |grep nfs
06/17/06 06:48:07 06/17/06 13:09:35 nfs/ibis.u-strasbg.fr@DPTINFO.URS.LOCAL

Here come the problem: it seems that we can't use this SPN for rpc.gssd. What seems to be more confusing is that the keytab which can be generated on windows doesn't seem to be valid:

# kinit -k
kinit(v5): Client not found in Kerberos database while getting initial credentials

# klist -k -e
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
--
1 nfs/ibis.u-strasbg.fr@DPTINFO.URS.LOCAL (DES cbc mode with CRC-32)

Authentification: logguer

blindaue — Mon, 22 May 2006 09:13:33 +0000

Plus facile à chercher qu'à trouver: l'equivalent du bonvieux /var/log/auth.log sous Windows 2K/2K3

Comment logguer les evenements lié au login, reussi ou pas, avec les differents types d'erreur:

http://support.microsoft.com/kb/326985/en-us