Using Kerberos authentication in apache httpd
If you have a Kerberos or Active Directory installation, you might want to use Kerberos for apache httpd authentication and single sign-on. This howto assumes you either have a running Kerberos server or use the winbindd Active Directory integration described in TipsAndTricks/WinbindADS.
This howto is for CentOS 5 only. CentOS 4 needs slightly different options in the httpd config.
1. Keytab
In order to use Kerberos authentication in apache httpd, you need a service principal entry in the keytab file on the machine running apache httpd. All descriptions here use the global keytab file /etc/krb5.keytab. For security reasons you might want to use one keytab file per service, so that service A cannot read the keytab information of service B. The default service name used for the principal by the apache httpd Kerberos module is HTTP.
1.1. vanilla kerberos
To add a service principal using kadmin, start kadmin on the machine running apache httpd and use the command:
ktadd HTTP/$HOST@$REALM
Here $HOST is the FQDN of the machine and $REALM is your Kerberos realm. If you intend to use a different service name, replace HTTP as well.
1.2. winbindd
If you use winbindd, use the following commands to create the keytab and add the service principal to your keytab:
net ads keytab create
net ads keytab add HTTP
Afterwards you can check your keytab by issuing the command:
klist -k
It should list at least 2 lines with the principals for host/$HOST@$REALM and HTTP/$HOST@$REALM.
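The keytab check above and the per-service keytab suggestion from section 1 can be scripted. The following is an added example, not part of the original howto: the host name www.example.com, the realm EXAMPLE.COM, the function names and the sample listing are all constructed for illustration.

```shell
#!/bin/sh
# Added example: checks on a keytab before pointing Krb5Keytab at it.
# Host name, realm and function names are assumptions for illustration.

# Constructed sample of plain `klist -k` output (one row per stored key).
sample_klist() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   2 host/www.example.com@EXAMPLE.COM
   2 HTTP/www.example.com@EXAMPLE.COM
   2 HTTP/www.example.com@EXAMPLE.COM
EOF
}

# Principals from `klist -k` output on stdin, de-duplicated.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 2 { print $2 }' | sort -u
}

# Succeeds only if the listing on stdin has exactly the principal $1.
has_principal() {
    keytab_principals | grep -Fqx -- "$1"
}

# Prints principals whose service name is not $1. A per-service keytab
# should print nothing here.
foreign_principals() {
    keytab_principals | awk -F/ -v svc="$1" '$1 != svc'
}

# Succeeds if the file $1 grants no permission bits to "other".
keytab_not_world_accessible() {
    [ "$(ls -ld -- "$1" 2>/dev/null | cut -c8-10)" = "---" ]
}

# Demo on the constructed listing.
if sample_klist | has_principal "HTTP/www.example.com@EXAMPLE.COM"; then
    echo "HTTP service principal present"
fi
echo "principals of other services in this keytab:"
sample_klist | foreign_principals HTTP
```

On a real machine, pipe the output of klist -k into these functions instead of the sample listing.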
2. Configuring apache httpd
In addition to the krb5-workstation package, you will need the package mod_auth_kerb. Once it is installed, you can configure authentication in an appropriate apache httpd stanza (<Directory> or <Location>). The configuration looks like this:
<Location />
    AuthName "Restricted Access"
    AuthType Kerberos
    Krb5Keytab /etc/krb5.keytab
    KrbAuthRealms $REALM
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    require valid-user
</Location>
Obviously you have to replace $REALM with your Kerberos realm. KrbMethodK5Passwd has to be set to On for password fallback when the server is accessed from a non-Kerberos system. With this fallback the module asks for the user's Kerberos password using HTTP Basic authentication, so the password is only protected in transit if the location is served over HTTPS.
3. Single Sign On
3.1. Internet Explorer
Internet Explorer will automatically try Kerberos logon if the Kerberos realm is your Active Directory domain.
3.2. Firefox
In Firefox, enter about:config in the address bar and edit the entry network.negotiate-auth.trusted-uris. As the value, enter the hostname of the apache httpd server, or .domain.tld to allow Kerberos for all servers in the domain.
4. Debugging
In case things are not working, check that you have a valid Kerberos ticket on the client using klist. Turn on debug logging on the apache httpd server by setting LogLevel to debug; the output can be found in the apache httpd error log files.