Centos 6 Apache Kerberos AD SSO

May 21, 2013 at 7:22 pm

I recently set up a RHEL / CentOS 6 Apache webserver at work that integrates with Active Directory (AD) and Kerberos to provide a single sign-on (SSO) web resource.  This took me a lot more time than I expected, because the tutorials I was reading were either wrong or did not apply to my situation.  I am outlining the steps I took below to help others who want a similar setup.

For my setup, I also added the Red Hat VM to the Windows 2008 R2 Active Directory domain.  You may choose not to do this, but then your steps may differ from what I outline here.  I have NOT set up any UNIX schema in Active Directory or installed any 3rd-party software on the domain controllers; the AD schema is as it comes out of the box (for the purposes of this article).

Please note, this tutorial assumes you have root privileges and that SELinux is NOT in enforcing mode.

Packages

Here are the packages I installed during this process.  I am not 100% sure they are all required, but I'm pretty sure they are ;)  Feel free to test.  This setup is currently in testing; if I move it to production, I will definitely outline which packages are actually required.

  • httpd-2.2.15-15.el6_2.1.x86_64
  • mod_auth_kerb-5.4-9.el6.x86_64
  • mod_authz_ldap-0.26-15.el6.x86_64
  • openldap-clients-2.4.23-26.el6_3.2.x86_64
  • openldap-2.4.23-26.el6_3.2.x86_64
  • samba-winbind-clients-3.5.10-125.el6.x86_64
  • samba-client-3.5.10-125.el6.x86_64
  • samba-common-3.5.10-125.el6.x86_64
  • samba-winbind-3.5.10-125.el6.x86_64
  • samba-3.5.10-125.el6.x86_64
  • krb5-libs
  • pam_krb5
  • krb5-workstation

Step 1

After all of our packages are installed, we need to update the [global] section of /etc/samba/smb.conf:

client ntlmv2 auth = yes
client use spnego principal = no
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab

The first two lines are for Network Level Authentication, which is the more secure / modern way of connecting to Windows 2008 server systems.  This is required for adding the webserver to the domain.  If your domain does not implement NTLMv2 authentication, you should probably leave these lines out.

The last two lines designate a keytab file for Kerberos.  I'm not 100% sure this step is required, or is the best setup, but it seems to work.

Also, we want to add the following to /etc/openldap/ldap.conf:

REFERRALS off

This is required so that our LDAP searches ignore referral results; those searches are how Apache determines whether a user is authorized or not.

Step 2

Next, let's add our system to Active Directory using the authconfig-tui command.  Be mindful of the choices and how they may affect your setup.  Naturally, you must have a domain account that has permission to add hosts.  Also, DNS must be set up properly on your CentOS / RHEL 6 machine.

Options:
  1. User Information
    1. Use Winbind
  2. Authentication
    1. Use Shadow Passwords
    2. Use Winbind Authentication
    3. Local Authorization is sufficient
  3. Security Model: ads
  4. Domain: EXAMPLE
  5. Domain Controllers: DC1.EXAMPLE.COM
  6. ADS Realm: EXAMPLE.COM
  7. Template Shell: /sbin/nologin
  8. Select Join Domain
    1. Enter just username, no domain
    2. Enter Password
    3. Save
    4. Select OK

You can and should enter more than one domain controller if available.  Unlike a Windows machine, Linux will only use whichever domain controller(s) you specify.  Please note the ALL CAPS for steps 4-6.

After the machine has been added to the domain, run the following command to tell winbind to use our default domain for identifying / authenticating AD users:

authconfig --update --enablewinbindusedefaultdomain

Step 3

Set up a Kerberos keytab for Apache's user.

Here's the deal:  Apache needs an AD user that has read access to the directory structure in order to use the LDAP search function to limit users by ID or group (or whatever else).  So, we must set up a new (or use an existing) user in AD.  I'm going to leave that part up to you to figure out, as I write Linux tutorials, not Windows ;).  Anyway, note the new username and password.

Now, we need to get a Kerberos ticket for our AD user:

kinit mydomainuser

Next, create the keytab entry:

net ads keytab add HTTP -U mydomainuser

And finally, let's give our apache user read privileges on our keytab file:

chmod g+r /etc/krb5.keytab && chgrp apache /etc/krb5.keytab
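Before moving on to Apache, it is worth checking that the keytab really contains what mod_auth_kerb will look for.  The helper below is an added example, not part of the original post: it inspects the output of klist -kt and the file's mode/group.  The host name web01.example.com, the realm and the sample klist output are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity checks for the keytab
# from Step 3.  The host name, realm and klist output are constructed.

# has_http_spn KLIST_OUTPUT HOST REALM
# Succeeds only if the output of `klist -kt /etc/krb5.keytab` (passed in $1)
# lists HTTP/HOST@REALM.  The browser asks the KDC for a ticket for
# HTTP/<host name in the URL>, so HOST must be that name, and the realm is
# matched case-sensitively because Kerberos realms are upper case.  A missing
# entry is what Apache logs as "Server not found in Kerberos database".
has_http_spn() {
    printf '%s\n' "$1" | grep -q " HTTP/$2@$3\$"
}

# http_kvno KLIST_OUTPUT HOST REALM: print the key version number stored for
# HTTP/HOST@REALM.  Compare it with what `kvno HTTP/HOST@REALM` reports on a
# machine holding a ticket; if AD's number is higher (computer password reset,
# host rejoined) the keytab is stale and must be recreated.
http_kvno() {
    printf '%s\n' "$1" | awk -v p="HTTP/$2@$3" '$NF == p { print $1; exit }'
}

# keytab_perms_ok MODE GROUP
# Checks the values `stat -c '%a %G' /etc/krb5.keytab` would print: the group
# must be apache with read access, and "other" must have no access, since the
# file holds the service's long-term keys.
keytab_perms_ok() {
    mode=$1 group=$2
    oth=${mode#"${mode%?}"}               # last octal digit
    rest=${mode%?}
    grp=${rest#"${rest%?}"}               # second-to-last octal digit
    [ "$group" = apache ] && [ $(( grp & 4 )) -ne 0 ] && [ "$oth" -eq 0 ]
}

# Constructed sample of `klist -kt /etc/krb5.keytab` output.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 05/21/13 19:22:01 host/web01.example.com@EXAMPLE.COM
   2 05/21/13 19:22:01 HTTP/web01.example.com@EXAMPLE.COM'

# Real use: has_http_spn "$(klist -kt /etc/krb5.keytab)" "$(hostname -f)" EXAMPLE.COM
if has_http_spn "$SAMPLE_KLIST" web01.example.com EXAMPLE.COM; then
    echo "HTTP SPN present, kvno $(http_kvno "$SAMPLE_KLIST" web01.example.com EXAMPLE.COM)"
fi
keytab_perms_ok 640 apache && echo "keytab permissions ok"
```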

Step 4

Finally, it's time to set up our Apache config.  This is the trickiest part, and may take some patience to get nailed down correctly.

Add the following to a VirtualHost or your default config for Apache:

LogLevel debug
 <Directory />
 AuthType Kerberos
 KrbMethodNegotiate On
 AuthName "EXAMPLE.COM Domain Login"
 KrbMethodK5Passwd On
 KrbAuthRealms EXAMPLE.COM
 Krb5KeyTab /etc/krb5.keytab
 KrbLocalUserMapping on
 require valid-user

 AuthLDAPURL "ldap://dc1.example.com/dc=example,dc=com?sAMAccountName?sub?(objectClass=*)"
 AuthLDAPBindDN mydomainuser@example.com
 AuthLDAPBindPassword myPassW0rd
 require ldap-group CN=Domain Users,CN=Users,DC=example,DC=com
 </Directory>

Okay, a little about this section.  The first line, LogLevel debug, is an Apache directive that gives us more useful information in our error log for troubleshooting.  I recommend using it, as it will tell you where the problem may be during this ironing-out process.

Next, the Directory / line in angle brackets tells Apache which directory our authentication statements apply to.  "/" is equal to the document root of the webserver (by default /var/www/html) or of the virtual host.

The next section is our Kerberos section.  These are the settings for EXAMPLE.COM (note the CAPS).  Of special note, the KrbLocalUserMapping on line tells Apache that we're going to trim the @EXAMPLE.COM portion of the name Kerberos gives us, which is important for the next section.

Finally, we have our LDAP section.  This is where things get sticky.  The first line is our LDAP search string.  Here, we're connecting to our domain controller and searching for sAMAccountName in the specified location.  To the best of my knowledge, sAMAccountName is what our Kerberos section above gives us.

The next two lines should be self-explanatory.

The last line tells Apache that we require a group from the LDAP search output.  In our example, we want only users that are part of the "Domain Users" group to be able to access the webpage.  This can be any group, but it must be the exact DN from AD.  Note, spaces don't seem to affect this line.  How do you get this line?  Well, that's the tricky part.

I recommend using the following command:

ldapsearch -H ldap://dc1.example.com -b "dc=example,dc=com" -W "domain users" > /root/ldapsearch.out

The console will appear to just sit there after you enter that command, but it's actually waiting for the password of the domain user we requested the ticket for earlier.  After you enter your password, press return.  The search should return all objects that have a reference to domain users.  Then, you should be able to search the output (using vi or less) for Domain Users, using the '/' key :)
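Reading the DN out of that file by eye is error-prone, because ldapsearch writes LDIF and folds long lines.  The helper below is an added example, not part of the original post: it unfolds the LDIF and prints the exact DN of the group whose cn you name, ready to paste into require ldap-group.  The sample output, domain and group names are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post.  ldapsearch folds lines
# longer than 76 columns (a continuation line starts with one space) and AD
# DNs are long, so grepping for "dn:" often shows only the first fragment.
# Values that are not plain text are printed base64-encoded after "dn::".

# unfold_ldif: join LDIF continuation lines back onto their attribute line.
unfold_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }   # continuation line
        { if (NR > 1) print buf; buf = $0 }
        END  { print buf }
    '
}

# group_dn NAME: read LDIF on stdin and print the dn of every entry whose cn
# equals NAME (case-insensitive, which is how AD compares names).
group_dn() {
    unfold_ldif | awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^dn:: / { dn = "B64:" substr($0, 6) }   # base64-encoded DN
        /^dn: /  { dn = substr($0, 5) }
        /^cn: /  { if (tolower(substr($0, 5)) == want) print dn }
        /^$/     { dn = "" }                      # blank line ends an entry
    ' | while IFS= read -r line; do
        case "$line" in
            B64:*) printf '%s' "${line#B64:}" | base64 -d; echo ;;
            *)     printf '%s\n' "$line" ;;
        esac
    done
}

# Constructed sample of ldapsearch output (the "# ref" line is the kind of
# referral that "REFERRALS off" in ldap.conf suppresses).
SAMPLE_LDIF='# extended LDIF
dn: CN=Domain Users,CN=Users,DC=example,DC=co
 m
cn: Domain Users
sAMAccountName: Domain Users

dn:: Q049V2ViIEFkbWlucyxEQz1leGFtcGxlLERDPWNvbQ==
cn: Web Admins

# refldap://ForestDnsZones.example.com/DC=ForestDnsZones,DC=example,DC=com

result: 0 Success'

# Real use: ldapsearch -H ldap://dc1.example.com -D user@example.com -W \
#              -b dc=example,dc=com "(cn=Domain Users)" | group_dn "Domain Users"
printf '%s\n' "$SAMPLE_LDIF" | group_dn "Domain Users"
```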

Want to have Apache use LDAP over TLS?  Check here:  http://people.adams.edu/~cdmiller/posts/Apache2-mod-authnz-ldap-TLS/

Sources:

Big thank you to the following pages that I used to sort through this madness:

http://blogs.freebsdish.org/tmclaugh/2010/07/15/mod_auth_kerb-ad-and-ldap-authorization/

http://www.tuxevara.de/2012/06/apache-authnz_ldap-and-active-directory/

http://www.microhowto.info/howto/configure_apache_to_use_kerberos_authentication.html

http://acksyn.org/?p=460

http://sl.mvps.org/docs/LinuxApacheKerberosAD.htm

Resources:

http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-install/The-Keytab-File.html

http://kb.iu.edu/data/aumh.html


  • Marcel

    Hi Mike,

    really nice howto! Thanks a lot. I’m trying to SSO OTRS.

    This command
    ldapsearch -H ldap://dc1.example.com -b "dc=example,dc=com" -W "domain users"
    didn’t bring a result.

    ldapsearch -H dc01.domain.local -b "dc=domain,dc=local" -W "domain users"
    Enter LDAP Password:
    SASL/EXTERNAL authentication started
    ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
    additional info: SASL(-4): no mechanism available:

    If I add a
    -D ldapuser@domain.local
    this query will work.

    Is this a problem for using SSO on apache?

    • Mike (http://www.zipref.com)

      I may have simply omitted that switch from the command. It shouldn't affect the Apache setup because you specifically declare which user you're binding as: "AuthLDAPBindDN mydomainuser@example.com"

  • Sulman

    Hi Mike,
    It was a great write-up which helped me to set up my CentOS with Win2008R2 AD, but I am having a problem with my Drupal site with the following setup under httpd.conf: when I enter your said information it gives me a 500 internal error, and when I take it out it brings up the login page. When I run klist in CentOS it shows me the following result:
    [root@centos ~]# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: user1@EXAMPLE.ORG.LOCAL
    Valid starting Expires Service principal
    01/03/14 12:17:17 01/03/14 22:21:20 krbtgt/EXAMPLE.ORG.LOCAL@EXAMPLE.ORG.LOCAL
    renew until 01/10/14 12:17:17
    01/03/14 12:42:45 01/03/14 22:21:20 ldap/dc1.example.org.local@EXAMPLE.ORG.LOCAL
    renew until 01/10/14 12:17:17
    [root@centos ~]#
    Having said that, I don't have the LDAP_integration and LDAP_SSO modules installed and configured in Drupal 6.
    Can you please be kind enough to assist me to resolve this.
    *************************************************************************
    NameVirtualHost *:80
    DocumentRoot /var/www/html
    ServerName centos.example.org.local
    RewriteEngine On
    RewriteOptions
    DocumentRoot /var/www/sulman
    ServerName sulman.example.org.uk
    RewriteEngine On
    RewriteOptions Inherit
    ErrorLog /var/www/sulman/error.log
    CustomLog /var/www/sulman/requests.log common
    LogLevel debug
    AuthType Kerberos
    KrbMethodNegotiate On
    AuthName "EXAMPLE.ORG.LOCAL Domain Login"
    KrbMethodK5Passwd On
    KrbAuthRealms EXAMPLE.ORG.LOCAL
    Krb5KeyTab /etc/krb5.keytab
    KrbLocalUserMapping on
    require valid-user
    AuthLDAPURL "ldap://dc1.example.org.local:389/CN=Configuration,DC=example,DC=org,DC=local?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN user1@example.org.local
    AuthLDAPBindPassword p4SSw0RD
    require ldap-group CN=USER,OU=EXAMPLE OU,DC=EXAMPLE,DC=org,DC=local
    *********************************************************************

    • Mike (http://www.zipref.com)

      Those lines should not be entered into your httpd.conf file. Ideally, they would be entered in a .conf file in /etc/httpd/conf.d/

      Also, please note that you have to include the statement. That tells Apache which directories for your virtual host you want behind the LDAP/KRB authentication.

      You might try just commenting out the last four lines (LDAP stuff) to test to see if Kerberos only login is working first. That will tell you whether or not you have successfully registered and created an SPN for Kerberos.

      Definitely check your error logs for apache. Lots of useful information can be found there.

      • sulman

        Hi Mike,
        Much appreciated for your response to my post. I am a fresh newbie on CentOS and learning from scratch, so please bear with me.
        Do I have to create a new file under /etc/httpd/conf.d for step 4, or choose from the already existing .conf files under conf.d (auth_kerb, authz_ldap, manual, perl, php, ssl, webalizer, welcome, wsgi)?

        I am sure I'll have more questions to ask but want to take one step forward with your great assistance.
        Many thanks.

        • sulman

          OK, I guess I need to enter the info under /etc/httpd/conf.d/auth_kerb.conf. Please correct me if I am wrong, but how do I define this:
          "include the statement that tells Apache which directories for your virtual host you want behind the LDAP/KRB authentication"

          regards

          • Sulman

            Mike,
            Here's the outcome after adding STEP 4 under /etc/httpd/conf.d/auth_kerb.conf:
            [root@CentOS ~]# tail /var/www/sulman/error.log /var/log/httpd/error_log
            ==> /var/www/sulman/error.log /var/log/httpd/error_log <==
            [Tue Jan 14 12:35:32 2014] [warn-phpd] The ionCube PHP Loader is disabled because of startup problems. (pid 9703)
            [Tue Jan 14 13:04:57 2014] [notice] caught SIGTERM, shutting down
            [Tue Jan 14 12:35:32 2014] [warn-phpd] The ionCube PHP Loader is disabled because of startup problems. (pid 9703)
            [Tue Jan 14 13:04:58 2014] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
            [Tue Jan 14 13:04:58 2014] [notice] Digest: generating secret for digest authentication …
            [Tue Jan 14 13:04:58 2014] [notice] Digest: done
            PHP Warning: Module 'apc' already loaded in Unknown on line 0
            PHP Warning: Module 'ldap' already loaded in Unknown on line 0
            PHP Warning: Module 'ionCube Loader' already loaded in Unknown on line 0
            [Tue Jan 14 13:04:58 2014] [notice] Apache/2.2.15 (Unix) DAV/2 mod_auth_kerb/5.4 PHP/5.3.3 mod_ssl/2.2.15 OpenSSL/1.0.0-fips mod_wsgi/3.2 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1 configured — resuming normal operations

  • Sulman

    When I make some changes under /etc/httpd/conf.d/auth_kerb.conf:
    #LogLevel debug
    #

    AuthType Kerberos
    KrbMethodNegotiate On
    AuthName "SULMAN.ORG.LOCAL Domain Login"
    # AuthName "Kerberos Login"
    # KrbMethodK5Passwd On
    KrbMethodNegotiate Off
    KrbAuthRealms SULMAN.ORG.LOCAL
    Krb5KeyTab /etc/krb5.keytab
    KrbLocalUserMapping on
    require valid-user

    AuthLDAPURL "ldap://dc01.sulman.org.local:389/CN=Configuration,dc=sulman,dc=org,dc=local?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN user1@sulman.org.local
    AuthLDAPBindPassword P4ssw0rd
    require ldap-group CN=Users,DC=sulman,DC=org,DC=local
    #

    When I go to the link test.sulman.org.uk, it prompts me with a Windows Security pop-up window:
    "The server test.sulman.org.uk at SULMAN.ORG.LOCAL Domain Login requires a username and password.
    Warning: This server is requesting that your username and password be sent in an insecure manner (basic authentication without a secure connection)."
    The username is already filled with user1@SULMAN.ORG.LOCAL, but when I enter the domain password for this user it gives me a 401 error message: "This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required."

    If I do the following:

    #LogLevel debug
    #

    AuthType Kerberos
    # KrbMethodNegotiate On
    # AuthName "SULMAN.ORG.LOCAL Domain Login"
    AuthName "Kerberos Login"
    KrbMethodK5Passwd Off
    KrbMethodNegotiate Off
    KrbAuthRealms SULMAN.ORG.LOCAL
    Krb5KeyTab /etc/krb5.keytab
    KrbLocalUserMapping on
    require valid-user

    AuthLDAPURL "ldap://dc01.sulman.org.local:389/CN=Configuration,dc=sulman,dc=org,dc=local?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN user1@sulman.org.local
    AuthLDAPBindPassword ***********
    require ldap-group CN=Users,DC=sulman,DC=org,DC=local
    #

    In IE it does not prompt for a password anymore but gives a 401 error.

    Logs are as follows:
    [Tue Jan 14 13:53:42 2014] [error] [client 192.168.100.133] failed to verify krb5 credentials: Server not found in Kerberos database

    Please help.

    • Mike (http://www.zipref.com)

      Did you follow steps 1, 2, and 3? Also, I don’t see the tags in your .conf file.

      • Sulman

        I did follow all the above steps you have mentioned in this walkthrough but no joy :(

  • Hariharan

    You need to first create the keytab entry with this command

    #net ads keytab create

    and only then you can join with

    net ads keytab add HTTP -U mydomainuser

    • Mike (http://www.zipref.com)

      I did not have to do this, but thank you for sharing.

  • Guybrush

    Excellent guide, thank you so much for helping me get this sorted!
    Just a couple of tips for others that I found along my journey:
    * Step 2, in authconfig-tui, enter your DC names in lower case
    * Last part of Step 2, the following command line worked for me:
    authconfig --enablewinbindusedefaultdomain --update
    * Step 4, Apache conf, in newer versions of Apache use <Location> rather than <Directory>

    Good luck and best wishes to all…

    • Mike (http://www.zipref.com)

      Thank you for commenting and sharing your tips. I’m glad the article helped you.
