Kerberos with active directory from linux

Question

I have windows stations and a linux server - and I would like to perform SSO using Windows-Kerberos (via Active Directory - the same one all users on the windows station use).

And so - I have searched many examples and ways of acheving this goal: Samba, Winbind, tomcat-spengo (which requires the server process to run on a domain), Waffle (which only runs on Windows server) etc...

I feel awfully frustrated because I wasn't able to find a simple tutorial/example for this case, even though it looks like a simple case.

What am I missing? Is it possible that the solution is really simple?

Thank you.

This should be posted on http://unix.stackexchange.com/ – Robert H May 09 '13 at 20:54 — Robert H, May 09 '13 at 20:54
i'm not sure what this has to do with java. or programming. – Christopher Neylan May 09 '13 at 21:11 — Christopher Neylan, May 09 '13 at 21:11
i answered the question anyway :) – Christopher Neylan May 09 '13 at 21:28 — Christopher Neylan, May 09 '13 at 21:28

score 1 · Answer 1 · answered May 09 '13 at 21:17

1

Don't know how to do that in Java - but: There are ways to have Apache take care of SSO (MIT Kerberos or Winbind), and pass the REMOTE_USER to Tomcat using HTTP or AJP. This has worked for me in the past.

answered May 09 '13 at 21:17

sborsky

305
1
6

score 0 · Answer 2 · edited Oct 07 '21 at 06:58

This is a rough outline of what's necessary. Mileage may vary, but it should give you a solid starting point for study.

The LDAP source doesn't matter. In your case, it's Active Directory. All that matters is that your user and group objects are populated with the correct RFC2307 attributes. RFC2307 defines the standard LDAP attributes for each user and group object that will correspond to the fields in /etc/passwd, /etc/shadow, and /etc/group. When your Linux servers go to look up a user or group, it will assume these specific attributes are populated when it runs its queries.

Depending on your distribution and how old it is, you'll likely be using nss_ldap or nss-pam-ldapd. These libraries are what PAM is going to use to actually make its LDAP queries. Those configuration files are where you'll specify the AD servers, the user/group OUs and filters, attribute mappings (if needed), etc.

Finally, you'll need to actually tell Linux to use LDAP as one of its sources of user and group information. This is handled by /etc/nsswitch.conf. This file is simple mapping of database to information source. In your case, you'll just want to add "ldap" to the lists for the "passwd", "shadow", and "group" databases.

Happy hacking!

Kerberos with active directory from linux

2 Answers2