
I'm considering switching my intranet apps to Kerberos authentication (currently NTLM, but the required modules are not maintained anymore and will not work anymore once the web server is updated to the newest Ubuntu release).

I'm completely new to this, plus I'm not directly in my corporation's IT department. It's a huge corporation and dealing with IT is a PITA. So my question also revolves around whether I need IT to do something for me to make this work.

I can see on my company laptop, using klist, that I have 3 tickets:

krbtgt/MYCOMPANY.COM@MYCOMPANY.COM

ldap/ldap.mycompany.com@MYCOMPANY.COM

and the last one is for my laptop (e.g. server = my laptop).

I also already have a generic LDAP user for querying LDAP for authorization.

My question is whether I can configure my web server to reuse the existing LDAP ticket for authentication. And if yes, how would I do that?

beginner_

1 Answer


You cannot share the LDAP/... ticket to authenticate in httpd. Nor can you share the keytab file, even within the same host, as it has to provide credentials for the HTTP/... principal. There is an option in httpd's mod_auth_kerb (named KrbServiceName) to "rename" the principal used, but I haven't tried it and I doubt it can work, as the clients will try to use the standard names.

There are many howtos on how to configure Apache httpd with AD + Kerberos-based single sign-on. Start by reading the mod_auth_kerb manual. Things to remember include: reverse DNS entries matching forward DNS, time synchronization, the default realm name in the /etc/krb5.conf file, and the KVNO in the ktpass command. In case of problems, try (temporarily!) setting KrbVerifyKDC off and LogLevel debug in the Apache config.

sam_pan_mariusz
  • Thanks for your reply. So as far as I have informed myself, I need to create a service principal, and that probably has to be done by the IT department (e.g. Active Directory management)? I'm not even at the stage of configuring it, since I don't yet know what I actually need to make it work. – beginner_ Nov 24 '15 at 08:30
  • Yes, *ktpass.exe* needs to be run from a domain controller, by a domain administrator and with elevated privileges. It should map the principal to an already existing service AD user with no specific group membership (*Domain Guests* is enough). There are FOSS utils that can be used to get a keytab file from a Windows domain, but I've never used them. – sam_pan_mariusz Nov 24 '15 at 12:30
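To make the answer's checklist concrete, here is an added Apache 2.4 configuration fragment (example only, not from the question, the answer or the mod_auth_kerb project) that does Kerberos SSO via mod_auth_kerb and then authorizes the user through the generic LDAP bind account the asker already has. Hostname intranet.mycompany.com, the keytab path, the service-account names and the group DN are assumptions; the password is a placeholder.

```apache
# Modules (Ubuntu): a2enmod auth_kerb authnz_ldap ldap
# Prerequisites from the answer: forward and reverse DNS for intranet.mycompany.com
# must agree, the clock must be in sync with the DCs, and /etc/krb5.conf must
# carry "default_realm = MYCOMPANY.COM".
#
# The keytab must contain HTTP/intranet.mycompany.com@MYCOMPANY.COM, which a
# domain admin creates on a DC against a plain service account (placeholder name):
#   ktpass /princ HTTP/intranet.mycompany.com@MYCOMPANY.COM /mapuser MYCOMPANY\svc-http-intranet
#          /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /pass * /out http.keytab
# On the web server, confirm principal name and KVNO before enabling the vhost:
#   klist -kt /etc/apache2/http.keytab      # lists principals and their KVNO
#   kvno HTTP/intranet.mycompany.com        # KVNO AD currently issues; must match
<VirtualHost *:443>
    ServerName intranet.mycompany.com
    # LogLevel debug       # temporarily, together with KrbVerifyKDC Off, while troubleshooting

    <Location />
        AuthType Kerberos
        AuthName "MYCOMPANY intranet"
        KrbAuthRealms MYCOMPANY.COM
        KrbServiceName HTTP                    # keep the standard name; clients request HTTP/<fqdn>
        Krb5Keytab /etc/apache2/http.keytab    # readable by the Apache user only
        KrbMethodNegotiate On                  # SPNEGO ticket from the browser
        KrbMethodK5Passwd Off                  # no fallback to Basic auth with the AD password
        KrbVerifyKDC On                        # default; set Off only temporarily for debugging
        KrbLocalUserMapping On                 # REMOTE_USER becomes "jdoe", not "jdoe@MYCOMPANY.COM"

        # Authorization: the existing generic LDAP user looks the authenticated
        # account up and checks group membership. Bind over LDAPS, not plain LDAP.
        AuthLDAPURL "ldaps://ldap.mycompany.com/DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=user)"
        AuthLDAPBindDN "CN=svc-ldap-reader,OU=Service Accounts,DC=mycompany,DC=com"
        AuthLDAPBindPassword "PLACEHOLDER-load-from-secret-store"
        Require ldap-group CN=Intranet-Users,OU=Groups,DC=mycompany,DC=com
    </Location>
</VirtualHost>
```

mod_auth_kerb itself is no longer actively developed and Debian-based distributions have been moving to mod_auth_gssapi, whose directive names differ, so check which module package your target Ubuntu release ships before copying the Krb* lines.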