Difference between revisions of "Apache Kerberos Authentication"
Revision as of 10:57, 12 September 2018
Purpose
To allow users to authenticate with seamless single sign-on (SSO) via Kerberos.[1]
MultiRealm Authentication
In this case I want to authenticate against more than one realm (two domains). After following the common instructions online, I was unable to log in using the second realm. The first realm logged in without issue.
NOTE 1: This is a messy post, as I have worked on this for several days and am trying to record what I did before I forget.
NOTE 2: I am not sure if all of this is necessary, but I wanted to track everything I did regardless.
Environment
- Domains
  - Domain1.tld
  - Domain2.tld
- Web server
  - intranet.tld
krb5.conf
The server I am using was enrolled in domain1 using sssd and the "realm join" command many a year ago. We will be editing the krb5.conf file that was created during this process.
<pre>
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 # default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}
 default_realm = DOMAIN1.TLD

[realms]
 # EXAMPLE.COM = {
 #  kdc = kerberos.example.com
 #  admin_server = kerberos.example.com
 # }
 DOMAIN1.TLD = {
  kdc = domain1.tld
  admin_server = domain1.tld
 }
 DOMAIN2.TLD = {
  kdc = domain2.tld
  admin_server = domain2.tld
 }

[domain_realm]
 # .example.com = EXAMPLE.COM
 # example.com = EXAMPLE.COM
 domain1.tld = DOMAIN1.TLD
 .domain1.tld = DOMAIN1.TLD
 domain2.tld = DOMAIN2.TLD
 .domain2.tld = DOMAIN2.TLD

[capaths]
 DOMAIN1.TLD = {
  DOMAIN2.TLD = .
 }
 DOMAIN2.TLD = {
  DOMAIN1.TLD = .
 }
</pre>
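A multi-realm krb5.conf has three sections that must agree with each other: every realm named in [domain_realm] and [capaths] (and the default_realm) needs a matching stanza in [realms], and a single misspelt realm name silently breaks that agreement. The script below is an added example, not part of this wiki page or of any Kerberos project; it parses a krb5.conf-style text with the limited syntax used above, cross-checks the three sections, and resolves a hostname to a realm the way the [domain_realm] suffix rules are meant to work. The embedded sample is constructed to mirror the config above, with one [realms] stanza deliberately misspelt (DOIMAIN2.TLD) so the check has something to report; the parser and the suffix-matching rule are my own approximations, not libkrb5's code.

```python
"""krb5.conf cross-check: added example, not from the wiki page.

parse_krb5_conf() understands only the syntax the page's config uses
(sections, key = value, one level of NAME = { ... } groups, '#' comments,
include/includedir lines). It is not a full libkrb5 profile parser.
"""
import re

# Constructed sample; DOIMAIN2.TLD is a deliberate typo for the check to find.
SAMPLE_KRB5_CONF = """\
includedir /etc/krb5.conf.d/
[libdefaults]
 dns_lookup_realm = true
 default_realm = DOMAIN1.TLD
[realms]
 DOMAIN1.TLD = {
  kdc = domain1.tld
  admin_server = domain1.tld
 }
 DOIMAIN2.TLD = {            # constructed typo: should be DOMAIN2.TLD
  kdc = domain2.tld
  admin_server = domain2.tld
 }
[domain_realm]
 domain1.tld = DOMAIN1.TLD
 .domain1.tld = DOMAIN1.TLD
 domain2.tld = DOMAIN2.TLD
 .domain2.tld = DOMAIN2.TLD
[capaths]
 DOMAIN1.TLD = {
  DOMAIN2.TLD = .
 }
 DOMAIN2.TLD = {
  DOMAIN1.TLD = .
 }
"""


def parse_krb5_conf(text):
    """Return {section: {key: value | {subkey: value}}}; include lines go under '_includes'."""
    config, section, group = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and indentation
        if not line:
            continue
        if line.startswith(("includedir ", "include ")):
            config.setdefault("_includes", []).append(line)
        elif line.startswith("[") and line.endswith("]"):
            section, group = line[1:-1], None        # new section closes any open group
            config.setdefault(section, {})
        elif line == "}":
            group = None
        elif section is None:
            raise ValueError(f"key outside any section: {line!r}")
        elif re.fullmatch(r"[^=\s]+\s*=\s*\{", line):  # NAME = {  opens a group
            group = line.split("=", 1)[0].strip()
            config[section][group] = {}
        else:
            key, _, value = line.partition("=")
            target = config[section][group] if group else config[section]
            target[key.strip()] = value.strip()
    return config


def check_realm_consistency(config):
    """List every realm referenced outside [realms] that has no [realms] stanza."""
    problems = []
    realms = set(config.get("realms", {}))
    default_realm = config.get("libdefaults", {}).get("default_realm")
    if default_realm and default_realm not in realms:
        problems.append(f"default_realm {default_realm} has no [realms] stanza")
    for domain, realm in config.get("domain_realm", {}).items():
        if realm not in realms:
            problems.append(f"[domain_realm] {domain} maps to unknown realm {realm}")
    for src, hops in config.get("capaths", {}).items():
        if src not in realms:
            problems.append(f"[capaths] client realm {src} has no [realms] stanza")
        for dst in hops:                               # hop value '.' means a direct path
            if dst not in realms:
                problems.append(f"[capaths] {src} -> {dst}: unknown realm {dst}")
    return problems


def realm_for_host(config, hostname):
    """Resolve a host to a realm via [domain_realm]: exact host entry first, then the
    longest matching '.suffix' entry. Returns None when nothing matches (libkrb5 would
    then fall back to DNS or the default realm; that fallback is not modelled here)."""
    mapping = config.get("domain_realm", {})
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):                    # most specific suffix first
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None


if __name__ == "__main__":
    cfg = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for problem in check_realm_consistency(cfg) or ["no inconsistencies found"]:
        print(problem)
```

Run against the constructed sample, the check reports four problems, all traceable to the one misspelt stanza: both domain2.tld mappings in [domain_realm] point at a realm with no stanza, and both [capaths] entries involving DOMAIN2.TLD reference it. A KDC may still be found for such a realm through DNS SRV records, which is why this kind of typo can go unnoticed until a second-realm login fails; the value `.` in [capaths] declares a direct cross-realm path with no intermediate realm.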