参照:
http://www.grolmsnet.de/kerbtut/
1. 安装软件包
yum install httpd
yum install php
yum install krb5-devel krb5-libs krb5-workstation mod_auth_kerb
2. 生成keytab文件
On DC:
ktpass /out webserver.keytab /princ HTTP/web.smallbusiness1.local@SMALLBUSINESS1.LOCAL /mapuser smallbusiness1webauth /pass Test1234 /ptype KRB5_NT_PRINCIPAL /crypto rc4-hmac-nt
3. 把keytab文件copy到/etc/httpd/
4. DNS建立A记录和PTR记录指向web server
5. In /etc/krb5.conf
[libdefaults]
default_keytab_name = /etc/httpd/webserver.keytab
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
default_realm = SMALLBUSINESS1.LOCAL
[realms]
SMALLBUSINESS1.LOCAL = {
kdc = dc.smallbusiness1.local
admin_server = dc.smallbusiness1.local
}
[domain_realm]
.smallbusiness1.local = SMALLBUSINESS1.LOCAL
smallbusiness1.local = SMALLBUSINESS1.LOCAL
(注意:SMALLBUSINESS1.LOCAL需要大写)
6. 测试(注意:SMALLBUSINESS1.LOCAL需要大写):
kinit user@SMALLBUSINESS1.LOCAL
klist
7. Apache配置
In /etc/httpd/conf/httpd.conf:
ServerName web.smallbusiness1.local:80
UseCanonicalName On
In /etc/httpd/conf.modules.d/10-auth_kerb.conf:
LoadModule auth_kerb_module modules/mod_auth_kerb.so
<Location />
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms SMALLBUSINESS1.LOCAL
Krb5KeyTab /etc/httpd/webserver.keytab
KrbSaveCredentials On
require valid-user
</Location>
8. IE设置
Internet Option->Security->Local intranet->Sites->Add web.smallbusiness1.local
Internet Option->Security->Local intranet->Custom Level->User Authentication->Logon->Automatic logon only in Intranet zone
9. 打开IE,打开web.smallbusiness1.local/phpinfo.php.(注意,不能用IP地址)
Note:
1. Web server的时间要和DC的时间一致。
2. 如果error_log中看到gss_acquire_cred() ... (, Permission denied),表示apache不能读取keytab文件,检查keytab文件权限,关闭selinux或者restorecon -rv /etc/httpd (keytab所在目录)
Update: 支持多个domain
1. 在每个domain的DC分别生成webserver1.keytab和webserver2.keytab,注意两个命令中HTTP/web.smallbusiness1.local是一样地,对应httpd.conf中的ServerName:
在smallbusiness1.local的DC:
ktpass /out webserver1.keytab /princ HTTP/web.smallbusiness1.local@SMALLBUSINESS1.LOCAL /mapuser smallbusiness1webauth /pass Test1234 /ptype KRB5_NT_PRINCIPAL /crypto rc4-hmac-nt
在smallbusiness2.local的DC:
ktpass /out webserver2.keytab /princ HTTP/web.smallbusiness1.local@SMALLBUSINESS2.LOCAL /mapuser smallbusiness2webauth /pass Test1234 /ptype KRB5_NT_PRINCIPAL /crypto rc4-hmac-nt
2. 用ktutil合并keytab文件:
ktutil
rkt webserver1.keytab
rkt webserver2.keytab
wkt webserver.keytab
q
用ktlist -k webserver.keytab 验证webserver.keytab中包含了多个key。
3. 修改krb5.conf中的[realms]和[domain_realm]:
[realms]
SMALLBUSINESS1.LOCAL = {
kdc = dc.smallbusiness1.local
admin_server = dc.smallbusiness1.local
}
SMALLBUSINESS2.LOCAL = {
kdc = dc.smallbusiness2.local
admin_server = dc.smallbusiness2.local
}
[domain_realm]
.smallbusiness1.local = SMALLBUSINESS1.LOCAL
smallbusiness1.local = SMALLBUSINESS1.LOCAL
.smallbusiness2.local = SMALLBUSINESS2.LOCAL
smallbusiness2.local = SMALLBUSINESS2.LOCAL
4.
In /etc/httpd/conf.modules.d/10-auth_kerb.conf:
LoadModule auth_kerb_module modules/mod_auth_kerb.so
<Location />
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms SMALLBUSINESS1.LOCAL SMALLBUSINESS2.LOCAL
Krb5KeyTab /etc/httpd/webserver.keytab
KrbSaveCredentials On
require valid-user
</Location>