kadmin -p admin@REALM -r REALM ank -r HTTP/servername@REALM
kadmin -p admin@REALM -r REALM ext -k /etc/httpd/keytab HTTP/servername@REALM
chown nobody /etc/httpd/keytab
- chmod 600 /etc/httpd/keytab
+ chmod 400 /etc/httpd/keytab
Windows 2000 Domain Controler
-----------------------------
the user account has "Password never expires" set and write down the password
you set for the account (you will need it later).
+When using ticket based authentication (KrbMethodNegotiate) and also wanting
+to save the ticket (KrbSaveCredentials), the user account for the Kerberos
+principal must have the option "Account is trusted for delegation" set. This
+enables to user account to delegate the tickets to the server for further
+authentication.
+
If you want to kerberize additional hosts you need to create one user account
per each kerberized host.
at http://support.microsoft.com/default.aspx?scid=kb;en-us;324144.
ktpass -out c:\apache.ktab -princ HTTP/server.name@REALM.NAME
- -pass account_password -mapuser httpd_servername
+ -pass account_password -mapuser httpd_servername -crypto DES-CBC-MD5
In the above the c:\apache.ktab is the name of the created keytab file,
account_passwored is the password you set for the user account and
-httpd_servername is the name of the user account.
+httpd_servername is the name of the user account. The DES-CBC-MD5 encryption
+is needed to get Heimdal to work with Microsoft KDC, MIT Kerberos does not
+seem to need it but it does not hurt either. In fact, RFC1510 discourages
+using DES-CBC-CRC (default in Win2k ktpass.exe) so it's probably better to
+use DES-CBC-MD5 in all cases.
You need to copy the keytab file to your web server in a secure way to avoid
-revealing the server key(s). Make sure that the keytab file is owned by the
-apache user and only readable to this user (i.e. the permissions are 600).
+revealing the server key(s). Note that the copy needs to be done in binary
+mode to avoid corrupting the file. Make sure that the keytab file is owned by
+the apache user and only readable to this user (i.e. the permissions are 400).
After copying the keytab verify the content using the ktutil tool.
+See http://www.grolmsnet.de/kerbtut for more information about using
+mod_auth_kerb with Windows KDC.
+
4. Verifying krb5 on the server host
------------------------------------
Before starting configuring the module make sure your Kerberos enviroment on
For password based authentication any browser supporting the Basic HTTP
authentication method can be used without any changes. In order to use
ticket based authentication (Negotiate) you will need either MS Internet
-Explorer 5.0+ running on Win2000 SP2 (or greater) or Mozilla with the
-Negotiateauth extension (available in 1.7rc2 and greater).
+Explorer 5.0+ running on Win2000 SP2 (or later) or Mozilla with the
+Negotiateauth extension (available in 1.7beta and later).
Internet Explorer
-----------------
in Internet Explorer "Local Intranet" security zone and the "Windows
Integrated Authentication" must be enabled in the IE advanced options.
+See also a guide from Microsoft describing how to configure Windows Machine to
+use Unix KDC available at
+http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp
+
Mozilla
-------
-TBD
-(First make sure your Mozilla distribution contains the Negotiateauth component
-check libnegotiate.so
-debugging
-Using with heimdal)
+First make sure your Mozilla distribution contains the Negotiateauth component
+(libnegotiateauth.so on Unix, negotiateauth.dll on Windows). Generally this is
+included in versions 1.7beta and later on Unix platforms including Mac OSX,
+maybe 1.8 and later on Windows.)
+
+If you want to find out what happens in the Negotiateauth component use
+following environment variables:
+ NSPR_LOG_MODULES=negotiateauth:5
+ NSPR_LOG_FILE=/tmp/negotiateauth.log
+before starting Mozilla. You will see debugging messages logged in the file
+specified by NSPR_LOG_FILE (/tmp/negotiateauth.log)
6. Access control
-----------------
projects / mod_auth_kerb.cvs / .git / blobdiff