  1. #1 (Just Joined!, Join Date: Feb 2007, Posts: 24)

    RHEL5 Integrated with MS AD for Apache web server


    Dear All:

    I have integrated my Linux server (used to host a web app) with MS AD, so I can log in with a Windows AD account, and I have also configured Apache to authorize using Kerberos.

    Everything works fine, no problems encountered. Now every user accesses my web app with their AD/Windows account (but they are required to enter their Windows ID and password).

    But isn't it possible to configure Apache to authorize automatically against MS AD using the Windows login?

    My Apache Conf:
    Code:
    <Directory "/var/www/html">
            AuthType Kerberos
            KrbAuthRealms DOMAIN.COM
            KrbServiceName HTTP/ssi3500.domain.com
            Krb5Keytab /etc/httpd/conf/apache.keytab5
            KrbMethodNegotiate on
            KrbMethodK5Passwd on
            KrbAuthoritative off
            require valid-user
    </Directory>
    My krb5.conf
    Code:
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
     default_realm = DOMAIN.COM
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     default_tgs_enctypes = rc4-hmac
     default_tkt_enctypes = rc4-hmac
     permitted_enctypes = rc4-hmac
     kdc_timesync = 1
     ccache_type = 4
     forwardable = false
     proxiable = false
     default_keytab_name = /etc/httpd/conf/apache.keytab5
    
    [realms]
     DOMAIN.COM = {
      kdc = domain.com
      admin_server = domain.com
     }
    
    domain.com = {
     kdc = domain.com
     admin_server = domain.com
    }
    
    [domain_realm]
     .sg = domain.com
     sg = domain.com
    
    [appdefaults]
     pam = {
       debug = false
       ticket_lifetime = 36000
       renew_lifetime = 36000
       forwardable = true
       krb4_convert = false
     }
    Here is the error message from the Apache web server:
    Code:
    [Fri Mar 30 18:24:25 2012] [debug] src/mod_auth_kerb.c(1432): [client 10.8.1.10] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [Fri Mar 30 18:24:25 2012] [debug] src/mod_auth_kerb.c(1432): [client 10.8.1.10] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
    [Fri Mar 30 18:24:25 2012] [debug] src/mod_auth_kerb.c(1147): [client 10.8.1.10] Acquiring creds for HTTP/ssi3500.domain.com
    [Fri Mar 30 18:24:25 2012] [debug] src/mod_auth_kerb.c(1266): [client 10.8.1.10] Verifying client data using KRB5 GSS-API
    [Fri Mar 30 18:24:25 2012] [debug] src/mod_auth_kerb.c(1282): [client 10.8.1.10] Verification returned code 851968
    [Fri Mar 30 18:24:25 2012] [error] [client 10.8.1.10] gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information (Unknown code krb5 230
    Any ideas how to achieve it?


    Thank you.
    chusoon

  2. #2 (Just Joined!, Join Date: Feb 2007, Posts: 24)
    In fact my configuration was correct. I had mistyped the server name in the Apache configuration.

    For more information, please find the URL link below:
    Apache w/ Windows AD SSO and LDAP Group Authorization | Scott Hughes
    http://www.redhat.com/summit/2011/pr...perability.pdf

    Thank you.
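The root cause in this thread was a server name mistyped in `KrbServiceName`, which the log only reports as "Verification returned code 851968" followed by a generic GSS failure. Two checks make that kind of mistake visible before a browser ever hits the site: decoding the GSS major status from the mod_auth_kerb log line (851968 is `GSS_S_FAILURE`, the generic routine error, which is why the minor code has to be consulted), and comparing the SPN in the Apache stanza against the server's FQDN and the principals actually present in the keytab. The script below is an added example, not code from the thread or from mod_auth_kerb. It assumes the `klist -kt` output format (KVNO, timestamp, principal per row); the Apache stanzas, keytab listing and log line are constructed samples, with one stanza carrying a deliberately mistyped host name to show what the check reports.

```python
import re

# Routine-error values of the GSS-API major status (RFC 2744); the major status packs
# a calling error in bits 24..31, a routine error in bits 16..23 and supplementary
# info in bits 0..15.
GSS_ROUTINE_ERRORS = {
    1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
    4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS", 6: "GSS_S_BAD_SIG",
    7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
    10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
    12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
    15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
    17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN",
}

# Constructed sample inputs (not taken from the thread). The "bad" stanza has the host
# part of the SPN mistyped relative to the keytab; the "good" one matches it.
APACHE_CONF_BAD = """<Directory "/var/www/html">
        AuthType Kerberos
        KrbAuthRealms DOMAIN.COM
        KrbServiceName HTTP/ssi350.domain.com
        Krb5Keytab /etc/httpd/conf/apache.keytab5
        KrbMethodNegotiate on
        require valid-user
</Directory>
"""
APACHE_CONF_GOOD = APACHE_CONF_BAD.replace("HTTP/ssi350.domain.com", "HTTP/ssi3500.domain.com")

# Constructed listing in the shape of `klist -kt /etc/httpd/conf/apache.keytab5`.
KLIST_OUTPUT = """Keytab name: FILE:/etc/httpd/conf/apache.keytab5
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 03/30/12 10:00:00 HTTP/ssi3500.domain.com@DOMAIN.COM
   3 03/30/12 10:00:00 host/ssi3500.domain.com@DOMAIN.COM
"""

# Constructed log line in mod_auth_kerb's format, carrying the status value from the thread.
LOG_LINE = ("[Fri Mar 30 18:24:25 2012] [debug] src/mod_auth_kerb.c(1282): "
            "[client 10.8.1.10] Verification returned code 851968")


def decode_gss_major(status):
    """Split a GSS major status into its calling, routine and supplementary fields."""
    routine = (status >> 16) & 0xFF
    return {
        "calling": (status >> 24) & 0xFF,
        "routine": routine,
        "routine_name": GSS_ROUTINE_ERRORS.get(routine, "unknown"),
        "supplementary": status & 0xFFFF,
    }


def verification_codes(log_text):
    """Extract every 'Verification returned code N' value from mod_auth_kerb debug output."""
    return [int(m) for m in re.findall(r"Verification returned code (\d+)", log_text)]


def apache_spn(conf_text):
    """Return the KrbServiceName value from an Apache stanza, or None if it is not set."""
    m = re.search(r"^\s*KrbServiceName\s+(\S+)", conf_text, re.M)
    return m.group(1) if m else None


def keytab_principals(klist_text):
    """Collect principals from `klist -kt` output: rows whose first field is a numeric KVNO."""
    principals = set()
    for line in klist_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].isdigit():
            principals.add(parts[-1])
    return principals


def check_spn(conf_text, klist_text, fqdn):
    """Return findings; an empty list means the SPN matches both the FQDN and a keytab entry."""
    spn = apache_spn(conf_text)
    if spn is None:
        return ["KrbServiceName is not set in the Apache stanza"]
    findings = []
    bare = spn.split("@")[0]              # drop an explicit realm if one was given
    _service, _, host = bare.partition("/")
    if host.lower() != fqdn.lower():
        findings.append(f"SPN host '{host}' does not match this server's FQDN '{fqdn}'")
    in_keytab = {p.split("@")[0].lower() for p in keytab_principals(klist_text)}
    if bare.lower() not in in_keytab:
        findings.append(f"no keytab entry for '{bare}'; keytab holds {sorted(in_keytab)}")
    return findings


if __name__ == "__main__":
    for code in verification_codes(LOG_LINE):
        print(code, "->", decode_gss_major(code))
    for label, conf in (("bad", APACHE_CONF_BAD), ("good", APACHE_CONF_GOOD)):
        print(label, check_spn(conf, KLIST_OUTPUT, "ssi3500.domain.com") or "OK")
```

On a real server, replace the constructed `KLIST_OUTPUT` with the output of `klist -kt` on the keytab named by `Krb5Keytab`, and pass `socket.getfqdn()` as the FQDN; a non-empty findings list points at the SPN/keytab mismatch before the generic `gss_accept_sec_context()` failure is ever logged.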
