- 04-03-2012 #1 Just Joined!
- Join Date: Feb 2007
- Posts: 23
RHEL5 Integrated with MS AD for Apache web server
Dear All:
I have integrated my Linux server (used to host a web app) with MS AD, so I can log in with a Windows AD account, and I have also configured Apache to authorize using Kerberos.
Everything works fine, no problems encountered. Now every user accesses my web app with their AD/Windows account (but is required to enter the Windows ID and password).
But is it possible to configure Apache to authorize automatically against MS AD using the Windows login?
My Apache conf:
Code:
<Directory "/var/www/html">
    AuthType Kerberos
    KrbAuthRealms DOMAIN.COM
    KrbServiceName HTTP/ssi3500.domain.com
    Krb5Keytab /etc/httpd/conf/apache.keytab5
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbAuthoritative off
    require valid-user
</Directory>

My krb5.conf:
Code:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = DOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 default_tgs_enctypes = rc4-hmac
 default_tkt_enctypes = rc4-hmac
 permitted_enctypes = rc4-hmac
 kdc_timesync = 1
 ccache_type = 4
 forwardable = false
 proxiable = false
 default_keytab_name = /etc/httpd/conf/apache.keytab5
[realms]
 DOMAIN.COM = {
  kdc = domain.com
  admin_server = domain.com
 }
 domain.com={
  kdc = domain.com
  admin_server = domain.com
 }
[domain_realm]
 .sg = domain.com
 sg = domain.com
[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

Here is the error message from the Apache web server:
Code:
[Fri Mar 30 18:24:25 2012] [debug] src/mod_auth_kerb.c(1432): [client 10.8.1.10] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Mar 30 18:24:25 2012] [debug] src/mod_auth_kerb.c(1432): [client 10.8.1.10] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Fri Mar 30 18:24:25 2012] [debug] src/mod_auth_kerb.c(1147): [client 10.8.1.10] Acquiring creds for HTTP/ssi3500.domain.com
[Fri Mar 30 18:24:25 2012] [debug] src/mod_auth_kerb.c(1266): [client 10.8.1.10] Verifying client data using KRB5 GSS-API
[Fri Mar 30 18:24:25 2012] [debug] src/mod_auth_kerb.c(1282): [client 10.8.1.10] Verification returned code 851968
[Fri Mar 30 18:24:25 2012] [error] [client 10.8.1.10] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (Unknown code krb5 230

Any ideas how to achieve it?
Thank you.
chusoon
- 04-11-2012 #2 Just Joined!
- Join Date: Feb 2007
- Posts: 23
In fact my configuration was correct. I had mistyped the server name in the Apache configuration.
For more information, please find the URL links below:
Apache w/ Windows AD SSO and LDAP Group Authorization | Scott Hughes
http://www.redhat.com/summit/2011/pr...perability.pdf
Thank you.
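
An added example, not part of the original posts: a small check for the kind of typo described in the reply, comparing the `KrbServiceName` value in the Apache config with the principals listed by `klist -k` for the keytab. The mistyped host `ssi3050`, the `klist -k` listing and the function names are constructed for illustration.

```python
import difflib
import re

# Constructed sample: directives shaped like the post's config, with a
# deliberately mistyped host name (ssi3050 instead of ssi3500).
APACHE_CONF = """\
<Directory "/var/www/html">
  AuthType Kerberos
  KrbAuthRealms DOMAIN.COM
  KrbServiceName HTTP/ssi3050.domain.com
  Krb5Keytab /etc/httpd/conf/apache.keytab5
</Directory>
"""

# Constructed sample of `klist -k /etc/httpd/conf/apache.keytab5` output.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/httpd/conf/apache.keytab5
KVNO Principal
---- ------------------------------------------------
   3 HTTP/ssi3500.domain.com@DOMAIN.COM
"""

def directive(conf, name):
    """Return the first argument of an Apache directive, or None if absent."""
    m = re.search(r"^[ \t]*%s[ \t]+(\S+)" % re.escape(name), conf, re.M | re.I)
    return m.group(1) if m else None

def keytab_principals(klist_text):
    """Collect principals from '<kvno> <principal>@<REALM>' lines."""
    return sorted({m.group(1) for m in
                   re.finditer(r"^\s*\d+\s+(\S+@\S+)", klist_text, re.M)})

def check_service_name(conf, klist_text):
    """Return a list of problems; empty means the keytab holds a matching key."""
    service = directive(conf, "KrbServiceName") or "HTTP"  # module default
    principals = keytab_principals(klist_text)
    if not principals:
        return ["no principals found in the keytab listing"]
    if service.lower() == "any":  # mod_auth_kerb accepts any key in the keytab
        return []
    # Compare with or without the realm, matching how the directive is written.
    names = principals if "@" in service else [p.split("@")[0] for p in principals]
    if "/" not in service:  # bare service name such as HTTP
        names = [n.split("/")[0] for n in names]
    if service in names:
        return []
    problem = "KrbServiceName %s has no key in the keytab" % service
    close = difflib.get_close_matches(service, names, n=1)
    return [problem + ("; closest entry is %s" % close[0] if close else "")]
```

On a real host, pass the contents of the httpd configuration and the text printed by `klist -k` for the keytab named in `Krb5Keytab`.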


