Unix/Linux keytab files and Windows Server 2008 DCs

Tutorial


#1 mashti


Posted 11 September 2010 - 11:04 PM

Today's menu has a bit of everything: Windows, Linux, and my favourite topic, guess what :) Kerberos. A small clarification before I begin: my knowledge of Linux is <= 0, so I will confine myself strictly to testing.

Today's topic is quite demanding and requires basic knowledge of several subjects.

We have the following scenario:

* Windows Active Directory Domain.
* Linux Intranet Web Server
* Active Directory Users

We want:

* Active Directory users to have access to the intranet site running on Linux without having to log in again.

There are many websites that provide plenty of information on this topic, but most of them are for Windows 2000/2003 and XP; in theory it should not differ at all from 2008 and Vista/W7, should it?

Good in theory, but let's see it in practice. Let's go step by step and see where we get stuck.

Let's start then.

Step 1) Installation of the operating systems in Virtual PC.

* Linux Ubuntu-8.10 (Web Server = linuxwebserver)
* Windows Server 2008 (Domain Controller = 2008dc)
* Vista (Client = Vista1)

Step 2) Active Directory: basic settings

* Set static IPs. (DC = 192.168.2.100, Vista = 192.168.2.50)
* Install the DNS Server in 2008
* dcpromo in Windows Server 2008 (FFL 2008)
* Domain join the Vista client
* Create a test Active Directory user (intuser).

Step 3) Linux: basic settings

Set static IP.

I set up a DHCP reservation for the Linux MAC address (IP = 192.168.2.200), and I also entered the DNS server's IP (192.168.2.100) in /etc/resolv.conf.

(I already have a Windows 2003 acting as NAT router among my VMs, so I put a DNS forwarder on the AD pointing to an external one, so that the addresses needed to install the packages can be resolved.)

Pinging dc2008.acme.com from Linux takes a heartbreakingly long time. Let's look at the network trace.



Reverse DNS queries. Create a reverse lookup zone in DNS, run ipconfig /registerdns on the DC, and now it flies.

Networking seems to be OK. Let's move on to the applications and the other settings.

Step 4) installation of Apache

sudo apt-get install apache2 



! The following steps require close attention. I spent a day discovering that upper/lower case plays a very important role. Case sensitive.

Step 5) creation of the Web Server account in Active Directory

* Open dsa.msc -> New User -> apacheuser
* At the command prompt, run:
o setspn.exe -a HTTP/linuxwebserver.acme.com apacheuser
o setspn.exe -a HTTP/linuxwebserver apacheuser
* To create the keytab file:

ktpass -princ HTTP/linuxwebserver.acme.com@acme.com -mapuser apacheuser -pass p@ssw0rd -ptype KRB5_NT_PRINCIPAL -out c:\apacheuser.http.keytab

Targeting domain controller: 2008DC.acme.com
Using legacy password setting method
Successfully mapped HTTP/linuxwebserver.acme.com to apacheuser.
Key created.
Output keytab to c:\apacheuser.http.keytab:
Keytab version: 0x502
keysize 72 HTTP/linuxwebserver.acme.com@acme.com ptype 1 (KRB5_NT_PRINCIPAL) vno 20 etype 0x17 (RC4-HMAC) keylength 16 (0xe19ccf75ee54e06b06a5907af13cef42)

* Add an A record in DNS -> linuxwebserver.acme.com 192.168.2.200

Step 6) Kerberos Setting in Web Server

* sudo apt-get install
o krb5-user
o libpam-krb5 (probably not needed)
o krb5-config
o libkadm55 (probably not needed)
o libapache2-mod-auth-kerb

* Configure /etc/krb5.conf
[libdefaults]
default_realm = acme.com

# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true

[realms]
ACME.COM = {
kdc = 2008dc.acme.com:88
admin_server = 2008dc.acme.com
default_domain = acme.com
}

[domain_realm]
.acme.com = acme.com
acme.com = acme.com
* Copy the keytab apacheuser.http.keytab from the DC to /etc/apache2/
* Configure /etc/apache2/apache2.conf with the following additional entries

ServerName linuxwebserver.acme.com

<Directory "/var/www/">
AuthName "Kerberos Login"
AuthType Kerberos
Krb5Keytab /etc/apache2/apacheuser.http.keytab
KrbAuthRealm acme.com
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbSaveCredentials off
KrbVerifyKDC off
KrbServiceName HTTP/linuxwebserver.acme.com
Require valid-user
</Directory>
* Restart Apache: sudo service apache2 restart

So far the settings are the same as with Windows 2003; let's see whether Kerberos authentication works from the Linux side.

Trying first without the keytab:



It seems something is not quite right, so looking at the network trace on the DC we see the following: KRB Error: KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN

A quick search turns up a hotfix for this issue.

An error code is returned when a client requests a Kerberos TGT against a Windows Server 2008-based domain controller: "KERB5KDC_ERR_C_PRINICPAL_UNKNOWN"
http://support.microsoft.com/?scid=kb%3Ben-us%3B951191&x=13&y=21

A small clarification: according to the RFCs, a string of the form <name>@<domain name> is not accepted as a UPN. Windows 2008 is stricter on this point, but those who want to use this format for compatibility reasons can install the hotfix.

Let's see the results after the hotfix:



Completed successfully! Here is the network trace:



In the last packet it is important that we have received the TGT; note that it is no longer RC4-HMAC but AES256 that is used to encrypt the TGT and the session key.

Let us therefore try again, this time with the keytab declared.



"Key table entry not found while getting initial credentials", and this is where we start digging through everything from scratch: SPNs, UPNs, conf files, etc.

What we understand from the error message is that the record with the key was not found in the keytab file. What does the record consist of? The principal and the key. Since we have made sure the principal is correct, only the key can be to blame.

Bingo! The key is something that has changed since 2003. It is no longer RC4-HMAC but AES256.
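Rather than guessing what a keytab holds, its entries (principal, kvno, enctype, key length) can be read straight from the file. The following is an added example, not code from the original post: it builds and parses keytab version 0x0502 entries, the format ktpass writes; the two sample entries mirror the RC4 and AES256 runs from the post, with constructed placeholder key bytes, and the entry size it reports is the "keysize" figure ktpass prints (72 for the RC4 entry above).

```python
import struct
# Added example (not code from the original post): build and parse keytab entries
# in version 0x0502, the format ktpass writes, to check principal, kvno and enctype.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _cstr(data):                 # counted_octet_string: uint16 BE length + bytes
    return struct.pack(">H", len(data)) + data

def build_entry(principal, enctype, key, kvno, timestamp=0, name_type=1):
    """One entry for 'svc/host@REALM': int32 size, then component count, realm,
    components, name type, timestamp, 8-bit kvno and the keyblock."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in comps)
    body += struct.pack(">IIBH", name_type, timestamp, kvno & 0xFF, enctype) + _cstr(key)
    return struct.pack(">i", len(body)) + body

def parse_keytab(blob):
    """Return one dict per live entry; 'size' is what ktpass prints as keysize."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is supported")
    off, out = 2, []
    while off + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, off)
        off += 4
        if size <= 0:            # negative size marks a deleted slot: skip the hole
            off -= size
            continue
        end, pos = off + size, off + 2
        fields = []              # realm first, then the name components
        for _ in range(struct.unpack_from(">H", blob, off)[0] + 1):
            (n,) = struct.unpack_from(">H", blob, pos)
            fields.append(blob[pos + 2:pos + 2 + n].decode()); pos += 2 + n
        _ntype, _ts, kvno, etype, klen = struct.unpack_from(">IIBHH", blob, pos)
        pos += 13 + klen
        if end - pos >= 4:       # optional trailing 32-bit kvno, used when nonzero
            kvno = struct.unpack_from(">I", blob, pos)[0] or kvno
        out.append({"principal": "/".join(fields[1:]) + "@" + fields[0], "kvno": kvno,
                    "enctype": ENCTYPES.get(etype, hex(etype)), "keylen": klen, "size": size})
        off = end
    return out

# Constructed sample keytab: the RC4 entry from the post's first ktpass run and
# the AES256 entry from the second, with placeholder key bytes (not real keys).
SAMPLE = (b"\x05\x02"
          + build_entry("HTTP/linuxwebserver.acme.com@acme.com", 23, b"\x11" * 16, 20)
          + build_entry("HTTP/linuxwebserver.acme.com@acme.com", 18, b"\x22" * 32, 21))
```

On the Linux side, `klist -k -e /etc/apache2/apacheuser.http.keytab` lists the same principal, kvno and enctype fields for a real keytab, so the two views can be compared.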

Let's try the following:

ktpass -princ HTTP/linuxwebserver.acme.com@acme.com -mapuser apacheuser -pass p@ssw0rd -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -out c:\apacheuser.http.keytab

We copy the keytab file to the well-known location /etc/apache2/apacheuser.http.keytab and try our luck again.



No error this time, so we are flying.

Let us therefore test the whole edifice. Configure Vista's security settings to use the Negotiate protocol, and all that remains is to open the site in IE!

No luck!

In the Apache error log we see:

[client 192.168.2.50] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (Key table entry not found)

Again, the keytab entry cannot be found.

So what remains is to test with another encryption type.

Let's try DES ...

ktpass -princ HTTP/linuxwebserver.acme.com@acme.com -mapuser apacheuser -pass p@ssw0rd +DesOnly -ptype KRB5_NT_PRINCIPAL -out c:\apacheuser.http.keytab

Targeting domain controller: 2008DC.acme.com
Using legacy password setting method
Successfully mapped HTTP/linuxwebserver.acme.com to apacheuser.
Key created.
Output keytab to c:\apacheuser.http.keytab:
Keytab version: 0x502
keysize 64 HTTP/linuxwebserver.acme.com@acme.com ptype 1 (KRB5_NT_PRINCIPAL) vno 24 etype 0x7 (DES-CBC-MD5) keylength 8 (0x193d7f680845431f)
Account apacheuser has been set for DES-only encryption.



Finally we have succeeded!

In the Apache access log we see that the intranet user (intuser) gained access:

192.168.2.50 - intuser@acme.com [13/Apr/2009:23:10:34 +0800] "GET / HTTP/1.1" 200 56 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30618)"


And the network trace ... beautiful, isn't it?



Apparently the reason AES256 does not work is that something goes wrong in the Apache module, since kinit works just fine.

The fact that our solution uses DES instead of the far stronger AES256 is a handicap, but less dangerous than a lost USB stick with keytabs on it. Let's not say more, before any families get broken up :)

While surfing to find solutions to the problems, I often got tired of the anarchic Linux documentation, but a few times I did find help in forums from Linux friends.

The bottom line is this: the marriage of two different technologies is always difficult, especially when new products are involved, but as we have seen, not impossible.

I hope this article helps.