Прозрачная аутентификация (SSO) в Apache через AD, дистрибутив RHEL5

Линки

Пакеты

/etc/krb5.conf

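# /etc/krb5.conf -- MIT Kerberos client settings for a host joined to the
# MY.DOMAIN AD realm. Booleans are written true/false throughout (krb5 also
# understands yes/no; the original file mixed both forms).

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MY.DOMAIN
 # Realm mapping and the KDC set are pinned to [domain_realm] / [realms]
 # below instead of being taken from DNS, so a changed TXT/SRV record
 # cannot point this host at a different KDC.
 dns_lookup_realm = false
 dns_lookup_kdc = false
 # Lifetime requested for tickets obtained by this host's own tools.
 ticket_lifetime = 24h
 # Forwardable TGTs let a service act on the user's behalf (delegation);
 # set to false unless something on this host must forward credentials.
 forwardable = true
 # NOTE: the keytab produced by "net ads keytab add" later in this
 # walkthrough holds only single-DES and RC4 keys (see the klist output).
 # Both are deprecated; krb5 >= 1.7 refuses DES unless allow_weak_crypto
 # is set -- prefer AES keys on the machine account over enabling that.

[realms]
 # Several kdc / admin_server lines per realm are tried in order; the
 # repetition is intentional in krb5.conf, not a duplicate-key mistake.
 MY.DOMAIN = {
  kdc = dc1.MY.DOMAIN
  kdc = dc2.MY.DOMAIN
  kdc = dc3.MY.DOMAIN
  admin_server = dc1.MY.DOMAIN
  admin_server = dc2.MY.DOMAIN
  admin_server = dc3.MY.DOMAIN
 }

[domain_realm]
 # Hostnames under the domain (leading dot) and the bare domain name map
 # to the realm.
 .MY.DOMAIN = MY.DOMAIN
 MY.DOMAIN = MY.DOMAIN

[appdefaults]
 # pam_krb5 settings; lifetimes here are in seconds (36000 s = 10 h).
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  # Kerberos 4 ticket conversion -- obsolete, kept off.
  krb4_convert = false
 }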

/etc/samba/smb.conf

# /etc/samba/smb.conf -- only the [global] settings needed for the AD join
# are listed here. Booleans are case-insensitive to Samba; lowercase is used.
[global]
   # NetBIOS domain name and the Kerberos realm of the AD domain.
   workgroup = MY
   realm = MY.DOMAIN
   # %v is expanded by Samba to its own version string.
   server string = Samba Server Version %v
   # Authenticate through AD (Kerberos); required for "net ads join".
   security = ADS
   passdb backend = tdbsam
   # Let "net ads join" / "net ads keytab" maintain the host keytab
   # (/etc/krb5.keytab); the HTTP keys are added there later.
   use kerberos keytab = yes
   # This host must not try to become the local browse master.
   local master = no
   cups options = raw

Порядок действий

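# Join the host to the AD domain (prompts for the Administrator password)
# and confirm the machine account works before touching Kerberos.
net ads join -U Administrator
net ads testjoin
service smb start
service winbind start
# Verifies the machine-account trust secret with the domain; it should
# report that the check succeeded.
wbinfo -t

# Register the HTTP/<fqdn> service principal on the computer object and add
# its keys to the host keytab (/etc/krb5.keytab, see "use kerberos keytab").
net ads keytab add HTTP -U Administrator
klist -ek /etc/krb5.keytab
# Expected listing (KVNO differs per host). Two things worth noticing:
#  - every entry shows the same KVNO, consistent with all of them being
#    derived from the single machine-account password: the HTTP/ keys are
#    the same secret as the host/ and MSK-WWW-TEST$ keys;
#  - only single-DES and RC4 (ArcFour) keys are present, both deprecated;
#    prefer AES keys where the domain and the krb5 build support them.
#   Keytab name: FILE:/etc/krb5.keytab
#   KVNO Principal
#   ---- --------------------------------------------------------------------
#      5 host/msk-www-test.MY.DOMAIN@MY.DOMAIN (DES cbc mode with CRC-32)
#      5 host/msk-www-test.MY.DOMAIN@MY.DOMAIN (DES cbc mode with RSA-MD5)
#      5 host/msk-www-test.MY.DOMAIN@MY.DOMAIN (ArcFour with HMAC/md5)
#      5 host/msk-www-test@MY.DOMAIN (DES cbc mode with CRC-32)
#      5 host/msk-www-test@MY.DOMAIN (DES cbc mode with RSA-MD5)
#      5 host/msk-www-test@MY.DOMAIN (ArcFour with HMAC/md5)
#      5 MSK-WWW-TEST$@MY.DOMAIN (DES cbc mode with CRC-32)
#      5 MSK-WWW-TEST$@MY.DOMAIN (DES cbc mode with RSA-MD5)
#      5 MSK-WWW-TEST$@MY.DOMAIN (ArcFour with HMAC/md5)
#      5 HTTP/msk-www-test.MY.DOMAIN@MY.DOMAIN (DES cbc mode with CRC-32)
#      5 HTTP/msk-www-test.MY.DOMAIN@MY.DOMAIN (DES cbc mode with RSA-MD5)
#      5 HTTP/msk-www-test.MY.DOMAIN@MY.DOMAIN (ArcFour with HMAC/md5)
#      5 HTTP/msk-www-test@MY.DOMAIN (DES cbc mode with CRC-32)
#      5 HTTP/msk-www-test@MY.DOMAIN (DES cbc mode with RSA-MD5)
#      5 HTTP/msk-www-test@MY.DOMAIN (ArcFour with HMAC/md5)

# Hand the keys to Apache. Because the secret is shared with the machine
# account (see above), copying the whole host keytab is what this walkthrough
# does; filtering it down to the HTTP/ entries with ktutil (rkt / delent /
# wkt) only trims principal names, not the secret. For real separation,
# create a dedicated AD account for the web server and export its own keytab
# (ktpass on the DC) instead of reusing the host's.
cp /etc/krb5.keytab /etc/httpd/httpd.keytab
# root keeps ownership: the apache user can read the keytab through the
# group bit but cannot change its mode.
chown root:apache /etc/httpd/httpd.keytab
chmod 0440 /etc/httpd/httpd.keytab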

.htaccess

# mod_auth_kerb: SPNEGO (Negotiate) single sign-on against the AD realm.
# As a .htaccess file this only takes effect where the enclosing
# <Directory> allows AllowOverride AuthConfig.
AuthType Kerberos
AuthName "Kerberos Login"
# Only principals from this realm are accepted.
KrbAuthRealms MY.DOMAIN
KrbServiceName HTTP
# Keytab with the HTTP/<fqdn> keys; must be readable by the apache user.
Krb5KeyTab /etc/httpd/httpd.keytab
# Negotiate = ticket-based, password-less login for domain-joined browsers.
KrbMethodNegotiate On
# K5Passwd = Basic-auth fallback: the browser sends the AD password to
# Apache, which uses it to obtain a TGT. Keep this On only on an HTTPS
# virtual host, and leave KrbVerifyKDC at its default (On) so that TGT is
# checked against the keytab.
KrbMethodK5Passwd On
# Any successfully authenticated principal is allowed through.
require valid-user