Kerberos

Revision as of 15:59, 26 July 2022 by Edewata (talk | contribs) (Troubleshooting)


Installation

To install the Kerberos client tools (kinit, klist, kvno) on Fedora/RHEL:

# Installs the MIT Kerberos client utilities used in the rest of this page
# (kinit, klist, kvno). Package installation needs root, e.g. via sudo.
$ dnf install krb5-workstation

Authentication

# Obtains a TGT for the user into the default credential cache. Realm names
# are case-sensitive and conventionally upper case (e.g. EXAMPLE.COM); run
# `klist` afterwards to confirm the ticket was issued and see its expiry.
$ kinit <username>@<realm>

Tomcat

Instance Configuration

krb5.ini:

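[logging]
    # "default" is the client-side libkrb5 log used by Tomcat's JVM. The
    # kdc/admin_server entries are only consumed by a KDC/kadmind daemon
    # running on this host; they are harmless here but otherwise unused.
    default = FILE:/var/lib/tomcat/logs/krb5libs.log
    kdc = FILE:/var/lib/tomcat/logs/krb5kdc.log
    admin_server = FILE:/var/lib/tomcat/logs/kadmind.log

[libdefaults]
    # Enctype lists are in preference order (first = preferred). Single DES
    # (des-cbc-md5, des-cbc-crc) is disabled by default in both MIT krb5 and
    # the JDK (allow_weak_crypto), and rc4-hmac / des3-cbc-sha1 are
    # deprecated, so they were removed: listing them only offers a downgrade
    # path if weak crypto is ever re-enabled. Add rc4-hmac back only if the
    # KDC still issues RC4-only keys for the HTTP/ service principal.
    # NOTE(review): aes256 requires unrestricted JCE policy on JDKs older
    # than 8u161; current JDKs ship with it.
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        # KDC address; 88 is the standard Kerberos port.
        kdc = server.example.com:88
        # NOTE(review): in MIT krb5 default_domain only affects Kerberos 4
        # name translation; kept as-is for compatibility.
        default_domain = EXAMPLE.COM
    }

[domain_realm]
    # Maps hostnames / DNS domains to the realm. MIT krb5 documents these
    # keys as lower case; the upper-case entry is redundant there but harmless.
    .EXAMPLE.COM = EXAMPLE.COM
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM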

jaas.conf:

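// JAAS login contexts for Tomcat's SPNEGO support (Java GSS-API).
// NOTE(review): Tomcat's SpnegoAuthenticator defaults to the
// "com.sun.security.jgss.krb5.initiate" context (loginConfigName) and the
// JDK's GSS acceptor uses "com.sun.security.jgss.krb5.accept"; both entries
// point at the same keytab.
// The keytab holds the long-term key of HTTP/server.example.com: anyone who
// can read it can impersonate the service, so it must be owned by the Tomcat
// user with mode 0600 and kept out of backups/VCS.
// "debug" was turned off: Krb5LoginModule's debug output goes to Tomcat's
// stdout and can include principal, ticket and key details; enable it only
// while troubleshooting.
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/server.example.com@EXAMPLE.COM"
    useKeyTab=true
    keyTab="/var/lib/tomcat/conf/tomcat.keytab"
    storeKey=true
    debug=false;
};

com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    doNotPrompt=true
    principal="HTTP/server.example.com@EXAMPLE.COM"
    useKeyTab=true
    keyTab="/var/lib/tomcat/conf/tomcat.keytab"
    // storeKey is required for the acceptor: the service key must be in the
    // Subject so incoming SPNEGO tokens can be decrypted.
    storeKey=true
    debug=false;
};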

Subsystem Configuration

context.xml:

<!--
  Performs the SPNEGO (Negotiate) handshake for this context.
  storeDelegatedCredential="true" keeps the client's delegated GSS credential
  with the authenticated Principal so the JNDIRealm below can bind to LDAP as
  that user (useDelegatedCredential). This only works when the KDC marks
  HTTP/server.example.com as trusted for delegation, and it allows this server
  to act as the user toward other services: prefer constrained delegation
  (limited to the LDAP service) where the KDC supports it, and only enable it
  if the realm actually needs the delegated credential.
-->
<Valve 
    className="org.apache.catalina.authenticator.SpnegoAuthenticator"
    storeDelegatedCredential="true"
/>

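<!--
  Resolves the SPNEGO-authenticated principal in LDAP and derives roles from
  the memberOf attribute plus a group search.
  Fixes and caveats from review:
  - The element is self-closed with "/>", so the stray closing </Realm> that
    followed it was removed; it made context.xml malformed.
  - "&" inside the LDAP filters must be written as "&amp;" in an XML
    attribute, otherwise the file does not parse.
  - connectionURL is plain ldap:// on 389. Use ldaps:// or useStartTls="true"
    so directory traffic (including the bind) is not sent in the clear.
  - connectionName/connectionPassword are a directory-manager (root DN)
    credential in clear text. Use a dedicated read-only bind account, and
    restrict context.xml to the Tomcat user. NOTE(review): with
    useDelegatedCredential="true" the realm binds with the user's delegated
    Kerberos credential when one is present; spnegoDelegationQop="auth"
    authenticates that bind but does not encrypt it ("auth-conf" adds
    confidentiality).
  - referrals="follow" makes the realm chase referrals to other servers with
    the same credentials; set it to "ignore" unless that is required.
  - roleBase="***" is a placeholder for the DN of the groups container.
  - stripRealmForGss="false" keeps the user@REALM form, which is what the
    userPrincipalName search expects.
  - NOTE(review): debug="9" does not appear to be a JNDIRealm attribute on
    current Tomcat and is likely ignored (Tomcat warns about it at startup).
-->
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="9"
    connectionURL="ldap://server.example.com:389"
    connectionName="cn=Directory Manager"
    connectionPassword="Secret123"
    userBase="dc=example,dc=com"
    userSearch="(&amp;(objectClass=user)(userPrincipalName={0}))"
    userRoleName="memberOf"
    userSubtree="true"
    roleBase="***"
    roleName="name"
    roleSubtree="true"
    roleSearch="(&amp;(objectClass=group)(member={0}))"
    referrals="follow"
    authentication="none"
    useDelegatedCredential="true"
    spnegoDelegationQop="auth"
    stripRealmForGss="false"
/>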

web.xml:

<!--
  Selects SPNEGO as the authentication method for this web application
  (Tomcat then uses SpnegoAuthenticator; the explicit Valve in context.xml is
  what sets storeDelegatedCredential). This declares only the method: no URL
  is protected until a <security-constraint> with an <auth-constraint> is
  added alongside it.
-->
<login-config>
    <auth-method>SPNEGO</auth-method>
</login-config>

Client

# "-u :" (empty user and password) makes curl send a Negotiate token from the
# current ticket cache (kinit first). "-v" prints every header including the
# Authorization: Negotiate blob, which is a live service ticket, so do not
# paste verbose output into bug reports or logs. "-c" stores the session
# cookie so later requests can reuse the session instead of re-negotiating;
# "-L" follows redirects (curl only forwards credentials to a different host
# with --location-trusted).
$ curl -v -u : --negotiate -c cookies.txt -L <URL>

Troubleshooting

# KRB5_TRACE makes libkrb5 print each KDC exchange (realm lookup, enctype
# negotiation, ticket requests) for any Kerberos-based command.
$ KRB5_TRACE=/dev/stderr <command>
# Requests a service ticket for HTTP/<hostname>: proves the SPN is registered
# in the KDC and reachable from this client. Compare the reported kvno with
# `klist -k /var/lib/tomcat/conf/tomcat.keytab`; a stale keytab (kvno
# mismatch) means Tomcat cannot decrypt the tokens the browser sends.
$ KRB5_TRACE=/dev/stderr kvno -S HTTP <hostname>

References