Installation#
To install the Kerberos client:
$ dnf install krb5-workstation
Authentication#
$ kinit <username>@<realm>
Tomcat#
Instance Configuration#
krb5.ini:
[logging]
# Only "default" is read by the client library on this host; "kdc" and
# "admin_server" are consumed by the KDC/kadmind daemons and are harmless here.
# The log directory has to be writable by the Tomcat service account (assumption).
default = FILE:/var/lib/tomcat/logs/krb5libs.log
kdc = FILE:/var/lib/tomcat/logs/krb5kdc.log
admin_server = FILE:/var/lib/tomcat/logs/kadmind.log
[libdefaults]
# NOTE(review): rc4-hmac is deprecated (RFC 8429) and the single-DES types
# (des-cbc-md5, des-cbc-crc) are ignored by MIT krb5 unless
# allow_weak_crypto = true, so the tail of each list is either dead or a
# downgrade risk. Prefer an AES-only list (aes256-cts-hmac-sha1-96 aes128-cts;
# "aes128-cts" is an alias for aes128-cts-hmac-sha1-96) once the KDC offers it,
# and keep rc4-hmac only while a legacy domain still requires it.
default_tkt_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
# Single KDC, no failover; add further "kdc =" lines for additional KDCs.
kdc = server.example.com:88
default_domain = EXAMPLE.COM
}
[domain_realm]
# Hostnames are lowercased before lookup, so the upper-case entry is
# presumably redundant - harmless, but the lower-case entries are the ones used.
.EXAMPLE.COM = EXAMPLE.COM
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
jaas.conf:
// JGSS resolves these two entries by name: "initiate" when Tomcat acts as a
// Kerberos client (e.g. the JNDIRealm binding to LDAP with a delegated
// credential), "accept" when the SpnegoAuthenticator validates the browser's
// service ticket. Both use the same HTTP/ service principal and keytab.
com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required
// Never prompt for a password: the service key comes only from the keytab.
doNotPrompt=true
principal="HTTP/server.example.com@EXAMPLE.COM"
useKeyTab=true
// The keytab is the service's long-term secret: readable by the Tomcat
// service account only (e.g. mode 0600) and re-issued whenever the key rotates.
keyTab="/var/lib/tomcat/conf/tomcat.keytab"
// storeKey keeps the key in the Subject's private credentials so it can be
// reused after login.
storeKey=true
// NOTE(review): debug=true makes Krb5LoginModule print principal, keytab and
// ticket details to stdout (catalina.out); some JDK versions include key
// material in hex. Set to false outside troubleshooting - TODO confirm for
// the deployed JDK.
debug=true;
};
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
principal="HTTP/server.example.com@EXAMPLE.COM"
useKeyTab=true
keyTab="/var/lib/tomcat/conf/tomcat.keytab"
// Required on the accept side: the stored key decrypts incoming service tickets.
storeKey=true
// NOTE(review): same as above - debug output belongs to troubleshooting only.
debug=true;
};
Subsystem Configuration#
context.xml:
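<!-- Performs the SPNEGO (Negotiate) handshake. storeDelegatedCredential keeps the
     client's delegated GSS credential in the session so the Realm below can bind
     to LDAP as the user (useDelegatedCredential="true"). -->
<Valve
className="org.apache.catalina.authenticator.SpnegoAuthenticator"
storeDelegatedCredential="true"
/>
<!-- NOTE(review):
     - connectionURL uses cleartext ldap:// on 389; prefer ldaps:// or StartTLS so
       bind credentials and directory data are not sent in the clear.
     - connectionName is the directory super-user with its password stored in
       plain text here; use a least-privileged read-only bind account and restrict
       context.xml to the Tomcat service account. Presumably only the
       non-delegated bind path uses these; with useDelegatedCredential the realm
       binds via GSSAPI as the user (TODO confirm for the deployed Tomcat).
     - spnegoDelegationQop="auth" negotiates authentication only, no SASL
       integrity/confidentiality on the delegated bind; "auth-conf" is stronger.
     - roleBase="***" is a placeholder and must be replaced with the groups base DN.
     - debug="9" is likely not a recognised JNDIRealm attribute on current Tomcat
       releases (expect a "did not find a matching property" warning) - confirm;
       where honoured it logs LDAP traffic and should be off in production.
     The element is self-closing (no nested elements), so no </Realm> end tag
     follows. -->
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="9"
connectionURL="ldap://server.example.com:389"
connectionName="cn=Directory Manager"
connectionPassword="Secret123"
userBase="dc=example,dc=com"
userSearch="(&(objectClass=user)(userPrincipalName={0}))"
userRoleName="memberOf"
userSubtree="true"
roleBase="***"
roleName="name"
roleSubtree="true"
roleSearch="(&(objectClass=group)(member={0}))"
referrals="follow"
authentication="none"
useDelegatedCredential="true"
spnegoDelegationQop="auth"
stripRealmForGss="false"
/>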
web.xml:
<!-- SPNEGO pairs with the SpnegoAuthenticator valve in context.xml. In the
     standard servlet model login-config alone protects nothing: a
     <security-constraint> naming the URL patterns (ideally with a CONFIDENTIAL
     <transport-guarantee>) is still required before any request is challenged. -->
<login-config>
<auth-method>SPNEGO</auth-method>
</login-config>
Client#
$ curl -v -u : --negotiate -c cookies.txt -L <URL>
Troubleshooting#
$ KRB5_TRACE=/dev/stderr <command>
$ KRB5_TRACE=/dev/stderr kvno -S HTTP <hostname>