HTTP Kerberos user authentication on CentOS 7

Posted on by

13

This is a long story. It all started in 2015…well, let’s forget about the story and get to the practical example. The goal is the next: we want a website that is only visible for selected members of an AD directory.  The scenario, we have already a CentOS 7.X server called web, already a part of a domain, able to identify an AD user through kerberos, with httpd service active and displaying some web pages. Now I’m following a variation of the solution I found on serverworld. Let’s have a look at the kerberos configuration:

[root@web ~]# yum -y install mod_auth_kerb
[root@web ~]# vi /etc/krb5.conf

On the already existing kerberos configuration (krb5.conf) we pay attention to the sections [realms] and [domain_realm]. In our case, it looks like this:

[realms]
RESEARCH.GOV = {
kdc = research.gov
admin_server = research.gov
}

[domain_realm]
 .research.gov = RESEARCH.GOV
research.gov = RESEARCH.GOV

So we will say our “realm” is RESEARCH.GOV instead of SRV.WORLD. The same for the domain. We create the httpd keytab according to this change.

root@web ~ ## > echo "HTTP/web.research.gov@RESEARCH.GOV" 
> /etc/httpd/conf.d/krb5.keytab

As I wrote, our server web.research.gov has already all the kerberos credentials in order, so we simply used them. Otherwise we will need to create a new keytab first. Now we want to password-protect a folder called auth-kerberos. We will need to create a new httpd configuration file. For the given folder it should look like this:

root@web ~ ## > more /etc/httpd/conf.d/auth_kerberos.conf 
<Directory /var/www/html/auth-kerberos>
    AuthType Kerberos
    AuthName "Kerberos Authntication"
    KrbAuthRealms RESEARCH.GOV
    Krb5Keytab /etc/httpd/conf.d/krb5.keytab
    KrbMethodNegotiate Off
    KrbSaveCredentials Off
    KrbVerifyKDC Off
    #All AD users allowed
    #Require valid-user
    #Only listed AD users allowed
    Require user josmith@RESEARCH.GOV kereave@RESEARCH.GOV
</Directory>

The webpage also we create after the example:

[root@web ~]# vi /var/www/html/auth-kerberos/index.html
<html>
<body>
Test Page for RESEARCH.GOV on WEB
</body>
</html>

We only need to restart the httpd service and we will get the picture on the top of the article (taken from serverworld once more). More or less, of course. More or less. Just in case you don’t have enough, here you have another example from easyredmine and another one from a typo3 documentation. An a very detailed one with a lot of technicalities that I don’t need to touch in general. And I think now it’s time to continue with the quarantine posts 🙂

1 thought on “HTTP Kerberos user authentication on CentOS 7

  1. Pingback: Notes for a responsible Dashboard Layout With CSS and html | Bits and Dragons

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s