Ok, so I wanted to do single sign-on on an Apache server which is running Nagios. I have been looking on Google and always get patchy results when setting up Kerberos AD integration on Apache, so I decided to try and put the solution that worked for me here.
Create standard user in Active Directory
Log on to "Active Directory Users and Computers" on your Active Directory server and create a standard domain user. This user does not need to have any special permissions.
My installation is on CentOS 6.5, but I'm sure it will work on others.
Install Apache module
On CentOS the Apache Kerberos module and the Kerberos client tools are packaged as mod_auth_kerb and krb5-workstation (libapache2-mod-auth-kerb and krb5-user are the Debian/Ubuntu package names):
# yum install mod_auth_kerb krb5-workstation
Create keytab file
Now you have to log on to the Windows domain controller and generate a keytab file. As long as you have the Windows Support Tools installed you should have no problems creating the file.
C:\>ktpass -in C:\Temp\kerberos_hostname.keytab -princ HTTP/<fqdn-cname-in-DNS>@WINDOWSDOMAIN -mapuser <kerberosuser-AD-username>@WINDOWSDOMAIN -pass <kerberosuser-AD-password> -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out C:\Temp\kerberos_concatenated_hostnames.keytab
Replace the following placeholders with the values from your environment:
- kerberos_hostname.keytab: an existing keytab to merge with (the -in argument; omit -in if you are creating the first keytab)
- fqdn-cname-in-DNS@WINDOWSDOMAIN: the service principal, using the DNS name that browsers will use to reach the server
- kerberosuser-AD-username@WINDOWSDOMAIN: the standard domain user you created above
- kerberosuser-AD-password: that user's password
- kerberos_concatenated_hostnames.keytab: the output keytab file
Set up keytab file
Using WinSCP, copy the file you have just generated from the domain controller to the /tmp folder on the CentOS machine.
Then copy the file to its final location and set the permissions:
# cp /tmp/kerbros.keytab /etc/kerbros.keytab
# chmod 0644 /etc/kerbros.keytab
Set up Apache
Now we need to change the httpd configuration file for the virtual site you are running.
Add the following lines to the configuration file:
AuthType Kerberos
AuthName "Some Name"
KrbAuthRealms WINDOWSDOMAIN
KrbServiceName HTTP
Krb5Keytab /path/to/keytab-file
require valid-user
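The following script is an added example covering the two steps above (installing the keytab and writing the Apache config); it is not from the original post. It makes two changes a practitioner would want: the keytab is installed as root:apache with mode 0640 instead of 0644, because a world-readable keytab lets any local account read the HTTP service key, and the mod_auth_kerb directives are placed in a Location block with the Basic-auth password fallback (KrbMethodK5Passwd) switched off, so browsers can only authenticate with a Negotiate ticket and are never prompted to send an AD password. The web server user/group "apache", the config path /etc/httpd/conf.d/nagios-kerb.conf, the /nagios location and the realm WINDOWSDOMAIN are assumptions; adjust them to your environment.

```shell
#!/bin/sh
# Added example (not the original post's code): install the Kerberos keytab
# with restrictive permissions and write a mod_auth_kerb config fragment.
# Assumed: web server runs as user/group "apache" (CentOS default), realm
# WINDOWSDOMAIN, config file /etc/httpd/conf.d/nagios-kerb.conf.
set -e

# Copy the keytab into place, readable by root and the web server group only.
# $1 = source file, $2 = destination, $3 = owner, $4 = group
install_keytab() {
    src="$1"; dest="$2"; owner="$3"; group="$4"
    cp "$src" "$dest"
    chown "$owner:$group" "$dest"
    chmod 0640 "$dest"
}

# Return 0 if the file is not readable by "other", 1 if it is.
# The last octal digit of the mode holds the "other" bits; read is bit 4.
keytab_is_private() {
    mode=$(stat -c '%a' "$1")
    other=$(printf '%s' "$mode" | tail -c 1)
    case "$other" in
        0|1|2|3) return 0 ;;
        *) return 1 ;;
    esac
}

# Write an Apache config fragment protecting one URL path with Kerberos.
# $1 = config file to write, $2 = URL location, $3 = realm, $4 = keytab path
write_kerb_auth_conf() {
    conf="$1"; location="$2"; realm="$3"; keytab="$4"
    cat > "$conf" <<EOF
<Location $location>
    AuthType Kerberos
    AuthName "Nagios"
    KrbAuthRealms $realm
    KrbServiceName HTTP
    Krb5Keytab $keytab
    # Accept SPNEGO tickets only; do not fall back to prompting for a
    # password, which would send AD credentials as HTTP Basic auth.
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    # Validate the service ticket against the keytab.
    KrbVerifyKDC On
    Require valid-user
</Location>
EOF
}

# Run with "deploy" as the first argument to apply the changes on the server.
if [ "${1:-}" = "deploy" ]; then
    install_keytab /tmp/kerbros.keytab /etc/kerbros.keytab root apache
    keytab_is_private /etc/kerbros.keytab
    write_kerb_auth_conf /etc/httpd/conf.d/nagios-kerb.conf /nagios \
        WINDOWSDOMAIN /etc/kerbros.keytab
    # Check that the HTTP/ principal is really in the keytab and that the
    # new config parses before reloading httpd.
    klist -kte /etc/kerbros.keytab
    apachectl configtest
fi
```

After `apachectl configtest` passes, reload httpd and test from a domain-joined workstation; if the browser is prompted for a username and password, SPNEGO is failing (wrong principal name in the keytab or a DNS name that does not match it) and the prompt should not be used as a workaround.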