Adding a linux server to a windows domain

I already described in an earlier post how I added a Linux server to a Windows domain. Recently I added a new server to my domain to replace my existing domain controller. As a consequence I had to update the krb5.conf file to point to the newly added server. Actually this hasn’t been the first change of domain controllers, and usually users point out that they cannot authenticate to Subversion or Apache-based applications (which use Kerberos authentication as well). OK, so I forgot to update the krb5.conf again.

So there must be a more convenient way to configure Kerberos. If only I had some way to pull the information about the current KDC from the domain data. But wait – there is DNS. Active Directory publishes a couple of SRV records in DNS that point to all available Kerberos servers in the domain! That sounds promising.

So I changed my krb5.conf file and added

dns_lookup_realm = yes
dns_lookup_kdc = yes

to the libdefaults section. Then I removed the realms and domain_realm sections. Now all information about available KDC servers is pulled directly from DNS – sweet.
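Two checks that go with this change, written as an added example (not part of the original post): the first confirms that a krb5.conf really leaves KDC discovery to DNS, the second ranks the KDCs that the _kerberos._tcp SRV records advertise in the order a Kerberos client tries them (lowest priority first, highest weight first within a priority). The realm ACME.COM, the dcN host names and the sample records are constructed for the demonstration; against a live domain the records come from dig.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: ACME.COM, dc1..dc3.

# krb5_dns_enabled FILE
# Exit 0 when the [libdefaults] section of FILE sets dns_lookup_kdc to
# yes/true (KDCs come from DNS), exit 1 otherwise (KDCs must be listed
# under [realms], which is exactly what goes stale on a DC change).
krb5_dns_enabled() {
    awk '
        /^[ \t]*\[/ { in_libdefaults = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_libdefaults && tolower($0) ~ /^[ \t]*dns_lookup_kdc[ \t]*=[ \t]*(yes|true)[ \t]*$/ { found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# rank_kdcs
# Read SRV records on stdin in "dig +short SRV" form
# (priority weight port target.) and print the KDC host names in the
# order a client would contact them, trailing dot removed.
rank_kdcs() {
    sort -k1,1n -k2,2nr | awk '{ sub(/\.$/, "", $4); print $4 }'
}

# Constructed krb5.conf in the shape the post ends up with: only
# [libdefaults], no [realms] or [domain_realm] section.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
[libdefaults]
    default_realm = ACME.COM
    dns_lookup_realm = yes
    dns_lookup_kdc = yes
EOF

if krb5_dns_enabled "$sample_conf"; then
    echo "krb5.conf: KDCs are discovered through DNS"
else
    echo "krb5.conf: dns_lookup_kdc is off, [realms] must list every KDC"
fi
rm -f "$sample_conf"

# Constructed answer in the form "dig +short SRV _kerberos._tcp.ACME.COM"
# prints. Against a live domain replace the heredoc with:
#   dig +short SRV _kerberos._tcp.ACME.COM | rank_kdcs
cat <<'EOF' | rank_kdcs
0 100 88 dc1.acme.com.
10 100 88 dc3.acme.com.
0 200 88 dc2.acme.com.
EOF
```

With the sample records above, dc2 is tried first (priority 0, weight 200), then dc1, and dc3 only as a fallback; a decommissioned controller simply disappears from that list once its SRV records are gone, which is why the krb5.conf no longer needs editing.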

Kerberos authentication in Apache

First of all, mod_auth_kerb is needed to add Kerberos capabilities to Apache. Besides this, a working Kerberos 5 configuration is needed on the server running Apache.

Prepare Active Directory

  1. To enable authentication against Active Directory, a dedicated user is needed for each Apache server. The password doesn’t really matter, but the username should follow a consistent convention and maybe carry an explanatory description. Such an account could be http-linuxserver.
  2. For the newly created account a keytab is needed so that Apache can use the account. To create such a keytab, ktpass.exe is needed. The command on a server running Windows 2003 looks like this (the trailing ^ continues the command on the next line in cmd.exe):
             ktpass.exe -princ HTTP/linuxserver@ACME.COM ^
                 -mapuser http-linuxserver ^
                 -crypto DES-CBC-MD5 +DesOnly ^
                 -pass myverygoodpass ^
                 -ptype KRB5_NT_PRINCIPAL ^
                 -out linuxserver.keytab

    For domain-controllers running Windows 2000 the command might be slightly different.

Configuring Apache

After installing mod_auth_kerb, a couple of configuration settings need to be made.

  1. First, the previously created keytab file needs to be copied to the server (preferably using scp or similar).
  2. Change the owner of the keytab file to the user running Apache (depending on your distribution that could be apache, www-data or something else).
  3. To secure a directory using Kerberos, the following entries need to be added to the appropriate configuration section of Apache:
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbServiceName HTTP
        KrbMethodK5Passwd On
        KrbAuthRealms ACME.COM
        Krb5KeyTab /etc/httpd/conf/linuxserver.keytab
        require valid-user
  4. Restart Apache to apply the changes.

If you now access the secured website using Internet Explorer, which supports Integrated Windows Authentication, you can see the content without being prompted for a password, as long as you have valid Windows credentials.
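Before restarting Apache it is worth checking the two things that most often break this setup: the keytab's ownership and permissions (step 2 above) and the completeness of the Kerberos directives (step 3). The following script is an added example and not code from the original post; the keytab path, the Apache user and the config block it tests against are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Paths, user and config content
# below are constructed for the demonstration.

# keytab_sane FILE USER
# Exit 0 when FILE exists, is owned by USER (the account Apache runs as)
# and is not readable by group or others. Anyone who can read the keytab
# can impersonate the HTTP service, so 0600 is the only sensible mode.
keytab_sane() {
    f=$1
    owner=$2
    [ -f "$f" ] || { echo "keytab $f: missing"; return 1; }
    [ -n "$(find "$f" -user "$owner")" ] \
        || { echo "keytab $f: not owned by $owner"; return 1; }
    [ -z "$(find "$f" \( -perm -g+r -o -perm -o+r \))" ] \
        || { echo "keytab $f: readable by group or others, use chmod 600"; return 1; }
    return 0
}

# apache_krb_ok FILE
# Exit 0 when the Apache config in FILE carries each directive the post
# lists for a Kerberos-protected location; report each missing one and
# exit 1 otherwise. Patterns are extended regular expressions for grep -E.
apache_krb_ok() {
    missing=0
    for d in 'AuthType[[:space:]]+Kerberos' \
             'KrbServiceName[[:space:]]+HTTP' \
             'KrbAuthRealms[[:space:]]+[A-Z0-9.-]+' \
             'Krb5KeyTab[[:space:]]+/' \
             '[Rr]equire[[:space:]]+valid-user'; do
        grep -Eq "^[[:space:]]*$d" "$1" \
            || { echo "apache config $1: no directive matching '$d'"; missing=1; }
    done
    return $missing
}

# Stand-alone demonstration on constructed files: a dummy keytab owned by
# the current user, and a copy of the configuration block from the post.
demo_keytab=$(mktemp)
printf 'not a real keytab\n' > "$demo_keytab"
chmod 600 "$demo_keytab"
keytab_sane "$demo_keytab" "$(id -un)" && echo "keytab $demo_keytab: ok"

demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
<Location /secure>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbServiceName HTTP
    KrbMethodK5Passwd On
    KrbAuthRealms ACME.COM
    Krb5KeyTab /etc/httpd/conf/linuxserver.keytab
    require valid-user
</Location>
EOF
apache_krb_ok "$demo_conf" && echo "apache config $demo_conf: ok"
rm -f "$demo_keytab" "$demo_conf"
```

On the real server, run keytab_sane against /etc/httpd/conf/linuxserver.keytab with the Apache user, and use klist -kt on that file to confirm the principal reads HTTP/linuxserver@ACME.COM, since KrbServiceName and the host name in the principal must agree. Note that the keytab above was created with -crypto DES-CBC-MD5; current MIT Kerberos releases refuse DES keys unless allow_weak_crypto is enabled in krb5.conf, so a keytab that lists only DES entries is a likely cause of an otherwise unexplained 401.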