I have used the instructions on http://www.grolmsnet.de/kerbtut/ many times because they work. For the record, you do not need to join the linux host to the AD domain, it's ok to do it but not necessary.
First of all, ensure you can kinit from the centos host to your AD realm. You can use your normal user credentials like this:
$ kinit yourusername@ADREALM.TLD
(kinit is part of the krb5-workstation package in centos, by the way)
Enter your password and no news is good news. Run klist and you should see a kerberos ticket there as your AD username. If this step is not successful go back and fix your krb5.conf until it is.
Get rid of that ticket with kdestroy.
Once that works you can create a user account in AD. Ensure that it does not have to change its password and that the password does not expire.
Then we bind the service principal name (spn) HTTP/host.adrealm.tld to that useraccount using setspn.exe on a windows hosts with the management tools or in a domain controller as an admin or account with sufficient privileges:
setspn -A HTTP/host.adrealm.tld username [enter]
Registering ServicePrincipalNames for CN=username,OU=service_accounts,dc=adrealm,DC=tld
HTTP/host.adrealm.tld
Updated object
Now we can generate the keytab for this object using ktpass.exe (still in the windows management host or domain controller):
ktpass -princ HTTP/host.adrealm.tld@ADREALM.TLD -pass xxxxx -mapuser username -Ptype KRB5_NT_PRINCIPAL -out host_adrealm_tld.keytab [enter]
Targeting domain controller: DCname.Adrealm.tld
Successfully mapped HTTP/host.adrealm.tld to username.
Password succesfully set!
Key created.
Output keytab to host_adrealm_tld.keytab:
Keytab version: 0x502
keysize 75 HTTP/host.adrealm.tldl@ADREALM.TLD ptype 1 (KRB5_NT_PRINCIPAL)
vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x037da0f7493b97966e4a19636304064d)
Transport that file to the centos host and place it with 640 permissions (root:apache) in /etc/httpd/conf.d/ . If selinux is enabled, run restorecon -rv /etc to eventually fix selinux contexts there.
You can verify the keytab file with:
$ klist -k -t host_adrealm_tld.keytab
Keytab name: FILE:host_adrealm_tld.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
3 01/01/70 01:00:00 HTTP/host.adrealm.tld@ADREALM.TLD
And you could even go one step further by using it to log on:
# kinit -k -t host_adrealm_tld.keytab -p HTTP/host.adrealm.tld@ADREALM.TLD
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/host.adrealm.tld@ADREALM.TLD
Valid starting Expires Service principal
11/04/14 21:45:41 11/05/14 07:45:41 krbtgt/ADREALM.TLD@ADREALM.TLD
renew until 11/05/14 21:45:41
In your dns infrastructure (probably in AD dns as well), create an A host.realm.tld pointing to the centos host (if you use samba to join the host it should have created it for you, ensure it is correct).
Ensure your centos hosts has the mod_auth_kerb installed.
Whant that is in place you edit one of the apache conf files of your (virtual) hosts for apache.
In this case, let's protect the folder http://host.adrealm.tld/topsecret:
Alias /topsecret/ "/path/to/topsecret/"
<Directory "/path/to/topsecret/">
AuthType Kerberos
KrbAuthRealms YOURAD.TLD
KrbServiceName HTTP
Krb5Keytab /etc/httpd/conf.d/host_adrealm_tld.keytab
KrbMethodNegotiate on
KrbMethodK5Passwd off
require valid-user
</Directory>
Create the topsecret folder in the filesystem of the centos host. Set a couple of dummy files in there. If you run with selinux enable, ensure that folder has the right security context for apache (if the folder is in /var/www/html it should be righ an running restorecon -rv /var/www/html will eventually fix any selinux problems).
Verify the apache2 syntax passes:
apachectl -t
If you get 'Syntax OK' with warnings about not being able to reliably determine the host fqdn, then you are good to go (you can fix that later if you want, it is not critical). Reload apache:
apachectl graceful
Verify your local firewall allows httpd connexxions.
This should be it. Now you need to configure the clients. If you already have webservers with 'Windows Authentication' in your network then you are set, go to the topsecret url and if you have a valid kerberos ticket you should see the files, otherwise you will get access denied.
Best Answer
To authenticate with AD, you will be using kerberos authentication regardless of using
ad
orkrb
asauth_provider
. By usingauth_provider = ad
, SSSD will handle everything for you, so you won't need to make specific kerberos or ldap configurations in your sssd.conf.If you didn't use
realm join
as the document describes, I highly recommend it if possible in your scenario. It will create yoursssd.conf
with the correct configurations, and it will create and install your kerberos key on your client. You shouldn't need akrb5.conf
orsmb.conf
(in my experience at least). A couple tweaks may be required depending on your requirements.Check the sssd-ad manpage for details on configuring the AD backend.
In regards to your question about ports, authentication is happening with Kerberos not LDAP/LDAPS (which is what uses ports 389 and 636).