Single Sign On with Kerberos using Debian and Windows Server 2008 R2

URL dieses Beitrags: http://blog.stefan-macke.com/2011/04/19/single-sign-on-with-kerberos-using-debian-and-windows-server-2008-r2/

Recently, I wanted to add single sign on (SSO) functionality to our intranet server, which runs a Debian Linux. Users should be automatically logged in to the website using their Windows user accounts, which are stored in an Active Directory on a Windows Server 2008 R2, without entering their credentials again. To make this work in the described Linux/Windows environment, Kerberos is the method of choice.

Now, after looking at the small bit of configuration that is actually needed to get SSO working, the complete day I spent figuring it out seems like a waste of time :-) But while searching the web for answers to all the problems I faced during the initial configuration, I got a feeling that many others had to struggle with Kerberos, too.

Anyway, here is how to make SSO run on Debian Linux against Windows Server 2008 R2, started from scratch:

Make sure to use only the latest packages available, especially the ones regarding Samba and Kerberos. Otherwise Kerberos may not work due to changes in Windows Server 2008. I used the following configuration in /etc/apt/sources.list:

deb http://ftp.de.debian.org/debian/ squeeze main
deb-src http://ftp.de.debian.org/debian/ squeeze main

These are the packages’ versions on my Debian machine:

ii  samba                             2:3.5.6~dfsg-3squeeze2       SMB/CIFS file, print, and login server for Unix
ii  samba-common                      2:3.5.6~dfsg-3squeeze2       common files used by both the Samba server and client
ii  samba-common-bin                  2:3.5.6~dfsg-3squeeze2       common files used by both the Samba server and client
ii  krb5-config                       2.2                          Configuration files for Kerberos Version 5
ii  krb5-multidev                     1.8.3+dfsg-4                 Development files for MIT Kerberos without Heimdal conflict
ii  krb5-user                         1.8.3+dfsg-4                 Basic programs to authenticate using MIT Kerberos
ii  libgssapi-krb5-2                  1.8.3+dfsg-4                 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3                         1.8.3+dfsg-4                 MIT Kerberos runtime libraries
ii  libkrb5-dev                       1.8.3+dfsg-4                 Headers and development libraries for MIT Kerberos
ii  libkrb53                          1.8.3+dfsg-4                 transitional package for MIT Kerberos libraries
ii  libkrb5support0                   1.8.3+dfsg-4                 MIT Kerberos runtime libraries - Support library

Install the needed packages and go through the basic configuration as described here:

In my case the basic needed configuration looks like this:

  • /etc/krb5.conf
    [libdefaults]
        default_realm = YOURDOMAIN.COM
    [realms]
        YOURDOMAIN.COM = {
            kdc = DOMAINCONTROLLER.YOURDOMAIN.COM
            master_kdc = DOMAINCONTROLLER.YOURDOMAIN.COM
            admin_server = DOMAINCONTROLLER.YOURDOMAIN.COM
            default_domain = YOURDOMAIN.COM
        }
    [login]
        krb4_convert = true
        krb4_get_tickets = false
  • /etc/samba/smb.conf
    workgroup = YOURDOMAIN
    realm = YOURDOMAIN.COM
    netbios name = WEBSERVER
    security = ADS
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    machine password timeout = 0 # needed when using only the machine account as described below
  • /var/www/kerberos/.htaccess
    AuthType Kerberos
    KrbAuthRealms YOURDOMAIN.COM
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbServiceName HTTP/webserver.yourdomain.com
    Krb5KeyTab /etc/krb5.keytab
    require valid-user

Now you basically have two choices for Kerberos authentication against the Active Directory: Using a seperate technical user account (which should be the preferred method) or using only the Linux server’s machine account.

Using a seperate technical user account

  • (re)join the Linux server to the domain
    webserver:~# net ads join -U administrator
    Enter administrator's password:
    Using short domain name -- YOURDOMAIN
    Joined 'WEBSERVER' to realm 'yourdomain.com'
  • restart the services
    webserver:~# /etc/init.d/samba restart
    Stopping Samba daemons: nmbd smbd.
    Starting Samba daemons: nmbd smbd.
    webserver:~# /etc/init.d/winbind restart
    Stopping the Winbind daemon: winbind.
    Starting the Winbind daemon: winbind.
  • check whether everything works
    webserver:~# wbinfo -t
    checking the trust secret for domain YOURDOMAIN via RPC calls succeeded
  • add a technical user to your Active Directory, e.g. tukerberos with password Kerber0s
  • create and attach the needed service principals for the website to the technical user on the domain controller
    ktpass -princ HOST/webserver.yourdomain.com@YOURDOMAIN.COM -mapuser tukerberos@YOURDOMAIN.COM -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass Kerber0s -out c:\krb5.keytab
    ktpass -princ HTTP/webserver.yourdomain.com@YOURDOMAIN.COM -mapuser tukerberos@YOURDOMAIN.COM -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass Kerber0s -out c:\krb5.keytab -in c:\krb5.keytab
  • copy \\domaincontroller\c$\krb5.keytab to webserver:/etc/krb5.keytab
  • set the needed file system permissions on the keytab file
    webserver:~# chown root.www-data /etc/krb5.keytab
    webserver:~# chmod 0640 /etc/krb5.keytab
  • open http://webserver/ in Internet Explorer → the user should be logged in automatically

Using only the Linux server’s machine account

  • (re)join the Linux server to the domain (the error message may be ignored for now)
    webserver:~# net ads join -U administrator
    Enter administrator's password:
    Using short domain name -- YOURDOMAIN
    Joined 'WEBSERVER' to realm 'yourdomain.com'
    [2011/04/19 10:54:35.026049,  0] libads/kerberos.c:333(ads_kinit_password)
      kerberos_kinit_password WEBSERVER$@YOURDOMAIN.COM failed: Preauthentication failed
  • reset the (newly created) machine account in your Active Directory so the machine’s password is reset to the initial value (i.e. the machine’s hostname, webserver)
  • change the machine’s password to a new value (e.g. Kerber0s)
    webserver:~# kpasswd webserver
    Password for webserver@YOURDOMAIN.COM: webserver
    Enter new password: Kerber0s
    Enter it again: Kerber0s
    Password changed.
  • add the needed service principals (e.g. HTTP/webserver, HTTP/webserver.yourdomain.com) to the machine account using adsiedit.msc on your domain controller
  • request an initial Kerberos ticket
    webserver:~# kinit webserver
    Password for webserver@YOURDOMAIN.COM: Kerber0s
  • find out the current kvno of the service principal
    webserver:~# kvno HTTP/webserver
    HTTP/webserver@YOURDOMAIN.COM: kvno = 18
  • create a Kerberos keytab file
    webserver:~# ktutil
    ktutil:  addent -password -p HOST/webserver.yourdomain.com@YOURDOMAIN.COM -k 18 -e rc4-hmac
    Password for HTTP/webserver.yourdomain.com@YOURDOMAIN.COM: Kerber0s
    ktutil:  addent -password -p HTTP/webserver.yourdomain.com@YOURDOMAIN.COM -k 18 -e rc4-hmac
    Password for HTTP/webserver.yourdomain.com@YOURDOMAIN.COM: Kerber0s
    ktutil:  wkt /etc/krb5.keytab
    ktutil:  q
  • set the needed file system permissions on the keytab file
    webserver:~# chown root.www-data /etc/krb5.keytab
    webserver:~# chmod 0640 /etc/krb5.keytab
  • open http://webserver/ in Internet Explorer → the user should be logged in automatically

Possible errors and how to fix them

This is how a successful Kerberos login looks in the Apache logfile:

[Tue Apr 19 11:09:04 2011] [debug] src/mod_auth_kerb.c(1628): [client 10.120.22.74] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Tue Apr 19 11:09:04 2011] [debug] src/mod_auth_kerb.c(1240): [client 10.120.22.74] Acquiring creds for HTTP/webserver.yourdomain.com
[Tue Apr 19 11:09:04 2011] [debug] src/mod_auth_kerb.c(1385): [client 10.120.22.74] Verifying client data using KRB5 GSS-API
[Tue Apr 19 11:09:04 2011] [debug] src/mod_auth_kerb.c(1401): [client 10.120.22.74] Client didn't delegate us their credential
[Tue Apr 19 11:09:04 2011] [debug] src/mod_auth_kerb.c(1420): [client 10.120.22.74] GSS-API token of length 163 bytes will be sent back

However, these are all the different error messages I got throughout my initial attempt:

[Mon Apr 18 16:57:30 2011] [debug] src/mod_auth_kerb.c(1101): [client 10.120.22.74] GSS-API major_status:000d0000, minor_status:0000000d
[Mon Apr 18 16:57:30 2011] [error] [client 10.120.22.74] gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information (, Permission denied)

→ wrong file system permissions for /etc/krb5.keytab, i.e. not readable for the webserver’s Linux user

[Mon Apr 18 17:51:54 2011] [debug] src/mod_auth_kerb.c(1101): [client 10.120.22.74] GSS-API major_status:000d0000, minor_status:025ea101
[Mon Apr 18 17:51:54 2011] [error] [client 10.120.22.74] gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information (, Key table entry not found)

→ missing service principal (possibly HTTP/webserver.yourdomain.com@YOURDOMAIN.COM) in /etc/krb5.keytab

[Tue Apr 19 08:40:38 2011] [debug] src/mod_auth_kerb.c(1429): [client 10.120.22.74] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
[Tue Apr 19 08:40:38 2011] [debug] src/mod_auth_kerb.c(1101): [client 10.120.22.74] GSS-API major_status:00010000, minor_status:00000000
[Tue Apr 19 08:40:38 2011] [error] [client 10.120.22.74] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)

→ the website is not in zone “Local Intranet” in IE or IE is configured incorrectly, see Authentication Uses NTLM instead of Kerberos

[Tue Apr 19 09:31:43 2011] [debug] src/mod_auth_kerb.c(1101): [client 10.120.20.81] GSS-API major_status:000d0000, minor_status:000186a3
[Tue Apr 19 09:31:43 2011] [error] [client 10.120.20.81] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, )

→ wrong kvno or machine password in /etc/krb5.keytab → recreate the keytab using the correct information
→ OR problem with local Kerberos ticket cache on your workstation, use Kerbtray.exe to purge the ticket cache and open the website in IE again

Kommentare zu diesem Beitrag

  1. Gravatar Single Sign On with Kerberos using Debian and Windows Server 2008 … | Windows (7) Affinity
    Am 19. April 2011 um 22:15 Uhr

    [...] post: Single Sign On with Kerberos using Debian and Windows Server 2008 … No [...]

  2. Gravatar bertignac
    Am 25. November 2011 um 15:42 Uhr

    Thanks for this very useful doc.

    How can I find the reason for such error :
    GSS-API major_status:000d0000, minor_status:000186a4

    I can’t get a mapping between minor_status and anything I could use to find the cause.

    Thanks !

  3. Gravatar Stefan
    Am 27. November 2011 um 16:12 Uhr

    Hi bertignac. Sorry, all the errors I found a solution for are listed above. I don’t know how to help you…

  4. Gravatar Win 7 Forum
    Am 30. Dezember 2011 um 03:17 Uhr

    [...] die über keinen starken PC verfügen. Win 7 macht vieles richtig und ist das System der Gegenwart.Das Betriebssystem Win 7 aus dem Hause Microsoft ist der Nachfolger des Betriebssystems Vista und he… Neben der Standard Edition, welche auf den meisten Computern zu finden ist, gibt es auch die [...]

  5. Gravatar Win 7 Forum
    Am 30. Dezember 2011 um 03:17 Uhr

    [...] die über keinen starken PC verfügen. Win 7 macht vieles richtig und ist das System der Gegenwart.Das Betriebssystem Win 7 aus dem Hause Microsoft ist der Nachfolger des Betriebssystems Vista und he… Neben der Standard Edition, welche auf den meisten Computern zu finden ist, gibt es auch die [...]

  6. Gravatar network | Pearltrees
    Am 24. Februar 2012 um 01:23 Uhr

    [...] Single Sign On with Kerberos using Debian and Windows Server 2008 R2 » Stefan Macke find out the current kvno of the service principal webserver:~# kvno HTTP/webserver HTTP/webserver@YOURDOMAIN.COM: kvno = 18 [...]

  7. Gravatar InuSasha
    Am 9. Oktober 2012 um 12:15 Uhr

    the last week, i tried to configure a SSO, on an Apache. In the error-log listed folling error message:

    [Tue Oct 09 08:55:09 2012] [debug] src/mod_auth_kerb.c(1429): [client 10.9.53.41] Warning: received token seems to be NTLM, which
     isn't supported by the Kerberos module. Check your IE configuration.
    [Tue Oct 09 08:55:09 2012] [debug] src/mod_auth_kerb.c(1101): [client 10.9.53.41] GSS-API major_status:00070000, minor_status:000
    00000
    [Tue Oct 09 08:55:09 2012] [error] [client 10.9.53.41] gss_accept_sec_context() failed: No credentials were supplied, or the cred
    entials were unavailable or inaccessible (, Unknown error)

    All howto, tutorials and documentations say: setup your browser propertly.
    But after many tries and a temporary test on an other server, the SSO opertates well. The analyse shows, the change on the hosts file solved the problem.

    The base problem was the DNS entry. The servername was entered as an CNAME. After the change of this entry (CNAME to A record), the SSO operates without any modification on the hosts file.

    Sascha

  8. Gravatar Seguridad al Día » Apache kerberizado – Single Sign On (AD y MIT Kerberos)
    Am 8. August 2013 um 20:32 Uhr

    [...] Kerberos authentication – Kerberos authentication with Apache in a multi-domain Active Directory – Single Sign On with Kerberos using Debian and Windows Server 2008 R2 – Kerberos-Based SSO with Apache – Using mod_auth_kerb and Windows 2000/2003/2008R2 as KDC – Apache [...]

  9. Gravatar Ana
    Am 18. September 2013 um 09:52 Uhr

    “This is how a successful Kerberos login looks in the Apache logfile”
    Thanks for this useful bit, i was getting crazy because i thought that was an error :D

  10. Gravatar Stefan Bauer
    Am 13. Juni 2014 um 11:44 Uhr

    Just stumbled over your webpage – amazing – you saved me a lot of time!

    Thank you.

    stefan

  11. Gravatar Mossy
    Am 2. Juli 2014 um 16:01 Uhr

    If anyone encounters the following in the Apache logfile, it is due to multiple service principles.

    [Wed Jul 02 09:40:00.085709 2014] [auth_kerb:debug] [pid 28980] src/mod_auth_kerb.c(1155): [client 10.51.2.212:55640] GSS-API major_status:00010000, minor_status:000186a5
    [Wed Jul 02 09:40:00.085734 2014] [auth_kerb:error] [pid 28980] [client 10.51.2.212:55640] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)

    Make sure when you run setspn -q HTTP/webserver.domainname it only returns one CN. You should NOT have it attached to both the technical user account and the machine account.

Einen Kommentar schreiben

XHTML: Diese Tags sind erlaubt: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>