KDC (Windows Server 2008): 10.0.2.12 (the domain controller)
Workstation (Windows 10): 10.0.2.100 (a domain-joined company PC)
Webserver (CentOS release 6.5 (Final), Apache 2.4): 10.0.2.15, FQDN webserver.example.com
1. Set up the Webserver. On 10.0.2.15 install krb5-libs, krb5-workstation, Apache (httpd) and mod_auth_kerb (the Kerberos module for Apache): yum install -y httpd krb5-libs krb5-workstation mod_auth_kerb
2. Point the Workstation's DNS at the domain controller, and on the company DNS server create an A record for webserver.example.com pointing to 10.0.2.15. The browser will request a service ticket for HTTP/webserver.example.com, so the site must be reached by this FQDN, not by IP address.
3. Make sure the clocks of the KDC, the Webserver and the Workstation agree (run ntpd on the Webserver against the domain controller). Kerberos rejects any request whose timestamp differs from the KDC's clock by more than 5 minutes.
4. Configure /etc/krb5.conf on the Webserver. Comments in krb5.conf start with #, and the realm named under [realms] must be the same upper-case realm used as default_realm:
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# the AD domain, in upper case
default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
EXAMPLE.COM = {
# 88 is the default KDC port
kdc = 10.0.2.12:88
admin_server = 10.0.2.12:749
}
[domain_realm]
# uncomment to map every host under example.com to the realm
# .example.com = EXAMPLE.COM
# this name must match the Webserver's FQDN exactly
webserver.example.com = EXAMPLE.COM
5. Test the Kerberos configuration by obtaining a TGT for a domain user (here client2) and listing the cache:
[root@localhost ~]# kinit client2@EXAMPLE.COM
Password for client2@EXAMPLE.COM
[root@localhost ~]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: client2@EXAMPLE.COM
Valid starting Expires Service principal
03/19/2019 12:00:00 03/19/2019 22:00:00 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 03/26/2019 11:59:44
6. Create the service principal for the Webserver in AD
Log on to the domain controller and run:
ktpass -princ HTTP/webserver.example.com@EXAMPLE.COM -mapuser client2 -pass xxxxx -out D:\web.keytab
Caveats: ktpass resets the password of the mapped account to the value given with -pass and sets its UPN to the SPN, so map the SPN to a dedicated service account rather than to a user someone logs in with (the post reuses client2, the same account used for the kinit test above). Every ktpass run or password reset increments the key version number (KVNO), so the keytab has to be regenerated afterwards. Without a -crypto option ktpass produces only an RC4 (arcfour-hmac) key; to get AES keys add -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL and enable "This account supports Kerberos AES 256 bit encryption" on the account.
Copy the generated web.keytab to the Webserver, e.g. /etc/web.keytab, owned by the Apache user and readable only by it (the keytab is equivalent to the service account's password):
chown apache:apache /etc/web.keytab
chmod 400 /etc/web.keytab
Verify that the tickets AD issues match the keytab: the KVNO reported by kvno (taken from the service ticket) must equal the KVNO stored in the keytab, and klist -e shows which encryption types are in use (arcfour-hmac on the HTTP ticket here means the service key is RC4-only):
[root@localhost ~]# kvno HTTP/webserver.example.com@EXAMPLE.COM
HTTP/webserver.example.com@EXAMPLE.COM: kvno = 4
[root@localhost ~]# klist -e
Ticket cache: KEYRING:persistent:0:0
Default principal: client2@EXAMPLE.COM
Valid starting Expires Service principal
03/19/2019 12:09:23 03/19/2019 22:00:00 HTTP/webserver.example.com@EXAMPLE.COM
renew until 03/26/2019 11:59:44, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
03/19/2019 12:00:00 03/19/2019 22:00:00 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 03/26/2019 11:59:44, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
[root@localhost ~]# klist -e -k -t /etc/web.keytab
Keytab name: FILE:/etc/web.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
4 01/01/1970 08:00:00 HTTP/webserver.example.com@EXAMPLE.COM (arcfour-hmac)
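The two checks from step 6 (KVNO agreement and key types) are easy to automate. The script below is an added example, not part of the original post: it parses the text of klist -e -k -t and kvno and reports the two conditions that break or weaken mod_auth_kerb, a KVNO mismatch between keytab and KDC and a keytab holding only an RC4 key. The two sample strings are constructed to reproduce the post's listings so the script runs offline; the principal and keytab path are the post's.

```shell
#!/bin/sh
# Added example (not from the original post): keytab sanity check built on the
# output of `klist -e -k -t /etc/web.keytab` and `kvno <principal>` from step 6.

PRINC='HTTP/webserver.example.com@EXAMPLE.COM'

# Constructed sample of `klist -e -k -t /etc/web.keytab` (same content as the post)
SAMPLE_KEYTAB='Keytab name: FILE:/etc/web.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   4 01/01/1970 08:00:00 HTTP/webserver.example.com@EXAMPLE.COM (arcfour-hmac)'

# Constructed sample of `kvno HTTP/webserver.example.com@EXAMPLE.COM`
SAMPLE_KVNO='HTTP/webserver.example.com@EXAMPLE.COM: kvno = 4'

# keytab_kvno KLIST_OUTPUT PRINCIPAL -> KVNO stored in the keytab for PRINCIPAL
# (klist -t lines are: KVNO, date, time, principal, (etype))
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '$4 == p { print $1; exit }'
}

# keytab_etypes KLIST_OUTPUT PRINCIPAL -> one encryption type per line
keytab_etypes() {
    printf '%s\n' "$1" | awk -v p="$2" '$4 == p { gsub(/[()]/, "", $5); print $5 }'
}

# issued_kvno KVNO_OUTPUT PRINCIPAL -> KVNO the KDC put into the service ticket
issued_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == (p ":") { print $NF; exit }'
}

# check_keytab KLIST_OUTPUT KVNO_OUTPUT PRINCIPAL
# exit 0: usable with an AES key; 1: principal missing or KVNO mismatch; 2: RC4-only key
check_keytab() {
    kt_out=$1; kvno_out=$2; princ=$3
    kt_kvno=$(keytab_kvno "$kt_out" "$princ")
    kdc_kvno=$(issued_kvno "$kvno_out" "$princ")
    if [ -z "$kt_kvno" ]; then
        echo "FAIL: no key for $princ in the keytab"
        return 1
    fi
    if [ "$kt_kvno" != "$kdc_kvno" ]; then
        echo "FAIL: KVNO mismatch, keytab=$kt_kvno KDC=$kdc_kvno (ktpass re-run or password reset after the keytab was made; regenerate and redeploy it)"
        return 1
    fi
    etypes=$(keytab_etypes "$kt_out" "$princ" | tr '\n' ' ')
    case "$etypes" in
        *aes*) echo "OK: kvno $kt_kvno, key types: $etypes"; return 0 ;;
        *)     echo "WARN: kvno $kt_kvno matches but the keytab only holds weak key types ($etypes); re-run ktpass with -crypto AES256-SHA1 and enable AES on the account"; return 2 ;;
    esac
}

# Run against the samples. On a real host use the live commands instead:
#   check_keytab "$(klist -e -k -t /etc/web.keytab)" "$(kvno "$PRINC")" "$PRINC"
check_keytab "$SAMPLE_KEYTAB" "$SAMPLE_KVNO" "$PRINC" || echo "exit status $?"
```

Run as a normal user with a valid TGT (kinit first, as in step 5) so that kvno can obtain the service ticket; the keytab itself is only needed readable for the klist part, so root or the apache user is required there.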
7. Configure mod_auth_kerb in Apache
Installing mod_auth_kerb with yum drops its LoadModule line into /etc/httpd/conf.modules.d/10-auth_kerb.conf. (mod_auth_kerb is no longer maintained; newer distributions ship mod_auth_gssapi as its successor, with different directive names.)
Watch out for other access-control settings. Apache 2.4 merges <Directory> sections from least to most specific, so a "Require all granted" in /etc/httpd/conf/httpd.conf (typically on /var/www/html) overrides the "Require valid-user" below and the site is served without any Kerberos exchange, while a "Require all denied" blocks everything. Either comment those lines out or put the Kerberos directives in the <Directory> that actually serves the content. Set LogLevel to debug to see whether mod_auth_kerb is being invoked at all.
Keep KrbMethodK5Passwd Off: with it On, a client that cannot do Negotiate falls back to Basic authentication and sends the user's AD password to Apache, which then does a kinit with it; over plain HTTP that password crosses the network in the clear.
LoadModule auth_kerb_module modules/mod_auth_kerb.so
<Directory />
AuthType Kerberos
AuthName "Windows AD Account"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbAuthRealms EXAMPLE.COM
Krb5KeyTab /etc/web.keytab
Require valid-user
</Directory>
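For comparison, the same setup scoped to the directory that serves the site and placed behind TLS, so that the "Require all granted" override described above cannot happen and pages are not served in the clear. This is an added example, not the original post's configuration; the certificate paths, DocumentRoot and virtual host layout are assumptions.

```apache
# Added example, not from the original post. Apache 2.4 virtual host for
# webserver.example.com with mod_auth_kerb on the DocumentRoot.
#
# What the original does, and why it is fragile:
#   <Directory />          ... Require valid-user ... </Directory>
#   <Directory /var/www/html> Require all granted </Directory>   (in httpd.conf)
# The more specific section wins, so the second silently disables the first.

<VirtualHost *:443>
    ServerName webserver.example.com
    DocumentRoot /var/www/html

    # Assumed certificate paths
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/webserver.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/webserver.example.com.key

    # Auth directives on the directory that actually serves content
    <Directory "/var/www/html">
        AuthType Kerberos
        AuthName "Windows AD Account"
        # SPNEGO only; no Basic-auth fallback, so passwords never reach Apache
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        KrbAuthRealms EXAMPLE.COM
        # Accept only tickets for HTTP/webserver.example.com, not any principal in the keytab
        KrbServiceName HTTP
        Krb5KeyTab /etc/web.keytab
        # Keep REMOTE_USER as user@EXAMPLE.COM so applications can check the realm
        KrbLocalUserMapping Off
        Require valid-user
    </Directory>
</VirtualHost>

# Never serve the site over plain HTTP; redirect to HTTPS
<VirtualHost *:80>
    ServerName webserver.example.com
    Redirect permanent / https://webserver.example.com/
</VirtualHost>
```

After changing the configuration run apachectl configtest before reloading; a typo in a directive name is reported there rather than at request time.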
8. If the configuration is correct, a domain-joined PC visiting webserver.example.com gets a login prompt, and a valid domain account is granted access. To get rid of the prompt the site has to be in the browser's Local Intranet zone, which is set through group policy on the domain controller; see http://www.cnblogs.com/love007/p/4082875.html for the steps. IE and Chrome then log in automatically. Firefox also supports Negotiate, but the site must be listed in its network.negotiate-auth.trusted-uris preference. In my testing Edge only worked with a Windows Server 2016 domain controller.
9. How does the application learn which domain user is logged in? mod_auth_kerb sets REMOTE_USER to the full principal (client2@EXAMPLE.COM); PHP reads it from $_SERVER. Only trust the value for requests that actually passed through the Kerberos-protected location, and check the realm suffix if more than one realm is accepted.
<?php
// REMOTE_USER is set by mod_auth_kerb for authenticated requests, e.g. client2@EXAMPLE.COM
$user = isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : '';
// Escape before echoing: the principal is attacker-influenced text from the KDC's point of view
echo htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
?>
10. References