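# krb5.conf on the nginx/PAM host (MIT krb5 syntax; doc links below).
# Client-side settings only -- the KDC itself is kdc.kwtest.local.
[libdefaults]
default_realm = KWTEST.LOCAL
# Take the clock offset from the KDC reply; Kerberos rejects tickets once the
# skew exceeds the KDC's limit (5 minutes by default).
kdc_timesync = 1
# https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html
# ccache_type selects the FILE cache *format version*. The kernel keyring cache
# is unusable inside this Docker container; it stays out of the picture as long
# as default_ccache_name is not set to KEYRING: (it is not set here, so the
# FILE:/tmp/krb5cc_<uid> default applies -- see the klist output further down).
ccache_type = 3
# forwardable lets the wiki host reuse a user's TGT against other services
# (delegation); proxiable likewise for service tickets. Both widen what a
# compromised wiki host can do with a logged-in user's credentials -- switch
# off whichever the application does not actually need once it works.
forwardable = true
proxiable = true
# Never reverse-resolve a hostname when building a service principal name.
# PTR records are attacker-influenced; with rdns on, a spoofed reverse lookup
# would redirect the client to a different HTTP/<host> principal.
rdns = false
# Fail closed when the freshly obtained TGT cannot be validated against the
# service keytab (krb5_verify_init_creds). Without it, a client that cannot
# read the keytab silently skips the check and a rogue KDC could get any
# password accepted. Requires the keytab named under [appdefaults] to be
# readable by the process that runs the PAM stack.
verify_ap_req_nofail = true

[realms]
KWTEST.LOCAL = {
    kdc = kdc.kwtest.local
    admin_server = kdc.kwtest.local
}

# The former [login] section (krb4_convert / krb4_get_tickets) was dropped:
# Kerberos 4 support is gone from MIT krb5 and those relations are ignored.

[logging]
# One destination per relation. Everything after "FILE:" is taken literally as
# the file name, so "FILE:/var/log/kdc.log:SYSLOG" would log to a file called
# "kdc.log:SYSLOG" and never reach syslog. Repeat the relation to fan out.
default = FILE:/var/log/kdc.log
default = SYSLOG
# Only consulted by krb5kdc; harmless on this client host.
kdc = FILE:/var/log/kdc.log
kdc = SYSLOG

# https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html?highlight=appdefaults#appdefaults
[appdefaults]
forwardable = true
# Defaults for pam_krb5
# (https://manpages.debian.org/stretch/libpam-heimdal/pam_krb5.5.en.html --
# the same pam-krb5 module built against Heimdal; the option set matches
# libpam-krb5 on an MIT host). Options given on the module line in
# /etc/pam.d/<service> take precedence over the values here.
pam = {
    ignore_k5login = true
    # Logs every step to syslog at debug level; principal names end up in the
    # log. Troubleshooting aid only -- turn off once the setup works.
    debug = true
    forwardable = true
    proxiable = true
    # Lowest UID allowed to authenticate via Kerberos. 0 would let root log in
    # with a Kerberos password; aligned with the PAM service file (20) so the
    # two places cannot silently disagree.
    minimum_uid = 20
    realm = KWTEST.LOCAL
    # Service keytab used to validate the obtained TGT (anti KDC-spoofing).
    # This file *is* the HTTP/wiki.kwtest.local secret key: owned by and
    # readable only for the account running the PAM stack, never world-readable.
    keytab = /mnt/config/kerberos/drupalwiki.keytab
}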
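cat /etc/pam.d/dw-kerb-nginx
# PAM service referenced by nginx auth_pam_service_name ("dw-kerb-nginx").
# auth_pam only speaks HTTP Basic, so what reaches pam_krb5 is a username plus
# a cleartext password; pam_krb5 obtains a TGT with it and validates that TGT
# against the HTTP/ service keytab (keytab=) so a spoofed KDC cannot fake a
# success. minimum_uid=20 refuses Kerberos logins for system accounts,
# including root. debug= (syslog) and trace= (/var/log/pamtrace) are verbose
# troubleshooting output that records principal names -- remove both once the
# stack works, and delete the trace file.
auth    required pam_krb5.so keytab=/mnt/config/kerberos/drupalwiki.keytab minimum_uid=20 forwardable=true realm=KWTEST.LOCAL trace=/var/log/pamtrace silent=false debug=true
# Account phase. pam_unix does not understand the pam_krb5 options (keytab=,
# realm=, trace=, ...); it logs "unrecognized option" for each and ignores
# them, so they were dropped here. pam_unix also requires the user to exist in
# /etc/passwd (via NSS) and fails with PAM_USER_UNKNOWN otherwise -- for
# Kerberos-only wiki users use pam_krb5.so on this line instead, with the same
# keytab/minimum_uid/realm options as the auth line.
account required pam_unix.so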
cat /etc/nginx/sites-enabled/default
# Default vhost protected by ngx_http_auth_pam_module.
server {
    # Plain HTTP only. auth_pam challenges with HTTP Basic, so every request
    # carries the user's Kerberos *password* base64-encoded in the
    # Authorization header -- over port 80 that is cleartext on the wire.
    # Serve this vhost only behind TLS (listen 443 ssl) and redirect :80 to it.
    listen 80 default_server;
    listen [::]:80 default_server;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    server_name _;
    # "debug" logs request headers, i.e. the Basic Authorization header with
    # the password in it; keep only while troubleshooting and purge the log
    # afterwards.
    error_log /var/log/nginx/error.log debug;
    location / {
        # auth_pam = HTTP Basic -> the PAM service named below. It does NOT
        # accept a Negotiate/SPNEGO token, which is what `curl --negotiate` and
        # browsers holding a Kerberos ticket send; those clients get a bare 401
        # here because the only challenge offered is "Basic". Ticket-based SSO
        # on nginx needs a SPNEGO module (e.g. ngx_http_auth_spnego_module),
        # not PAM.
        auth_pam "Secure Zone";
        auth_pam_service_name "dw-kerb-nginx";
        try_files $uri $uri/ =404;
    }
}
#kdc
# On the KDC: current key version number of the HTTP service principal.
kvno HTTP/wiki.kwtest.local@KWTEST.LOCAL
HTTP/wiki.kwtest.local@KWTEST.LOCAL: kvno = 16
#client
# On the nginx host: the keytab must carry the same kvno (16), otherwise
# service tickets issued by the KDC cannot be decrypted. It does, so kvno is
# not the problem here.
# NOTE(review): the only enctype in the keytab is arcfour-hmac (RC4-HMAC),
# a deprecated, weak enctype. Re-key the principal and regenerate the keytab
# with aes256-cts-hmac-sha1-96 unless an old client genuinely needs RC4.
klist -ke /mnt/config/kerberos/drupalwiki.keytab
Keytab name: FILE:/mnt/config/kerberos/drupalwiki.keytab
KVNO Principal
---- --------------------------------------------------------------------------
16 HTTP/wiki.kwtest.local@KWTEST.LOCAL (arcfour-hmac)
# (same command pasted twice)
klist -ke /mnt/config/kerberos/drupalwiki.keytab
Keytab name: FILE:/mnt/config/kerberos/drupalwiki.keytab
KVNO Principal
---- --------------------------------------------------------------------------
16 HTTP/wiki.kwtest.local@KWTEST.LOCAL (arcfour-hmac)
# Proves the keytab itself is good: the KDC issues a TGT for HTTP/... from it.
# Run as root this leaves the service's TGT in FILE:/tmp/krb5cc_0 -- run
# kdestroy afterwards rather than leaving a service credential lying around.
kinit -k -t /mnt/config/kerberos/drupalwiki.keytab HTTP/wiki.kwtest.local@KWTEST.LOCAL
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/wiki.kwtest.local@KWTEST.LOCAL
Valid starting Expires Service principal
01/07/2019 12:50:18 01/07/2019 22:50:18 krbtgt/KWTEST.LOCAL@KWTEST.LOCAL
renew until 01/08/2019 12:50:18
# On the client workstation (the API: cache and column layout look like a
# Heimdal/macOS klist): obtain a user TGT for the test.
kinit wikiuser@KWTEST.LOCAL
# ticket exists
klist
Credentials cache: API:34173A61-DFBB-4191-A39C-62EF67F1AC39
Principal: wikiuser@KWTEST.LOCAL
Issued Expires Principal
Jan 7 13:26:38 2019 Jan 7 23:26:20 2019 krbtgt/KWTEST.LOCAL@KWTEST.LOCAL
# the actual test
# `-u : --negotiate` makes curl answer only a "Negotiate" challenge, with a
# SPNEGO token built from the ticket cache. nginx auth_pam offers only
# "Basic", so curl never sends anything the server can use and nginx's 401
# page comes back. This is a protocol mismatch, not a Kerberos/keytab/kvno
# failure -- every check above passed. To exercise the PAM path from curl use
# `-u wikiuser` (Basic auth, password prompt) -- and only over TLS, since that
# sends the Kerberos password in the request.
curl -u : --negotiate http://wiki.kwtest.local/index.html
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx/1.10.3</center>
</body>
</html>
# on the Debian Service box
# Apache's Kerberos module (not shown; presumably mod_auth_kerb or
# mod_auth_gssapi) does speak SPNEGO, which is why the identical curl
# command succeeds against it.
service nginx stop && service apache2 start
kinit
curl -u : --negotiate http://wiki.kwtest.local/index.html
# the trailing '%' is the shell's missing-newline marker, not part of the body
worked!%