Kerberos with active directory from linux


I have windows stations and a linux server – and I would like to perform SSO using Windows-Kerberos (via Active Directory – the same one all users on the windows station use).

And so – I have searched many examples and ways of achieving this goal: Samba, Winbind, tomcat-spnego (which requires the server process to run on a domain), Waffle (which only runs on Windows server) etc…

I feel awfully frustrated because I wasn’t able to find a simple tutorial/example for this case, even though it looks like a simple case.

What am I missing? Is it possible that the solution is really simple?

Thank you.

Solution:

Don’t know how to do that in Java – but: There are ways to have Apache take care of SSO (MIT Kerberos or Winbind), and pass the REMOTE_USER to Tomcat using HTTP or AJP. This has worked for me in the past.

This is a rough outline of what’s necessary. Mileage may vary, but it should give you a solid starting point for study.

The LDAP source doesn’t matter. In your case, it’s Active Directory. All that matters is that your user and group objects are populated with the correct RFC2307 attributes. RFC2307 defines the standard LDAP attributes for each user and group object that will correspond to the fields in /etc/passwd, /etc/shadow, and /etc/group. When your Linux servers go to look up a user or group, they will assume these specific attributes are populated when they run their queries.

Depending on your distribution and how old it is, you’ll likely be using nss_ldap or nss-pam-ldapd. These libraries are what PAM is going to use to actually make its LDAP queries. Those configuration files are where you’ll specify the AD servers, the user/group OUs and filters, attribute mappings (if needed), etc.

Finally, you’ll need to actually tell Linux to use LDAP as one of its sources of user and group information. This is handled by /etc/nsswitch.conf. This file is a simple mapping of database to information source. In your case, you’ll just want to add “ldap” to the lists for the “passwd”, “shadow”, and “group” databases.

Happy hacking!
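The last step of the answer, adding “ldap” to the passwd, shadow and group databases in nsswitch.conf, as an added example that is not part of the original answer. It assumes the usual `database: source source` layout with whitespace after the colon, keeps “files” first so local accounts (root included) still resolve when the AD servers are unreachable, and is safe to run more than once; the sample file it edits is constructed, not a real /etc/nsswitch.conf.

```shell
# Idempotently add "ldap" as a source for the passwd, shadow and group
# databases in an nsswitch.conf-style file whose path is given as $1.
# Existing sources are kept in their order; other databases are untouched.
add_ldap_source() {
    conf="$1"
    tmp="$conf.tmp.$$"
    awk '
        # Only the three databases that back /etc/passwd, /etc/shadow, /etc/group
        $1 == "passwd:" || $1 == "shadow:" || $1 == "group:" {
            has_ldap = 0
            for (i = 2; i <= NF; i++) if ($i == "ldap") has_ldap = 1
            # Append rather than prepend so "files" stays the first source
            if (!has_ldap) $0 = $0 " ldap"
        }
        { print }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Check helper: prints the space-separated names of those databases that
# currently list ldap (e.g. "passwd shadow group"), so the edit can be verified.
ldap_databases() {
    awk '
        ($1 == "passwd:" || $1 == "shadow:" || $1 == "group:") {
            for (i = 2; i <= NF; i++) if ($i == "ldap") {
                sub(":", "", $1); names = names $1 " "
            }
        }
        END { sub(/ $/, "", names); print names }
    ' "$1"
}

# Demo on a constructed sample file (hypothetical content, not a live system file)
demo=$(mktemp)
printf 'passwd: files\nshadow: files\ngroup:  files ldap\nhosts:  files dns\n' > "$demo"
add_ldap_source "$demo"
cat "$demo"                  # passwd/shadow gain " ldap"; group and hosts unchanged
echo "ldap-backed: $(ldap_databases "$demo")"
rm -f "$demo"
```

After applying it to the real file, `getent passwd <ad-user>` and `getent group <ad-group>` should return the RFC2307-mapped entries; if they do not, the PAM/NSS LDAP configuration or the attribute mapping is the place to look.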
