I was trying to get authentication via Kerberos working but I'm having trouble trying to run ktpass as in step 6 here

http://robertan.com/home/2015/01/14/kerberos-auth-with-apachephp/

ktpass -princ HTTP/contoso.com@CONTOSO.COM -mapuser CONTOSO\<USERNAME> -crypto all -ptype KRB5_NT_PRINCIPAL -pass <PASSWORD> -out webpage.HTTP.keytab

I'm not sure of the syntax of even the Microsoft command. In step 5 it looked like they created a user apache but I don't see that in the command at all. Even if I was able to run it I don't know what arguments to put in.

I saw other sites that suggest using ktutil instead.

I ran

#ktutil
ktutil: addent -password -p apache@<mydomain> -k 1 -e RC4-HMAC
Password for apache@<mydomain>:
ktutil: wkt /etc/krb5.keytab
ktutil: q

as one of the sites suggested, and

kinit apache@<mydomain>

worked with the password and

kinit apache@<mydomain> -k -t /etc/krb5.keytab

worked without a password.

I did not see a "Delegation" tab when I open the "AD Users and Computers" in my Windows 10 Pro.

This document seems dated as I run into other areas of trouble.

I noticed in my Apache log

PHP Notice: Undefined index: AUTH_TYPE
PHP Notice: Undefined index: REMOTE_USER

On Fri, 2017-01-20 at 12:57 -0700, Jeff Sadowski via samba wrote:
> I was trying to get authentication via Kerberos working but I'm
> having trouble trying to run ktpass as in step 6 here
>
> http://robertan.com/home/2015/01/14/kerberos-auth-with-apachephp/
>
> ktpass -princ HTTP/contoso.com@CONTOSO.COM -mapuser
> CONTOSO\<USERNAME> -crypto all -ptype KRB5_NT_PRINCIPAL -pass
> <PASSWORD> -out webpage.HTTP.keytab
>
> I'm not sure of the syntax of even the Microsoft command. In step 5
> it looked like they created a user apache but I don't see that in the
> command at all.

Thankfully we have a great wiki page with the right commands for the Samba AD DC here:

https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Directory

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

On Fri, 20 Jan 2017 12:57:41 -0700 Jeff Sadowski via samba <samba at lists.samba.org> wrote:
> I was trying to get authentication via Kerberos working but I'm having
> trouble trying to run ktpass as in step 6 here
>
> http://robertan.com/home/2015/01/14/kerberos-auth-with-apachephp/
>

You could do something really strange, something that nobody seems to do, use the Samba documentation ;-)

https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Directory#Apache_single_sign-on

Rowland

On Fri, Jan 20, 2017 at 1:21 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Fri, 20 Jan 2017 12:57:41 -0700
> Jeff Sadowski via samba <samba at lists.samba.org> wrote:
>
> > I was trying to get authentication via Kerberos working but I'm having
> > trouble trying to run ktpass as in step 6 here
> >
> > http://robertan.com/home/2015/01/14/kerberos-auth-with-apachephp/
> >
>
> You could do something really strange, something that nobody seems to
> do, use the Samba documentation ;-)
>
> https://wiki.samba.org/index.php/Authenticating_Apache_against_Active_Directory#Apache_single_sign-on
>

Thank you. I had no idea what I was looking for. I'll see if I can comment on the page the link you gave me. :-)

> Rowland