
CentOS 7 GSSAPI module

The GSSAPI module (mod_auth_gssapi) has been built as a replacement for the aging mod_auth_kerb. Its aim is to use only GSSAPI calls and to be as agnostic as possible of the actual mechanism used.

Installing packages

yum install -y epel-release
yum install -y krb5-workstation krb5-devel krb5-libs mod_auth_gssapi mod_session

Prepare /etc/krb5.conf for the AD environment

includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = SAMPLE.COM
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes256-cts aes128-cts-hmac-sha1-96 aes128-cts rc4-hmac
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes256-cts aes128-cts-hmac-sha1-96 aes128-cts rc4-hmac
  permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts aes128-cts-hmac-sha1-96 aes128-cts rc4-hmac
  forwardable = true
  dns_lookup_realm = false
  dns_lookup_kdc = false

[realms]
  SAMPLE.COM  = {
    kdc = domainc1.sample.com
    default_domain = SAMPLE.COM
}

[domain_realm]
  .SAMPLE.COM = SAMPLE.COM
  SAMPLE.COM = SAMPLE.COM

Check the time. Kerberos is extremely time sensitive.

ntpdate domainc1.sample.com

Test the login

kinit Administrator@SAMPLE.COM
klist 
kdestroy
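
The enctype lines in the krb5.conf above can be checked offline. The following is an added example, not part of the original page: a bash function that flags enctype names outside a known list (a misspelling, for instance) and names that are deprecated, such as rc4-hmac. The KNOWN and WEAK lists, the function names and the sample_conf input are assumptions constructed for this example; KNOWN covers only a subset of the names MIT krb5 accepts.

```bash
#!/usr/bin/env bash
# Added example: offline audit of the enctype lists in a krb5.conf.
# KNOWN is an assumed subset of the enctype names MIT krb5 accepts;
# WEAK lists the DES, 3DES and RC4 names deprecated by RFC 6649 / RFC 8429.
KNOWN="aes256-cts-hmac-sha1-96 aes256-cts aes128-cts-hmac-sha1-96 aes128-cts"
KNOWN="$KNOWN aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128"
KNOWN="$KNOWN camellia256-cts-cmac camellia128-cts-cmac"
WEAK="rc4-hmac arcfour-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5"
KNOWN="$KNOWN $WEAK"

# Constructed sample input (not a real host's file); one name is misspelled.
sample_conf() {
  cat <<'EOF'
[libdefaults]
  default_realm = SAMPLE.COM
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts rc4-hmac
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts rc4-hmac
  permitted_enctypes = aes256-cts-hmac-sha1-96 caes128-cts rc4-hmac
EOF
}

# audit_enctypes [FILE...]: reads stdin when no file is given and prints
# "UNKNOWN <key> <name>" or "WEAK <key> <name>" for each finding.
audit_enctypes() {
  awk -v known="$KNOWN" -v weak="$WEAK" '
    BEGIN {
      n = split(known, a, " "); for (i = 1; i <= n; i++) K[a[i]] = 1
      n = split(weak, a, " ");  for (i = 1; i <= n; i++) W[a[i]] = 1
    }
    /^[ \t]*(default_tkt_enctypes|default_tgs_enctypes|permitted_enctypes)[ \t]*=/ {
      key = $1; sub(/=.*/, "", key)
      list = $0; sub(/^[^=]*=/, "", list)
      n = split(list, e, /[ \t,]+/)
      for (i = 1; i <= n; i++) {
        if (e[i] == "") continue
        if (!(e[i] in K)) print "UNKNOWN", key, e[i]
        else if (e[i] in W) print "WEAK", key, e[i]
      }
    }' "$@"
}

# Audit the files named on the command line, e.g. /etc/krb5.conf.
if [ "$#" -gt 0 ]; then audit_enctypes "$@"; fi
```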