CentOS 7 GSSAPI module
The GSSPI module has been built as a replacement for the aging mod_auth_kerb. Its aim is to use only GSSAPI calls and be as much as possible agnostic of the actual mechanism used.
Installing packages
yum install -y epel-release
yum install -y krb5-workstation krb5-devel krb5-libs mod_auth_gssapi mod_session
Prepare a /etc/krb5.conf
against the AD environment
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = SAMPLE.COM
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes256-cts aes128-cts-hmac-sha1-96 aes128-cts rc4-hmac
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes256-cts aes128-cts-hmac-sha1-96 aes128-cts rc4-hmac
permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts aes128-cts-hmac-sha1-96 caes128-cts rc4-hmac
forwardable = true
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
SAMPLE.COM = {
kdc = domainc1.sample.com
default_domain = SAMPLE.COM
}
[domain_realm]
.SAMPLE.COM = SAMPLE.COM
SAMPLE.COM = SAMPLE.COM
Check the time. Kerberos is extremely time sensitive.
ntpdate domainc1.sample.com
Test the login
kinit Administrator@SAMPLE.COM
klist
kdestroy