Windows integrated authentication with apache

Notes.

win2008ad.testdom.local 192.168.68.205(Windows 2008 R2)
hast-a.testdom.local 192.168.68.205(FreeBSD 8.3)

On 8.3 krb5-config seems to be broken somehow and apparently needs fixing:
even after installing mod_auth_kerb2 the build complains that a library is missing.
Add gssapi_krb5 to the libs section of krb5-config (edited excerpt below; the only change is the added -lgssapi_krb5).

if test "$do_libs" = "yes"; then
    lib_flags="-L${libdir}"
    case $library in
    gssapi)
        # -lgssapi_krb5 added; the stock 8.3 script only lists -lgssapi -lheimntlm
        lib_flags="$lib_flags -lgssapi -lgssapi_krb5 -lheimntlm"

hast-a# cat /etc/krb5.conf
[libdefaults]
default_realm = TESTDOM.LOCAL
[realms]
TESTDOM.LOCAL = {
kdc = win2008ad.testdom.local:88
default_domain = TESTDOM.LOCAL
}

[domain_realm]
.testdom.local = TESTDOM.LOCAL
testdom.local = TESTDOM.LOCAL

[logging]
kdc = SYSLOG:INFO:DAEMON

hast-a# cat .htaccess
# mod_auth_kerb: SPNEGO/Negotiate against the AD realm
AuthType Kerberos
AuthName "Kerberos Login"
KrbAuthRealms TESTDOM.LOCAL
KrbServiceName HTTP/hast-a.testdom.local@TESTDOM.LOCAL
# keytab written by ktpass; keep it readable only by the httpd user
Krb5Keytab /etc/http.keytab
# KrbMethodK5Passwd defaults to On, so a Basic (ID/password) prompt is offered when
# Negotiate fails. Off here skips checking the KDC reply against the keytab for
# those password logins, which leaves that path open to KDC spoofing; On is safer.
KrbVerifyKDC Off
Require valid-user

On the Windows 2008 side, create a user (kbhttp) first; the HTTP/ SPN is mapped onto this account.

C:\>ktpass -out http.keytab -princ HTTP/hast-a.testdom.local@TESTDOM.LOCAL -pass * -mapuser kbhttp -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5
Targeting domain controller: WIN2008AD.testdom.local
Using legacy password setting method
Successfully mapped HTTP/hast-a.testdom.local to kbhttp.
Type the password for HTTP/hast-a.testdom.local:
Type the password again to confirm:The passwords you type must match exactly.
Type the password for HTTP/hast-a.testdom.local:
Type the password again to confirm:
Key created.
Output keytab to http.keytab:
Keytab version: 0x502
keysize 66 HTTP/hast-a.testdom.local@TESTDOM.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0x7cadf2c8b680256b)
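Before blaming Apache, it is worth checking what actually landed in http.keytab: the principal, kvno and enctype must match what the KDC will issue tickets for, and DES-CBC-MD5 in particular is disabled by default on Windows 7 / Server 2008 R2, so a DES-only keytab is a common reason Negotiate silently fails and the browser falls back to the Basic prompt. The following is an added example (not code from the memo or from mod_auth_kerb): a small parser for the version 2 keytab format ktpass writes (magic 0x0502) plus an audit that flags weak enctypes and principal mismatches. The sample keytab is constructed in the code to match the entry ktpass printed above (keysize 66, kvno 3, etype 3); its 8 key bytes are a placeholder, not the real key.

```python
# Added example, not part of the original memo. Keytab v2 layout (magic 05 02):
# per entry an int32 size, then uint16 component count, realm, components (each
# uint16 length + bytes), uint32 name type, uint32 timestamp, uint8 kvno,
# uint16 enctype, key (uint16 length + bytes), and an optional uint32 kvno.
import struct

ENCTYPES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
# DES is disabled by default on Windows 7 / Server 2008 R2; RC4 is legacy.
WEAK_ENCTYPES = {1, 2, 3, 23}
KRB5_NT_PRINCIPAL = 1


def _octets(buf, off):
    """Read a uint16-length-prefixed byte string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return bytes(buf[off + 2:off + 2 + n]), off + 2 + n


def parse_keytab(data):
    """Return a list of entry dicts from keytab bytes (version 0x0502 only)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab magic %r" % (data[:2],))
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:               # zero-length slot: nothing more to read
            break
        if size < 0:                # negative size marks a deleted slot; skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _octets(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _octets(data, off)
            comps.append(c.decode())
        name_type, timestamp, vno = struct.unpack_from(">IIB", data, off)
        off += 9
        (etype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _octets(data, off)
        if end - off >= 4:          # optional 32-bit kvno overrides the 8-bit field
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                vno = vno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type, "timestamp": timestamp, "vno": vno,
            "etype": etype, "enctype": ENCTYPES.get(etype, "unknown(%d)" % etype),
            "key_len": len(key),
        })
        off = end
    return entries


def build_keytab(entries):
    """Serialize entry dicts (parse_keytab keys plus 'key' bytes) into keytab v2 bytes."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        comps, realm = e["principal"].rsplit("@", 1)
        body = struct.pack(">H", len(comps.split("/")))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps.split("/"):
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", e["name_type"], e["timestamp"], e["vno"] & 0xFF)
        body += struct.pack(">HH", e["etype"], len(e["key"])) + e["key"]
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def audit_keytab(data, expected_principal=None):
    """Return human-readable findings; an empty list means nothing to complain about."""
    findings = []
    entries = parse_keytab(data)
    if not entries:
        return ["keytab has no entries"]
    for e in entries:
        if e["etype"] in WEAK_ENCTYPES:
            findings.append("%s kvno %d uses weak enctype %s; re-run ktpass with "
                            "-crypto AES256-SHA1" % (e["principal"], e["vno"], e["enctype"]))
        if expected_principal and e["principal"] != expected_principal:
            findings.append("unexpected principal %s (wanted %s)"
                            % (e["principal"], expected_principal))
    return findings


# Constructed sample matching the ktpass line above (keysize 66); the key is a placeholder.
SAMPLE_KEYTAB = build_keytab([{
    "principal": "HTTP/hast-a.testdom.local@TESTDOM.LOCAL", "name_type": KRB5_NT_PRINCIPAL,
    "timestamp": 0, "vno": 3, "etype": 3, "key": bytes(range(8)),
}])

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
    for finding in audit_keytab(SAMPLE_KEYTAB, "HTTP/hast-a.testdom.local@TESTDOM.LOCAL"):
        print("WARNING:", finding)
```

To run it against the real file, read /etc/http.keytab into `data` and call `audit_keytab(data, "HTTP/hast-a.testdom.local@TESTDOM.LOCAL")`. On the FreeBSD side the same thing can be cross-checked against the live KDC with Heimdal's `kinit -t /etc/http.keytab HTTP/hast-a.testdom.local`: if that fails with an enctype or kvno error, the keytab, not mod_auth_kerb, is the problem.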

This should be enough, but when I open the target URL an authentication dialog still pops up.
I can log in there with an AD ID and password, though...