Re: [Samba] apache authentication using ad kerberos
Perfect! Will add that presently. Thanks for the info.

Michael

Blindauer Emmanuel wrote:
> Some help to finish your document:
> For Linux browsers, it works the same:
> you can add your server to "network-negotiate-auth.trusted-uris" in Firefox
> (file all.js), and if you already have a ticket on your Linux computer, it
> will be passed to the website by your browser; you'll get the same behaviour
> as under Windows. Konqueror works too. I have some problems with Mozilla
> 1.7.3, and didn't test Galeon either.
>
> To get the ticket I have switched all my Linux computers to authenticate on
> Kerberos. So all users have a krb5 ticket when they have logged in.
>
> Emmanuel

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] apache authentication using ad kerberos
Some help to finish your document:

For Linux browsers, it works the same: you can add your server to "network-negotiate-auth.trusted-uris" in Firefox (file all.js), and if you already have a ticket on your Linux computer, it will be passed to the website by your browser; you'll get the same behaviour as under Windows. Konqueror works too. I have some problems with Mozilla 1.7.3, and didn't test Galeon either.

To get the ticket I have switched all my Linux computers to authenticate on Kerberos. So all users have a krb5 ticket when they have logged in.

Emmanuel
Re: [Samba] apache authentication using ad kerberos
A bare-minimum document is up at http://oslabs.mikro-net.com/krb_apache.html

It assumes samba-ads install along with all that entails. Hope it helps.

Michael

Andrew Bartlett wrote:
> On Sat, 2005-06-04 at 09:46 -0700, Michael Brown wrote:
>
>>Thanks Samba Team!
>>I was able to utilize AD kerberos authentication to apache using
>>mod_auth_kerb and samba. The 'net ads keytab create' enabled me to
>>create a machine keytab for the webserver. The 'net ads keytab add'
>>feature enabled me to add an 'HTTP' service principal to this keytab,
>>which shows up in the AD machine object's attributes. I did not have to
>>create a user in AD and map the attributes (as in this doc:
>>http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp),
>>so for all intents and purposes this is a seamless operation.
>>AD single sign on using GSSAPI is working for windows firefox and
>>internet exploiter clients beautifully!
>> I will be writing up a doc on this soon (this weekend) at
>>oslabs.mikro-net.com.
>
>
> Make sure to bring all documentation to the attention of jht (cc'd). It
> is very good to see this working.
>
> Should you find yourself needing the NTLM side of things, look at:
>
> http://samba.org/ftp/unpacked/lorikeet/mod_ntlm_winbind/
>
> Andrew Bartlett
Re: [Samba] apache authentication using ad kerberos
On Sat, 2005-06-04 at 09:46 -0700, Michael Brown wrote:
> Thanks Samba Team!
> I was able to utilize AD kerberos authentication to apache using
> mod_auth_kerb and samba. The 'net ads keytab create' enabled me to
> create a machine keytab for the webserver. The 'net ads keytab add'
> feature enabled me to add an 'HTTP' service principal to this keytab,
> which shows up in the AD machine object's attributes. I did not have to
> create a user in AD and map the attributes (as in this doc:
> http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp),
> so for all intents and purposes this is a seamless operation.
> AD single sign on using GSSAPI is working for windows firefox and
> internet exploiter clients beautifully!
> I will be writing up a doc on this soon (this weekend) at
> oslabs.mikro-net.com.

Make sure to bring all documentation to the attention of jht (cc'd). It is very good to see this working.

Should you find yourself needing the NTLM side of things, look at:

http://samba.org/ftp/unpacked/lorikeet/mod_ntlm_winbind/

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
[Samba] apache authentication using ad kerberos
Thanks Samba Team!

I was able to utilize AD kerberos authentication to apache using mod_auth_kerb and samba. The 'net ads keytab create' enabled me to create a machine keytab for the webserver. The 'net ads keytab add' feature enabled me to add an 'HTTP' service principal to this keytab, which shows up in the AD machine object's attributes. I did not have to create a user in AD and map the attributes (as in this doc: http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp), so for all intents and purposes this is a seamless operation.

AD single sign on using GSSAPI is working for windows firefox and internet exploiter clients beautifully!

I will be writing up a doc on this soon (this weekend) at oslabs.mikro-net.com.

Thanks again for the tireless efforts of the Samba Team!
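
The server side of the setup described in this thread, as an added example that is not part of the thread or of the author's document: a mod_auth_kerb location block using the keytab produced by 'net ads keytab create' and 'net ads keytab add HTTP'. The realm EXAMPLE.COM, the host www.example.com, the /secure path and the keytab path are assumptions.

```apache
# Added example, not from the thread. Placeholders (assumed): EXAMPLE.COM,
# www.example.com, /secure, /etc/krb5.keytab.
#
# Keytab prepared as in the original post:
#   net ads keytab create      (machine keytab)
#   net ads keytab add HTTP    (adds the HTTP service principal)
# The keytab holds long-term keys: keep it unreadable by anyone except
# root and the account Apache runs as.

<Location /secure>
    AuthType Kerberos
    AuthName "AD single sign-on"

    # Realm and service principal the tickets must be issued for.
    KrbAuthRealms EXAMPLE.COM
    KrbServiceName HTTP
    Krb5Keytab /etc/krb5.keytab

    # GSSAPI/Negotiate: the browser presents a service ticket, no password
    # is sent to the web server.
    KrbMethodNegotiate On

    # Weak variant:  KrbMethodK5Passwd On
    #   Falls back to a Basic-auth password prompt that the module checks
    #   against the KDC, so the user's AD password travels in the request.
    # Hardened: tickets only.
    KrbMethodK5Passwd Off

    # Default is On; leave it so. It makes the module check KDC replies
    # against the local keytab if password fallback is ever enabled.
    KrbVerifyKDC On

    # Refuse plain-HTTP requests to this location (mod_ssl).
    SSLRequireSSL

    Require valid-user
</Location>

# Client side (Firefox): in network.negotiate-auth.trusted-uris list only
# the hosts that should receive tickets, e.g. https://www.example.com,
# rather than a broad pattern.
```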