1.6. Configuring Kerberos authentication for the Apache HTTP web server


To perform Kerberos authentication in the Apache HTTP web server, RHEL 10 uses the mod_auth_gssapi Apache module. The Generic Security Services API (GSSAPI) is a generic interface through which applications use security mechanisms such as Kerberos without being tied to a particular library. The gssproxy service adds privilege separation: httpd never reads the service keytab itself but hands GSSAPI operations to gssproxy, which holds the key and performs them on the web server's behalf. A compromised httpd process therefore cannot extract the long-term HTTP/ service key.

Note

The mod_auth_gssapi module replaces the removed mod_auth_kerb module.

Prerequisites

  • The httpd, mod_auth_gssapi and gssproxy packages are installed.
  • The Apache web server is set up and the httpd service is running.

1.6.1. Setting up GSS-Proxy in an IdM environment

Set up GSS-Proxy so that it performs the Kerberos operations for the Apache HTTP web server.

Procedure

  1. Create the service principal HTTP/<SERVER_NAME>@REALM in IdM, where <SERVER_NAME> is the fully qualified host name of the web server, so that a keytab can be retrieved for it:

    # ipa service-add HTTP/<SERVER_NAME>
  2. Retrieve the keytab for the principal and store it in the /etc/gssproxy/http.keytab file:

    # ipa-getkeytab -s $(awk '/^server =/ {print $3}' /etc/ipa/default.conf) -k /etc/gssproxy/http.keytab -p HTTP/$(hostname -f)

    ipa-getkeytab writes the file with permissions 400 and owner root, so only the root user can read the keytab; the apache user cannot. This is intended: httpd obtains credentials through gssproxy instead of reading the keytab directly. Note that retrieving a keytab generates a new key for the principal, so any keytab previously retrieved for HTTP/<SERVER_NAME> stops working.

  3. Create the /etc/gssproxy/80-httpd.conf file with the following content. gssproxy replaces %U with the UID of the calling process, so each local user gets a separate credential cache, and euid restricts this service stanza to processes running as the apache user:

    [service/HTTP]
      mechs = krb5
      cred_store = keytab:/etc/gssproxy/http.keytab
      cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
      euid = apache
  4. Restart and enable the gssproxy service:

    # systemctl restart gssproxy.service
    # systemctl enable gssproxy.service
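The following audit script is an added example and not part of the Red Hat documentation. It checks the state that steps 1 to 4 above are supposed to leave behind: a root-only keytab that actually contains the HTTP/ principal, a gssproxy stanza that serves it to the apache user only, and the apache user being unable to read the key directly. The paths are the ones used in the procedure; the function names are this script's own, and the mode check assumes GNU stat as shipped on RHEL.

```shell
#!/bin/sh
# Post-setup audit for the GSS-Proxy side of the procedure.
# Added example, not Red Hat's code. Paths follow the procedure above;
# function names are this script's own; stat -c assumes GNU coreutils.
set -u

KEYTAB=/etc/gssproxy/http.keytab
GSSPROXY_CONF=/etc/gssproxy/80-httpd.conf

# The keytab holds the long-term HTTP/ service key. Only the owner may read
# it (mode 400, or 600 if it was ever rewritten); no group/other access.
keytab_mode_ok() {
    [ -f "$1" ] || return 1
    case "$(stat -c '%a' "$1")" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# The owner must be root; the apache user gets credentials through gssproxy.
keytab_owner_ok() {
    [ "$(stat -c '%U' "$1")" = "root" ]
}

# Match one directive, tolerating the indentation used in the example file.
conf_has() {
    grep -Eq "^[[:space:]]*$2" "$1"
}

# The stanza must (a) use Kerberos, (b) serve the keytab, (c) give each
# caller its own ccache and (d) be restricted to the apache user via euid.
gssproxy_conf_ok() {
    conf_has "$1" '\[service/HTTP\]' &&
    conf_has "$1" 'mechs[[:space:]]*=[[:space:]]*krb5' &&
    conf_has "$1" 'cred_store[[:space:]]*=[[:space:]]*keytab:' &&
    conf_has "$1" 'cred_store[[:space:]]*=[[:space:]]*ccache:' &&
    conf_has "$1" 'euid[[:space:]]*=[[:space:]]*apache'
}

# Confirm the keytab really contains the HTTP/<fqdn> principal.
keytab_has_principal() {
    command -v klist >/dev/null 2>&1 || { echo "klist not found" >&2; return 2; }
    klist -k "$1" | grep -qF "$2"
}

# Negative check: the apache user must NOT be able to read the keytab.
# Needs root for runuser; reported as skipped otherwise.
apache_cannot_read() {
    [ "$(id -u)" = 0 ] || { echo "skipping apache read check (not root)" >&2; return 0; }
    ! runuser -u apache -- test -r "$1"
}

report() {  # report NAME COMMAND [ARGS...]
    name=$1; shift
    if "$@"; then echo "PASS $name"; else echo "FAIL $name"; rc=1; fi
}

audit_all() {
    rc=0
    report "keytab mode 400/600"          keytab_mode_ok "$KEYTAB"
    report "keytab owned by root"         keytab_owner_ok "$KEYTAB"
    report "keytab holds HTTP principal"  keytab_has_principal "$KEYTAB" "HTTP/$(hostname -f)"
    report "apache cannot read keytab"    apache_cannot_read "$KEYTAB"
    report "gssproxy stanza complete"     gssproxy_conf_ok "$GSSPROXY_CONF"
    report "gssproxy service active"      systemctl is-active --quiet gssproxy.service
    return "$rc"
}

# Run the audit only when explicitly asked, so the functions can be sourced.
if [ "${1:-}" = "audit" ]; then
    audit_all
fi
```

Run it as root with `sh gssproxy-audit.sh audit` after step 4; every line should read PASS. A FAIL on the principal check usually means ipa-getkeytab was run with a different host name than `hostname -f` returns, and a FAIL on the read check means the keytab mode or owner was loosened, which defeats the privilege separation gssproxy provides.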

With gssproxy in place, you can require Kerberos authentication for a directory served by httpd, for example /var/www/html/private/.

Prerequisites

  • The gssproxy service is configured and running.

Procedure

  1. Configure the mod_auth_gssapi module to protect the /var/www/html/private/ directory, for example in a file under /etc/httpd/conf.d/. Use a <Directory> block for a file-system path: <Location> matches URL paths, so a <Location> block with this file-system path would not match the requests you want to protect:

    <Directory "/var/www/html/private">
      AuthType GSSAPI
      AuthName "GSSAPI Login"
      Require valid-user
    </Directory>
  2. Create a systemd drop-in file for the httpd unit:

    # systemctl edit httpd.service
  3. Add the following lines to the drop-in file. With GSS_USE_PROXY=1 in its environment, the GSSAPI library inside httpd forwards credential operations to gssproxy instead of trying to read a keytab itself:

    [Service]
    Environment=GSS_USE_PROXY=1
  4. Reload the systemd configuration:

    # systemctl daemon-reload
  5. Restart the httpd service:

    # systemctl restart httpd.service

Verification

  1. On a client in the IdM domain, obtain a Kerberos ticket as the user who will access the page:

    # kinit
  2. Open the URL of the protected directory in a browser. The browser must be configured to send Negotiate (SPNEGO) tokens to the web server's domain; without a ticket, or from a browser that does not offer Negotiate, the server answers with 401.
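The script below is an added example, not part of the Red Hat page. It performs the verification above from the command line instead of a browser, checking both halves of the contract: an unauthenticated request must be refused with a Negotiate challenge, and the same request with a ticket from kinit must succeed. It also renders a stricter version of the mod_auth_gssapi stanza than the minimal one in the procedure. Assumptions: the directory is published at https://<fqdn>/private/ (override with the URL environment variable), curl and the krb5 client tools are installed on the client, and the directive names are the ones documented for mod_auth_gssapi.

```shell
#!/bin/sh
# Client-side check that the directory really is Kerberos-protected, plus a
# stricter mod_auth_gssapi stanza. Added example, not Red Hat's code.
# Assumes the directory is reachable at https://<fqdn>/private/ (URL=...
# overrides this) and that curl, kinit and klist are available.
set -u

URL=${URL:-https://$(hostname -f)/private/}

# Tighter than the minimal stanza in the procedure: refuse Negotiate over
# plain HTTP (the SPNEGO token would otherwise travel in clear text), accept
# Kerberos only, keep Basic auth off, and map the principal to a local user
# name for REMOTE_USER where the krb5 localauth rules allow it.
render_private_conf() {
    cat <<'EOF'
<Directory "/var/www/html/private">
    AuthType GSSAPI
    AuthName "GSSAPI Login"
    GssapiSSLonly On
    GssapiAllowedMech krb5
    GssapiBasicAuth Off
    GssapiLocalName On
    Require valid-user
</Directory>
EOF
}

# Given raw response headers (as printed by `curl -sS -I`), succeed only if
# the server refused with 401 and offered the Negotiate scheme. Anything
# else means the directory is open, or protected by the wrong mechanism.
challenge_ok() {
    printf '%s\n' "$1" | sed -n '1p' | grep -q '^HTTP/[0-9.]* 401' &&
    printf '%s\n' "$1" | grep -iq '^WWW-Authenticate:[[:space:]]*Negotiate'
}

# Full flow: no ticket -> challenge; ticket from kinit -> 200 via SPNEGO.
verify_flow() {
    url=$1
    echo "1. unauthenticated request must be challenged"
    hdrs=$(curl -sS -I "$url") || return 1
    challenge_ok "$hdrs" || { echo "FAIL: no 401 + WWW-Authenticate: Negotiate"; return 1; }

    echo "2. a valid ticket must be present (run kinit first)"
    klist -s || { echo "FAIL: no valid Kerberos ticket in the cache"; return 1; }

    echo "3. the same request with SPNEGO must succeed"
    status=$(curl -sS --negotiate -u : -o /dev/null -w '%{http_code}' "$url")
    [ "$status" = "200" ] || { echo "FAIL: got HTTP $status with a ticket"; return 1; }
    echo "PASS: $url requires and accepts Kerberos authentication"
}

# Run only when asked, so the functions can also be sourced.
if [ "${1:-}" = "verify" ]; then
    verify_flow "$URL"
fi
```

To use the stricter stanza, write `render_private_conf` output to a file under /etc/httpd/conf.d/ in place of the block from step 1 and restart httpd; GssapiSSLonly then requires that the site is served over HTTPS. Run `sh verify-kerberos.sh verify` after `kinit`: a failure at step 1 means the directory is not protected at all (check that the <Directory> path matches the DocumentRoot layout), a failure at step 3 with a 401 usually points at a host-name or keytab mismatch on the server side.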