Red Hat Bugzilla – Bug 490593
If RHEL ES4 krb5 support credential delegation like windows 2003 AD
Last modified: 2009-03-17 14:04:22 EDT
Description of problem:
I want to enable credential delegation in RHEL ES4 krb5 just like in Windows 2003 Active Directory server Delegation tab, but I can not find the way to configure it. If RHEL ES 4 support credential delegation in RHEL ES4 and how to configure and enable it?
Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux ES release 4 (Nahant Update 6)
Kernel \r on an \m
Linux linuxclient 2.6.9-67.ELsmp #1 SMP Wed Nov 7 13:58:04 EST 2007 i686 i686 i386 GNU/Linux
Steps to Reproduce:
For RHEL ES4, Firefox version is 18.104.22.168, I configures following steps to enable SPNEGO, but when I browse our server, server log will always show credential delegation error.
1.Edit /etc/krb5.conf and specify the kerberos realm and kdc. And run command #system-config-authentication to select kerberos authentication and input kerver kdc settings.
2.Open Firefox and go to the about:config URL and change:
network.negotiate-auth.trusted-uris to include the web server's domain name (eg. "office.lan')
network.negotiate-auth.using-native-gsslib to false
network.negotiate-auth.gsslib to '/usr/lib/libgssapi_krb5.so.2'
3.Then close Firefox and run kinit to get TGT, then open firefox again, browse server, the server log will show credential delegation error and firefox will show This request requires HTTP authentication().
There need no login, and I could access web page directly.
To have the web server authenticate clients using Kerberos, you need to install and configure the mod_auth_kerb package.
The default configuration file (/etc/httpd/conf.d/auth_kerb.conf) included in the package includes a commented-out example configuration, and you'll also need to create a keytab file which the httpd process can read and which contains the key for the service. Running all of this over SSL is strongly recommended.
This appears to be a support request, and as bugzilla is not an avenue for technical assistance or support, I'm going to close this and mark it as not-a-bug. The welcome section at http://bugzilla.redhat.com/ suggests some alternate avenues for support; I encourage you to ask there.