Andy,
When you set up the Linux box that CAS is running on, did you enable
Kerberos? Here is what I gave the group that administers our production
servers... sorry if it's a bit simplistic; there is not much Linux experience
in the group. You could try to do it by hand, but it's easier to use the
Authentication Configuration app.
Configure Linux Host for Kerberos/SPNEGO support
Bring up the authentication configuration app:
System --> Configuration --> Authentication.
Select the checkbox labeled Enable Kerberos Support.
Click on the Configure Kerberos button.
For Realm, enter your Kerberos realm, all in upper case.
For KDCs, enter your KDC(s), separated by commas.
Select Use DNS to resolve hosts to realms. (We do not use local keytabs.)
Select Use DNS to locate KDCs for realms.
Click OK.
Select the checkbox labeled Enable Winbind Support.
Click on the Configure Winbind button.
For Winbind Domain, enter your Windows domain.
For Security Model, select ads (for Active Directory).
For Winbind ADS Realm, enter the Kerberos realm that was set when configuring Kerberos support.
For Winbind Domain Controllers, enter the fully qualified domain names of the Active Directory servers used in the domain, separated by commas.
Click the Join Domain button to test. Then click OK and save the configuration.
Check Kerberos Configuration
Open up a terminal
cd to /etc
Modify the krb5.conf file so it looks like the following:
[libdefaults]
default_realm = YOUR.REALM
dns_lookup_realm = true
dns_lookup_kdc = true
udp_preference_limit = 1
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
[realms]
YOUR.REALM = {
kdc = fqdn of kdc
kdc = fqdn of kdc1...etc
default_domain = YOUR.REALM
}
[domain_realm]
test.nintendo.com = YOUR.REALM
.test.nintendo.com = YOUR.REALM
Check Winbind configuration.
cd /etc/samba
vi smb.conf and look for workgroup (it should be set to NOA);
look for security (it should be set to ads).
Both settings should be in the [global] section of smb.conf.
Check that the Kerberos validation is working.
Use the kinit command.
Open a terminal.
Type: kinit HTTP/fqdn.foo.bar
It should prompt for the user password.
Enter the password; if it finds the user, it will return silently,
otherwise an error will be displayed.
To check that a key was saved, type klist. That should list the most
recent key.
--
View this message in context:
http://n4.nabble.com/CAS-SPNEGO-Debugging-tp1838523p1839078.html
Sent from the CAS Users mailing list archive at Nabble.com.
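As an added example, not part of the original message or the CAS project, here is a POSIX shell script that checks a host's krb5.conf and smb.conf for the settings the message lists before kinit is attempted; the realm YOUR.REALM, the workgroup NOA and the domain test.nintendo.com are placeholders taken from the message, and the sample files it writes are constructed.

```shell
# Added check script, not from the original message: verifies krb5.conf and smb.conf
# contain the settings described above. Paths and realm values below are placeholders.
# Print the value of KEY in [SECTION] of an INI-style file (krb5.conf, smb.conf).
ini_get() {  # ini_get FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        { l = $0; sub(/^[ \t]+/, "", l); sub(/[ \t]+$/, "", l) }
        l ~ /^\[/ { insec = (l == sec); next }
        insec && index(l, "=") { k = l; sub(/[ \t]*=.*/, "", k)
            if (k == key) { sub(/^[^=]*=[ \t]*/, "", l); print l; exit } }' "$1"
}

# Check [libdefaults] and the [domain_realm] mapping for the host's DNS domain.
# Prints one line per finding; returns 0 only when every required setting is right.
check_krb5_conf() {  # check_krb5_conf FILE HOST_DNS_DOMAIN
    f=$1; dom=$2; rc=0
    realm=$(ini_get "$f" libdefaults default_realm)
    # The realm must be present and all upper case, as the message stresses.
    [ -n "$realm" ] && [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ] \
        || { echo "FAIL: default_realm '$realm' missing or not upper case"; rc=1; }
    for key in dns_lookup_realm dns_lookup_kdc; do
        [ "$(ini_get "$f" libdefaults "$key")" = true ] || { echo "FAIL: $key should be true"; rc=1; }
    done
    [ "$(ini_get "$f" libdefaults udp_preference_limit)" = 1 ] \
        || { echo "FAIL: udp_preference_limit should be 1 (prefer TCP; AD tickets often exceed UDP size)"; rc=1; }
    # The message prescribes rc4-hmac; it is a legacy enctype (RFC 8429), so warn but do not fail.
    case "$(ini_get "$f" libdefaults default_tkt_enctypes)" in
        *rc4-hmac*) echo "WARN: default_tkt_enctypes uses deprecated rc4-hmac" ;;
    esac
    [ "$(ini_get "$f" domain_realm "$dom")" = "$realm" ] && [ "$(ini_get "$f" domain_realm ".$dom")" = "$realm" ] \
        || { echo "FAIL: [domain_realm] must map $dom and .$dom to $realm"; rc=1; }
    return $rc
}

# Check the two [global] settings in smb.conf that the Winbind/ADS join depends on.
check_smb_conf() {  # check_smb_conf FILE EXPECTED_WORKGROUP
    rc=0
    [ "$(ini_get "$1" global workgroup)" = "$2" ] || { echo "FAIL: workgroup should be $2"; rc=1; }
    [ "$(ini_get "$1" global security)" = ads ] || { echo "FAIL: security should be ads"; rc=1; }
    return $rc
}

# Constructed sample files (placeholder realm, not a real host) so the checks run stand-alone.
write_samples() {  # write_samples DIR
    printf '[libdefaults]\n default_realm = YOUR.REALM\n dns_lookup_realm = true\n' > "$1/krb5.conf"
    printf ' dns_lookup_kdc = true\n udp_preference_limit = 1\n default_tkt_enctypes = rc4-hmac\n' >> "$1/krb5.conf"
    printf '[domain_realm]\n test.nintendo.com = YOUR.REALM\n .test.nintendo.com = YOUR.REALM\n' >> "$1/krb5.conf"
    printf '[global]\n workgroup = NOA\n security = ads\n' > "$1/smb.conf"
    printf '[global]\n workgroup = NOA\n security = user\n' > "$1/smb-bad.conf"   # wrong security model
}
```

On a real host run `check_krb5_conf /etc/krb5.conf <your DNS domain>` and `check_smb_conf /etc/samba/smb.conf <workgroup>`; the WARN line is informational only.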