Configuring Kerberos authentication

Note

  • this configuration is required when using the WAPT Enterprise version;
  • Kerberos is necessary to authenticate the workstation during the registration process, so as not to end up with an incorrect inventory;
  • for more information, see Registering a machine with the WAPT Server and Signing inventory updates;
  • Kerberos authentication is used only when registering the device.

Installing the Kerberos components

apt-get install krb5-user msktutil
apt-get install libnginx-mod-http-auth-spnego

Configuring krb5

Modify the /etc/krb5.conf file and replace all of its content with the following 4 lines, replacing MYDOMAIN.LAN with your own Active Directory domain name.

Attention

default_realm must be written in ALL CAPS!

[libdefaults]
    default_realm = MYDOMAIN.LAN
    dns_lookup_kdc = true
    dns_lookup_realm = false

Retrieving a service keytab

Use the kinit and klist commands. You can use an Administrator account or any other account with the delegated right to join a computer to the domain in the proper destination container (by default CN=Computers).

In the shell transcript below, commands are shown as typed and the returned text is shown as comments (lines starting with ##):

sudo kinit administrator
## Password for administrator@MYDOMAIN.LAN:
## Warning: Your password will expire in 277 days on lun. 17 sept. 2018 10:51:21 CEST
sudo klist
## Ticket cache: FILE:/tmp/krb5cc_0
## Default principal: administrator@MYDOMAIN.LAN
##
## Valid starting       Expires              Service principal
## 01/12/2017 16:49:31  02/12/2017 02:49:31  krbtgt/MYDOMAIN.LAN@MYDOMAIN.LAN
## renew until 02/12/2017 16:49:27

If the authentication request is successful, you can then create your HTTP keytab with the msktutil command.

Be sure to replace the DOMAIN_CONTROLER placeholder with the name of your domain controller (e.g. srvads.mydomain.lan).

sudo msktutil --server DOMAIN_CONTROLER --precreate --host $(hostname) -b cn=computers --service HTTP --description "host account for wapt server" --enctypes 24 -N
sudo msktutil --server DOMAIN_CONTROLER --auto-update --keytab /etc/nginx/http-krb5.keytab --host $(hostname) -N

Attention

Be sure to have properly configured your hostname before running these commands.

To double check your hostname, run echo $(hostname): it must return the name that the WAPT agent running on the client workstations will use to reach the server.

Finally, change the ownership rights on the keytab file.

sudo chown root:www-data /etc/nginx/http-krb5.keytab
sudo chmod 640 /etc/nginx/http-krb5.keytab
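The checks below verify the three points this section depends on (an upper-case default_realm, a keytab readable by Nginx but nobody else, and an HTTP/<host> principal actually present in it). This is an added example, not a script from the WAPT project; it assumes GNU coreutils (stat -c) and the klist tool from krb5-user, and the file paths used on this page.

```shell
#!/bin/sh
# Kerberos prerequisite checks for the WAPT server (added example, not WAPT code).
# Assumes GNU stat and MIT Kerberos klist; paths are those used in this documentation.

# read_default_realm CONF -> prints the default_realm value from [libdefaults]
read_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_default_realm CONF -> 0 if default_realm exists and is entirely upper case.
# A lower-case realm is the usual reason kinit/msktutil fail with an "unknown realm" error.
check_default_realm() {
    realm=$(read_default_realm "$1")
    [ -n "$realm" ] || return 1
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# check_keytab_perms KEYTAB OWNER GROUP -> 0 if the file is OWNER:GROUP with mode 640,
# i.e. readable by the Nginx worker group only (root:www-data on the server).
check_keytab_perms() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%a %U %G' "$1")" = "640 $2 $3" ]
}

# check_keytab_principal KEYTAB HOST REALM -> 0 if klist shows HTTP/HOST@REALM in the keytab.
check_keytab_principal() {
    klist -k "$1" 2>/dev/null | grep -q "HTTP/$2@$3\$"
}

# Run all checks against the live server only when invoked as: sh thisfile.sh --run
if [ "${1:-}" = "--run" ]; then
    conf=/etc/krb5.conf; kt=/etc/nginx/http-krb5.keytab; host=$(hostname)
    check_default_realm "$conf" || { echo "default_realm missing or not in upper case" >&2; exit 1; }
    check_keytab_perms "$kt" root www-data || { echo "$kt must be root:www-data mode 640" >&2; exit 1; }
    check_keytab_principal "$kt" "$host" "$(read_default_realm "$conf")" \
        || { echo "no HTTP/$host principal in $kt; re-run msktutil --auto-update" >&2; exit 1; }
    echo "Kerberos prerequisites look correct"
fi
```

Run it with --run after the chown/chmod step; any failing check names the line of this section to revisit.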

Post-configuring

You can now use the post-configuration script to configure the WAPT Server to use Kerberos, so that your computers are automatically registered with the WAPT Server.

The post-configuration script configures Nginx and the WAPT Server to use Kerberos authentication.

Hint

This post-configuration script must be run as root.

/opt/wapt/waptserver/scripts/postconf.sh --use-kerberos --force-https

Kerberos authentication is now configured.

Note

The post-configuration script generates a self-signed certificate. If you prefer, you may replace it with a commercial certificate or a certificate issued by a trusted internal Certificate Authority by following this documentation.

Otherwise, go on directly to the next step to install the WAPT console.