The Kerberos authentication should be performed by taking the already-configured Kerberos credentials (obtained via kinit) and authenticating through the /ipa/session/login_kerberos endpoint.

How to reproduce

It is assumed that no ticket exists yet, no browser has been opened yet, and a vagrant machine running the modern WebUI is up (see the README file for instructions).

1. [From local] Destroy all Kerberos tickets:

       kdestroy -A

2. To be able to test locally, the local resolver must be pointed at the already-created vagrant VM. Add the following lines to the /etc/systemd/resolved.conf file:

   Save the changes and restart the service.

3. Create a ticket for admin in the WebUI realm:

       kinit admin@DOM-IPA.DEMO

   You can check whether the ticket was created successfully by executing klist -A. Alternatively, create the ticket with Kerberos tracing enabled to debug problems:

       KRB5_TRACE=/dev/stdout kinit admin@DOM-IPA.DEMO

These steps should be enough to test the authentication via Kerberos:

1. Open a new tab in any browser (recommended: Firefox or Chrome).
2. Navigate to the /login page.
3. Follow the instructions behind the "Browser Kerberos setup" link (or /ipa/config/ssbrowser.html, the link from the FreeIPA demo) for your specific browser.
   NOTE: there is no need to add any certificate, so those specific steps can be skipped.
4. Close the browser (all tabs of that browser) and open it again so the changes take effect.
5. Go to the /login page and click the Login button without entering any user or password. You should be authenticated now.

If this doesn't work, try the steps described in 'Plan B'.

Plan B

This approach assumes that we want to configure the Kerberos authentication for a server with a different name (e.g., <my-webui-local-instance>.ipa.demo). This can be configured via the WebUI or via CLI commands.

Option 1: WebUI

Create the zone for dom-ipa.demo:

1. Access the WebUI with our credentials.
2. Go to Network services > DNS > DNS zones.
3. Create a new zone called dom-ipa.demo. (the final . is important!)
4. Open the settings page of the newly created zone.
5. Create the new records (the values of e.g. dom-server.ipa.demo can be used as a reference):
   - _kerberos (TXT and URI types)
   - _kerberos._tcp (if it doesn't exist)
6. Save the changes.

At the end, it should look similar to this:

Disclaimer: the image shows more values defined, but they might not be necessary in this case.

Option 2: CLI

Execute the following commands to generate the zone and its records:

1. Access the vagrant machine: vagrant ssh
2. Create a ticket: kinit
3. Create the DNS zone: ipa dnszone_add mynewzone.ipa.demo.
4. Add the _kerberos URI and TXT records and the _kerberos._tcp / _kerberos._udp SRV records:

       ipa dnsrecord_add somezone.ipa.demo. _kerberos --uri-priority=0 --uri-weight=100 --uri-target=krb5srv:m:tcp:server.ipa.demo
       ipa dnsrecord_add somezone.ipa.demo. _kerberos --uri-priority=0 --uri-weight=100 --uri-target=krb5srv:m:udp:server.ipa.demo
       ipa dnsrecord_add somezone.ipa.demo. _kerberos --txt-data=DOM-IPA.DEMO
       ipa dnsrecord_add somezone _kerberos._tcp --srv-priority=0 --srv-weight=100 --srv-port=88 --srv-target=server.ipa.demo
       ipa dnsrecord_add somezone _kerberos._udp --srv-priority=0 --srv-weight=100 --srv-port=88 --srv-target=server.ipa.demo

5. Modify the Kerberos configuration file so that tickets can be created for the DOM-IPA.DEMO realm (sudo vim /etc/krb5.conf): set default_realm and create the settings for the realm:
6. Check that there is a Kerberos ticket and print the version numbers.
7. Open a Google Chrome window, adding the ipa.demo server to the whitelist.

If there is a Kerberos ticket, this should automatically log in to the WebUI.
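As an added example (written for this page, not code from the modern WebUI project or from FreeIPA), the following POSIX shell script turns the checks implied by the procedure above and by Plan B into functions that can be exercised offline: the trailing-dot rule for zone names, the _kerberos TXT/URI/SRV records that make the realm discoverable, the klist check for a TGT in DOM-IPA.DEMO, and the outcome of calling /ipa/session/login_kerberos with an existing ticket. REALM and ZONE come from the page; the WEBUI URL is an assumed placeholder; every SAMPLE_* value is constructed rather than captured from a server; the ipa_session cookie name and the curl --negotiate -u : invocation are standard FreeIPA and curl behaviour, not something the page states, and the Referer header is sent only because FreeIPA's JSON-RPC endpoints require one.

```shell
#!/bin/sh
# Added example, not part of the modern WebUI project: offline-checkable helpers
# for the Kerberos login procedure.  REALM and ZONE come from the page; WEBUI is
# an assumed placeholder; every SAMPLE_* value below is constructed, not captured.

REALM="DOM-IPA.DEMO"
ZONE="dom-ipa.demo"
WEBUI="https://server.ipa.demo"   # assumed base URL of the WebUI under test

# Zone names given to ipa dnszone_add / dnsrecord_add must end with a dot.
fqdn_zone() {
    case "$1" in
        *.) printf '%s\n' "$1" ;;
        *)  printf '%s.\n' "$1" ;;
    esac
}

# Realm discovery: the _kerberos TXT record names the realm; the _kerberos URI
# record and the _kerberos._tcp SRV record name the KDC.  Each parser takes the
# `dig +short` answer as text so it can be checked without a resolver.
realm_from_txt() {            # input: `dig +short TXT _kerberos.<zone>`
    printf '%s\n' "$1" | tr -d '"' | head -n 1
}
kdc_from_uri() {              # input: `dig +short URI _kerberos.<zone>`
    # Answer format: priority weight "krb5srv:m:tcp:<kdc>"; the last field is the KDC.
    printf '%s\n' "$1" | awk '{ gsub(/"/, "", $3); n = split($3, a, ":"); print a[n]; exit }'
}
kdc_from_srv() {              # input: `dig +short SRV _kerberos._tcp.<zone>`
    # Answer format: priority weight port target; only a KDC on port 88 counts.
    printf '%s\n' "$1" | awk '$3 == 88 { sub(/\.$/, "", $4); print $4; exit }'
}

# Ticket check: a usable TGT shows up in klist -A as krbtgt/REALM@REALM.
has_tgt_for_realm() {         # $1 = realm, $2 = output of klist -A
    printf '%s\n' "$2" | grep -qF "krbtgt/$1@$1"
}

# Login check: /ipa/session/login_kerberos answers 200 and sets FreeIPA's
# ipa_session cookie on success; a 401 with WWW-Authenticate: Negotiate means
# SPNEGO did not complete (no ticket, realm mismatch, or the client does not
# trust the server for negotiate auth).
login_succeeded() {           # $1 = response headers as dumped by curl -D -
    printf '%s\n' "$1" | head -n 1 | grep -q '^HTTP/[^ ]* 200' &&
    printf '%s\n' "$1" | grep -qi '^Set-Cookie: ipa_session='
}

# Constructed sample data for the offline checks.
SAMPLE_TXT='"DOM-IPA.DEMO"'
SAMPLE_URI='0 100 "krb5srv:m:tcp:server.ipa.demo"'
SAMPLE_SRV='0 100 88 server.ipa.demo.'
SAMPLE_KLIST='Ticket cache: KCM:1000
Default principal: admin@DOM-IPA.DEMO

Valid starting       Expires              Service principal
01/01/2024 10:00:00  01/02/2024 10:00:00  krbtgt/DOM-IPA.DEMO@DOM-IPA.DEMO'
SAMPLE_OK='HTTP/1.1 200 OK
Set-Cookie: ipa_session=constructed-token; Path=/ipa; Secure; HttpOnly'
SAMPLE_401='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate'

# Live run against the vagrant VM (needs dig, klist and curl); off by default.
if [ "${RUN_LIVE:-0}" = "1" ]; then
    zone=$(fqdn_zone "$ZONE")
    echo "realm (TXT): $(realm_from_txt "$(dig +short TXT "_kerberos.$zone")")"
    echo "KDC   (URI): $(kdc_from_uri "$(dig +short URI "_kerberos.$zone")")"
    echo "KDC   (SRV): $(kdc_from_srv "$(dig +short SRV "_kerberos._tcp.$zone")")"
    if has_tgt_for_realm "$REALM" "$(klist -A 2>/dev/null)"; then
        # --negotiate with an empty user (-u :) makes curl use the existing ticket.
        hdrs=$(curl -sS -o /dev/null -D - --negotiate -u : -X POST \
                   -H "Referer: $WEBUI/ipa" "$WEBUI/ipa/session/login_kerberos")
        login_succeeded "$hdrs" && echo "login OK" || echo "login failed:" "$hdrs"
    else
        echo "no TGT for $REALM; run: kinit admin@$REALM"
    fi
fi
```

Run it with RUN_LIVE=1 from the local machine once the resolver points at the VM; without that variable the script only defines the helpers and the sample data. A 401 from the endpoint while klist shows a valid TGT usually means the realm advertised in the _kerberos TXT record disagrees with default_realm in /etc/krb5.conf, or the browser or curl has not been told to trust the server for negotiate authentication, which is what the ssbrowser.html steps and Plan B address.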
NOTE

This solution is not able to log out of the WebUI as long as there is a Kerberos ticket. The same thing happens with the current WebUI when the page is refreshed from the /login page. Not sure if this is the expected behavior.