NGINX / SPNEGO / GSSAPI / Kerberos

reqs

# Compiler toolchain plus the PCRE and OpenSSL development headers nginx is built against.
apt install build-essential libpcre3-dev libssl-dev
# Kerberos/GSSAPI development headers needed to compile the SPNEGO module.
apt install libkrb5-dev
# Refresh the locate database, then confirm gssapi.h is actually on the system.
updatedb
locate gssapi.h

compile

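# Third-party module: this clones whatever is at the tip of the default branch.
# It is compiled into nginx and handles authentication, so review it and check
# out a specific commit before building rather than trusting the moving tip.
git clone https://github.com/stnoonan/spnego-http-auth-nginx-module.git
# Fetch the tarball over HTTPS together with its detached signature and verify
# it before unpacking. gpg --verify only means something once the nginx release
# signing key has been imported and its fingerprint checked out of band; stop
# here if verification fails.
# 1.13.9 is the version these notes were written for; prefer a currently
# supported nginx release when rebuilding.
wget https://nginx.org/download/nginx-1.13.9.tar.gz
wget https://nginx.org/download/nginx-1.13.9.tar.gz.asc
gpg --verify nginx-1.13.9.tar.gz.asc nginx-1.13.9.tar.gz
tar xzf nginx-1.13.9.tar.gz
cd nginx-1.13.9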

# --with-http_ssl_module builds in TLS support; --add-module compiles the
# SPNEGO module from the sibling checkout directly into the nginx binary.
./configure --with-http_ssl_module --add-module=../spnego-http-auth-nginx-module
make
# Installs under the default prefix (/usr/local/nginx, the path used further
# down in these notes); typically has to be run as root.
make install

prepare Kerberos keytab

on the Samba4 host,

# Dedicated service account whose key ends up in the keytab.
samba-tool user add ldap-service
# --noexpiry: the account's password, and therefore the key in the keytab,
# never expires. Rotation is then a manual job: after any password change the
# keytab must be re-exported and redistributed.
samba-tool user setexpiry ldap-service --noexpiry
# The keytab contains the account's long-term secret keys; anyone who can read
# the file can act as ldap-service.
# NOTE(review): SPNEGO clients normally request a ticket for an HTTP/<fqdn>
# service principal. Confirm such an SPN is registered on this account
# (samba-tool spn list ldap-service) and present in the exported keytab.
samba-tool domain exportkeytab /etc/nslcd.keytab --principal=ldap-service

# The same keytab is copied to every member host, so a compromise of any one
# of them exposes the key used by all. A per-host principal and keytab would
# contain that.
scp /etc/nslcd.keytab domain-member1:/etc/nslcd.keytab
scp /etc/nslcd.keytab domain-member2:/etc/nslcd.keytab

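and back on the member hosts, check that the file is owned by root:root with mode 600 (nginx must still be able to read it: if its worker processes run as an unprivileged user, give nginx its own keytab readable by that user rather than loosening the mode on this one),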

# Expect mode -rw------- with owner and group root.
ls -lhF /etc/nslcd.keytab

ref. https://zachbethel.wordpress.com/2013/04/10/linux-ldap-authentication-with-samba4/

config

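    location / {
        # Require Kerberos (SPNEGO/Negotiate) authentication for this location.
        auth_gss on;
        # Reuses the keytab exported in the keytab step, so nginx authenticates
        # with the same service account key as whatever else reads this file.
        auth_gss_keytab /etc/nslcd.keytab;
        #auth_gss_realm EXAMPLE.LOCAL;
        # The module falls back to HTTP Basic by default when the client does
        # not negotiate; without TLS that sends the user's domain password in
        # cleartext. Leave this off unless the server is HTTPS-only and the
        # fallback is really wanted.
        auth_gss_allow_basic_fallback off;

        root   html;
        index  index.html index.htm;
    }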

usage

vi /etc/rc.local

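#!/bin/bash

# Start the locally built nginx (with the SPNEGO module) at boot.
# Prints a progress line and, unlike a bare `cmd && echo`, reports a failed
# start on stderr and passes nginx's exit status on to the caller.
printf '%s' 'Starting NGINX+SPNEGO...'
if /usr/local/nginx/sbin/nginx; then
  printf '%s\n' ' Done'
else
  status=$?
  printf '%s\n' ' FAILED' >&2
  exit "$status"
fi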

# rc.local is typically only run at boot when it is executable; keep it
# writable by root alone, since whatever it contains runs as root.
chmod +x /etc/rc.local

to reload,

# Signals the running master process to re-read its configuration. Validate
# the file first with /usr/local/nginx/sbin/nginx -t: on a config error nginx
# keeps serving with the old settings, including the old auth settings.
/usr/local/nginx/sbin/nginx -s reload

refs