[CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]
Ross Walker
rswwalker at gmail.com
Tue Feb 17 01:57:36 UTC 2009
On Mon, Feb 16, 2009 at 8:34 PM, Christopher Chan
<christopher.chan at bradbury.edu.hk> wrote:
> Thanks Ross, much appreciated.
>
>
> Now I have to see if I can translate the necessary stuff to Ubuntu
> (Centos 5 did not cut it for desktop - cost me almost all the new Linux
> desktops but it sure was the easiest to install and setup. Ubuntu is a
> pain to get the debian-installer to do what kickstart does...still stuck
> on the stupid disk part/RAID/LVM configuration)
Yes, Ubuntu is nice, but Debian's automated installer still leaves a lot
to be desired.
Just use sed to edit the pam configs in the script section at the end.
Below are what mine look like after authconfig was finished with them.
== system-auth ==
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_mkhomedir.so skel=/etc/skel umask=0077 silent
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
== nsswitch.conf ==
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nisplus or nis+ Use NIS+ (NIS version 3)
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
passwd: files winbind
shadow: files winbind
group: files winbind
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus
== krb5.conf ==
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MFG.PRV
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = yes
renewable = yes
[realms]
MFG.PRV = {
kdc = mfg.prv
admin_server = mfg.prv
default_domain = mfg.prv
}
[domain_realm]
.mfg.prv = MFG.PRV
mfg.prv = MFG.PRV
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
renewable = true
krb4_convert = false
}
== smb.conf ==
[global]
workgroup = MFG
security = ads
realm = MFG.PRV
load printers = yes
printing = cups
max log size = 50
passdb backend = tdbsam
use kerberos keytab = Yes
allow trusted domains = no
idmap backend = rid:"BUILTIN=100000-109999,MFG=110000-999999"
winbind gid = 100000-999999
winbind uid = 100000-999999
template homedir = /home/%U
template shell = /bin/bash
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
wins server = mfg.prv
name resolve order = wins bcast host
restrict anonymous = no
domain master = no
preferred master = no
printer admin = @"MFG\Printer Admins"
[printers]
path = /var/spool/samba
printable = yes
[print$]
path = /var/lib/samba/print
write list = @"MFG\Printer Admins"
force user = root
force group = "printer admins"
create mask = 0664
directory mask = 0775
== ldap.conf ==
URI ldap://mfg.prv/
BASE DC=mfg,DC=prv
SASL_SECPROPS maxssf=0
TLS_REQCERT allow
TLS_CACERTDIR /etc/openldap/cacerts
The LDAP stuff really wasn't necessary to get things working, I just
like the ldapsearch tool for exploring attributes in AD and it works
with GSSAPI (oh you need the GSSAPI/SASL packages installed for SSO to
work).
On Redhat these are:
cyrus-sasl-gssapi-2.1.22-4
libgssapi-0.10-2
cyrus-sasl-2.1.22-4
cyrus-sasl-gssapi-2.1.22-4
cyrus-sasl-lib-2.1.22-4
cyrus-sasl-md5-2.1.22-4
cyrus-sasl-ntlm-2.1.22-4
cyrus-sasl-plain-2.1.22-4
-Ross
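As an added example (not from Ross's post), here is what the "use sed in the script section" step looks like as a %post-style shell snippet: it inserts the uid gate and pam_krb5 lines after pam_unix the way the authconfig output above has them, and then checks that the auth stack still ends in pam_deny.so. The stock system-auth it edits is a constructed sample, not taken from any real host.

```shell
#!/bin/sh
# Constructed sample of a stock system-auth before the Kerberos lines are
# added (made up for this example, not copied from any host).
make_sample_pam() {
  cat > "$1" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
EOF
}

# Append the uid gate and pam_krb5 directly after the pam_unix auth line,
# matching the authconfig output in the post. Skipped if pam_krb5 is already
# present, so re-running a %post script does not duplicate the lines.
add_krb5_auth() {
  f="$1"
  grep -q '^auth.*pam_krb5\.so' "$f" && return 0
  sed '/^auth[[:space:]][[:space:]]*sufficient[[:space:]][[:space:]]*pam_unix\.so/a\
auth        requisite     pam_succeed_if.so uid >= 500 quiet\
auth        sufficient    pam_krb5.so use_first_pass' "$f" > "$f.tmp" \
    && mv "$f.tmp" "$f"
}

# Fail-closed check: the auth stack must still end with pam_deny.so, and
# pam_krb5 must come after the uid gate so local system accounts (uid < 500)
# are never sent to the KDC.
check_auth_stack() {
  f="$1"
  case "$(grep '^auth' "$f" | tail -n 1)" in
    *pam_deny.so*) ;;
    *) echo "auth stack does not end in pam_deny.so" >&2; return 1 ;;
  esac
  gate=$(grep -n '^auth.*pam_succeed_if\.so uid >= 500' "$f" | head -n 1 | cut -d: -f1)
  krb=$(grep -n '^auth.*pam_krb5\.so' "$f" | head -n 1 | cut -d: -f1)
  [ -n "$gate" ] && [ -n "$krb" ] && [ "$gate" -lt "$krb" ]
}

tmp=$(mktemp)
make_sample_pam "$tmp"
add_krb5_auth "$tmp"
add_krb5_auth "$tmp"            # second run must be a no-op
check_auth_stack "$tmp" && echo "system-auth auth stack OK"
rm -f "$tmp"
```

On a real kickstart the same functions would be pointed at /etc/pam.d/system-auth inside %post; the check is worth keeping there so a typo in the sed pattern cannot silently leave the stack without its final deny.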