On Mon, Feb 16, 2009 at 7:07 PM, Christopher Chan <christopher.chan@bradbury.edu.hk> wrote:
> Ross Walker wrote:
>> On Feb 16, 2009, at 3:13 AM, "Sorin Srbu" <sorin.srbu@orgfarm.uu.se> wrote:
>>> -----Original Message-----
>>> From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Christopher Chan
>>> Sent: Monday, February 16, 2009 8:53 AM
>>> To: CentOS mailing list
>>> Subject: Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]
>>>
>>>> No, NTLM auth works in Firefox (at least on Firefox on Windows, I don't think it will work in other platforms though).
>>>
>>> It doesn't. NTLM auth to eg Sharepoint sites works fine with Firefox in Windows. Setting the same things in Firefox under Linux and having it login to Sharepoint doesn't.
>>>
>>>> I don't think any other OS other than Windows has NTLM bindings.
>>>
>>> Probably not, but I was thinking there may be some obscure package somewhere on the 'net to do this.
>>
>> Avoid NTLM altogether and use Kerberos between apache/squid, Active Directory and the Windows and Linux clients.
>>
>> Firefox and IE both support Kerberos authentication. I believe apache/squid do too, but you need to manually create the service principal names in AD for those.
>>
>> Use pam_krb5 on the Linux clients to get a ticket on login.
>
> Mind sharing the pam config for that? I have something setup but things don't seem to work.
>
>> Use samba client on Linux hosts to join to domain and manage the Kerberos keytab file for the machine passwords.
>
> Hmm...maybe I should not have manually created the credentials.
Ok, here are the default settings that my kickstart file creates to allow me to join the domain and have samba manage the keytab.
# Default Kerberos configuration
mv /etc/krb5.conf /etc/krb5.conf.orig
cat >/etc/krb5.conf <<EOF
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = yes

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 24h
   renew_lifetime = 7d
   forwardable = true
   krb4_convert = false
 }
EOF

authconfig --kickstart --enablekrb5 --krb5realm=MFG.PRV --krb5kdc=mfg.prv --krb5adminserver=mfg.prv --enablekrb5kdcdns --enablekrb5realmdns

# Default Samba configuration
mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
cat >/etc/samba/smb.conf <<EOF
[global]
 workgroup = EXAMPLE
 realm = EXAMPLE.COM
 security = ads
 password server = *
 use kerberos keytab = yes
 passdb backend = tdbsam
 allow trusted domains = no
 idmap domains = default
 idmap config default:default = yes
 idmap config default:backend = rid
 idmap uid = 100000 - 999999
 idmap gid = 100000 - 999999
 template homedir = /home/%U
 template shell = /bin/bash
 winbind use default domain = true
 winbind enum groups = yes
 winbind enum users = yes
 name resolve order = wins bcast host

[homes]
 comment = Home Directories
 read only = no
 browseable = no

[printers]
 comment = All Printers
 path = /var/spool/samba
 printable = yes
 browseable = no

[print$]
 comment = Printer Drivers
 path = /var/lib/samba/drivers
 admin users = @"MFG\Printer Admins"
 write list = @"MFG\Printer Admins"
 force user = root
 force group = root
 create mask = 0664
 directory mask = 0775
EOF

mkdir -p /var/lib/samba/drivers/W32ALPHA
mkdir -p /var/lib/samba/drivers/W32MIPS
mkdir -p /var/lib/samba/drivers/W32PPC
mkdir -p /var/lib/samba/drivers/W32X86
mkdir -p /var/lib/samba/drivers/WIN40
chown -R root:root /var/lib/samba/drivers
chmod -R 775 /var/lib/samba/drivers

authconfig --kickstart --smbworkgroup=MFG --smbservers=* --enablewinbind --smbsecurity=ads --smbrealm=MFG.PRV --smbidmapuid=100000-999999 --smbidmapgid=100000-999999 --winbindtemplatehomedir=/home/%U --winbindtemplateshell=/bin/bash --enablewinbindusedefaultdomain

# Default NSS_LDAP configuration
mv /etc/ldap.conf /etc/ldap.conf.orig
cat >/etc/ldap.conf <<EOF
uri ldap://example.com/
base dc=example,dc=com
timelimit 30
bind_timelimit 30
idle_timelimit 3600
ssl start_tls
tls_checkpeer no
use_sasl yes
sasl_secprops maxssf=0
krb5_ccname FILE:/tmp/krb5.ldap

pam_filter objectClass=User
pam_password crypt

nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup Group

nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute userPassword unixUserPassword

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
EOF

# Default OpenLDAP configuration
mv /etc/openldap/ldap.conf /etc/openldap/ldap.conf.orig
cat >/etc/openldap/ldap.conf <<EOF
URI ldap://example.com
BASE dc=example, dc=com
SASL_SECPROPS maxssf=0
TLS_REQCERT allow
EOF

authconfig --kickstart --ldapserver=mfg.prv --ldapbasedn="DC=mfg,DC=prv"

# Add an entry for pam_mkhomedir in system-auth, directly above the pam_limits line.
# '|' is the sed delimiter because the replacement contains /etc/skel; the \( \) group
# captures the existing pam_limits line so it is re-emitted after the new one.
sed -i -e 's|^\(session[[:space:]]\{1,\}required[[:space:]]\{1,\}pam_limits\.so\)|session     required      pam_mkhomedir.so skel=/etc/skel umask=0077 silent\n\1|' /etc/pam.d/system-auth
By using authconfig I avoid having to manually edit the PAM stuff which can get clobbered after an upgrade.
After it is configured I do have to manually join the domain, and enable/restart winbind.

# net ads join -U <admin user>
# chkconfig winbind on
# service winbind restart
-Ross
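The two LDAP client files in the kickstart above carry `tls_checkpeer no`, `TLS_REQCERT allow` and `maxssf=0`, which together mean the StartTLS session to the directory is never verified and the SASL/GSSAPI security layer is switched off. The script below is an added example, not part of Ross's kickstart: it writes a constructed copy of those settings next to a hardened variant and lints both for exactly those options. The CA bundle path in the hardened variant is a placeholder assumption.

```shell
#!/bin/sh
# Added example, not part of Ross's kickstart: lint the nss_ldap and OpenLDAP
# client files for settings that leave the StartTLS session unverified.
# The sample contents are constructed here so the check runs offline; the
# CA bundle path in the hardened variant is a placeholder assumption.

# Weak variant: the settings as they appear in the thread.
write_weak_samples() {
    cat >"$1/ldap.conf" <<'EOF'
uri ldap://example.com/
base dc=example,dc=com
ssl start_tls
tls_checkpeer no
use_sasl yes
sasl_secprops maxssf=0
EOF
    cat >"$1/openldap-ldap.conf" <<'EOF'
URI ldap://example.com
BASE dc=example, dc=com
SASL_SECPROPS maxssf=0
TLS_REQCERT allow
EOF
}

# Hardened variant: same layout, but the server certificate must validate
# against a CA bundle (placeholder path, assumed to hold the AD issuing CA).
write_hardened_samples() {
    cat >"$1/ldap.conf" <<'EOF'
uri ldap://example.com/
base dc=example,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ad-ca.pem
use_sasl yes
sasl_secprops maxssf=0
EOF
    cat >"$1/openldap-ldap.conf" <<'EOF'
URI ldap://example.com
BASE dc=example, dc=com
SASL_SECPROPS maxssf=0
TLS_REQCERT demand
TLS_CACERT /etc/openldap/cacerts/ad-ca.pem
EOF
}

# lint_ldap_client NSS_LDAP_CONF OPENLDAP_CONF
# Prints each finding on stderr and the number of findings on stdout.
lint_ldap_client() {
    nss="$1"; ol="$2"; n=0; verified=1

    # nss_ldap: without "ssl start_tls" (or "ssl on") the bind goes in cleartext.
    if ! grep -Eiq '^[[:space:]]*ssl[[:space:]]+(start_tls|on|yes)' "$nss"; then
        echo "$nss: no ssl start_tls -> directory traffic is cleartext" >&2
        n=$((n + 1)); verified=0
    fi
    # nss_ldap: tls_checkpeer no accepts whatever certificate the server presents.
    if grep -Eiq '^[[:space:]]*tls_checkpeer[[:space:]]+no' "$nss"; then
        echo "$nss: tls_checkpeer no -> server certificate is not verified" >&2
        n=$((n + 1)); verified=0
    fi
    # OpenLDAP: anything but TLS_REQCERT demand tolerates a bad or missing certificate.
    if grep -Eiq '^[[:space:]]*TLS_REQCERT[[:space:]]+(allow|never|try)' "$ol"; then
        echo "$ol: TLS_REQCERT is not demand -> bad certificate is tolerated" >&2
        n=$((n + 1)); verified=0
    fi
    # maxssf=0 switches off the SASL/GSSAPI security layer, so TLS is the only
    # protection left; flag it only when that TLS session is not verified.
    if [ "$verified" -eq 0 ] && grep -Eiq 'maxssf=0' "$nss" "$ol"; then
        echo "maxssf=0 with unverified TLS -> no integrity or confidentiality" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# Stand-alone run: lint both variants and report the counts.
main() {
    d=$(mktemp -d)
    write_weak_samples "$d"
    echo "weak findings: $(lint_ldap_client "$d/ldap.conf" "$d/openldap-ldap.conf")"
    write_hardened_samples "$d"
    echo "hardened findings: $(lint_ldap_client "$d/ldap.conf" "$d/openldap-ldap.conf")"
    rm -rf "$d"
}

main "$@"
```

The weak variant yields three findings and the hardened one none. `maxssf=0` is deliberately only counted when TLS is unverified: with `tls_checkpeer yes` / `TLS_REQCERT demand` and a CA bundle, the TLS session carries the integrity and confidentiality that the disabled SASL layer would otherwise provide, which is the usual pairing when the GSSAPI bind is wrapped in StartTLS.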