On Feb 16, 2009, at 3:13 AM, "Sorin Srbu" sorin.srbu@orgfarm.uu.se wrote:
> -----Original Message-----
> From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Christopher Chan
> Sent: Monday, February 16, 2009 8:53 AM
> To: CentOS mailing list
> Subject: Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]
>
>> No, NTLM auth works in Firefox (at least on Firefox on Windows, I don't think it will work in other platforms though).
>
> It doesn't. NTLM auth to e.g. SharePoint sites works fine with Firefox in Windows. Setting the same things in Firefox under Linux and having it login to SharePoint doesn't.
>
>> I don't think any other OS other than Windows has NTLM bindings.
>
> Probably not, but I was thinking there may be some obscure package somewhere on the 'net to do this.

Avoid NTLM altogether and use Kerberos between apache/squid, Active Directory and the Windows and Linux clients.
Firefox and IE both support Kerberos authentication. I believe apache/squid do too, but you need to manually create the service principal names in AD for those.
Use pam_krb5 on the Linux clients to get a ticket on login.
Use samba client on Linux hosts to join to domain and manage the Kerberos keytab file for the machine passwords.
Use winbind to get passwd/group files via nsswitch.
-Ross
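Added example, not part of the thread and not any poster's code: the Apache side of the suggestion above, i.e. mod_auth_kerb configured to accept Negotiate (Kerberos) only for a location, plus the check a practitioner would run from a client to confirm the site never falls back to Basic and that a ticket-holding user gets through. The host name web.mfg.prv, realm MFG.PRV, keytab path and the /sso location are assumptions; it also assumes the HTTP/web.mfg.prv key is already in that keytab and readable by the apache user.

```shell
#!/bin/bash
# Added example (not from the thread): Apache side of Kerberos SSO with
# mod_auth_kerb, plus a client-side check. Host, realm, keytab path and the
# /sso location are assumptions.

WEB_FQDN=${WEB_FQDN:-web.mfg.prv}
REALM=${REALM:-MFG.PRV}
KEYTAB=${KEYTAB:-/etc/httpd/conf/http.keytab}

# write_httpd_krb_conf FILE: KrbMethodK5Passwd Off is the important line. With
# it On, mod_auth_kerb also advertises Basic, and a browser without a ticket
# sends the user's AD password to Apache, which then tries it against the KDC.
write_httpd_krb_conf() {
    cat >"$1" <<EOF
<Location /sso>
    AuthType Kerberos
    AuthName "$REALM"
    KrbAuthRealms $REALM
    KrbServiceName HTTP/$WEB_FQDN
    Krb5KeyTab $KEYTAB
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbVerifyKDC On
    Require valid-user
</Location>
EOF
}

# www_auth_mechs: raw HTTP response headers on stdin -> the mechanism named by
# each WWW-Authenticate header, one per line (e.g. Negotiate, Basic, NTLM)
www_auth_mechs() {
    tr -d '\r' | awk 'tolower($1) == "www-authenticate:" { print $2 }'
}

# negotiate_only: 0 if the 401 response on stdin offers Negotiate and neither
# Basic nor NTLM as a fallback
negotiate_only() {
    local mechs
    mechs=$(www_auth_mechs)
    printf '%s\n' "$mechs" | grep -qix negotiate || return 1
    ! printf '%s\n' "$mechs" | grep -qiE '^(basic|ntlm)$'
}

# check_live: run from a domain-joined client that already holds a TGT (klist).
# Needs a curl built with GSS-API support (curl -V lists GSS-Negotiate/SPNEGO).
check_live() {
    local url code
    url="https://$WEB_FQDN/sso/"
    curl -s -D - -o /dev/null "$url" | negotiate_only ||
        { echo "$url does not challenge with Negotiate only"; return 1; }
    code=$(curl -s -o /dev/null -w '%{http_code}' --negotiate -u : "$url")
    [ "$code" = 200 ] ||
        { echo "SPNEGO failed (HTTP $code): check klist, that $WEB_FQDN is the canonical name (forward and reverse DNS agree), and that HTTP/$WEB_FQDN is in $KEYTAB"; return 1; }
    echo "SSO to $url works"
}

case "${1:-}" in
    conf) write_httpd_krb_conf /etc/httpd/conf.d/krb_sso.conf ;;
    live) check_live ;;
esac
```

Run it with `conf` on the web server to write the config (then reload httpd), and with `live` from a client that has a ticket. The Negotiate-only check is the part worth keeping around: a Basic fallback means every client without a ticket hands its AD password to the web server in the request, so the site is then only as strong as the TLS in front of it, and the password prompt Ranbir saw below would have been exactly that fallback.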
On Mon, 2009-02-16 at 15:21 -0500, Ross Walker wrote:
> Avoid NTLM altogether and use Kerberos between apache/squid, Active Directory and the Windows and Linux clients.
> Firefox and IE both support Kerberos authentication. I believe apache/squid do too, but you need to manually create the service principal names in AD for those.
I was using NTLM at first, but then switched to Kerberos (on the CentOS server side). The Windows users didn't see a difference. For them, SSO works just as well as before, but I still get prompted to enter user/password when I use my Fedora 10 desktop to browse to CentOS hosted web sites.
My Fedora desktop is joined to the domain. I can login with my AD user/password. I even have caching working, which lets me sign on to my laptop when it's not connected to the network.
I suppose I've missed something, though I don't know what.
Regards,
Ranbir
Kanwar Ranbir Sandhu wrote:
> On Mon, 2009-02-16 at 15:21 -0500, Ross Walker wrote:
>> Avoid NTLM altogether and use Kerberos between apache/squid, Active Directory and the Windows and Linux clients.
>> Firefox and IE both support Kerberos authentication. I believe apache/squid do too, but you need to manually create the service principal names in AD for those.
> I was using NTLM at first, but then switched to Kerberos (on the CentOS server side). The Windows users didn't see a difference. For them, SSO works just as well as before, but I still get prompted to enter user/password when I use my Fedora 10 desktop to browse to CentOS hosted web sites.
> My Fedora desktop is joined to the domain. I can login with my AD user/password. I even have caching working, which lets me sign on to my laptop when it's not connected to the network.
> I suppose I've missed something, though I don't know what.
Maybe kerberos authentication?
I have winbind authentication working here but I have yet to get kerberos working to get SSO on Linux desktops.
On Tue, 2009-02-17 at 08:05 +0800, Christopher Chan wrote:
> Maybe kerberos authentication?
> I have winbind authentication working here but I have yet to get kerberos working to get SSO on Linux desktops.
Isn't winbind enough? After all, winbind gets the kerberos ticket when the user logs in.
What's the difference between kerberos auth and winbind auth?
Regards,
Ranbir
Kanwar Ranbir Sandhu wrote:
> On Tue, 2009-02-17 at 08:05 +0800, Christopher Chan wrote:
>> Maybe kerberos authentication?
>> I have winbind authentication working here but I have yet to get kerberos working to get SSO on Linux desktops.
> Isn't winbind enough? After all, winbind gets the kerberos ticket when the user logs in.
??? That's new to me...are you sure?
> What's the difference between kerberos auth and winbind auth?
kerberos auth...should be the one that gets the ticket for you. Winbind serves to both authenticate you and provide user/group account info.
On Mon, Feb 16, 2009 at 7:33 PM, Kanwar Ranbir Sandhu m3freak@thesandhufamily.ca wrote:
> On Tue, 2009-02-17 at 08:05 +0800, Christopher Chan wrote:
>> Maybe kerberos authentication?
>> I have winbind authentication working here but I have yet to get kerberos working to get SSO on Linux desktops.
> Isn't winbind enough? After all, winbind gets the kerberos ticket when the user logs in.
> What's the difference between kerberos auth and winbind auth?
The difference is that winbind authentication is NTLM and it's good for that endpoint only, but it can't be forwarded on to other services for a SSO experience (unless there is an NTLM session cache and the applications are written to use it ala Windows, but it is insecure).
-Ross
On Mon, Feb 16, 2009 at 6:03 PM, Kanwar Ranbir Sandhu m3freak@thesandhufamily.ca wrote:
> On Mon, 2009-02-16 at 15:21 -0500, Ross Walker wrote:
>> Avoid NTLM altogether and use Kerberos between apache/squid, Active Directory and the Windows and Linux clients.
>> Firefox and IE both support Kerberos authentication. I believe apache/squid do too, but you need to manually create the service principal names in AD for those.
> I was using NTLM at first, but then switched to Kerberos (on the CentOS server side). The Windows users didn't see a difference. For them, SSO works just as well as before, but I still get prompted to enter user/password when I use my Fedora 10 desktop to browse to CentOS hosted web sites.
> My Fedora desktop is joined to the domain. I can login with my AD user/password. I even have caching working, which lets me sign on to my laptop when it's not connected to the network.
> I suppose I've missed something, though I don't know what.
In Firefox go to your about:config page and scroll down to:
network.negotiate-auth.delegation-uris
and
network.negotiate-auth.trusted-uris
and for their string values enter your DNS domain to allow kerberos negotiation and delegation to occur.
-Ross
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Ross Walker
Sent: Tuesday, February 17, 2009 2:36 AM
To: CentOS mailing list
Subject: Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

> In Firefox go to your about:config page and scroll down to:
> network.negotiate-auth.delegation-uris
> and
> network.negotiate-auth.trusted-uris
> and for their string values enter your DNS domain to allow kerberos negotiation and delegation to occur.
No way! This works in linux with Firefox??
I've only tried setting the string values to the Windows trivial names. Using the FQDN didn't even occur to me. I've got to try this.
Thx for the hint.
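Added example, not from the thread: why Ross's "enter your DNS domain" works and Sorin's "Windows trivial names" did not. This re-implements, in shell, the matching Firefox applies to each comma-separated entry of network.negotiate-auth.trusted-uris and network.negotiate-auth.delegation-uris (an entry may be "domain", ".domain", "host:port" or "scheme://host", and a bare domain also covers its subdomains). The logic is reconstructed from memory of the Firefox Negotiate-auth code, so treat the details as an assumption and verify against your build; the host names are made up.

```shell
#!/bin/bash
# Added example (not code from the thread). Re-implements, as an assumption
# to be checked against your Firefox build, how Firefox decides whether a URL
# is covered by network.negotiate-auth.trusted-uris / delegation-uris.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# negotiate_entry_matches SCHEME HOST PORT ENTRY -> 0 if ENTRY covers the URL
negotiate_entry_matches() {
    local scheme host port entry
    scheme=$(lower "$1"); host=$(lower "$2"); port=$3; entry=$(lower "$4")
    case "$entry" in
        *://*)  # scheme given: it must match exactly (an https:// entry never covers http)
            [ "${entry%%://*}" = "$scheme" ] || return 1
            entry=${entry#*://}
            ;;
    esac
    case "$entry" in
        *:*)    # port given: it must match exactly
            [ "${entry#*:}" = "$port" ] || return 1
            entry=${entry%%:*}
            ;;
    esac
    [ -n "$entry" ] || return 0         # "https://" alone covers every https host
    [ "$host" = "$entry" ] && return 0   # exact host
    case "$host" in
        *".$entry") return 0 ;;          # subdomain of a bare domain: "mfg.prv" covers "web.mfg.prv"
        *"$entry")  [ "${entry#.}" != "$entry" ] && return 0 ;;   # entry written as ".mfg.prv"
    esac
    return 1                             # "notmfg.prv" is NOT covered by "mfg.prv"
}

# negotiate_allowed SCHEME HOST PORT "entry1, entry2, ..." -> 0 if any entry matches
negotiate_allowed() {
    local e
    for e in $(printf '%s' "$4" | tr ',' ' '); do
        negotiate_entry_matches "$1" "$2" "$3" "$e" && return 0
    done
    return 1
}

# Walk through the cases from the thread: the NetBIOS short name does nothing,
# the DNS domain works, and an over-broad suffix quietly covers untrusted hosts.
demo() {
    local pref url r
    for pref in "MFG" "mfg.prv" ".mfg.prv" "https://mfg.prv" "mfg.prv:443" "prv"; do
        for url in "https web.mfg.prv 443" "http sharepoint.mfg.prv 80" "https evil.prv 443"; do
            # shellcheck disable=SC2086
            if negotiate_allowed $url "$pref"; then r=sends; else r=withholds; fi
            printf 'pref=%-16s %-30s %s Kerberos ticket\n' "$pref" "$url" "$r"
        done
    done
}

demo
```

The same matching applies to both prefs, and that is the security caveat: an entry in delegation-uris that is wider than intended (a bare top-level suffix, or a domain you share with hosts you do not control) makes Firefox forward the user's TGT to every host under it. Keep delegation-uris to the specific hosts that actually need to act on the user's behalf, and keep trusted-uris to your own DNS domain rather than anything broader.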
On Mon, 2009-02-16 at 20:36 -0500, Ross Walker wrote:
> In Firefox go to your about:config page and scroll down to:
> network.negotiate-auth.delegation-uris
> and
> network.negotiate-auth.trusted-uris
> and for their string values enter your DNS domain to allow kerberos negotiation and delegation to occur.
HA! I had these set already, but I still get prompted. So, today I decided I should delete the saved passwords for the apache hosted site I was trying to access, and voilà, SSO worked! I can't believe I didn't remove the saved passwords before.
Anyway, thanks for pointing out the Firefox settings. I doubt I would have remembered they were there.
Regards,
Ranbir
On Tue, 2009-02-17 at 14:07 -0500, Kanwar Ranbir Sandhu wrote:
> On Mon, 2009-02-16 at 20:36 -0500, Ross Walker wrote:
>> In Firefox go to your about:config page and scroll down to:
>> network.negotiate-auth.delegation-uris
>> and
>> network.negotiate-auth.trusted-uris
>> and for their string values enter your DNS domain to allow kerberos negotiation and delegation to occur.
> HA! I had these set already, but I still get prompted. So, today I decided I should delete the saved passwords for the apache hosted site I was trying to access, and voilà, SSO worked! I can't believe I didn't remove the saved passwords before.
I should have mentioned that I only set "network.negotiate-auth.trusted-uris". I left the other one blank. Setting it or not didn't seem to make a difference. But, based on this:
https://developer.mozilla.org/en/Integrated_Authentication
The apache server should have been able to handle the authentication. Maybe I'm misunderstanding what "delegation" does.
Regards,
Ranbir
On Tue, Feb 17, 2009 at 2:18 PM, Kanwar Ranbir Sandhu m3freak@thesandhufamily.ca wrote:
> On Tue, 2009-02-17 at 14:07 -0500, Kanwar Ranbir Sandhu wrote:
>> On Mon, 2009-02-16 at 20:36 -0500, Ross Walker wrote:
>>> In Firefox go to your about:config page and scroll down to:
>>> network.negotiate-auth.delegation-uris
>>> and
>>> network.negotiate-auth.trusted-uris
>>> and for their string values enter your DNS domain to allow kerberos negotiation and delegation to occur.
>> HA! I had these set already, but I still get prompted. So, today I decided I should delete the saved passwords for the apache hosted site I was trying to access, and voilà, SSO worked! I can't believe I didn't remove the saved passwords before.
> I should have mentioned that I only set "network.negotiate-auth.trusted-uris". I left the other one blank. Setting it or not didn't seem to make a difference. But, based on this:
> https://developer.mozilla.org/en/Integrated_Authentication
> The apache server should have been able to handle the authentication. Maybe I'm misunderstanding what "delegation" does.
Delegation will allow a system or service to authenticate you to another system or service on your behalf.
For example, say your apache server has a mysql database backend for an application that requires each user to authenticate individually, well without delegation the users would need to use another form of authentication such as HTTP basic authentication which would then pass it off to the mysql. Even if done over SSL this can open your application up to a man-in-the-middle attack. Kerberos delegation was designed to defeat the man-in-the-middle scenario through signing of the ticket request along the line and back.
-Ross
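Added example, not from the thread and not Ross's code: what delegation looks like on the Apache side. With `KrbSaveCredentials On`, mod_auth_kerb stores the ticket the browser forwarded (Firefox only forwards it when the site is listed in network.negotiate-auth.delegation-uris and the user's TGT is forwardable) in a credential cache and passes its path to CGI scripts in KRB5CCNAME; the script can then talk to a Kerberized backend as that user instead of replaying a Basic-auth password. The host name, realm, keytab path, the /cgi-bin/whoami-krb location and the LDAP backend are assumptions; the klist samples in the test are constructed.

```shell
#!/bin/bash
# Added example (not from the thread): Apache mod_auth_kerb with delegation,
# and a CGI handler that uses the delegated credentials. Names are assumptions.

# Location config to drop into /etc/httpd/conf.d/ (KrbSaveCredentials is the
# line that turns the forwarded ticket into a usable cache for CGI scripts)
print_delegating_conf() {
    cat <<'EOF'
<Location /cgi-bin/whoami-krb>
    AuthType Kerberos
    KrbAuthRealms MFG.PRV
    KrbServiceName HTTP/web.mfg.prv
    Krb5KeyTab /etc/httpd/conf/http.keytab
    KrbMethodNegotiate On
    KrbMethodK5Passwd Off
    KrbSaveCredentials On
    Require valid-user
</Location>
EOF
}

# delegated_identity: "klist -f" output on stdin -> prints the principal and
# returns 0 only if the cache holds a forwarded TGT (flags F and f on the
# krbtgt entry). Anything else fails, so the handler never silently falls
# back to the web server's own identity.
delegated_identity() {
    awk '
        /^Default principal:/ { p = $3 }
        /krbtgt\//            { tgt = 1; next }
        tgt && /Flags:/       { if ($2 ~ /F/ && $2 ~ /f/) ok = 1; tgt = 0 }
        END                   { if (ok && p != "") { print p; exit 0 }; exit 1 }'
}

# CGI handler for /cgi-bin/whoami-krb: refuse to act unless a forwarded TGT is
# really there, then query AD with the user's own credentials via GSSAPI.
cgi_whoami() {
    printf 'Content-Type: text/plain\r\n\r\n'
    if [ -z "${KRB5CCNAME:-}" ]; then
        echo "No delegated credentials: is this host in delegation-uris and is your TGT forwardable (klist -f shows F)?"
        return 0
    fi
    local user
    user=$(klist -f | delegated_identity) || { echo "Credential cache present but no forwarded TGT in it"; return 0; }
    echo "Acting as $user"
    # backend call carried out as the user, not as a service account
    ldapsearch -LLL -Y GSSAPI -H ldap://mfg.prv -b DC=mfg,DC=prv \
        "(sAMAccountName=${user%@*})" memberOf 2>&1
}

# Under Apache (GATEWAY_INTERFACE is set) act as the CGI; by hand, print the config.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then cgi_whoami; else print_delegating_conf; fi
```

Two caveats that follow from this: the web server now holds a TGT it can use anywhere in the realm for the life of that ticket, so a host in delegation-uris must be trusted as much as the user's own workstation; and on the AD side the web server's computer object has to be marked as trusted for delegation, since Windows/IE clients only forward to services whose ticket carries OK-AS-DELEGATE, while MIT Kerberos on Linux forwards whenever the TGT is forwardable (the `forwardable = yes` in the krb5.conf posted later in this thread).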
Ross Walker wrote:
> On Feb 16, 2009, at 3:13 AM, "Sorin Srbu" sorin.srbu@orgfarm.uu.se wrote:
>> -----Original Message-----
>> From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Christopher Chan
>> Sent: Monday, February 16, 2009 8:53 AM
>> To: CentOS mailing list
>> Subject: Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]
>>
>>> No, NTLM auth works in Firefox (at least on Firefox on Windows, I don't think it will work in other platforms though).
>>
>> It doesn't. NTLM auth to e.g. SharePoint sites works fine with Firefox in Windows. Setting the same things in Firefox under Linux and having it login to SharePoint doesn't.
>>
>>> I don't think any other OS other than Windows has NTLM bindings.
>>
>> Probably not, but I was thinking there may be some obscure package somewhere on the 'net to do this.
>
> Avoid NTLM altogether and use Kerberos between apache/squid, Active Directory and the Windows and Linux clients.
> Firefox and IE both support Kerberos authentication. I believe apache/squid do too, but you need to manually create the service principal names in AD for those.
> Use pam_krb5 on the Linux clients to get a ticket on login.
Mind sharing the pam config for that? I have something setup but things don't seem to work.
> Use samba client on Linux hosts to join to domain and manage the Kerberos keytab file for the machine passwords.
Hmm...maybe I should not have manually created the credentials.
On Mon, Feb 16, 2009 at 7:07 PM, Christopher Chan christopher.chan@bradbury.edu.hk wrote:
> Ross Walker wrote:
>> On Feb 16, 2009, at 3:13 AM, "Sorin Srbu" sorin.srbu@orgfarm.uu.se wrote:
>>> -----Original Message-----
>>> From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Christopher Chan
>>> Sent: Monday, February 16, 2009 8:53 AM
>>> To: CentOS mailing list
>>> Subject: Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]
>>>
>>>> No, NTLM auth works in Firefox (at least on Firefox on Windows, I don't think it will work in other platforms though).
>>>
>>> It doesn't. NTLM auth to e.g. SharePoint sites works fine with Firefox in Windows. Setting the same things in Firefox under Linux and having it login to SharePoint doesn't.
>>>
>>>> I don't think any other OS other than Windows has NTLM bindings.
>>>
>>> Probably not, but I was thinking there may be some obscure package somewhere on the 'net to do this.
>>
>> Avoid NTLM altogether and use Kerberos between apache/squid, Active Directory and the Windows and Linux clients.
>> Firefox and IE both support Kerberos authentication. I believe apache/squid do too, but you need to manually create the service principal names in AD for those.
>> Use pam_krb5 on the Linux clients to get a ticket on login.
> Mind sharing the pam config for that? I have something setup but things don't seem to work.
>> Use samba client on Linux hosts to join to domain and manage the Kerberos keytab file for the machine passwords.
> Hmm...maybe I should not have manually created the credentials.
Ok, here are the default settings that my kickstart file creates to allow me to join the domain and have samba manage the keytab.
# Default Kerberos configuration
mv /etc/krb5.conf /etc/krb5.conf.orig
cat >/etc/krb5.conf <<EOF
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = yes

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 24h
   renew_lifetime = 7d
   forwardable = true
   krb4_convert = false
 }
EOF

authconfig --kickstart --enablekrb5 --krb5realm=MFG.PRV --krb5kdc=mfg.prv --krb5adminserver=mfg.prv --enablekrb5kdcdns --enablekrb5realmdns

# Default Samba configuration (quoted heredoc so the $ in [print$] and the
# backslash in the group names reach the file untouched)
mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
cat >/etc/samba/smb.conf <<'EOF'
[global]
 workgroup = EXAMPLE
 realm = EXAMPLE.COM
 security = ads
 password server = *
 use kerberos keytab = yes
 passdb backend = tdbsam
 allow trusted domains = no
 idmap domains = default
 idmap config default:default = yes
 idmap config default:backend = rid
 idmap uid = 100000 - 999999
 idmap gid = 100000 - 999999
 template homedir = /home/%U
 template shell = /bin/bash
 winbind use default domain = true
 winbind enum groups = yes
 winbind enum users = yes
 name resolve order = wins bcast host

[homes]
 comment = Home Directories
 read only = no
 browseable = no

[printers]
 comment = All Printers
 path = /var/spool/samba
 printable = yes
 browseable = no

[print$]
 comment = Printer Drivers
 path = /var/lib/samba/drivers
 admin users = @"MFG\Printer Admins"
 write list = @"MFG\Printer Admins"
 force user = root
 force group = root
 create mask = 0664
 directory mask = 0775
EOF

mkdir -p /var/lib/samba/drivers/W32ALPHA
mkdir -p /var/lib/samba/drivers/W32MIPS
mkdir -p /var/lib/samba/drivers/W32PPC
mkdir -p /var/lib/samba/drivers/W32X86
mkdir -p /var/lib/samba/drivers/WIN40
chown -R root:root /var/lib/samba/drivers
chmod -R 775 /var/lib/samba/drivers

authconfig --kickstart --smbworkgroup=MFG --smbservers=* --enablewinbind --smbsecurity=ads --smbrealm=MFG.PRV --smbidmapuid=100000-999999 --smbidmapgid=100000-999999 --winbindtemplatehomedir=/home/%U --winbindtemplateshell=/bin/bash --enablewinbindusedefaultdomain

# Default NSS_LDAP configuration
mv /etc/ldap.conf /etc/ldap.conf.orig
cat >/etc/ldap.conf <<EOF
uri ldap://example.com/
base dc=example,dc=com
timelimit 30
bind_timelimit 30
idle_timelimit 3600
ssl start_tls
tls_checkpeer no
use_sasl yes
sasl_secprops maxssf=0
krb5_ccname FILE:/tmp/krb5.ldap

pam_filter objectClass=User
pam_password crypt

nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup Group

nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute userPassword unixUserPassword

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
EOF

# Default OpenLDAP configuration
mv /etc/openldap/ldap.conf /etc/openldap/ldap.conf.orig
cat >/etc/openldap/ldap.conf <<EOF
URI ldap://example.com
BASE dc=example, dc=com
SASL_SECPROPS maxssf=0
TLS_REQCERT allow
EOF

authconfig --kickstart --ldapserver=mfg.prv --ldapbasedn="DC=mfg,DC=prv"

# Add an entry for pam_mkhomedir in system-auth, just before the pam_limits
# line. Uses | as the sed delimiter (the replacement contains /etc/skel) and
# \( \) for the backreference, which a basic regex needs.
sed -i -e 's|^\(session[[:space:]]\+required[[:space:]]\+pam_limits\.so\)|session     required      pam_mkhomedir.so skel=/etc/skel umask=0077 silent\n\1|' /etc/pam.d/system-auth
By using authconfig I avoid having to manually edit the PAM stuff which can get clobbered after an upgrade.
After configured I do have to manually join the domain, and enable/restart winbind.
# net ads join -U <admin user>
# chkconfig winbind on
# service winbind restart
-Ross
Thanks Ross, much appreciated.
Now I have to see if I can translate the necessary stuff to Ubuntu (Centos 5 did not cut it for desktop - cost me almost all the new Linux desktops but it sure was the easiest to install and setup. Ubuntu is a pain to get the debian-installer to do what kickstart does...still stuck on the stupid disk part/RAID/LVM configuration)
Christopher
On Mon, Feb 16, 2009 at 8:34 PM, Christopher Chan christopher.chan@bradbury.edu.hk wrote:
> Thanks Ross, much appreciated.
> Now I have to see if I can translate the necessary stuff to Ubuntu (Centos 5 did not cut it for desktop - cost me almost all the new Linux desktops but it sure was the easiest to install and setup. Ubuntu is a pain to get the debian-installer to do what kickstart does...still stuck on the stupid disk part/RAID/LVM configuration)
Yes, Ubuntu is nice, but the automated installer of Debian's still leaves a lot to be desired.
Just use sed to edit the pam configs in the script section at the end.
Below are what mine look like after authconfig was finished with them.
== system-auth ==
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_mkhomedir.so skel=/etc/skel umask=0077 silent
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
== nsswitch.conf ==
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       nisplus or nis+         Use NIS+ (NIS version 3)
#       nis or yp               Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files winbind
shadow:     files winbind
group:      files winbind

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files

publickey:  nisplus

automount:  files
aliases:    files nisplus
== krb5.conf ==
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MFG.PRV
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = yes
 renewable = yes

[realms]
 MFG.PRV = {
  kdc = mfg.prv
  admin_server = mfg.prv
  default_domain = mfg.prv
 }

[domain_realm]
 .mfg.prv = MFG.PRV
 mfg.prv = MFG.PRV

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true
  renewable = true
  krb4_convert = false
 }
== smb.conf ==
[global]
 workgroup = MFG
 security = ads
 realm = MFG.PRV
 load printers = yes
 printing = cups
 max log size = 50
 passdb backend = tdbsam
 use kerberos keytab = Yes
 allow trusted domains = no
 idmap backend = rid:"BUILTIN=100000-109999,MFG=110000-999999"
 winbind gid = 100000-999999
 winbind uid = 100000-999999
 template homedir = /home/%U
 template shell = /bin/bash
 winbind enum groups = yes
 winbind enum users = yes
 winbind use default domain = yes
 wins server = mfg.prv
 name resolve order = wins bcast host
 restrict anonymous = no
 domain master = no
 preferred master = no
 printer admin = @"MFG\Printer Admins"

[printers]
 path = /var/spool/samba
 printable = yes

[print$]
 path = /var/lib/samba/print
 write list = @"MFG\Printer Admins"
 force user = root
 force group = "printer admins"
 create mask = 0664
 directory mask = 0775
== ldap.conf ==
URI ldap://mfg.prv/
BASE DC=mfg,DC=prv
SASL_SECPROPS maxssf=0
TLS_REQCERT allow
TLS_CACERTDIR /etc/openldap/cacerts
The LDAP stuff really wasn't necessary to get things working, I just like the ldapsearch tool for exploring attributes in AD and it works with GSSAPI (oh you need the GSSAPI/SASL packages installed for SSO to work).
On Redhat these are:
cyrus-sasl-gssapi-2.1.22-4
libgssapi-0.10-2
cyrus-sasl-2.1.22-4
cyrus-sasl-lib-2.1.22-4
cyrus-sasl-md5-2.1.22-4
cyrus-sasl-ntlm-2.1.22-4
cyrus-sasl-plain-2.1.22-4
-Ross
> Ok, here are the default settings that my kickstart file creates to allow me to join the domain and have samba manage the keytab.
Ross, I was out of town and missed this thread, which is of great interest to me as well. When you say "have samba manage the keytab" do you mean not to use one, as opposed to having a dedicated service account on the DC, having it generate the keytab and copying it over? A lot of solutions I have seen use that procedure, which I have never wanted to do for obvious reasons.
Also, I see you also configure ldap to point towards what looks like your AD server as well. How come you use both Samba/Winbind and ldap?
Thanks for the info! jlc
On Tue, Feb 17, 2009 at 12:24 PM, Joseph L. Casale JCasale@activenetwerx.com wrote:
>> Ok, here are the default settings that my kickstart file creates to allow me to join the domain and have samba manage the keytab.
> Ross, I was out of town and missed this thread, which is of great interest to me as well. When you say "have samba manage the keytab" do you mean not to use one, as opposed to having a dedicated service account on the DC, having it generate the keytab and copying it over? A lot of solutions I have seen use that procedure, which I have never wanted to do for obvious reasons.
If you don't have a keytab file when you use samba to join to the domain and you have the 'use kerberos keytab = yes' set in your smb.conf, then samba creates one and populates it with the AD compatible host SPNs and machine password. From that point on it will keep the keytab in sync. I don't know if it will add these if SPNs already exist, I haven't tried it.
> Also, I see you also configure ldap to point towards what looks like your AD server as well. How come you use both Samba/Winbind and ldap?
LDAP wasn't necessary, I use it for querying AD attributes using the OpenLDAP tools (I don't trust Microsoft and think they hide attributes in ADSIEdit!).
Though I could have used NSS_LDAP instead of Winbind, I just would need to set UID/GID for every user and group in AD which was just too much of a PITA.
-Ross
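Added example, not Ross's code: the check that goes with his answer to Joseph's keytab question and with his earlier remark that the service principal names for apache/squid still have to be created. After `net ads join` with `use kerberos keytab = yes`, the script lists what Samba put in the keytab, adds the HTTP/<fqdn> principal on the machine's own computer object (so no separate service account or hand-made keytab has to be copied over), and proves the key works with a keytab-only kinit. The FQDN, realm and keytab path are assumptions, and the `klist -kt` sample in the test is constructed.

```shell
#!/bin/bash
# Added example (not from the thread): inspect and extend the keytab that
# Samba maintains after "net ads join". FQDN, realm and keytab path are
# assumptions.

FQDN=${FQDN:-$(hostname -f 2>/dev/null || hostname)}
REALM=${REALM:-MFG.PRV}
KEYTAB=${KEYTAB:-/etc/krb5.keytab}

# keytab_principals: "klist -kt" output on stdin -> distinct principal names
# (the KVNO and timestamp columns are dropped, header lines skipped)
keytab_principals() {
    awk 'NF >= 4 && $NF ~ /@/ { print $NF }' | sort -u
}

# keytab_has_spn SERVICE: 0 if SERVICE/FQDN@REALM appears in the klist output on stdin
keytab_has_spn() {
    keytab_principals | grep -qxF "$1/$FQDN@$REALM"
}

# ensure_http_spn: add HTTP/<fqdn> unless it is already there, then re-check.
# "net ads keytab add HTTP" writes the keys for HTTP/<fqdn> using the machine
# password Samba already manages; whether it also registers the SPN in AD
# depends on the Samba version (see the note below).
ensure_http_spn() {
    if klist -kt "$KEYTAB" | keytab_has_spn HTTP; then
        echo "HTTP/$FQDN@$REALM already in $KEYTAB"
        return 0
    fi
    net ads keytab add HTTP || return 1
    klist -kt "$KEYTAB" | keytab_has_spn HTTP
}

# verify_spn SERVICE: get a TGT using only the keytab key for SERVICE/FQDN, in
# a throwaway cache. Failure here usually means the keytab KVNO no longer
# matches the machine password in AD (a hand-made keytab, or a rotated machine
# password), which is exactly what letting Samba manage the keytab avoids.
verify_spn() {
    local cc=/tmp/krb5cc_spncheck.$$
    KRB5CCNAME=$cc kinit -k -t "$KEYTAB" "$1/$FQDN@$REALM" || { rm -f "$cc"; return 1; }
    rm -f "$cc"
    echo "$1/$FQDN@$REALM key in $KEYTAB is valid"
}

case "${1:-}" in
    list) klist -kt "$KEYTAB" | keytab_principals ;;
    add)  ensure_http_spn && verify_spn HTTP ;;
esac
```

Run `list` after the join to see the host/ and machine-account entries Samba created, then `add`. Two things to check afterwards: that the SPN really is on the computer object (`setspn -L <host>` on a DC, or `net ads setspn list` on newer Samba, which no longer registers SPNs from `net ads keytab add`; there `net ads keytab add_update_ads` or `net ads setspn add` does it), and that Apache can read the key without /etc/krb5.keytab being readable by the apache user. For the second, extract just the HTTP entries into a separate file with `ktutil` (`rkt /etc/krb5.keytab`, `delent` the others, `wkt /etc/httpd/conf/http.keytab`) and chown that file to apache, rather than loosening permissions on the machine keytab, which would let the web server account impersonate the whole host.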