[CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]
Ross Walker
rswwalker at gmail.com
Tue Feb 17 01:18:23 UTC 2009
On Mon, Feb 16, 2009 at 7:07 PM, Christopher Chan
<christopher.chan at bradbury.edu.hk> wrote:
> Ross Walker wrote:
>> On Feb 16, 2009, at 3:13 AM, "Sorin Srbu" <sorin.srbu at orgfarm.uu.se>
>> wrote:
>>
>>
>>>> -----Original Message-----
>>>> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
>>>>
>>> Behalf
>>>
>>>> Of Christopher Chan
>>>> Sent: Monday, February 16, 2009 8:53 AM
>>>> To: CentOS mailing list
>>>> Subject: Re: [CentOS] Practical experience with NTLM/Windows
>>>> Integrated
>>>> Authentication [Apache]
>>>>
>>>>
>>>>
>>>>>> No, NTLM auth works in Firefox (at least on Firefox on Windows, I
>>>>>> don't think it will work in other platforms though).
>>>>>>
>>>>> It doesn't. NTLM auth to eg Sharepoint sites works fine with
>>>>> Firefox in
>>>>> Windows. Setting the same things in Firefox under linux and having
>>>>> it
>>>>>
>>> login
>>>
>>>>> to sharepoint doesn't.
>>>>>
>>>> I don't think any other OS other than Windows has NTLM bindings.
>>>>
>>> Probably not, but I was thinking there may be some obscure package
>>> somewhere
>>> on the 'net to do this.
>>>
>>
>> Avoid NTLM altogether and use Kerberos between apache/squid, Active
>> Directory and the Windows and Linux clients.
>>
>> Firefox and IE both support Kerberos authentication. I believe apache/
>> squid do too, but you need to manually create the service principal
>> names in AD for those.
>>
>> Use pam_krb5 on the Linux clients to get a ticket on login.
>>
> Mind sharing the pam config for that? I have something set up but things
> don't seem to work.
>> Use samba client on Linux hosts to join to domain and manage the
>> Kerberos keytab file for the machine passwords.
>>
> Hmm...maybe I should not have manually created the credentials.
OK, here are the default settings that my kickstart file creates so that I
can join the domain and have Samba manage the keytab.
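# Default Kerberos configuration.
# NOTE(review): the authconfig call below rewrites /etc/krb5.conf from its
# own flags, so the realm written here (EXAMPLE.COM) and the one passed to
# authconfig (MFG.PRV) should be the same value; as posted they differ,
# presumably from partial anonymisation. Keep the shipped file for reference.
mv -- /etc/krb5.conf /etc/krb5.conf.orig
# Quoted delimiter: nothing in this file is meant to be expanded by the shell.
cat >/etc/krb5.conf <<'EOF'
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = yes

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true
  krb4_convert = false
 }
EOF
# One command, continued across lines (the original was wrapped by the mail
# client, which would run each fragment separately). No [realms] section is
# written above, so the --enablekrb5*dns flags presumably make KDC discovery
# depend on the AD DNS SRV records.
authconfig --kickstart --enablekrb5 --krb5realm=MFG.PRV \
  --krb5kdc=mfg.prv --krb5adminserver=mfg.prv --enablekrb5kdcdns \
  --enablekrb5realmdns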
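# Default Samba configuration.
# NOTE(review): workgroup/realm here (EXAMPLE / EXAMPLE.COM) and in the
# authconfig call below (MFG / MFG.PRV) should agree; as posted they differ.
mv -- /etc/samba/smb.conf /etc/samba/smb.conf.orig
# Quoted delimiter so the backslash in "MFG\Printer Admins" and the '$' in
# [print$] are passed through literally instead of relying on the shell
# leaving them alone.
cat >/etc/samba/smb.conf <<'EOF'
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ads
   password server = *
   # Samba keeps the machine-account keytab current after "net ads join";
   # this is what replaces hand-created credentials.
   use kerberos keytab = yes
   passdb backend = tdbsam
   # Only our own domain's accounts are accepted on this host.
   allow trusted domains = no
   idmap domains = default
   idmap config default:default = yes
   idmap config default:backend = rid
   idmap uid = 100000 - 999999
   idmap gid = 100000 - 999999
   template homedir = /home/%U
   template shell = /bin/bash
   winbind use default domain = true
   winbind enum groups = yes
   winbind enum users = yes
   name resolve order = wins bcast host

[homes]
   comment = Home Directories
   read only = no
   browseable = no

[printers]
   comment = All Printers
   path = /var/spool/samba
   printable = yes
   browseable = no

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/drivers
   admin users = @"MFG\Printer Admins"
   write list = @"MFG\Printer Admins"
   force user = root
   force group = root
   create mask = 0664
   directory mask = 0775
EOF
# Per-architecture driver directories expected under [print$].
for arch in W32ALPHA W32MIPS W32PPC W32X86 WIN40; do
  mkdir -p -- "/var/lib/samba/drivers/$arch"
done
chown -R root:root -- /var/lib/samba/drivers
# Mode as posted; uploads run as root via "force user", so the group-write
# bit is not needed for them -- TODO confirm whether 755 would do.
chmod -R 775 -- /var/lib/samba/drivers
# One command, continued across lines (the mail client wrapped the original).
# '*' is quoted: unquoted it is a glob and would be replaced if any file in
# the current directory happened to match.
authconfig --kickstart --smbworkgroup=MFG --smbservers='*' \
  --enablewinbind --smbsecurity=ads --smbrealm=MFG.PRV \
  --smbidmapuid=100000-999999 --smbidmapgid=100000-999999 \
  --winbindtemplatehomedir=/home/%U --winbindtemplateshell=/bin/bash \
  --enablewinbindusedefaultdomain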
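# Default NSS_LDAP configuration.
mv -- /etc/ldap.conf /etc/ldap.conf.orig
# Quoted delimiter: the file contains no shell expansions.
cat >/etc/ldap.conf <<'EOF'
uri ldap://example.com/
base dc=example,dc=com
timelimit 30
bind_timelimit 30
idle_timelimit 3600
# STARTTLS is requested, but "tls_checkpeer no" skips verification of the
# server certificate, so the session is protected against passive capture
# only; whoever answers on the LDAP port is trusted. Once the AD CA
# certificate is available, switch to:
#   tls_checkpeer yes
#   tls_cacertfile <path-to-ad-ca-cert>
ssl start_tls
tls_checkpeer no
# GSSAPI bind. maxssf=0 disables the SASL security layer so it does not
# stack on top of TLS, which leaves TLS as the only protection for the
# connection -- hence the tls_checkpeer note above.
use_sasl yes
sasl_secprops maxssf=0
# Credential cache used for the GSSAPI bind. A fixed name in world-writable
# /tmp is a weak choice; a path under a root-owned directory would be safer.
# TODO(review): confirm what creates this cache and with which ownership.
krb5_ccname FILE:/tmp/krb5.ldap
pam_filter objectClass=User
pam_password crypt
# AD schema mapping (Services for UNIX attribute names).
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup Group
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute userPassword unixUserPassword
# Single line: the mail client wrapped the original, which would have left
# the option without a value and the user list as an unknown keyword.
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
EOF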
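# Default OpenLDAP client configuration.
mv -- /etc/openldap/ldap.conf /etc/openldap/ldap.conf.orig
# Quoted delimiter: the file contains no shell expansions.
cat >/etc/openldap/ldap.conf <<'EOF'
URI ldap://example.com
BASE dc=example,dc=com
SASL_SECPROPS maxssf=0
# "allow" requests the server certificate but proceeds even if it is missing
# or fails validation, so the server is not authenticated. Once the AD CA
# certificate is available, use:
#   TLS_CACERT <path-to-ad-ca-cert>
#   TLS_REQCERT demand
TLS_REQCERT allow
EOF
# NOTE(review): the base DN written above (dc=example,dc=com) and the one
# given to authconfig (DC=mfg,DC=prv) should agree; as posted they differ,
# presumably from partial anonymisation.
authconfig --kickstart --ldapserver=mfg.prv --ldapbasedn="DC=mfg,DC=prv"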
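# Add an entry for pam_mkhomedir in system-auth, just ahead of pam_limits.
# Single sed expression (the mail client wrapped the original, which would
# not parse). The pattern accepts any run of whitespace between the fields,
# since authconfig writes the line with padded columns
# ("session     required      pam_limits.so") and the single-space form
# would silently match nothing. umask=0077 keeps new home directories
# private to their owner.
# NOTE(review): system-auth is normally a symlink to system-auth-ac on this
# platform; GNU "sed -i" replaces the link with a regular file unless
# --follow-symlinks is given, after which later authconfig runs no longer
# affect system-auth -- confirm that is the intended behaviour.
sed -i -e 's|\(session[[:space:]]\+required[[:space:]]\+pam_limits\.so\)|session     required      pam_mkhomedir.so skel=/etc/skel umask=0077 silent\n\1|' \
  /etc/pam.d/system-auth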
By using authconfig I avoid having to manually edit the PAM configuration,
which can get clobbered after an upgrade.
Once configured, I do have to manually join the domain and
enable/restart winbind.
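# net ads join -U <admin user>
# chkconfig winbind on        # enable at boot; "restart" is a service(8) action, not a chkconfig one
# service winbind restart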
-Ross