[CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

Tue Feb 17 01:18:23 UTC 2009
Ross Walker <rswwalker at gmail.com>

On Mon, Feb 16, 2009 at 7:07 PM, Christopher Chan
<christopher.chan at bradbury.edu.hk> wrote:
> Ross Walker wrote:
>> On Feb 16, 2009, at 3:13 AM, "Sorin Srbu" <sorin.srbu at orgfarm.uu.se>
>> wrote:
>>
>>
>>>> -----Original Message-----
>>>> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
>>>>
>>> Behalf
>>>
>>>> Of Christopher Chan
>>>> Sent: Monday, February 16, 2009 8:53 AM
>>>> To: CentOS mailing list
>>>> Subject: Re: [CentOS] Practical experience with NTLM/Windows
>>>> Integrated
>>>> Authentication [Apache]
>>>>
>>>>
>>>>
>>>>>> No, NTLM auth works in Firefox (at least on Firefox on Windows, I
>>>>>> don't think it will work on other platforms though).
>>>>>>
>>>>> It doesn't. NTLM auth to eg Sharepoint sites works fine with
>>>>> Firefox in
>>>>> Windows. Setting the same things in Firefox under linux and having
>>>>> it
>>>>>
>>> login
>>>
>>>>> to sharepoint doesn't.
>>>>>
>>>> I don't think any other OS other than Windows has NTLM bindings.
>>>>
>>> Probably not, but I was thinking there may be some obscure package
>>> somewhere
>>> on the 'net to do this.
>>>
>>
>> Avoid NTLM altogether and use Kerberos between apache/squid, Active
>> Directory and the Windows and Linux clients.
>>
>> Firefox and IE both support Kerberos authentication. I believe apache/
>> squid do too, but you need to manually create the service principal
>> names in AD for those.
>>
>> Use pam_krb5 on the Linux clients to get a ticket on login.
>>
> Mind sharing the pam config for that? I have something setup but things
> don't seem to work.
>> Use samba client on Linux hosts to join to domain and manage the
>> Kerberos keytab file for the machine passwords.
>>
> Hmm...maybe I should not have manually created the credentials.

Ok, here are the default settings that my kickstart file creates to
allow me to join the domain and have samba manage the keytab.

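# Default Kerberos configuration
# NOTE(review): this heredoc has no [realms] stanza and sets dns_lookup_kdc = false,
# so on its own it names no KDC. It only works because the authconfig call below
# rewrites /etc/krb5.conf with DNS lookup re-enabled; the realm written here
# (EXAMPLE.COM) also differs from the one passed to authconfig (MFG.PRV).
# Confirm which value is intended so the file and the tool agree.
mv /etc/krb5.conf /etc/krb5.conf.orig

# Quoted delimiter: the file is written verbatim, with no shell expansion.
cat >/etc/krb5.conf <<'EOF'
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 24h
   renew_lifetime = 7d
   forwardable = true
   krb4_convert = false
 }

EOF

# One logical command: the continuation backslashes keep the options together.
# A bare line break here would run each fragment as a separate command.
authconfig --kickstart --enablekrb5 --krb5realm=MFG.PRV \
    --krb5kdc=mfg.prv --krb5adminserver=mfg.prv --enablekrb5kdcdns \
    --enablekrb5realmdns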

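# Default Samba configuration
# NOTE(review): the workgroup/realm written here (EXAMPLE / EXAMPLE.COM) differ
# from the MFG / MFG.PRV values passed to authconfig below and from the
# "MFG\..." group names in [print$]; authconfig rewrites [global], so the
# tool's values win -- confirm the intended names so the file and the tool agree.
mv /etc/samba/smb.conf /etc/samba/smb.conf.orig

# Quoted delimiter: "[print$]", "%U" and the backslash in the group names are
# written verbatim, with no shell expansion.
cat >/etc/samba/smb.conf <<'EOF'
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ads
   password server = *
   use kerberos keytab = yes
   passdb backend = tdbsam
   allow trusted domains = no
   idmap domains = default
   idmap config default:default = yes
   idmap config default:backend = rid
   idmap uid = 100000 - 999999
   idmap gid = 100000 - 999999
   template homedir = /home/%U
   template shell = /bin/bash
   winbind use default domain = true
   # Enumeration of all users/groups can be slow on large domains -- confirm it is needed.
   winbind enum groups = yes
   winbind enum users = yes
   # NOTE(review): wins and bcast are consulted before host (hosts file/DNS).
   # Broadcast and WINS answers can be supplied by any machine on the segment,
   # so for a domain member that already depends on DNS for AD, "host wins bcast"
   # is the safer order -- confirm no WINS-only names are required before changing.
   name resolve order = wins bcast host

[homes]
   comment = Home Directories
   read only = no
   browseable = no

[printers]
   comment = All Printers
   path = /var/spool/samba
   printable = yes
   browseable = no

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/drivers
   admin users = @"MFG\Printer Admins"
   write list = @"MFG\Printer Admins"
   force user = root
   force group = root
   create mask = 0664
   directory mask = 0775
EOF

# Driver directories for the [print$] share; group-writable, root-owned.
mkdir -p /var/lib/samba/drivers/W32ALPHA
mkdir -p /var/lib/samba/drivers/W32MIPS
mkdir -p /var/lib/samba/drivers/W32PPC
mkdir -p /var/lib/samba/drivers/W32X86
mkdir -p /var/lib/samba/drivers/WIN40
chown -R root:root /var/lib/samba/drivers
chmod -R 775 /var/lib/samba/drivers

# One logical command: the continuation backslashes keep the options together.
# A bare line break here would run each fragment as a separate command.
authconfig --kickstart --smbworkgroup=MFG --smbservers=* \
    --enablewinbind --smbsecurity=ads --smbrealm=MFG.PRV \
    --smbidmapuid=100000-999999 --smbidmapgid=100000-999999 \
    --winbindtemplatehomedir=/home/%U --winbindtemplateshell=/bin/bash \
    --enablewinbindusedefaultdomain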

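# Default NSS_LDAP configuration
mv /etc/ldap.conf /etc/ldap.conf.orig

# Quoted delimiter: the file is written verbatim, with no shell expansion.
cat >/etc/ldap.conf <<'EOF'
uri ldap://example.com/
base dc=example,dc=com
timelimit 30
bind_timelimit 30
idle_timelimit 3600
ssl start_tls
# NOTE(review): "tls_checkpeer no" accepts any server certificate, so the
# start_tls session above is encrypted but the directory server is not
# authenticated; with maxssf=0 below, TLS is the only protection for this
# traffic. Prefer "tls_checkpeer yes" together with
# "tls_cacertfile <path to the directory CA certificate>" once that
# certificate is deployed on the host.
tls_checkpeer no
use_sasl yes
# maxssf=0 disables SASL-layer integrity/privacy (commonly needed when binding
# with GSSAPI through an existing TLS session), so protection rests on TLS.
sasl_secprops maxssf=0
# Credential cache used for the SASL bind. Nothing in this script obtains or
# renews that ticket, so something else must keep it valid -- confirm. A
# root-owned location outside the shared /tmp directory is preferable.
krb5_ccname FILE:/tmp/krb5.ldap

pam_filter		objectClass=User
pam_password		crypt

nss_map_objectclass	posixAccount		User
nss_map_objectclass	shadowAccount		User
nss_map_objectclass	posixGroup		Group

nss_map_attribute	homeDirectory		unixHomeDirectory
nss_map_attribute	uniqueMember		msSFU30PosixMember
nss_map_attribute	userPassword		unixUserPassword

# Option and value on one line: a break between them leaves the option empty
# and the user list as an unrecognised line.
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
EOF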

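# Default OpenLDAP configuration
# NOTE(review): the BASE written here (dc=example, dc=com) differs from the
# --ldapbasedn passed to authconfig (DC=mfg,DC=prv); confirm the intended value.
mv /etc/openldap/ldap.conf /etc/openldap/ldap.conf.orig

# Quoted delimiter: the file is written verbatim, with no shell expansion.
cat >/etc/openldap/ldap.conf <<'EOF'
URI            ldap://example.com
BASE           dc=example, dc=com
SASL_SECPROPS  maxssf=0
# NOTE(review): "allow" lets the client continue with a missing or invalid
# server certificate, so TLS here does not authenticate the directory server.
# Use "TLS_REQCERT demand" with "TLS_CACERT <path to the directory CA
# certificate>" once that certificate is on the host.
TLS_REQCERT    allow
EOF

authconfig --kickstart --ldapserver=mfg.prv --ldapbasedn="DC=mfg,DC=prv"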

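# Add an entry for pam_mkhomedir in system-auth, directly above the pam_limits
# session line (umask=0077 keeps new home directories private to their owner).
# The whole s/// expression must stay on one line: a line break inside the
# single-quoted replacement leaves the s command unterminated. The match
# depends on the exact spacing authconfig writes for the pam_limits line --
# verify the line was actually inserted after running this.
sed -i -e 's/\(session     required      pam_limits.so\)/session     required      pam_mkhomedir.so skel=\/etc\/skel umask=0077 silent\n\1/' /etc/pam.d/system-auth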

By using authconfig I avoid having to manually edit the PAM stuff
which can get clobbered after an upgrade.

After it is configured I still have to manually join the domain and
enable/restart winbind.

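# net ads join -U <admin user>
# chkconfig winbind on
# service winbind restart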

-Ross