[CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

Tue Feb 17 01:57:36 UTC 2009
Ross Walker <rswwalker at gmail.com>

On Mon, Feb 16, 2009 at 8:34 PM, Christopher Chan
<christopher.chan at bradbury.edu.hk> wrote:
> Thanks Ross, much appreciated.
>
>
> Now I have to see if I can translate the necessary stuff to Ubuntu
> (Centos 5 did not cut it for desktop - cost me almost all the new Linux
> desktops but it sure was the easiest to install and setup. Ubuntu is a
> pain to get the debian-installer to do what kickstart does...still stuck
> on the stupid disk part/RAID/LVM configuration)

Yes, Ubuntu is nice, but the automated installer of Debian's still
leaves a lot to be desired.

Just use sed to edit the pam configs in the script section at the end.

Below are what mine look like after authconfig was finished with them.

== system-auth ==
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_mkhomedir.so skel=/etc/skel umask=0077 silent
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

== nsswitch.conf ==
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       nisplus or nis+         Use NIS+ (NIS version 3)
#       nis or yp               Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files winbind
shadow:     files winbind
group:      files winbind

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files

publickey:  nisplus

automount:  files
aliases:    files nisplus


== krb5.conf ==
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MFG.PRV
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = yes
 renewable = yes

[realms]
 MFG.PRV = {
  kdc = mfg.prv
  admin_server = mfg.prv
  default_domain = mfg.prv
 }

[domain_realm]
 .mfg.prv = MFG.PRV
 mfg.prv = MFG.PRV

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 24h
   renew_lifetime = 7d
   forwardable = true
   renewable = true
   krb4_convert = false
 }


== smb.conf ==
[global]
workgroup = MFG
security = ads
realm = MFG.PRV
load printers = yes
printing = cups
max log size = 50
passdb backend = tdbsam
use kerberos keytab = Yes
allow trusted domains = no
idmap backend = rid:"BUILTIN=100000-109999,MFG=110000-999999"
winbind gid = 100000-999999
winbind uid = 100000-999999
template homedir = /home/%U
template shell = /bin/bash
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
wins server = mfg.prv
name resolve order = wins bcast host
restrict anonymous = no
domain master = no
preferred master = no
printer admin = @"MFG\Printer Admins"

[printers]
path = /var/spool/samba
printable = yes

[print$]
path = /var/lib/samba/print
write list = @"MFG\Printer Admins"
force user = root
force group = "printer admins"
create mask = 0664
directory mask = 0775

== ldap.conf ==
URI ldap://mfg.prv/
BASE DC=mfg,DC=prv
SASL_SECPROPS  maxssf=0
TLS_REQCERT    allow
TLS_CACERTDIR /etc/openldap/cacerts


The LDAP stuff really wasn't necessary to get things working, I just
like the ldapsearch tool for exploring attributes in AD and it works
with GSSAPI (oh you need the GSSAPI/SASL packages installed for SSO to
work).

On Redhat these are:

cyrus-sasl-gssapi-2.1.22-4
libgssapi-0.10-2
cyrus-sasl-2.1.22-4
cyrus-sasl-gssapi-2.1.22-4
cyrus-sasl-lib-2.1.22-4
cyrus-sasl-md5-2.1.22-4
cyrus-sasl-ntlm-2.1.22-4
cyrus-sasl-plain-2.1.22-4

-Ross
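A helper in the spirit of the "use sed in the script section" advice above, added here as an example and not taken from the thread: it splices the pam_krb5 lines from the posted system-auth into a file that does not yet have them, stays idempotent across repeated %post runs, and checks that the auth stack still ends in pam_deny.so (fail closed). The sample system-auth it writes is constructed for the demo, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). Real target is /etc/pam.d/system-auth;
# the demo writes a constructed stand-in instead so it runs offline.

# Constructed CentOS-style system-auth with no Kerberos lines yet.
write_sample_system_auth() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     required      pam_unix.so
EOF
}

# Insert the four pam_krb5 lines from the thread. Skips files that already
# have them, so re-running the kickstart %post does not duplicate modules.
# Writes via a temp file to avoid the GNU/BSD "sed -i" difference.
add_krb5_to_pam() {
    grep -q 'pam_krb5\.so' "$1" && return 0
    sed -e '/^auth[[:space:]].*pam_deny\.so/i\
auth        sufficient    pam_krb5.so use_first_pass' \
        -e '/^account[[:space:]].*pam_permit\.so/i\
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so' \
        -e '/^password[[:space:]].*pam_deny\.so/i\
password    sufficient    pam_krb5.so use_authtok' \
        -e '/^session[[:space:]].*pam_unix\.so/a\
session     optional      pam_krb5.so' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Fail-closed check: the last module in the auth stack must be pam_deny.so,
# otherwise a misordered insert could leave an unauthenticated path open.
pam_auth_fails_closed() {
    case "$(grep '^auth[[:space:]]' "$1" | tail -n 1)" in
        *pam_deny.so*) return 0 ;;
        *) return 1 ;;
    esac
}

# Number of pam_krb5 references in the file (4 once the insert has run).
krb5_line_count() { grep -c 'pam_krb5\.so' "$1" || true; }
```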