On Mon, Feb 16, 2009 at 7:07 PM, Christopher Chan <christopher.chan at bradbury.edu.hk> wrote:
> Ross Walker wrote:
>> On Feb 16, 2009, at 3:13 AM, "Sorin Srbu" <sorin.srbu at orgfarm.uu.se> wrote:
>>
>>>> -----Original Message-----
>>>> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Christopher Chan
>>>> Sent: Monday, February 16, 2009 8:53 AM
>>>> To: CentOS mailing list
>>>> Subject: Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]
>>>>
>>>>>> No, NTLM auth works in Firefox (at least on Firefox on Windows, I
>>>>>> don't think it will work in other platforms though).
>>>>>
>>>>> It doesn't. NTLM auth to eg Sharepoint sites works fine with Firefox in
>>>>> Windows. Setting the same things in Firefox under linux and having it
>>>>> login to sharepoint doesn't.
>>>>
>>>> I don't think any other OS other than Windows has NTLM bindings.
>>>
>>> Probably not, but I was thinking there may be some obscure package somewhere
>>> on the 'net to do this.
>>
>> Avoid NTLM altogether and use Kerberos between apache/squid, Active
>> Directory and the Windows and Linux clients.
>>
>> Firefox and IE both support Kerberos authentication. I believe apache/
>> squid do too, but you need to manually create the service principal
>> names in AD for those.
>>
>> Use pam_krb5 on the Linux clients to get a ticket on login.
>>
> Mind sharing the pam config for that? I have something setup but things
> don't seem to work.
>
>> Use samba client on Linux hosts to join to domain and manage the
>> Kerberos keytab file for the machine passwords.
>>
> Hmm...maybe I should not have manually created the credentials.

Ok, here are the default settings that my kickstart file creates to allow me to join the domain and have samba manage the keytab.
# Default Kerberos configuration
mv /etc/krb5.conf /etc/krb5.conf.orig
cat >/etc/krb5.conf <<EOF
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = yes

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true
  krb4_convert = false
 }
EOF

authconfig --kickstart --enablekrb5 --krb5realm=MFG.PRV --krb5kdc=mfg.prv \
  --krb5adminserver=mfg.prv --enablekrb5kdcdns --enablekrb5realmdns

# Default Samba configuration
mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
cat >/etc/samba/smb.conf <<EOF
[global]
 workgroup = EXAMPLE
 realm = EXAMPLE.COM
 security = ads
 password server = *
 use kerberos keytab = yes
 passdb backend = tdbsam
 allow trusted domains = no
 idmap domains = default
 idmap config default:default = yes
 idmap config default:backend = rid
 idmap uid = 100000 - 999999
 idmap gid = 100000 - 999999
 template homedir = /home/%U
 template shell = /bin/bash
 winbind use default domain = true
 winbind enum groups = yes
 winbind enum users = yes
 name resolve order = wins bcast host

[homes]
 comment = Home Directories
 read only = no
 browseable = no

[printers]
 comment = All Printers
 path = /var/spool/samba
 printable = yes
 browseable = no

[print$]
 comment = Printer Drivers
 path = /var/lib/samba/drivers
 admin users = @"MFG\Printer Admins"
 write list = @"MFG\Printer Admins"
 force user = root
 force group = root
 create mask = 0664
 directory mask = 0775
EOF

mkdir -p /var/lib/samba/drivers/W32ALPHA
mkdir -p /var/lib/samba/drivers/W32MIPS
mkdir -p /var/lib/samba/drivers/W32PPC
mkdir -p /var/lib/samba/drivers/W32X86
mkdir -p /var/lib/samba/drivers/WIN40
chown -R root:root /var/lib/samba/drivers
chmod -R 775 /var/lib/samba/drivers

authconfig --kickstart --smbworkgroup=MFG --smbservers=* --enablewinbind \
  --smbsecurity=ads --smbrealm=MFG.PRV \
  --smbidmapuid=100000-999999 --smbidmapgid=100000-999999 \
  --winbindtemplatehomedir=/home/%U --winbindtemplateshell=/bin/bash \
  --enablewinbindusedefaultdomain

# Default NSS_LDAP configuration
mv /etc/ldap.conf /etc/ldap.conf.orig
cat >/etc/ldap.conf <<EOF
uri ldap://example.com/
base dc=example,dc=com
timelimit 30
bind_timelimit 30
idle_timelimit 3600
ssl start_tls
tls_checkpeer no
use_sasl yes
sasl_secprops maxssf=0
krb5_ccname FILE:/tmp/krb5.ldap
pam_filter objectClass=User
pam_password crypt
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup Group
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute userPassword unixUserPassword
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
EOF

# Default OpenLDAP configuration
mv /etc/openldap/ldap.conf /etc/openldap/ldap.conf.orig
cat >/etc/openldap/ldap.conf <<EOF
URI ldap://example.com
BASE dc=example, dc=com
SASL_SECPROPS maxssf=0
TLS_REQCERT allow
EOF

authconfig --kickstart --ldapserver=mfg.prv --ldapbasedn="DC=mfg,DC=prv"

# Add an entry for pam_mkhomedir in system-auth, just above the pam_limits line
# (the fields in system-auth are separated by runs of spaces, so match any whitespace)
sed -i -e 's/\(session[[:space:]]\+required[[:space:]]\+pam_limits.so\)/session     required      pam_mkhomedir.so skel=\/etc\/skel umask=0077 silent\n\1/' /etc/pam.d/system-auth

By using authconfig I avoid having to manually edit the PAM stuff, which can get clobbered after an upgrade. After it is configured I do have to manually join the domain and enable/restart winbind.

# net ads join -U <admin user>
# chkconfig winbind on
# service winbind restart

-Ross
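Two things in the kickstart above are worth checking on the finished host rather than trusting: the here-documents write EXAMPLE.COM while the authconfig calls set MFG.PRV (authconfig rewrites both files, but whatever ends up on disk, krb5.conf and smb.conf must name the same realm or the keytab samba manages is useless to the Kerberos library), and the LDAP client files turn off certificate checking (tls_checkpeer no, TLS_REQCERT allow) while sasl_secprops maxssf=0 also strips the GSSAPI integrity layer, so directory lookups ride an unauthenticated channel. The audit script below is an added example, not part of Ross's post or of the CentOS/authconfig tooling. It parses the three file formats, reports the realm mismatch and the weak TLS settings, and when run with --demo it writes constructed sample files that mirror the posted settings plus one hardened nss_ldap file; the sample host names, the CA bundle path and all file names are assumptions for the demo, not values from the post.

```shell
#!/bin/bash
# Post-install audit for a Kerberos/Samba/nss_ldap client built like the
# kickstart above. Added example, not from the original post.
#   1. krb5.conf default_realm must equal smb.conf realm, otherwise
#      "use kerberos keytab = yes" hands the library a keytab it won't use.
#   2. tls_checkpeer no / TLS_REQCERT allow|never leave the LDAP server
#      unauthenticated; sasl_secprops maxssf=0 on top of that removes the
#      GSSAPI integrity layer, so an active attacker can read or alter lookups.

# Value of "KEY = VALUE" in an ini-style file (krb5.conf, smb.conf); first match.
conf_get() {  # conf_get FILE KEY
    grep -i -E "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n1 \
        | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*(#.*)?$//'
}

# Value of "KEY VALUE" in an ldap.conf-style file (nss_ldap or OpenLDAP); first match.
ldap_get() {  # ldap_get FILE KEY
    grep -i -E "^[[:space:]]*$2([[:space:]]+|$)" "$1" | head -n1 | awk '{print $2}'
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }
upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# realm_check KRB5CONF SMBCONF -> 0 if both name the same realm, 1 otherwise.
realm_check() {
    local krb smb
    krb=$(upper "$(conf_get "$1" default_realm)")
    smb=$(upper "$(conf_get "$2" realm)")
    if [ -z "$krb" ] || [ -z "$smb" ] || [ "$krb" != "$smb" ]; then
        echo "FAIL realm mismatch: krb5.conf default_realm='$krb' smb.conf realm='$smb'"
        return 1
    fi
    echo "OK   realms agree: $krb"
    return 0
}

# ldap_tls_check LDAPCONF -> returns the number of findings (0 = clean).
# Only an explicit tls_checkpeer yes or TLS_REQCERT demand|hard counts as a
# verified channel; library defaults are deliberately not trusted.
ldap_tls_check() {
    local n=0 verified=no peer reqcert ssf
    peer=$(lower "$(ldap_get "$1" tls_checkpeer)")
    reqcert=$(lower "$(ldap_get "$1" tls_reqcert)")
    ssf=$(lower "$(ldap_get "$1" sasl_secprops)")
    case "$peer" in yes) verified=yes ;; esac
    case "$reqcert" in demand|hard) verified=yes ;; esac
    if [ "$peer" = no ]; then
        echo "FAIL $1: tls_checkpeer no (server certificate is never validated)"; n=$((n+1))
    fi
    case "$reqcert" in allow|never)
        echo "FAIL $1: TLS_REQCERT $reqcert (bad or missing certificate accepted)"; n=$((n+1)) ;;
    esac
    case "$ssf" in *maxssf=0*)
        if [ "$verified" = no ]; then
            echo "FAIL $1: maxssf=0 disables GSSAPI signing/sealing while TLS is not verified"; n=$((n+1))
        fi ;;
    esac
    [ "$n" -eq 0 ] && echo "OK   $1: no TLS findings"
    return "$n"
}

# make_samples DIR: constructed files mirroring the posted kickstart (EXAMPLE.COM in
# the heredocs, MFG.PRV from authconfig) plus a hardened nss_ldap file. Hosts and
# the CA path are made up for this example.
make_samples() {
    printf '[libdefaults]\n default_realm = EXAMPLE.COM\n dns_lookup_kdc = false\n' >"$1/krb5.conf"
    printf '[global]\n workgroup = MFG\n realm = MFG.PRV\n security = ads\n use kerberos keytab = yes\n' >"$1/smb.conf"
    printf '[global]\n workgroup = EXAMPLE\n realm = example.com\n security = ads\n' >"$1/smb.conf.matching"
    printf 'uri ldap://example.com/\nbase dc=example,dc=com\nssl start_tls\ntls_checkpeer no\nuse_sasl yes\nsasl_secprops maxssf=0\n' >"$1/ldap.conf"
    printf 'URI ldap://example.com\nBASE dc=example, dc=com\nSASL_SECPROPS maxssf=0\nTLS_REQCERT allow\n' >"$1/openldap-ldap.conf"
    printf 'uri ldap://dc1.example.com/\nbase dc=example,dc=com\nssl start_tls\ntls_checkpeer yes\ntls_cacertfile /etc/openldap/cacerts/ad-root-ca.pem\nuse_sasl yes\nsasl_secprops maxssf=0\n' >"$1/ldap.conf.hardened"
}

main() {  # main --demo | KRB5CONF SMBCONF NSS_LDAPCONF OPENLDAPCONF
    local dir rc=0
    if [ "${1:-}" = "--demo" ]; then
        dir=$(mktemp -d); make_samples "$dir"
        set -- "$dir/krb5.conf" "$dir/smb.conf" "$dir/ldap.conf" "$dir/openldap-ldap.conf"
    fi
    [ $# -eq 4 ] || { echo "usage: $0 --demo | KRB5CONF SMBCONF NSS_LDAPCONF OPENLDAPCONF" >&2; return 2; }
    realm_check "$1" "$2" || rc=1
    ldap_tls_check "$3" || rc=1
    ldap_tls_check "$4" || rc=1
    return "$rc"
}

# Only run when given arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run `bash ldap-krb-audit.sh --demo` to see the findings against the constructed samples, or `bash ldap-krb-audit.sh /etc/krb5.conf /etc/samba/smb.conf /etc/ldap.conf /etc/openldap/ldap.conf` on a freshly kickstarted host (it exits non-zero on any finding, so it can sit in the %post of the kickstart or in a config-drift check). Note that maxssf=0 by itself is not flagged: Active Directory refuses SASL signing on top of an already encrypted TLS session, so the fix is to keep maxssf=0 and make the TLS channel trustworthy with tls_checkpeer yes and a pinned CA bundle, as the hardened sample does.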