If anyone has any feedback, let me know. Anxious to hear if this works for others.<br><br>Stewart<br><br><br><div class="gmail_quote">On Wed, Apr 8, 2009 at 12:36 PM, Stewart L <span dir="ltr"><<a href="mailto:stewartl42@gmail.com">stewartl42@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<p style="margin-top: 0.17in;" align="center"><font face="Liberation Sans, sans-serif"><font size="5"><b>Transparent
Authentication against Active Directory 2003 with Apache and CentOS 5</b></font></font></p>
<p style="margin-bottom: 0in;"><br>
</p>
<p style="margin-bottom: 0in;">Here, I will explain the steps I went
through to get a Linux server joined to our Active Directory 2003
infrastructure and to authenticate users against the domain without
them being required to enter credentials.
</p>
<p style="margin-bottom: 0in;"><br>
</p>
<p style="margin-bottom: 0in;">As I said, this is against an AD 2003
structure. If you are operating in a 2000 or NT domain, this might
not work for you, but it should point you on your way.</p>
<p style="margin-bottom: 0in;"><br>
</p>
<p style="margin-bottom: 0in;">I'll make a few assumptions at this
point for the example.
</p>
<ul><li><p style="margin-bottom: 0in;">You are setting up a webserver to
be named <i><a href="http://web1.example.com" target="_blank">web1.example.com</a></i><span style="font-style: normal;">.</span></p>
</li><li><p style="margin-bottom: 0in;"><span style="font-style: normal;">Your
domain is called </span><i>EXAMPLE</i><span style="font-style: normal;"> and
your kerberos Realm is named </span><i><a href="http://EXAMPLE.COM" target="_blank">EXAMPLE.COM</a></i></p>
</li><li><p style="margin-bottom: 0in; font-style: normal;">You have a
domain account named <i>EXAMPLE\Bob</i> that is authorized to add
machines into the domain.</p>
</li><li><p style="margin-bottom: 0in; font-style: normal;">Your Domain
controller is <i><a href="http://dc1.example.com" target="_blank">dc1.example.com</a>.</i></p>
</li></ul>
<h1>Install Packages</h1>
<p>You obviously need apache installed. You will also need the
mod_auth_kerb package to authenticate against the domain. It is also
much easier if you use the system-config-authentication tool in the
authconfig-gtk package.
</p>
<p># yum -y install mod_auth_kerb authconfig-gtk</p>
<h1>Join the Machine to the Domain</h1>
<p>Before you can join a machine to a domain, you must have a few
items taken care of...</p>
<ul><li><p>The hostname (excluding the domain) should be 15 characters
or less.
</p>
</li><li><p>The system clocks should be synchronized. Use NTP for this.
</p>
</li><li><p>Your <b>/etc/hosts </b><span>file
needs to be properly set up. You should have a localhost entry
pointing to 127.0.0.1 and an entry that has your fully-qualified
host name pointing to its assigned IP address. </span>
</p>
</li></ul>
<p style="margin-bottom: 0in;"><span>With
that out of the way, we can begin configuring authentication.</span></p>
<ul><li><p><span>Run
</span><span style="font-style: normal;"><b>system-config-authentication</b></span><span>
as root.</span></p>
</li><li><p><span>On the Authentication tab,
Enable Kerberos and Winbind</span></p>
</li><li><p><span>Configure Kerberos.</span></p>
<ul><li><p><span>REALM = <a href="http://EXAMPLE.COM" target="_blank">EXAMPLE.COM</a></span></p>
</li><li><p><span>Check the boxes for using
DNS to resolve hosts to realms and locate KDCs.</span></p>
</li><li><p><span>KDC and Admin Server can
be left blank.</span></p>
</li><li><p><span>Click ok.</span></p>
</li></ul>
</li><li><p><span>Configure Winbind</span></p>
<ul><li><p><span>Domain = EXAMPLE</span></p>
</li><li><p><span>Security Model = ads</span></p>
</li><li><p><span>ADS Realm = <a href="http://EXAMPLE.COM" target="_blank">EXAMPLE.COM</a></span></p>
</li><li><p><span>Domain Controllers =
<a href="http://dc1.example.com" target="_blank">dc1.example.com</a></span></p>
</li><li><p><span>Click ok</span></p>
</li></ul>
</li><li><p><span>Edit your
</span><b>/etc/samba/smb.conf </b><span>file</span><b>
</b><span>and make sure that your
netbios name is the same as your hostname. This should be the host
part only, not the domain.</span></p>
</li></ul>
<h2><span>Join the Domain</span></h2>
<p><span>As the root user, run the
following commands. You will have to enter a password for Bob after
both commands.</span></p>
<p style="margin-left: 0.49in;"><span>#
kinit EXAMPLE\Bob</span></p>
<p style="margin-left: 0.49in;"><span>#
net ads join -U EXAMPLE\Bob</span></p>
<p><span>That's it! You're on the domain
now. By default you have to have a local account on the box to
authenticate against AD, meaning if there is not a bob account on
<a href="http://web1.example.com" target="_blank">web1.example.com</a>, bob cannot log in with his domain password.</span></p>
<h1>Configure an AD User</h1>
<p>This is where things become a little convoluted. We are going to
create a user account in AD that the web server will use for
authentication. There are a number of different versions and service
packs out there for Windows Server 2000 and 2003. I got a lot of my
information from <a href="http://grolmsnet.de/kerbtut/" target="_blank">http://grolmsnet.de/kerbtut/</a>
so check there if you have problems with this part.
</p>
<ul><li><p>Create a user in AD named http_web1.</p>
</li><li><p>Set this account so that the password never expires.</p>
</li><li><p>On the command line of the Domain Controller, run this line</p>
</li><li><p>ktpass -princ HTTP/web1.example.com@EXAMPLE.COM -mapuser
EXAMPLE\http_web1 -crypto DES-CBC-MD5 -ptype KRB5_NT_SRV_HST -pass
* -out c:\temp\http_web1.keytab</p>
</li><li><p>This will create a keytab file in C:\temp
that you need to move to your webserver and place in <b>/etc/httpd</b>.</p>
</li></ul>
<h2>Configure Apache</h2>
<p>Your configuration should look something like this...</p>
<pre style="margin-left: 0.49in;">
<Location />
    AuthName "Welcome to EXAMPLE"
    AuthType Kerberos
    Krb5Keytab /etc/httpd/http_web1.keytab
    KrbAuthRealm EXAMPLE.COM
    KrbMethodNegotiate On
    KrbSaveCredentials off
    KrbVerifyKDC off
    Require valid-user
</Location>
</pre>
<p>Naturally, you can change the Authname to whatever you like. Check
<a href="http://modauthkerb.sourceforge.net/" target="_blank">http://modauthkerb.sourceforge.net/</a>
for more info on specific configurations</p>
<h1>Configure Firefox (Optional)</h1>
<p>Type about:config in the URL bar
</p>
<p>Modify the following "Preference Name"
</p>
<table border="1" cellpadding="2" cellspacing="0" rules="rows" width="634">
<col width="272">
<col width="353">
<thead>
<tr valign="top">
<th bgcolor="#687684" width="272">
<p><font color="#ffffff">Preference Name</font>
</p>
</th>
<th bgcolor="#687684" width="353">
<p><font color="#ffffff">Value</font>
</p>
</th>
</tr>
</thead>
<tbody>
<tr valign="top">
<td bgcolor="#ffffff" width="272">
<p>network.negotiate-auth.delegation-uris
</p>
</td>
<td bgcolor="#ffffff" width="353">
<p>Example.com</p>
</td>
</tr>
<tr valign="top">
<td bgcolor="#edf4f9" width="272">
<p>network.negotiate-auth.trusted-uris
</p>
</td>
<td bgcolor="#edf4f9" width="353">
<p>Example.com</p>
</td>
</tr>
<tr valign="top">
<td bgcolor="#ffffff" width="272">
<p>network.automatic-ntlm-auth.trusted-uris
</p>
</td>
<td bgcolor="#ffffff" width="353">
<p>Example.com</p>
</td>
</tr>
</tbody>
</table>
<p><br><br>
</p>
</blockquote></div><br><br clear="all"><br>-- <br>Stewart<br>--<br>If you see yourself in others, then whom can you harm?<br>
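<p>Pre-flight checks for the prerequisites the post lists (hostname length, the /etc/hosts entries, the netbios name matching the hostname, and the Krb5Keytab path in the Apache config), as an added example that is not part of Stewart's message; the host web1, the address 192.0.2.10 and the sample files are constructed stand-ins for the real /etc/hosts, smb.conf and httpd config.</p>

```shell
#!/bin/sh
# Pre-flight checks for the join and Apache steps in the post above.
# Added example, not part of the original message; the hostname web1,
# the address 192.0.2.10 and all sample files below are constructed.

# The host part of the name must be 15 characters or less (NetBIOS limit).
check_hostname_len() { [ "${#1}" -le 15 ]; }

# /etc/hosts needs 127.0.0.1 -> localhost and the FQDN -> its assigned IP.
check_hosts_file() {   # $1=hosts file  $2=fqdn  $3=expected ip
    awk -v ip="$3" -v fqdn="$2" '
        /^[[:space:]]*#/ { next }
        $1 == "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i == "localhost") lh = 1 }
        $1 == ip          { for (i = 2; i <= NF; i++) if ($i == fqdn) fq = 1 }
        END { exit (lh + fq != 2) }' "$1"
}

# "netbios name" in smb.conf must equal the short hostname (case-insensitive).
check_netbios_name() { # $1=smb.conf  $2=short hostname
    nb=$(sed -n 's/^[[:space:]]*netbios name[[:space:]]*=[[:space:]]*//p' "$1" |
         sed 's/[[:space:]]*$//' | head -n 1)
    [ "$(printf '%s' "$nb" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# Krb5Keytab in the Apache config must name a readable copy of the ktpass output.
check_keytab_path() {  # $1=Apache config file
    kt=$(awk 'tolower($1) == "krb5keytab" { print $2; exit }' "$1")
    [ -r "$kt" ]
}

run_join_checks() {    # $1=host $2=fqdn $3=ip $4=hosts $5=smb.conf $6=apache conf
    rc=0
    check_hostname_len "$1"         || { echo "hostname '$1' exceeds 15 characters"; rc=1; }
    check_hosts_file "$4" "$2" "$3" || { echo "$4 lacks localhost or $2 -> $3 entry"; rc=1; }
    check_netbios_name "$5" "$1"    || { echo "netbios name in $5 is not '$1'"; rc=1; }
    check_keytab_path "$6"          || { echo "Krb5Keytab in $6 is missing or unreadable"; rc=1; }
    return $rc
}

# Constructed sample files standing in for /etc/hosts, smb.conf and the httpd config.
TMP=$(mktemp -d)
printf '127.0.0.1 localhost.localdomain localhost\n192.0.2.10 web1.example.com web1\n' > "$TMP/hosts"
printf '[global]\n   workgroup = EXAMPLE\n   security = ads\n   netbios name = WEB1\n' > "$TMP/smb.conf"
: > "$TMP/http_web1.keytab"   # empty stand-in for the keytab copied from the DC
printf 'AuthType Kerberos\nKrb5Keytab %s/http_web1.keytab\nKrbAuthRealm EXAMPLE.COM\n' "$TMP" > "$TMP/krb.conf"

if run_join_checks web1 web1.example.com 192.0.2.10 "$TMP/hosts" "$TMP/smb.conf" "$TMP/krb.conf"; then
    echo "prerequisites satisfied; safe to run kinit / net ads join and restart httpd"
fi
```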