<meta http-equiv="CONTENT-TYPE" content="text/html; charset=utf-8">
<title></title>
<meta name="GENERATOR" content="OpenOffice.org 2.3 (Linux)">
<style type="text/css">
<!--
@page { size: 8.5in 11in; margin: 0.79in }
P { margin-bottom: 0.08in }
H1 { margin-bottom: 0.08in }
H1.western { font-family: "Liberation Sans", sans-serif; font-size: 16pt }
H1.cjk { font-family: "DejaVu LGC Sans"; font-size: 16pt }
H1.ctl { font-family: "DejaVu LGC Sans"; font-size: 16pt }
H2 { margin-bottom: 0.08in }
H2.western { font-family: "Liberation Sans", sans-serif; font-size: 14pt; font-style: italic }
H2.cjk { font-size: 14pt; font-style: italic }
H2.ctl { font-size: 14pt; font-style: italic }
TD P { margin-bottom: 0in }
TH P { margin-bottom: 0in }
-->
</style>
<p style="margin-top: 0.17in; page-break-after: avoid;" align="center"><font face="Liberation Sans, sans-serif"><font size="5"><b>Transparent
Authentication against Active Directory 2003 with Apache and CentOS 5</b></font></font></p>
<p style="margin-bottom: 0in;"><br>
</p>
<p style="margin-bottom: 0in;">Here, I will explain the steps I went
through to get a Linux server joined to our Active Directory 2003
infrastructure and to authenticate users against the domain without
them being required to enter credentials.
</p>
<p style="margin-bottom: 0in;"><br>
</p>
<p style="margin-bottom: 0in;">As I said, this is against an AD 2003
structure. If you are operating in a 200 or NT domain, this might
not work for you, but it should point you on your way.</p>
<p style="margin-bottom: 0in;"><br>
</p>
<p style="margin-bottom: 0in;">I'll make a few assumptions at this
point for the example.
</p>
<ul><li><p style="margin-bottom: 0in;">You are setting up a webserver to
be named <i><a href="http://web1.example.com">web1.example.com</a></i><span style="font-style: normal;">.</span></p>
</li><li><p style="margin-bottom: 0in;"><span style="font-style: normal;">Your
domain is called </span><i>EXAMPLE</i><span style="font-style: normal;"> and
your kerberos Realm is named </span><i><a href="http://EXAMPLE.COM">EXAMPLE.COM</a></i></p>
</li><li><p style="margin-bottom: 0in; font-style: normal;">You have a
domain account baned <i>EXAMPLE\Bob</i> that is authorized to add
machines into the domain.</p>
</li><li><p style="margin-bottom: 0in; font-style: normal;">Your Domain
controller is <i><a href="http://dc1.example.com">dc1.example.com</a>.</i></p>
</li></ul>
<h1 class="western">Install Packages</h1>
<p>You obviously need apache installed. You will also need the
mod_auth_kerb package to authenticate against the domain. It is also
much easier if you use the system-config-authentication tool in the
authconfig-gtk package.
</p>
<p># yum -y install mod_auth_kerb authconfig-gtk</p>
<h1 class="western">Join the Machine to the Domain</h1>
<p>Before you can join a machine to a domain, you must have a few
items taken care of...</p>
<ul><li><p>The hostname (excluding the domain) should be 15 characters
or less.
</p>
</li><li><p>The system clocks should be synchronized. Use NTP for this.
</p>
</li><li><p>Your <b>/etc/hosts </b><span style="">file
needs to be properly set up. You should have a localhost entry
pointing to 127.0.0.1 and an entry that has your fully-qualified
host name pointing to its assigned IP address. </span>
</p>
</li></ul>
<p style="margin-bottom: 0in;"><span style="">With
that out of the way, we can begin configuring authentication.</span></p>
<ul><li><p><span style="">Run
</span><span style="font-style: normal;"><b>system-config-authentication</b></span><span style="">
as root.</span></p>
</li><li><p><span style="">On the Authentication tab,
Enable Kerberos and Winbind</span></p>
</li><li><p><span style="">Configure Kerberos.</span></p>
<ul><li><p><span style="">REALM = <a href="http://EXAMPLE.COM">EXAMPLE.COM</a></span></p>
</li><li><p><span style="">Check the boxes for using
DNS to resolve hosts to realms and locate KDCs.</span></p>
</li><li><p><span style="">KDC and Admin Sevrer can
be left blank</span></p>
</li><li><p><span style="">Click ok.</span></p>
</li></ul>
</li><li><p><span style="">Configure Winbind</span></p>
<ul><li><p><span style="">Domain = EXAMPLE</span></p>
</li><li><p><span style="">Security Model = ads</span></p>
</li><li><p><span style="">ADS Realm = <a href="http://EXAMPLE.COM">EXAMPLE.COM</a></span></p>
</li><li><p><span style="">Domain Controllers =
<a href="http://dc1.example.com">dc1.example.com</a></span></p>
</li><li><p><span style="">Click ok</span></p>
</li></ul>
</li><li><p><span style="">Edit your
</span><b>/etc/samba/smb.conf </b><span style="">file</span><b>
</b><span style="">and make sure that your
netbios name is the same as your hostname. This should be the host
part only, not the domain.</span></p>
</li></ul>
<h2 class="western"><span style="">Join the Domain</span></h2>
<p><span style="">As the root user, run the
following commands. You will have to enter a password for Bob after
both commands.</span></p>
<p style="margin-left: 0.49in;"><span style="">#
kinit EXAMPLE\Bob</span></p>
<p style="margin-left: 0.49in;"><span style="">#
net ads join -U EXAMPLE\Bob</span></p>
<p><span style="">That's it! You're on the domain
now. By default you have to have a local account on the box to
authenticate against AD, meaning if there is not a bob account on
<a href="http://web1.example.com">web1.example.com</a>, bob cannot log in with his domain password.</span></p>
<h1 class="western">Configure an AD User</h1>
<p>This is where things become a little convoluted. We are going to
create a user account in AD that the web server will use for
authentication. There are a number of different versions and service
packs out there for Windows Server 2000 and 2003. I got a lot of my
information from <a href="http://grolmsnet.de/kerbtut/">http://grolmsnet.de/kerbtut/</a>
so check there if you have problems with this part.
</p>
<ul><li><p>Create a user in AD named http_web1.</p>
</li><li><p>Set this account so that the password never expires.</p>
</li><li><p>On the command line of the Domain Controller, run this line</p>
</li><li><p>ktpass -princ HTTP/<a href="http://web1.example.com">web1.example.com</a>@<a href="http://EXAMPLE.COM">EXAMPLE.COM</a> mapuser
-EXMAPLE\http_web1 -crypto DES-CBC-MD5 -ptype KRB5_NT_SRV_HST -pass
* -out c:\temp\http_web1.heytab</p>
</li><li><p>This will create a keytab file in <a href="file:///C:/temp">C:\temp</a>
that you need to move to your webserver and place in <b>/etc/http.</b></p>
</li></ul>
<h2 class="western">Configure Apache</h2>
<p>Your configuration should look something like this...</p>
<p style="margin-left: 0.49in;"><Location /></p>
<p style="margin-left: 0.98in;">AuthName "Welcome to EXAMPLE"</p>
<p style="margin-left: 0.98in;">AuthType Kerberos</p>
<p style="margin-left: 0.98in;">Krb5Keytab /etc/httpd/http_web1.keytab</p>
<p style="margin-left: 0.98in;">KrbAuthRealm <a href="http://EXAMPLE.COM">EXAMPLE.COM</a></p>
<p style="margin-left: 0.98in;">KrbMethodNegotiate On</p>
<p style="margin-left: 0.98in;">KrbSaveCredentials off</p>
<p style="margin-left: 0.98in;">KrbVerifyKDC off</p>
<p style="margin-left: 0.98in;">Require valid-user</p>
<p style="margin-left: 0.49in;"></Location></p>
<p>Naturally, you can change the Authname to whatever you like. Check
<a href="http://modauthkerb.sourceforge.net/">http://modauthkerb.sourceforge.net/</a>
for more info on specific configurations</p>
<h1 class="western">Configure Firefox (Optional)</h1>
<p>Type about:config in the URL bar
</p>
<p>Modify the following "Preference Name"
</p><a name="table1"></a>
<table border="1" cellpadding="2" cellspacing="0" rules="rows" width="634">
<col width="272">
<col width="353">
<thead>
<tr valign="top">
<th bgcolor="#687684" width="272">
<p><a href="https://bbtest.doh.state.fl.us/twiki/bin/view/SORT/TnTFirefoxNTLM?sortcol=0;table=1;up=0#sorted_table"><font color="#ffffff">Preference
Name</font></a>
</p>
</th>
<th bgcolor="#687684" width="353">
<p><a href="https://bbtest.doh.state.fl.us/twiki/bin/view/SORT/TnTFirefoxNTLM?sortcol=1;table=1;up=0#sorted_table"><font color="#ffffff">Value</font></a>
</p>
</th>
</tr>
</thead>
<tbody>
<tr valign="top">
<td bgcolor="#ffffff" width="272">
<p>network.negotiate-auth.delegation-uris
</p>
</td>
<td bgcolor="#ffffff" width="353">
<p>Example.com</p>
</td>
</tr>
<tr valign="top">
<td bgcolor="#edf4f9" width="272">
<p>network.negotiate-auth.trusted-uris
</p>
</td>
<td bgcolor="#edf4f9" width="353">
<p>Example.com</p>
</td>
</tr>
<tr valign="top">
<td bgcolor="#ffffff" width="272">
<p>network.automatic-ntlm-auth.trusted-uris
</p>
</td>
<td bgcolor="#ffffff" width="353">
<p>Example.com</p>
</td>
</tr>
</tbody>
</table>
<p><br><br>
</p>