[hobbit] Using ldap accounts with Xymon

Stewart L stewartl42 at gmail.com
Wed Apr 8 18:36:07 CEST 2009


Transparent Authentication against Active Directory 2003 with Apache and
CentOS 5


Here, I will explain the steps I went through to get a Linux server joined
to our Active Directory 2003 infrastructure and to authenticate users
against the domain without them being required to enter credentials.


As I said, this is against an AD 2003 structure. If you are operating in a
2000 or NT domain, this might not work for you, but it should point you on
your way.


I'll make a few assumptions at this point for the example.

   - You are setting up a webserver to be named web1.example.com.
   - Your domain is called EXAMPLE and your Kerberos realm is named
     EXAMPLE.COM.
   - You have a domain account named EXAMPLE\Bob that is authorized to add
     machines into the domain.
   - Your domain controller is dc1.example.com.

Install Packages

You obviously need apache installed. You will also need the mod_auth_kerb
package to authenticate against the domain. It is also much easier if you
use the system-config-authentication tool in the authconfig-gtk package.

# yum -y install mod_auth_kerb authconfig-gtk

Join the Machine to the Domain

Before you can join a machine to a domain, you must have a few items taken
care of...

   - The hostname (excluding the domain) should be 15 characters or less.
   - The system clocks should be synchronized. Use NTP for this.
   - Your /etc/hosts file needs to be properly set up. You should have a
     localhost entry pointing to 127.0.0.1 and an entry that has your
     fully-qualified host name pointing to its assigned IP address.

With that out of the way, we can begin configuring authentication.

   - Run system-config-authentication as root.
   - On the Authentication tab, enable Kerberos and Winbind.
   - Configure Kerberos:
       - Realm = EXAMPLE.COM
       - Check the boxes for using DNS to resolve hosts to realms and to
         locate KDCs.
       - KDC and Admin Server can be left blank.
       - Click OK.
   - Configure Winbind:
       - Domain = EXAMPLE
       - Security Model = ads
       - ADS Realm = EXAMPLE.COM
       - Domain Controllers = dc1.example.com
       - Click OK.
   - Edit your /etc/samba/smb.conf file and make sure that your netbios
     name is the same as your hostname. This should be the host part only,
     not the domain.

Join the Domain

As the root user, run the following commands. You will have to enter a
password for Bob after both commands.

# kinit EXAMPLE\Bob

# net ads join -U EXAMPLE\Bob

That's it! You're on the domain now. By default you have to have a local
account on the box to authenticate against AD, meaning if there is not a bob
account on web1.example.com, bob cannot log in with his domain password.

Configure an AD User

This is where things become a little convoluted. We are going to create a
user account in AD that the web server will use for authentication. There
are a number of different versions and service packs out there for Windows
Server 2000 and 2003. I got a lot of my information from
http://grolmsnet.de/kerbtut/ so check there if you have problems with this
part.

   - Create a user in AD named http_web1.
   - Set this account so that the password never expires.
   - On the command line of the domain controller, run this line:

     ktpass -princ HTTP/web1.example.com@EXAMPLE.COM -mapuser EXAMPLE\http_web1 -crypto DES-CBC-MD5 -ptype KRB5_NT_SRV_HST -pass * -out c:\temp\http_web1.keytab

   - This will create a keytab file in C:\temp that you need to move to
     your webserver and place in /etc/httpd.

Configure Apache

Your configuration should look something like this...

<Location />
    AuthName "Welcome to EXAMPLE"
    AuthType Kerberos
    Krb5Keytab /etc/httpd/http_web1.keytab
    KrbAuthRealm EXAMPLE.COM
    KrbMethodNegotiate On
    KrbSaveCredentials off
    KrbVerifyKDC off
    Require valid-user
</Location>

Naturally, you can change the AuthName to whatever you like. Check
http://modauthkerb.sourceforge.net/ for more info on specific configurations.

Configure Firefox (Optional)

Type about:config in the URL bar and modify the following preferences:

   Preference Name                             Value
   network.negotiate-auth.delegation-uris      Example.com
   network.negotiate-auth.trusted-uris         Example.com
   network.automatic-ntlm-auth.trusted-uris    Example.com