[hobbit] Using ldap accounts with Xymon

Stewart L stewartl42 at gmail.com
Wed Apr 8 21:21:32 CEST 2009


If anyone has any feedback, let me know. Anxious to hear if this works for
others.

Stewart


On Wed, Apr 8, 2009 at 12:36 PM, Stewart L <stewartl42 at gmail.com> wrote:

> *Transparent Authentication against Active Directory 2003 with Apache and
> CentOS 5*
>
>
>  Here, I will explain the steps I went through to get a Linux server
> joined to our Active Directory 2003 infrastructure and to authenticate users
> against the domain without them being required to enter credentials.
>
>
>  As I said, this is against an AD 2003 structure. If you are operating in
> a 2000 or NT domain, this might not work for you, but it should point you on
> your way.
>
>
>  I'll make a few assumptions at this point for the example.
>
>    - You are setting up a webserver to be named *web1.example.com*.
>    - Your domain is called *EXAMPLE* and your kerberos Realm is named
>      *EXAMPLE.COM*.
>    - You have a domain account named *EXAMPLE\Bob* that is authorized to add
>      machines into the domain.
>    - Your Domain controller is *dc1.example.com*.
>
> Install Packages
>
> You obviously need apache installed. You will also need the mod_auth_kerb
> package to authenticate against the domain. It is also much easier if you
> use the system-config-authentication tool in the authconfig-gtk package.
>
> # yum -y install mod_auth_kerb authconfig-gtk
>
> Join the Machine to the Domain
>
> Before you can join a machine to a domain, you must have a few items taken
> care of...
>
>    - The hostname (excluding the domain) should be 15 characters or less.
>    - The system clocks should be synchronized. Use NTP for this.
>    - Your */etc/hosts* file needs to be properly set up. You should have a
>      localhost entry pointing to 127.0.0.1 and an entry that has your
>      fully-qualified host name pointing to its assigned IP address.
>
> With that out of the way, we can begin configuring authentication.
>
>    - Run *system-config-authentication* as root.
>    - On the Authentication tab, enable Kerberos and Winbind.
>    - Configure Kerberos:
>       - REALM = EXAMPLE.COM
>       - Check the boxes for using DNS to resolve hosts to realms and locate
>         KDCs.
>       - KDC and Admin Server can be left blank.
>       - Click OK.
>    - Configure Winbind:
>       - Domain = EXAMPLE
>       - Security Model = ads
>       - ADS Realm = EXAMPLE.COM
>       - Domain Controllers = dc1.example.com
>       - Click OK.
>    - Edit your */etc/samba/smb.conf* file and make sure that your netbios
>      name is the same as your hostname. This should be the host part only, not
>      the domain.
>
> Join the Domain
>
> As the root user, run the following commands. You will have to enter a
> password for Bob after both commands.
>
> # kinit EXAMPLE\Bob
>
> # net ads join -U EXAMPLE\Bob
>
> That's it! You're on the domain now. By default you have to have a local
> account on the box to authenticate against AD, meaning if there is not a bob
> account on web1.example.com, bob cannot log in with his domain password.
>
> Configure an AD User
>
> This is where things become a little convoluted. We are going to create a
> user account in AD that the web server will use for authentication. There
> are a number of different versions and service packs out there for Windows
> Server 2000 and 2003. I got a lot of my information from
> http://grolmsnet.de/kerbtut/ so check there if you have problems with this
> part.
>
>    - Create a user in AD named http_web1.
>    - Set this account so that the password never expires.
>    - On the command line of the Domain Controller, run this line:
>
>      ktpass -princ HTTP/web1.example.com@EXAMPLE.COM -mapuser EXAMPLE\http_web1
>      -crypto DES-CBC-MD5 -ptype KRB5_NT_SRV_HST -pass * -out
>      c:\temp\http_web1.keytab
>
>    - This will create a keytab file in C:\temp that you need to move to your
>      webserver and place in */etc/httpd*.
>
> Configure Apache
>
> Your configuration should look something like this...
>
> <Location />
> AuthName "Welcome to EXAMPLE"
> AuthType Kerberos
> Krb5Keytab /etc/httpd/http_web1.keytab
> KrbAuthRealm EXAMPLE.COM
> KrbMethodNegotiate On
> KrbSaveCredentials off
> KrbVerifyKDC off
> Require valid-user
> </Location>
>
> Naturally, you can change the AuthName to whatever you like. Check
> http://modauthkerb.sourceforge.net/ for more info on specific
> configurations.
>
> Configure Firefox (Optional)
>
> Type about:config in the URL bar.
>
> Modify the following "Preference Name" entries:
>
>    Preference Name                            Value
>    network.negotiate-auth.delegation-uris     Example.com
>    network.negotiate-auth.trusted-uris        Example.com
>    network.automatic-ntlm-auth.trusted-uris   Example.com
>


-- 
Stewart
--
If you see yourself in others, then whom can you harm?
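Added example, not part of Stewart's post or of mod_auth_kerb itself: a small Python lint for the <Location> block quoted above. It flags the two settings a reviewer would question before putting this on a production web server: KrbVerifyKDC off, which the mod_auth_kerb documentation describes as a testing-only switch because tickets are then not checked against the server's keytab, and the Basic-auth password fallback that KrbMethodK5Passwd leaves on by default. The harden() function emits the corrected block; the config text is a constructed copy of the posted one.

```python
import re

# Constructed copy of the <Location> block posted in the thread.
POSTED_CONFIG = """\
<Location />
AuthName "Welcome to EXAMPLE"
AuthType Kerberos
Krb5Keytab /etc/httpd/http_web1.keytab
KrbAuthRealm EXAMPLE.COM
KrbMethodNegotiate On
KrbSaveCredentials off
KrbVerifyKDC off
Require valid-user
</Location>
"""

def parse_directives(text):
    """Map lower-cased directive names to values; skips <Location> tags and comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "<#":
            continue
        key, _, value = line.partition(" ")
        directives[key.lower()] = value.strip().strip('"')
    return directives

def lint_kerb_config(text):
    """Return a list of findings; an empty list means no weak setting was found."""
    d = parse_directives(text)
    findings = []
    if d.get("authtype", "").lower() != "kerberos":
        findings.append("AuthType must be Kerberos for mod_auth_kerb to apply")
    if "krb5keytab" not in d:
        findings.append("Krb5Keytab missing: the HTTP/ service key is needed to validate tickets")
    # mod_auth_kerb documents KrbVerifyKDC off as a testing-only switch.
    if d.get("krbverifykdc", "on").lower() == "off":
        findings.append("KrbVerifyKDC off: service tickets are not verified against the keytab")
    if d.get("krbsavecredentials", "off").lower() == "on":
        findings.append("KrbSaveCredentials on: delegated credentials are cached on the web server")
    # KrbMethodK5Passwd defaults to on, which keeps a Basic-auth password fallback.
    if d.get("krbmethodk5passwd", "on").lower() != "off":
        findings.append("KrbMethodK5Passwd not off: Basic-auth fallback accepts the domain password")
    return findings

def harden(text):
    """Switch KrbVerifyKDC to on and add KrbMethodK5Passwd off before the closing tag."""
    fixed = re.sub(r"(?im)^KrbVerifyKDC\s+off\s*$", "KrbVerifyKDC on", text)
    if "krbmethodk5passwd" not in parse_directives(fixed):
        fixed = fixed.replace("</Location>", "KrbMethodK5Passwd off\n</Location>")
    return fixed
```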