CentOS - Feb 2009 - Practical experience with NTLM/Windows Integrated Authentication [Apache]

Hi folks

I wish to migrate Windows IIS webserver to CentOS. Killer-Feature is
SSO with Windows Integrated Authentication[0].

Anyone have experience with such a setup and can say a few sentences
how to do that and if its stable?

kind regards
Sven Aluoor

(Please CC me I am not on the list)
[0] http://bayimg.com/image/hanogaabi.jpg

> -----Original Message-----
> From: centos-bounces at centos.org 
> [mailto:centos-bounces at centos.org] On Behalf Of Sven
> Sent: Friday, February 13, 2009 6:11 AM
> To: CentOS mailing list
> Subject: [CentOS] Practical experience with NTLM/Windows 
> IntegratedAuthentication [Apache]
> 
> Hi folks
> 
> I wish to migrate Windows IIS webserver to CentOS. Killer-Feature is
> SSO with Windows Integrated Authentication[0].
> 
> Anyone have experience with such a setup and can say a few sentences
> how to do that and if its stable?
> 
----
Now that sounds like a .aspx and .Net Web App which will not run under
CentOS (Apache) (1). But also it depends though on what your wanting to
actually do on Apache. WIA can still work for example running an app under
centos using apache to access MSSQL server. It just totally depends on what
cat your trying to skin. BTW .Net Version 1 which is Mono on CentOS Apache
has somewhat doable functionality. With Apache on Winblows it can parse
.aspx (.Net) requests. That is a lot of code testing to get it to a usable
state and is NOT worth the effort involved in doing so. You can move all
your web apps for example and still have Single Sign On accessing Active
Directory on the winblows PDC.

All in all your best to stay where your at on IIS and start from the ground
up on CentOS and Apache. Some Fast CGI IIS Apps will work under Apache keep
that in mind.

(1) Requires lots worthless work! In other words do not waist your time.

JohnStanley

On Fri, 2009-02-13 at 12:11 +0100, Sven wrote:
> I wish to migrate Windows IIS webserver to CentOS. Killer-Feature is
> SSO with Windows Integrated Authentication[0].
> 
> Anyone have experience with such a setup and can say a few sentences
> how to do that and if its stable?
I''ve done this on a few servers at work and it works great.  Stable and
essentially hands off after the initial config. The very first time I
set it up, I had a tough time figuring out all the bits that were
necessary to make it work, but I guess that''s true of anything you do
the first time.

You know what the best part is? Nothing was documented. HA!  It''s
actually quite horrible.  My plan is to set up the Apache/Windows AD
integration again on another box and to document it at that time.

Your two keys to success:

1. you better have a solid understanding of administering a CentOS 
   system.  You don''t have to know Apache inside and out, but good
   grasp of how to configure apache is a plus.

2. make sure your Windows ADS is configured properly. If there''s 
   anything that will throw off your project, it''s the Windows server.
   Your Windows admin better know his stuff!

Regards,

Ranbir

-- 
Kanwar Ranbir Sandhu
Linux 2.6.27.12-170.2.5.fc10.x86_64 x86_64 GNU/Linux 
21:12:14 up 2 days, 22:59, 4 users, load average: 0.22, 0.21, 0.29

Hi,

Last year I tried to get this working on a CentOS 4 server, but I
could not get it running.

I used this module at the time:
http://adldap.sourceforge.net/wiki/doku.php?id=mod_auth_ntlm_winbind

I spent some time trying to figure out what was the issue, but
eventually I just gave up. I believe I had some problem on the Samba
config somewhere...

My current job is Linux only so I never tried this again, maybe it
would work under CentOS 5, it might be worth the try...

HTH,
Filipe

On Fri, Feb 13, 2009 at 8:22 PM, Kanwar Ranbir Sandhu
<m3freak at thesandhufamily.ca> wrote:
> On Fri, 2009-02-13 at 12:11 +0100, Sven wrote:
>> I wish to migrate Windows IIS webserver to CentOS. Killer-Feature is
>> SSO with Windows Integrated Authentication[0].
>>
>> Anyone have experience with such a setup and can say a few sentences
>> how to do that and if its stable?
>
> I''ve done this on a few servers at work and it works great. 
Stable and
> essentially hands off after the initial config. The very first time I
> set it up, I had a tough time figuring out all the bits that were
> necessary to make it work, but I guess that''s true of anything you
do
> the first time.
>
> You know what the best part is? Nothing was documented. HA!  It''s
> actually quite horrible.  My plan is to set up the Apache/Windows AD
> integration again on another box and to document it at that time.
>
> Your two keys to success:
>
> 1. you better have a solid understanding of administering a CentOS
>   system.  You don''t have to know Apache inside and out, but good
>   grasp of how to configure apache is a plus.
>
> 2. make sure your Windows ADS is configured properly. If there''s
>   anything that will throw off your project, it''s the Windows
server.
>   Your Windows admin better know his stuff!
>
OK, so you say it''s possible, but how about some hints? You''re
leaving
us completely in the dark here.

-- 
Jeff

Sven wrote:
> Hi folks
>
> I wish to migrate Windows IIS webserver to CentOS. Killer-Feature is
> SSO with Windows Integrated Authentication[0].
>   
Cor...you are asking for a tough one here.
> Anyone have experience with such a setup and can say a few sentences
> how to do that and if its stable?
>
>   
No experience with apache in particular but for SSO to work, Kerberos 
will have to be involved.

Hmm, a Google on apache kerberos produced this:

http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/


Have fun. Oh, I believe this will only work with IE clients on the 
desktop side of things unless Mozilla or whatever else out there has 
kerberos support too.

Hi,

On Sun, Feb 15, 2009 at 19:02, Christopher Chan
<christopher.chan at bradbury.edu.hk> wrote:
> Have fun. Oh, I believe this will only work with IE clients on the
> desktop side of things unless Mozilla or whatever else out there has
> kerberos support too.
No, NTLM auth works in Firefox (at least on Firefox on Windows, I
don''t think it will work in other platforms though).

I tested configuring Firefox on Windows to do NTLM auth, and it worked
with the IIS sites my company had. As I said before, unfortunately I
couldn''t get Apache on Linux to work with NTLM authentication.

See:
http://www.crossedconnections.org/w/?p=89
http://www.cauldwell.net/patrick/blog/PermaLink,guid,c7f1e799-c4ae-4758-9de7-5c3e7a16f3da.aspx
http://kb.mozillazine.org/Network.automatic-ntlm-auth.trusted-uris

HTH,
Filipe

Filipe Brandenburger wrote:
> Hi,
>
> On Sun, Feb 15, 2009 at 19:02, Christopher Chan
> <christopher.chan at bradbury.edu.hk> wrote:
>   
>> Have fun. Oh, I believe this will only work with IE clients on the
>> desktop side of things unless Mozilla or whatever else out there has
>> kerberos support too.
>>     
>
> No, NTLM auth works in Firefox (at least on Firefox on Windows, I
> don''t think it will work in other platforms though).
>   
Okay.
> I tested configuring Firefox on Windows to do NTLM auth, and it worked
> with the IIS sites my company had. As I said before, unfortunately I
> couldn''t get Apache on Linux to work with NTLM authentication.
>   
Too bad. However, based on your information I found this on Google:

http://sivel.net/2007/05/sso-apache-ad-1/

Thanks Filipe. Now I guess I can have a crack at this too.


Christopher

>-----Original Message-----
>From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
Behalf
>Of Filipe Brandenburger
>Sent: Monday, February 16, 2009 3:58 AM
>To: CentOS mailing list
>Subject: Re: [CentOS] Practical experience with NTLM/Windows Integrated
>Authentication [Apache]
>
>No, NTLM auth works in Firefox (at least on Firefox on Windows, I
>don''t think it will work in other platforms though).
It doesn''t. NTLM auth to eg Sharepoint sites works fine with Firefox in
Windows. Setting the same things in Firefox under linux and having it login
to sharepoint doesn''t.
-- 
/Sorin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5106 bytes
Desc: not available
Url :
http://lists.centos.org/pipermail/centos/attachments/20090216/3e200401/attachment.bin

>> No, NTLM auth works in Firefox (at least on Firefox on Windows, I
>> don''t think it will work in other platforms though).
>>     
>
> It doesn''t. NTLM auth to eg Sharepoint sites works fine with
Firefox in
> Windows. Setting the same things in Firefox under linux and having it login
> to sharepoint doesn''t.
>   
I don''t think any other OS other than Windows has NTLM bindings.

>-----Original Message-----
>From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
Behalf
>Of Christopher Chan
>Sent: Monday, February 16, 2009 8:53 AM
>To: CentOS mailing list
>Subject: Re: [CentOS] Practical experience with NTLM/Windows Integrated
>Authentication [Apache]
>
>
>>> No, NTLM auth works in Firefox (at least on Firefox on Windows, I
>>> don''t think it will work in other platforms though).
>>
>> It doesn''t. NTLM auth to eg Sharepoint sites works fine with
Firefox in
>> Windows. Setting the same things in Firefox under linux and having it
login
>> to sharepoint doesn''t.
>
>I don''t think any other OS other than Windows has NTLM bindings.
Probably not, but I was thinking there may be some obscure package somewhere
on the ''net to do this.
-- 
/Sorin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5106 bytes
Desc: not available
Url :
http://lists.centos.org/pipermail/centos/attachments/20090216/d4b67e64/attachment.bin

>> I don''t think any other OS other than Windows has NTLM
bindings.
>>     
>
> Probably not, but I was thinking there may be some obscure package
somewhere
> on the ''net to do this.
>   
Hahaha, and I was hoping to flush it/them out.

On Feb 16, 2009, at 3:13 AM, "Sorin Srbu" <sorin.srbu at
orgfarm.uu.se>
wrote:
>> -----Original Message-----
>> From: centos-bounces at centos.org [mailto:centos-bounces at
centos.org] On
> Behalf
>> Of Christopher Chan
>> Sent: Monday, February 16, 2009 8:53 AM
>> To: CentOS mailing list
>> Subject: Re: [CentOS] Practical experience with NTLM/Windows  
>> Integrated
>> Authentication [Apache]
>>
>>
>>>> No, NTLM auth works in Firefox (at least on Firefox on Windows,
I
>>>> don''t think it will work in other platforms though).
>>>
>>> It doesn''t. NTLM auth to eg Sharepoint sites works fine
with
>>> Firefox in
>>> Windows. Setting the same things in Firefox under linux and having
>>> it
> login
>>> to sharepoint doesn''t.
>>
>> I don''t think any other OS other than Windows has NTLM
bindings.
>
> Probably not, but I was thinking there may be some obscure package  
> somewhere
> on the ''net to do this.
Avoid NTLM all together and use Kerberos between apache/squid, Active  
Directory and the Windows and Linux clients.

Firefox and IE both support Kerberos authentication. I believe apache/ 
squid do too, but you need a manually create the service principal  
names in AD for those.

Use pam_krb5 on the Linux clients to get a ticket on login.

Use samba client on Linux hosts to join to domain and manage the  
Kerberos keytab file for the machine passwords.

Use winbind to get passwd/group files via nsswitch.

-Ross

On Sat, 2009-02-14 at 09:14 -0600, Jeff wrote:
> OK, so you say it''s possible, but how about some hints?
You''re leaving
> us completely in the dark here.
The problem is I don''t have a step-by-step procedure to give you
because
I didn''t document as I went along.  Working in smaller company usually
means documentation gets delayed or not done at all, unfortunately (not
enough time to do it!).

I''ll see if I saved the links I found the most useful when I did the
integration (on my work PC, so has to wait until Feb 17th, at least).
The websites I used will hopefully be useful to you, too.

Regards,

Ranbir

-- 
Kanwar Ranbir Sandhu
Linux 2.6.27.12-170.2.5.fc10.x86_64 x86_64 GNU/Linux 
17:50:59 up 5 days, 19:38, 3 users, load average: 2.08, 1.78, 0.98

On Mon, 2009-02-16 at 09:13 +0100, Sorin Srbu wrote:
> Probably not, but I was thinking there may be some obscure package
somewhere
> on the ''net to do this.
There is - I found it last year, and it works.  I have everything on my
work PC, so I''ll let the list know tomorrow or later this week.

Regards,

Ranbir

-- 
Kanwar Ranbir Sandhu
Linux 2.6.27.12-170.2.5.fc10.x86_64 x86_64 GNU/Linux 
17:54:53 up 5 days, 19:41, 3 users, load average: 1.20, 1.70, 1.14

On Mon, 2009-02-16 at 15:21 -0500, Ross Walker wrote:
> Avoid NTLM all together and use Kerberos between apache/squid, Active  
> Directory and the Windows and Linux clients.
> 
> Firefox and IE both support Kerberos authentication. I believe apache/ 
> squid do too, but you need a manually create the service principal  
> names in AD for those.
I was using NTLM at first, but then switched to Kerberos (on the CentOS
server side).  The Windows users didn''t see a difference.  For them,
SSO
works just as well as before, but I still get prompted to enter
user/password when I use my Fedora 10 desktop to browse to CentOS hosted
web sites.

My Fedora desktop is joined to the domain. I can login with my AD
user/password. I even have caching working, which lets me sign on to my
laptop when it''s not connected to the network.

I suppose I''ve missed something, though I don''t know what.

Regards,

Ranbir

-- 
Kanwar Ranbir Sandhu
Linux 2.6.27.12-170.2.5.fc10.x86_64 x86_64 GNU/Linux 
17:57:09 up 5 days, 19:44, 3 users, load average: 0.21, 1.13, 1.00

> -----Original Message-----
> From: centos-bounces at centos.org 
> [mailto:centos-bounces at centos.org] On Behalf Of Kanwar Ranbir Sandhu
> Sent: Monday, February 16, 2009 5:56 PM
> To: centos at centos.org
> Subject: Re: [CentOS] Practical experience with NTLM/Windows 
> Integrated Authentication [Apache]
> 
> On Mon, 2009-02-16 at 09:13 +0100, Sorin Srbu wrote:
> > Probably not, but I was thinking there may be some obscure 
> package somewhere
> > on the ''net to do this.
> 
> There is - I found it last year, and it works.  I have 
> everything on my
> work PC, so I''ll let the list know tomorrow or later this week.
If you can, provide a link to it please or if the link is no longer valid
can you some how send me a mail personally so I could receive it from you to
provide it to interested people? That is if you still have the src or
binary.

JohnStanley

Kanwar Ranbir Sandhu wrote:
> On Mon, 2009-02-16 at 15:21 -0500, Ross Walker wrote:
>
>   
>> Avoid NTLM all together and use Kerberos between apache/squid, Active  
>> Directory and the Windows and Linux clients.
>>
>> Firefox and IE both support Kerberos authentication. I believe apache/ 
>> squid do too, but you need a manually create the service principal  
>> names in AD for those.
>>     
>
> I was using NTLM at first, but then switched to Kerberos (on the CentOS
> server side).  The Windows users didn''t see a difference.  For
them, SSO
> works just as well as before, but I still get prompted to enter
> user/password when I use my Fedora 10 desktop to browse to CentOS hosted
> web sites.
>
> My Fedora desktop is joined to the domain. I can login with my AD
> user/password. I even have caching working, which lets me sign on to my
> laptop when it''s not connected to the network.
>
> I suppose I''ve missed something, though I don''t know
what.
Maybe kerberos authentication?

I have winbind authentication working here but I have yet to get 
kerberos working to get SSO on Linux desktops.

Ross Walker wrote:
> On Feb 16, 2009, at 3:13 AM, "Sorin Srbu" <sorin.srbu at
orgfarm.uu.se>
> wrote:
>
>   
>>> -----Original Message-----
>>> From: centos-bounces at centos.org [mailto:centos-bounces at
centos.org] On
>>>       
>> Behalf
>>     
>>> Of Christopher Chan
>>> Sent: Monday, February 16, 2009 8:53 AM
>>> To: CentOS mailing list
>>> Subject: Re: [CentOS] Practical experience with NTLM/Windows  
>>> Integrated
>>> Authentication [Apache]
>>>
>>>
>>>       
>>>>> No, NTLM auth works in Firefox (at least on Firefox on
Windows, I
>>>>> don''t think it will work in other platforms
though).
>>>>>           
>>>> It doesn''t. NTLM auth to eg Sharepoint sites works
fine with
>>>> Firefox in
>>>> Windows. Setting the same things in Firefox under linux and
having
>>>> it
>>>>         
>> login
>>     
>>>> to sharepoint doesn''t.
>>>>         
>>> I don''t think any other OS other than Windows has NTLM
bindings.
>>>       
>> Probably not, but I was thinking there may be some obscure package  
>> somewhere
>> on the ''net to do this.
>>     
>
> Avoid NTLM all together and use Kerberos between apache/squid, Active  
> Directory and the Windows and Linux clients.
>
> Firefox and IE both support Kerberos authentication. I believe apache/ 
> squid do too, but you need a manually create the service principal  
> names in AD for those.
>
> Use pam_krb5 on the Linux clients to get a ticket on login.
>   
Mind sharing the pam config for that? I have something setup but things 
don''t seem to work.
> Use samba client on Linux hosts to join to domain and manage the  
> Kerberos keytab file for the machine passwords.
>   
Hmm...maybe I should not have manually created the credentials.

On Tue, 2009-02-17 at 08:05 +0800, Christopher Chan
wrote:
> Maybe kerberos authentication?
> 
> I have winbind authentication working here but I have yet to get 
> kerberos working to get SSO on Linux desktops.
Isn''t winbind enough?  Afterall, winbind gets the kerberos ticket when
the user logs in.

What''s the difference between kerberos auth and winbind auth?

Regards,

Ranbir

-- 
Kanwar Ranbir Sandhu
Linux 2.6.27.12-170.2.5.fc10.x86_64 x86_64 GNU/Linux 
19:32:30 up 5 days, 21:19, 3 users, load average: 0.30, 0.24, 0.21

Kanwar Ranbir Sandhu wrote:
> On Tue, 2009-02-17 at 08:05 +0800, Christopher Chan wrote:
>   
>> Maybe kerberos authentication?
>>
>> I have winbind authentication working here but I have yet to get 
>> kerberos working to get SSO on Linux desktops.
>>     
>
> Isn''t winbind enough?  Afterall, winbind gets the kerberos ticket
when
> the user logs in.
>   
??? That''s new to me...are you sure?
> What''s the difference between kerberos auth and winbind auth?
kerberos auth...should be the one that gets the ticket for you. Winbind 
servers to both authenticate you and provide user/group account info.

On Mon, Feb 16, 2009 at 7:07 PM, Christopher Chan
<christopher.chan at bradbury.edu.hk> wrote:
> Ross Walker wrote:
>> On Feb 16, 2009, at 3:13 AM, "Sorin Srbu" <sorin.srbu at
orgfarm.uu.se>
>> wrote:
>>
>>
>>>> -----Original Message-----
>>>> From: centos-bounces at centos.org [mailto:centos-bounces at
centos.org] On
>>>>
>>> Behalf
>>>
>>>> Of Christopher Chan
>>>> Sent: Monday, February 16, 2009 8:53 AM
>>>> To: CentOS mailing list
>>>> Subject: Re: [CentOS] Practical experience with NTLM/Windows
>>>> Integrated
>>>> Authentication [Apache]
>>>>
>>>>
>>>>
>>>>>> No, NTLM auth works in Firefox (at least on Firefox on
Windows, I
>>>>>> don''t think it will work in other platforms
though).
>>>>>>
>>>>> It doesn''t. NTLM auth to eg Sharepoint sites works
fine with
>>>>> Firefox in
>>>>> Windows. Setting the same things in Firefox under linux and
having
>>>>> it
>>>>>
>>> login
>>>
>>>>> to sharepoint doesn''t.
>>>>>
>>>> I don''t think any other OS other than Windows has NTLM
bindings.
>>>>
>>> Probably not, but I was thinking there may be some obscure package
>>> somewhere
>>> on the ''net to do this.
>>>
>>
>> Avoid NTLM all together and use Kerberos between apache/squid, Active
>> Directory and the Windows and Linux clients.
>>
>> Firefox and IE both support Kerberos authentication. I believe apache/
>> squid do too, but you need a manually create the service principal
>> names in AD for those.
>>
>> Use pam_krb5 on the Linux clients to get a ticket on login.
>>
> Mind sharing the pam config for that? I have something setup but things
> don''t seem to work.
>> Use samba client on Linux hosts to join to domain and manage the
>> Kerberos keytab file for the machine passwords.
>>
> Hmm...maybe I should not have manually created the credentials.
Ok, here are the default settings that my kickstart file creates to
allow me to join the domain and have samba manage the keytab.

# Default Kerberos configuration
mv /etc/krb5.conf /etc/krb5.conf.orig

cat >/etc/krb5.conf <<EOF
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = yes

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 24h
   renew_lifetime = 7d
   forwardable = true
   krb4_convert = false
 }

EOF

authconfig --kickstart --enablekrb5 --krb5realm=MFG.PRV
--krb5kdc=mfg.prv --krb5adminserver=mfg.prv --enablekrb5kdcdns
--enablekrb5realmdns

# Default Samba configuration
mv /etc/samba/smb.conf /etc/samba/smb.conf.orig

cat >/etc/samba/smb.conf <<EOF
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ads
   password server = *
   use kerberos keytab = yes
   passdb backend = tdbsam
   allow trusted domains = no
   idmap domains = default
   idmap config default:default = yes
   idmap config default:backend = rid
   idmap uid = 100000 - 999999
   idmap gid = 100000 - 999999
   template homedir = /home/%U
   template shell = /bin/bash
   winbind use default domain = true
   winbind enum groups = yes
   winbind enum users = yes
   name resolve order = wins bcast host

[homes]
   comment = Home Directories
   read only = no
   browseable = no

[printers]
   comment = All Printers
   path = /var/spool/samba
   printable = yes
   browseable = no

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/drivers
   admin users = @"MFG\Printer Admins"
   write list = @"MFG\Printer Admins"
   force user = root
   force group = root
   create mask = 0664
   directory mask = 0775
EOF

mkdir -p /var/lib/samba/drivers/W32ALPHA
mkdir -p /var/lib/samba/drivers/W32MIPS
mkdir -p /var/lib/samba/drivers/W32PPC
mkdir -p /var/lib/samba/drivers/W32X86
mkdir -p /var/lib/samba/drivers/WIN40
chown -R root:root /var/lib/samba/drivers
chmod -R 775 /var/lib/samba/drivers

authconfig --kickstart --smbworkgroup=MFG --smbservers=*
--enablewinbind --smbsecurity=ads --smbrealm=MFG.PRV
--smbidmapuid=100000-999999 --smbidmapgid=100000-999999
--winbindtemplatehomedir=/home/%U --winbindtemplateshell=/bin/bash
--enablewinbindusedefaultdomain

# Default NSS_LDAP configuration
mv /etc/ldap.conf /etc/ldap.conf.orig

cat >/etc/ldap.conf <<EOF
uri ldap://example.com/
base dc=example,dc=com
timelimit 30
bind_timelimit 30
idle_timelimit 3600
ssl start_tls
tls_checkpeer no
use_sasl yes
sasl_secprops maxssf=0
krb5_ccname FILE:/tmp/krb5.ldap

pam_filter		objectClass=User
pam_password		crypt

nss_map_objectclass	posixAccount		User
nss_map_objectclass	shadowAccount		User
nss_map_objectclass	posixGroup		Group

nss_map_attribute	homeDirectory		unixHomeDirectory
nss_map_attribute	uniqueMember		msSFU30PosixMember
nss_map_attribute	userPassword		unixUserPassword

nss_initgroups_ignoreusers
root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
EOF

# Default OpenLDAP configuration
mv /etc/openldap/ldap.conf /etc/openldap/ldap.conf.orig

cat >/etc/openldap/ldap.conf <<EOF
URI            ldap://example.com
BASE           dc=example, dc=com
SASL_SECPROPS  maxssf=0
TLS_REQCERT    allow
EOF

authconfig --kickstart --ldapserver=mfg.prv
--ldapbasedn="DC=mfg,DC=prv"

# Add an entry for pam_mkhomedir in system-auth
sed -i -e ''s/\(session     required      pam_limits.so\)/session
required      pam_mkhomedir.so skel=\/etc\/skel umask=0077
silent\n\1/'' /etc/pam.d/system-auth

By using authconfig I avoid having to manually edit the PAM stuff
which can get clobbered after an upgrade.

After configured I do have to manually join the domain, and
enable/restart winbind.

# net ads join -U <admin user>
# chkconfig winbind restart

-Ross

Thanks Ross, much appreciated.


Now I have to see if I can translate the necessary stuff to Ubuntu 
(Centos 5 did not cut it for desktop - cost me almost all the new Linux 
desktops but it sure was the easiest to install and setup. Ubuntu is a 
pain to get the debian-installer to do what kickstart does...still stuck 
on the stupid disk part/RAID/LVM configuration)


Christopher

On Mon, Feb 16, 2009 at 6:03 PM, Kanwar Ranbir Sandhu
<m3freak at thesandhufamily.ca> wrote:
> On Mon, 2009-02-16 at 15:21 -0500, Ross Walker wrote:
>
>> Avoid NTLM all together and use Kerberos between apache/squid, Active
>> Directory and the Windows and Linux clients.
>>
>> Firefox and IE both support Kerberos authentication. I believe apache/
>> squid do too, but you need a manually create the service principal
>> names in AD for those.
>
> I was using NTLM at first, but then switched to Kerberos (on the CentOS
> server side).  The Windows users didn''t see a difference.  For
them, SSO
> works just as well as before, but I still get prompted to enter
> user/password when I use my Fedora 10 desktop to browse to CentOS hosted
> web sites.
>
> My Fedora desktop is joined to the domain. I can login with my AD
> user/password. I even have caching working, which lets me sign on to my
> laptop when it''s not connected to the network.
>
> I suppose I''ve missed something, though I don''t know
what.
In Firefox go to your about:config page and scroll down to:

network.negotiate-auth.delegation-uris

and

network.negotiate-auth.trusted-uris

and for their string values enter your DNS domain to allow kerberos
negotiation and delegation to occur.

-Ross

On Mon, Feb 16, 2009 at 7:33 PM, Kanwar Ranbir Sandhu
<m3freak at thesandhufamily.ca> wrote:
> On Tue, 2009-02-17 at 08:05 +0800, Christopher Chan wrote:
>> Maybe kerberos authentication?
>>
>> I have winbind authentication working here but I have yet to get
>> kerberos working to get SSO on Linux desktops.
>
> Isn''t winbind enough?  Afterall, winbind gets the kerberos ticket
when
> the user logs in.
>
> What''s the difference between kerberos auth and winbind auth?
The difference is that winbind authentication is NTLM and it''s good
for that endpoint only, but it can''t be forwarded on to other services
for a SSO experience (unless there is an NTLM session cache and the
applications are written to use it ala Windows, but it is insecure).

-Ross

On Mon, Feb 16, 2009 at 8:34 PM, Christopher Chan
<christopher.chan at bradbury.edu.hk> wrote:
> Thanks Ross, much appreciated.
>
>
> Now I have to see if I can translate the necessary stuff to Ubuntu
> (Centos 5 did not cut it for desktop - cost me almost all the new Linux
> desktops but it sure was the easiest to install and setup. Ubuntu is a
> pain to get the debian-installer to do what kickstart does...still stuck
> on the stupid disk part/RAID/LVM configuration)
Yes, Ubuntu is nice, but the automated installer of Debian''s still
leaves a lot to be desired.

Just use sed to edit the pam configs in the script section at the end.

Below are what mine look like after authconfig was finished with them.

== system-auth =#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_mkhomedir.so skel=/etc/skel umask=0077 silent
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

== nsswitch.conf =#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry ''[NOTFOUND=return]'' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       nisplus or nis+         Use NIS+ (NIS version 3)
#       nis or yp               Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries
you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files winbind
shadow:     files winbind
group:      files winbind

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files

publickey:  nisplus

automount:  files
aliases:    files nisplus


== krb5.conf =[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MFG.PRV
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = yes
 renewable = yes

[realms]
 MFG.PRV = {
  kdc = mfg.prv
  admin_server = mfg.prv
   default_domain = mfg.prv
 }

[domain_realm]
 .mfg.prv = MFG.PRV
 mfg.prv = MFG.PRV

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 24h
   renew_lifetime = 7d
   forwardable = true
   renewable = true
   krb4_convert = false
 }


== smb.conf =[global]
workgroup = MFG
security = ads
realm = MFG.PRV
load printers = yes
printing = cups
max log size = 50
passdb backend = tdbsam
use kerberos keytab = Yes
allow trusted domains = no
idmap backend = rid:"BUILTIN=100000-109999,MFG=110000-999999"
winbind gid = 100000-999999
winbind uid = 100000-999999
template homedir = /home/%U
template shell = /bin/bash
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
wins server = mfg.prv
name resolve order = wins bcast host
restrict anonymous = no
domain master = no
preferred master = no
printer admin = @"MFG\Printer Admins"

[printers]
path = /var/spool/samba
printable = yes

[print$]
path = /var/lib/samba/print
write list = @"MFG\Printer Admins"
force user = root
force group = "printer admins"
create mask = 0664
directory mask = 0775

== ldap.conf =URI ldap://mfg.prv/
BASE DC=mfg,DC=prv
SASL_SECPROPS  maxssf=0
TLS_REQCERT    allow
TLS_CACERTDIR /etc/openldap/cacerts


The LDAP stuff really wasn''t necessary to get things working, I just
like the ldapsearch tool for exploring attributes in AD and it works
with GSSAPI (oh you need the GSSAPI/SASL packages installed for SSO to
work).

On Redhat these are:

cyrus-sasl-gssapi-2.1.22-4
libgssapi-0.10-2
cyrus-sasl-2.1.22-4
cyrus-sasl-gssapi-2.1.22-4
cyrus-sasl-lib-2.1.22-4
cyrus-sasl-md5-2.1.22-4
cyrus-sasl-ntlm-2.1.22-4
cyrus-sasl-plain-2.1.22-4

-Ross

>-----Original Message-----
>From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
Behalf
>Of Ross Walker
>Sent: Tuesday, February 17, 2009 2:36 AM
>To: CentOS mailing list
>Subject: Re: [CentOS] Practical experience with NTLM/Windows Integrated
>Authentication [Apache]
>
>In Firefox go to your about:config page and scroll down to:
>
>network.negotiate-auth.delegation-uris
>
>and
>
>network.negotiate-auth.trusted-uris
>
>and for their string values enter your DNS domain to allow kerberos
>negotiation and delegation to occur.
No way! This works in linux with Firefox?? 

I''ve only tried setting the string values to the Windows trivial names.
Using the FQDN didn''t even occur to me. I''ve got to try this.

Thx for the hint.
-- 
/Sorin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5106 bytes
Desc: not available
Url :
http://lists.centos.org/pipermail/centos/attachments/20090217/861e02e1/attachment.bin

>Ok, here are the default settings that my kickstart file creates to
>allow me to join the domain and have samba manage the keytab.
Ross,
I was out of town and missed this thread which is of great interest to me
as well. When you say "have samba manage the keytab" do you mean not
use one
as have a dedicated service account on the DC and have it generate the keytab
and have it copied over? A lot of solution I have seen use that procedure which
I have never wanted to do for obvious reasons.

Also, I see you also configure ldap to point towards what looks like your AD
server as well. How come you use both Samba/Winbind and ldap?

Thanks for the info!
jlc

>Too bad. However, based on your information I found this on Google:
>
>http://sivel.net/2007/05/sso-apache-ad-1/
>
>Thanks Filipe. Now I guess I can have a crack at this too.
I haven''t tried this one, but make note it lacks NTLMv2 and group
support
which made it non usable in my environment. Like Filipe suggested
mod_auth_ntlm_winbind addresses this but it appears it''s not actively
maintained and I got stuck configuring it and gave up...

jlc

On Mon, 2009-02-16 at 20:36 -0500, Ross Walker wrote:
> In Firefox go to your about:config page and scroll down to:
> 
> network.negotiate-auth.delegation-uris
> 
> and
> 
> network.negotiate-auth.trusted-uris
> 
> and for their string values enter your DNS domain to allow kerberos
> negotiation and delegation to occur.
HA! I had these set already, but I still get prompted.  So, today I
decided I should delete the saved passwords for the apache hosted site I
was trying to access, and viola, SSO worked!  I can''t believe I
didn''t
remove the saved passwords before.

Anyway, thanks for pointing out the Firefox settings. I doubt I would
have remembered they were there.

Regards,

Ranbir

-- 
Kanwar Ranbir Sandhu
Linux 2.6.27.12-170.2.5.fc10.x86_64 x86_64 GNU/Linux 
14:04:07 up 6 days, 15:51, 4 users, load average: 0.92, 1.02, 0.69

On Tue, 2009-02-17 at 14:07 -0500, Kanwar Ranbir Sandhu
wrote:
> On Mon, 2009-02-16 at 20:36 -0500, Ross Walker wrote:
> > In Firefox go to your about:config page and scroll down to:
> > 
> > network.negotiate-auth.delegation-uris
> > 
> > and
> > 
> > network.negotiate-auth.trusted-uris
> > 
> > and for their string values enter your DNS domain to allow kerberos
> > negotiation and delegation to occur.
> 
> HA! I had these set already, but I still get prompted.  So, today I
> decided I should delete the saved passwords for the apache hosted site I
> was trying to access, and viola, SSO worked!  I can''t believe I
didn''t
> remove the saved passwords before.
I should have mentioned that I only set
"network.negotiate-auth.trusted-uris".  I left the other one blank.
Setting it or not didn''t seem to make a difference. But, based on this:

https://developer.mozilla.org/en/Integrated_Authentication

The apache server should have been able to handle the authentication.
Maybe I''m misunderstanding what "delegation" does.

Regards,

Ranbir
-- 
Kanwar Ranbir Sandhu
Linux 2.6.27.12-170.2.5.fc10.x86_64 x86_64 GNU/Linux 
14:12:01 up 6 days, 15:59, 4 users, load average: 1.11, 1.13, 0.87

On Tue, 2009-02-17 at 10:27 -0700, Joseph L. Casale
wrote:
> I haven''t tried this one, but make note it lacks NTLMv2 and group
support
> which made it non usable in my environment. Like Filipe suggested
> mod_auth_ntlm_winbind addresses this but it appears it''s not
actively
> maintained and I got stuck configuring it and gave up...
I believe you can use kerberos auth and group lookups.  For the group
support, you need to do direct LDAP lookups.  Just run a google search
for ''kerberos apache group'', or something along those lines,
to find
some links discussing what I''ve mentioned here.

Regards,

Ranbir

-- 
Kanwar Ranbir Sandhu
Linux 2.6.27.12-170.2.5.fc10.x86_64 x86_64 GNU/Linux 
14:58:02 up 6 days, 16:45, 4 users, load average: 1.32, 1.27, 1.21

On Tue, Feb 17, 2009 at 2:18 PM, Kanwar Ranbir Sandhu
<m3freak at thesandhufamily.ca> wrote:
> On Tue, 2009-02-17 at 14:07 -0500, Kanwar Ranbir Sandhu wrote:
>> On Mon, 2009-02-16 at 20:36 -0500, Ross Walker wrote:
>> > In Firefox go to your about:config page and scroll down to:
>> >
>> > network.negotiate-auth.delegation-uris
>> >
>> > and
>> >
>> > network.negotiate-auth.trusted-uris
>> >
>> > and for their string values enter your DNS domain to allow
kerberos
>> > negotiation and delegation to occur.
>>
>> HA! I had these set already, but I still get prompted.  So, today I
>> decided I should delete the saved passwords for the apache hosted site
I
>> was trying to access, and viola, SSO worked!  I can''t believe
I didn''t
>> remove the saved passwords before.
>
> I should have mentioned that I only set
> "network.negotiate-auth.trusted-uris".  I left the other one
blank.
> Setting it or not didn''t seem to make a difference. But, based on
this:
>
> https://developer.mozilla.org/en/Integrated_Authentication
>
> The apache server should have been able to handle the authentication.
> Maybe I''m misunderstanding what "delegation" does.
Delegation will allow a system or service to authenticate you to
another system or service on your behalf.

For example, say your apache server has a mysql database backend for
an application that requires each user to authenticate individually,
well without delegation the users would need to use another form of
authentication such as HTTP basic authentication which would then pass
it off to the mysql. Even if done over SSL this can open your
application up to a man-in-the-middle attack. Kerberos delegation was
designed to defeat the man-in-the-middle scenario through signing of
the ticket request along the line and back.

-Ross

On Tue, Feb 17, 2009 at 12:24 PM, Joseph L. Casale
<JCasale at activenetwerx.com> wrote:
>>Ok, here are the default settings that my kickstart file creates to
>>allow me to join the domain and have samba manage the keytab.
>
> Ross,
> I was out of town and missed this thread which is of great interest to me
> as well. When you say "have samba manage the keytab" do you mean
not use one
> as have a dedicated service account on the DC and have it generate the
keytab
> and have it copied over? A lot of solution I have seen use that procedure
which
> I have never wanted to do for obvious reasons.
If you don''t have a keytab file when you use samba to join to the
domain and you have the ''use kerberos keytab = yes'' set in
your
smb.conf, then samba creates one and populates it with the AD
compatible host SPNs and machine password. From that point on it will
keep the keytab in sync. I don''t know if it will add these if SPNs
already exist, I haven''t tried it.
> Also, I see you also configure ldap to point towards what looks like your
AD
> server as well. How come you use both Samba/Winbind and ldap?
LDAP wasn''t necessary, I use it for querying AD attributes using the
OpenLDAP tools (I don''t trust Microsoft and think they hide attributes
in ADSIEdit!).

Though I could have used NSS_LDAP instead of Winbind, I just would
need to set UID/GID for every user and group in AD which was just too
much of a PITA.

-Ross

On Tue, Feb 17, 2009 at 2:59 PM, Kanwar Ranbir Sandhu
<m3freak at thesandhufamily.ca> wrote:
> On Tue, 2009-02-17 at 10:27 -0700, Joseph L. Casale wrote:
>> I haven''t tried this one, but make note it lacks NTLMv2 and
group support
>> which made it non usable in my environment. Like Filipe suggested
>> mod_auth_ntlm_winbind addresses this but it appears it''s not
actively
>> maintained and I got stuck configuring it and gave up...
>
> I believe you can use kerberos auth and group lookups.  For the group
> support, you need to do direct LDAP lookups.  Just run a google search
> for ''kerberos apache group'', or something along those
lines, to find
> some links discussing what I''ve mentioned here.
If you have a lot of hosts that need access to winbind mapped
UIDs/GIDs instead of setting up winbind everywhere and having a
administrative headache if the RID mapping gets messed up on one host,
setup a winbind to NIS server that puts the mappings into NIS maps and
propagate the information that way. Only real difference on the other
hosts is to switch ''winbind'' to ''nis'' in
nsswitch.conf.

-Ross

> If you have a lot of hosts that need access to winbind mapped
> UIDs/GIDs instead of setting up winbind everywhere and having a
> administrative headache if the RID mapping gets messed up on one host,
> setup a winbind to NIS server that puts the mappings into NIS maps and
> propagate the information that way. Only real difference on the other
> hosts is to switch ''winbind'' to ''nis''
in nsswitch.conf.
>   
What''s wrong with winbind on a ldap backend? I have winbind installed 
everywhere...all pointing to a single ldap instance.

On Feb 17, 2009, at 7:50 PM, Christopher Chan <christopher.chan at
bradbury.edu.hk
 > wrote:
>
>> If you have a lot of hosts that need access to winbind mapped
>> UIDs/GIDs instead of setting up winbind everywhere and having a
>> administrative headache if the RID mapping gets messed up on one  
>> host,
>> setup a winbind to NIS server that puts the mappings into NIS maps  
>> and
>> propagate the information that way. Only real difference on the other
>> hosts is to switch ''winbind'' to
''nis'' in nsswitch.conf.
>>
> What''s wrong with winbind on a ldap backend? I have winbind
installed
> everywhere...all pointing to a single ldap instance.
Well yeah you can use ldap too to keep the rid mappings centralized. I  
just think configuring ldap, putting schema together and configuring  
samba everywhere is more work then nis, but to each their own.

-Ross