Active Directory SSO

Mod_NTLM

Disadvantages include no group support and no support for NTLM2, which is default in Vista.

NOTE: You don't really want to use this. Use Kerberos instead.

Install Instructions:

From here: (http://ubuntuforums.org/showthread.php?p=1706192)

• mkdir ntlm && cd ntlm
• wget http://www.jamiekerwick.co.uk/modntlm/ntlm2.tar.gz
• tar -zxvf ntlm2.tar.gz
• sudo apt-get update
• sudo apt-get install apache2-prefork-dev gcc-3.4
• sudo ln -fs /usr/bin/gcc-3.4 /usr/bin/gcc

Changes made according to this: http://wiki.bestpractical.com/view/NtlmAuthentication

•  cd smbval
• sudo nano smblib.inc.c
• For the two lines that look like this:

static int SMBlib_errno;
static int SMBlib_SMB_Error;

• Change to this:

int SMBlib_errno;
int SMBlib_SMB_Error;

• For the line that looks like this:

 static SMB_State_Types SMBlib_State;

• Change to this:

SMB_State_Types SMBlib_State;
 

• cd ..
• sudo nano mod_ntlm.c
• Change the line that looks like this:

apr_pool_sub_make(&sp,p,NULL);

• To this:

apr_pool_create_ex(&sp,p,NULL,NULL);

• sudo apxs2 -i -c mod_ntlm.c
• sudo make clean
• sudo echo "LoadModule ntlm_module /usr/lib/apache2/modules/mod_ntlm.so" > /etc/apache2/mods-available/ntlm.load

• sudo a2enmod ntlm
• cd /etc/apache2
• sudo nano httpd.conf
• Paste the following, and modify accordingly:

AuthType NTLM
NTLMAuth on
NTLMAuthoritative on
NTLMDomain YOURDOMAIN
NTLMServer yourDomainController
NTLMBackup yourBackupDomainController
Require valid-user

• sudo /etc/init.d/apache2 restart

Mod_Auth_Kerb

Kerberos authentication. This allows Vista and Windows 7 users, as well as Windows XP users, to authenticate. You will need to create a regular AD account for credentials. This is referenced as user-account@domain.com below.

Capitilization matters!

• sudo apt-get install krb5-user msktutil
• nano /etc/krb5.conf
  • Add the following:

[libdefaults]
    default_realm = DOMAIN.COM

[domain_realm]
    domain.com = DOMAIN.COM
[realms]
     DOMAIN.COM = {
                      kdc = win2k3.domain.com
                      admin_server = win2k3.domain.com
  }

• Ensure that you can ping between the Windows 2003 server and the linux server in both directions and using both the fully-qualified domain name (win2k3.acme.local) and the IP address. 
• Test kerberos authentication to ensure that you can get a ticket:

# kinit administrator
Password for administrator@DOMAIN.COM: 

• Use one of the following methods to generate the kerberos keystore:
  
  • On your Domain Controller:

# ktpass -princ HTTP/fully-qualified-hostname.com@DOMAIN.COM -mapuser user-account -crypto DES-CBC-MD5 -pass password -ptype KRB5_NT_PRINCIPAL -out c:\http.keytab
 

Copy the http.keytab file from your domain controller, to /etc/apache2 on your wiki 

• Alternatively, you can use msktutil on the Linux side NOTE: You will need to be authenticated as Domain Admin to do this. The 'kinit' step above should have generated a kerberos ticket for you, so this will work using those credentials.

# msktutil -c -k /etc/apache2/http.keytab

Add an HTTP service principal. This should produce no errors.

# msktutil -s HTTP/fully-qualified-hostname.com -k /etc/apache2/http.keytab -h fully-qualified-hostname.com --computer-name netBIOS-hostname --upn HTTP/fully-qualified-hostname.com --server domain-controller.com

• Check the keystore:

# klist -k /etc/apache2/http.keytab 

• Test the keytab file like so from your wiki console (This should exit without any error messages):

# kinit -k -t /etc/apache2/http.keytab HTTP/fully-qualified-hostname.domain.com

• Change permissions on the keystore to allow the apache user access (change username as appropriate; look at 'ps -ef |grep httpd'.)

# chown apache:apache /etc/apache2/http.keytab

• Add your directory service as an authentication provider , except that you must specify a valid account for bindingdn and bindingpw like this:

•  After you create the auth provider, make note of the Service ID:

• With the service ID now go to System Settings -> Configuration -> Advanced Configuration in the Control Panel and add the following key values: 

Key	Value
security/allow-trusted-auth	true
security/trusted-auth-provider-id	45
security/trusted-auth-cgi-variable-name	REMOTE_USER
security/trusted-auth-cgi-variable-pattern	([^@]+)

NOTE: "trusted-auth-cgi-variable-pattern" extracts username from the REMOTE_USER cgi variable as set by apache when using kerberos auth. So username@domain.com will be logged in as username. Kerberos auth will set this from the user principal name for the user account, which should normally be the SMB username in AD.

Now let's set up apache to use kerberos auth.

• sudo apt-get install libapache2-mod-auth-kerb
•  Tell apache to use kerberos auth with either httpd.conf or .htaccess:
  
  • nano /etc/apache2/httpd.conf
    • Add the following:

<Location />
   Allow from all  
   AuthType Kerberos
   KrbAuthRealms DOMAIN.COM
   KrbServiceName HTTP
   Krb5Keytab /etc/apache2/http.keytab
   KrbMethodNegotiate on
   KrbMethodK5Passwd on
   Require valid-user
</Location>

•  nano /var/www/dekiwiki/.htaccess
• Add the following:

   AuthType Kerberos
   AuthName "Krb5 Auth"
   KrbAuthRealm DOMAIN.COM
   KrbServiceName HTTP
   Krb5Keytab /etc/apache2/http.keytab
   KrbMethodNegotiate on
   KrbMethodK5Passwd off
   Require valid-user
 

• /etc/init.d/apache2 restart