Adding NT Domain Authentication to Apache and Samba on SLES\openSUSE Servers

The purpose of this document is to detail the steps necessary to add a SLES 10 or openSUSE server to an existing NT domain. This will enable us to configure both Samba and Apache to authenticate users from the domain instead of using local accounts. PAM for Linux would allow this but would also allow anyone to login to the Linux server as well, something we do not want. Using this process, only local server accounts can login to the server console but any Samba shares and Apache web pages are authenticated using Domain credentials.

Configuring Samba

First, we need to edit Samba’s configuration to prepare to join the domain. For reference, we’ll use MOUSE as our domain and CAT.COM as our entity. These of course need to be replaced with your domain and entity settings.

1. Open your favorite text editor and open /etc/samba/smb.conf
2. Add the following lines to the [global] config section for the domain to join:

[global]
workgroup = MOUSE
realm = MOUSE.CAT.COM
netbios name = CHEESE
server string = CHEESE
security = domain
password server = domaincontroller1.CAT.COM domaincontroller2.CAT.COM
wins server = IP.of.WINS.server
idmap uid = 10000-20000
idmap gid = 30000-40000
winbind enum users = yes
winbind enum groups = yes
obey pam restrictions = yes

While Samba does not use PAM directly, obey pam restrictions is necessary for the Apache module to function properly.

1. Open the file /etc/nsswitch.conf and add winbind to the following lines as shown below:
   
2. Save both files and restart Samba by entering /etc/rc.d/smb restart in a terminal.
3. In a terminal window, type the command net join –U ADMINACCOUNT. In our example, ADMINACCOUNT is an account with permission to join the domain. Type the password for the account at the prompt and hit enter. Once entered, you should receive a message stating:
   “Joined domain MOUSE”
4. Verify the Domain trust is valid by typing the command wbinfo –u. After a few seconds, you should have a list of all the Domain user accounts. Similarly, wbinfo –g will give you a list of all the Domain groups. If either command fails to return the list of Domain users or groups, double check the entries in your smb.conf file.
5. Provided your domain trust is valid, it’s necessary to start the winbind daemon to resolve Domain usernames/groups as UNIX user IDs and group IDs. Start winbind with the command /etc/rc.d/winbind
   start.

Samba is now configured and able to use NT Domain authentication for shares. You should also see your server in the NT Domain management console. Shares can be secured with valid users = MOUSE\account1 MOUSE\account2, etc. To use an NT group name, type an @ sign instead like so: valid users = @MOUSE\sales. Group names with a space can be used if you encapsulate it in quotes, like so: “@MOUSE\sales execs”.

Configuring Apache

Apache itself requires little configuration other than telling it what modules we need it to load. Unfortunately, the PAM module for Apache is not included nor available from the install
media. Mod_auth_PAM is simple enough to compile and install though. Before beginning, make sure your server has the C/C++ Compiler and Tools package pattern installed. You will also need the following packages:

• pam
• pam_apparmor
• pam-devel
• pam-modules
• pam_smb
• yast2-pam

1. Download mod_auth_pam from the project’s website located at: <a
   href=”http://pam.sourceforge.net/mod_auth_pam/download.html”>http://pam.sourceforge.net/mod_auth_pam/download.html. The Apache 2.0 module is what you’ll need.
   For the purpose of user account or primary group authentication, the three patches are not needed.
2. Uncompress the module using the command tar –xzf mod_auth_pam-2.0-1.1.1.tar.gz. This will create a new folder called mod_auth_pam.
3. In a terminal window, navigate to the folder mod_auth_pam and run the command make && make
   install. This will compile the module and install it into the necessary locations.
4. Using your favorite text editor, open the file /etc/pam.d/httpd.
   Comment out the two lines created by the mod_auth_pam’s install process and add:
   auth required /lib/security/pam_winbind.so
   account required /lib/security/pam_permit.so
   session required /lib/security/pam_permit.soTo enable logging, add debug after pam_winbind.so. This will record any errors from PAM into
   the file /var/log/messages.
5. Open the file /etc/sysconfig/apache2. Scroll through the document and find the section beginning with APACHE_MODULES. Add auth_sys_group and auth_pam inside the list contained within the double quotations. For example: “actions include expires” would become “actions include expires auth_sys_group
   auth_pam”
6. Save both files and restart Apache by running the command /etc/rc.d/apache2 restart.The module supports two methods to add/change Domain authentication to folders served by Apache.

   Method 1 is to place the necessary parameters within the <Directory></Directory> declaration in your /etc/apache2/httpd.conf or /etc/apache2/vhosts.d/sitename.conf. This method requires Apache to be restarted when a change is made to take effect.

   Method 2 is to place the parameters inside a .htaccess file that’s located in the folder you wish to add authentication. Method 2 is easier for troubleshooting but can be circumvented by simply deleting the .htaccess file.

   My recommendation is to use a .htaccess file to test and setup the permissions the way you like, then copy and place the parameters within your <Directory> definition. This will give your site the added security without the need to restart Apache multiple times while testing.

   In either method chosen, you will need the following parameters:

   AuthPAM_Enabled On
   AuthPAM_FallThrough Off
   AuthBasicAuthoritative Off
   AuthGROUP_Enabled On
   AuthUserFile /dev/null
   AuthType Basic
   AuthName “Login”
   require group MOUSE\sales

   If you want to specify users to have access instead of a group, omit AuthGROUP_Enabled and use require user instead. As with Samba, groups or usernames with spaces will need to be encapsulated with double quotations.

   Depending on your chosen method, you may need to restart Apache. Now, when you try to view a page within the protected folder, you should receive a login prompt. If you are unable to login, check the error log for the site as specified by your <Directory> definition and enable logging mode within the file /etc/pam.d/httpd.