Adding NT Domain Authentication to Apache and Samba on SLES\openSUSE Servers
The purpose of this document is to detail the steps necessary to add a SLES 10 or openSUSE server to an existing NT domain. This will enable us to configure both Samba and Apache to authenticate users from the domain instead of using local accounts. PAM for Linux would allow this, but it would also allow any domain user to log in to the Linux server itself, something we do not want. Using this process, only local server accounts can log in to the server console, while Samba shares and Apache web pages are authenticated using domain credentials.
Configuring Samba
First, we need to edit Samba’s configuration to prepare to join the domain. For reference, we’ll use MOUSE as our domain and CAT.COM as our entity. These of course need to be replaced with your domain and entity settings.
- Open your favorite text editor and open /etc/samba/smb.conf
- Add the following lines to the [global] config section for the domain to join:
[global]
workgroup = MOUSE
realm = MOUSE.CAT.COM
netbios name = CHEESE
server string = CHEESE
security = domain
password server = domaincontroller1.CAT.COM domaincontroller2.CAT.COM
wins server = IP.of.WINS.server
idmap uid = 10000-20000
idmap gid = 30000-40000
winbind enum users = yes
winbind enum groups = yes
obey pam restrictions = yes
While Samba does not use PAM directly, obey pam restrictions is necessary for the Apache module to function properly.
- Open the file /etc/nsswitch.conf and add winbind to the passwd and group lookup lines, so that domain users and groups resolve through winbind after the local files.
- Save both files and restart Samba by entering /etc/rc.d/smb restart in a terminal.
- In a terminal window, type the command net join -U ADMINACCOUNT. In our example, ADMINACCOUNT is an account with permission to join the domain. Type the password for the account at the prompt and hit enter. Once entered, you should receive a message stating "Joined domain MOUSE".
- Verify the Domain trust is valid by typing the command wbinfo -u. After a few seconds, you should have a list of all the Domain user accounts. Similarly, wbinfo -g will give you a list of all the Domain groups. If either command fails to return the list of Domain users or groups, double check the entries in your smb.conf file.
- Provided your domain trust is valid, it's necessary to start the winbind daemon to resolve Domain usernames/groups as UNIX user IDs and group IDs. Start winbind with the command /etc/rc.d/winbind start.
Samba is now configured and able to use NT Domain authentication for shares. You should also see your server in the NT Domain management console. Shares can be secured with valid users = MOUSE\account1 MOUSE\account2, etc. To use an NT group name, type an @ sign instead like so: valid users = @MOUSE\sales. Group names with a space can be used if you encapsulate them in quotes, like so: "@MOUSE\sales execs".
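As an added example (not code from the original article), the following shell script performs offline sanity checks on the two files edited above before you attempt the join: it confirms that every join-related key sits inside the [global] section of smb.conf with security = domain, and that winbind is listed on the passwd and group lines of nsswitch.conf. It never contacts a domain controller; the sample files it writes are constructed for illustration and deliberately include a mistake (a key placed under a share section instead of [global]).

```shell
# Added example, not from the original article: offline sanity checks for the
# smb.conf [global] keys and nsswitch.conf entries the steps above describe.
# The sample files written by write_samples are constructed for illustration.

# Print the [global] value of key $2 (lowercase) from smb.conf $1; empty if absent.
smb_value() {
    awk -v k="$2" '
        /^[ \t]*[#;]/ { next }                                   # skip comments
        /^[ \t]*\[/ { sec=$0; gsub(/[][ \t]/,"",sec); sec=tolower(sec); next }  # track section
        sec=="global" && index($0,"=") {
            key=$0; sub(/[ \t]*=.*/,"",key); gsub(/^[ \t]+|[ \t]+$/,"",key)
            if (tolower(key)==k) {
                val=$0; sub(/^[^=]*=[ \t]*/,"",val); sub(/[ \t]+$/,"",val)
                print val; exit
            }
        }' "$1"
}

# Print problems with the join-related [global] keys, comma separated
# (empty output and exit 0 when the file passes).
check_smb_global() {
    problems=""
    for key in workgroup realm "netbios name" security "password server" \
               "idmap uid" "idmap gid" "winbind enum users" "winbind enum groups" \
               "obey pam restrictions"; do
        v=$(smb_value "$1" "$key")
        if [ -z "$v" ]; then
            problems="${problems}missing:$key,"
        elif [ "$key" = security ] && [ "$v" != domain ]; then
            # anything but security = domain means the server will not consult the DCs
            problems="${problems}security=$v(expected domain),"
        fi
    done
    printf '%s' "${problems%,}"
    [ -z "$problems" ]
}

# Print the nsswitch.conf databases (passwd, group) that do not list winbind.
check_nsswitch() {
    missing=""
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|$)" "$1" \
            || missing="$missing$db "
    done
    printf '%s' "${missing% }"
    [ -z "$missing" ]
}

# Constructed sample files: one correct pair, one pair with typical mistakes.
write_samples() {
    cat > "$1/smb.good.conf" <<'EOF'
[global]
    workgroup = MOUSE
    realm = MOUSE.CAT.COM
    netbios name = CHEESE
    server string = CHEESE
    security = domain
    password server = domaincontroller1.CAT.COM domaincontroller2.CAT.COM
    wins server = IP.of.WINS.server
    idmap uid = 10000-20000
    idmap gid = 30000-40000
    winbind enum users = yes
    winbind enum groups = yes
    obey pam restrictions = yes

[share]
    path = /srv/share
    valid users = @MOUSE\sales
EOF
    # realm missing, security left at "user", and one key in the wrong section
    cat > "$1/smb.bad.conf" <<'EOF'
[global]
    workgroup = MOUSE
    netbios name = CHEESE
    security = user
    password server = domaincontroller1.CAT.COM
    idmap uid = 10000-20000
    idmap gid = 30000-40000
    winbind enum users = yes
    winbind enum groups = yes

[share]
    obey pam restrictions = yes
EOF
    printf 'passwd: files winbind\ngroup:  files winbind\nhosts:  files dns\n' > "$1/nss.good.conf"
    printf 'passwd: files\ngroup:  files winbind\n' > "$1/nss.bad.conf"
}

SAMPLE_DIR=$(mktemp -d)
write_samples "$SAMPLE_DIR"
for f in smb.good.conf smb.bad.conf nss.good.conf nss.bad.conf; do
    case "$f" in
        smb.*) r=$(check_smb_global "$SAMPLE_DIR/$f") || true ;;
        *)     r=$(check_nsswitch "$SAMPLE_DIR/$f") || true ;;
    esac
    printf '%s -> %s\n' "$f" "${r:-ok}"
done
```

The checker reads only the [global] section, which is why the misplaced obey pam restrictions in the bad sample is reported as missing; Samba would also ignore it there, and the Apache module described below would then not behave as expected.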
Configuring Apache
Apache itself requires little configuration other than telling it which modules we need it to load. Unfortunately, the PAM module for Apache is neither included nor available from the install media. mod_auth_pam is simple enough to compile and install though. Before beginning, make sure your server has the C/C++ Compiler and Tools package pattern installed. You will also need the following packages:
- pam
- pam_apparmor
- pam-devel
- pam-modules
- pam_smb
- yast2-pam
- Download mod_auth_pam from the project's website located at http://pam.sourceforge.net/mod_auth_pam/download.html. The Apache 2.0 module is what you'll need. For the purpose of user account or primary group authentication, the three patches are not needed.
- Uncompress the module using the command tar -xzf mod_auth_pam-2.0-1.1.1.tar.gz. This will create a new folder called mod_auth_pam.
- In a terminal window, navigate to the folder mod_auth_pam and run the command make && make install. This will compile the module and install it into the necessary locations.
- Using your favorite text editor, open the file /etc/pam.d/httpd.
Comment out the two lines created by mod_auth_pam's install process and add:

auth required /lib/security/pam_winbind.so
account required /lib/security/pam_permit.so
session required /lib/security/pam_permit.so

To enable logging, add debug after pam_winbind.so. This will record any errors from PAM into the file /var/log/messages.
- Open the file /etc/sysconfig/apache2. Scroll through the document and find the section beginning with APACHE_MODULES. Add auth_sys_group and auth_pam inside the list contained within the double quotations. For example, "actions include expires" would become "actions include expires auth_sys_group auth_pam".
- Save both files and restart Apache by running the command /etc/rc.d/apache2 restart.

The module supports two methods to add/change Domain authentication to folders served by Apache.
Method 1 is to place the necessary parameters within the <Directory></Directory> declaration in your /etc/apache2/httpd.conf or /etc/apache2/vhosts.d/sitename.conf. This method requires Apache to be restarted when a change is made to take effect.
Method 2 is to place the parameters inside a .htaccess file that’s located in the folder you wish to add authentication. Method 2 is easier for troubleshooting but can be circumvented by simply deleting the .htaccess file.
My recommendation is to use a .htaccess file to test and setup the permissions the way you like, then copy and place the parameters within your <Directory> definition. This will give your site the added security without the need to restart Apache multiple times while testing.
In either method chosen, you will need the following parameters:
AuthPAM_Enabled On
AuthPAM_FallThrough Off
AuthBasicAuthoritative Off
AuthGROUP_Enabled On
AuthUserFile /dev/null
AuthType Basic
AuthName "Login"
require group MOUSE\sales
If you want to specify users to have access instead of a group, omit AuthGROUP_Enabled and use require user instead. As with Samba, groups or usernames with spaces will need to be encapsulated with double quotations.
Depending on your chosen method, you may need to restart Apache. Now, when you try to view a page within the protected folder, you should receive a login prompt. If you are unable to log in, check the error log for the site as specified by your <Directory> definition and enable logging mode within the file /etc/pam.d/httpd.
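As an added example (not code from the original article or from the mod_auth_pam project), this script renders the Method 1 <Directory> block from the parameters listed above, quoting group names that contain spaces as the article requires, and checks an existing fragment against the directive values the article gives. It is written beside a constructed weak fragment in which PAM failures fall through, mod_auth_basic stays authoritative, and no AuthUserFile is set, so the difference between the two is visible. The folder path and group names are assumptions for illustration.

```shell
# Added example, not from the original article or the mod_auth_pam project:
# render the Method 1 <Directory> block from the parameters above, and check a
# config fragment for the directive values the article requires. The folder
# path and the constructed fragments below are illustrative only.

# Quote a user/group name when it contains a space (the article's rule).
quote_name() {
    case "$1" in
        *" "*) printf '"%s"' "$1" ;;
        *)     printf '%s' "$1" ;;
    esac
}

# Print a <Directory> block protecting folder $1 with domain group $2.
directory_block() {
    printf '<Directory "%s">\n' "$1"
    printf '    AuthPAM_Enabled On\n'
    printf '    AuthPAM_FallThrough Off\n'
    printf '    AuthBasicAuthoritative Off\n'
    printf '    AuthGROUP_Enabled On\n'
    printf '    AuthUserFile /dev/null\n'
    printf '    AuthType Basic\n'
    printf '    AuthName "Login"\n'
    printf '    require group %s\n' "$(quote_name "$2")"
    printf '</Directory>\n'
}

# Lowercase helper for case-insensitive directive comparison.
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Print, comma separated, every directive in file $1 whose value differs from
# what the article requires, plus "missing:" entries; empty and exit 0 if clean.
check_pam_auth() {
    problems=""
    for pair in AuthPAM_Enabled=On AuthPAM_FallThrough=Off \
                AuthBasicAuthoritative=Off AuthUserFile=/dev/null AuthType=Basic; do
        name=${pair%%=*}; want=${pair#*=}
        # first token is the directive name, the remainder its value; comments skipped
        got=$(awk -v d="$(lc "$name")" '
            /^[ \t]*#/ { next }
            tolower($1)==d { $1=""; sub(/^[ \t]+/,""); sub(/[ \t]+$/,""); print; exit }' "$1")
        if [ -z "$got" ]; then
            problems="${problems}missing:$name,"
        elif [ "$(lc "$got")" != "$(lc "$want")" ]; then
            problems="${problems}$name=$got(expected $want),"
        fi
    done
    # without a require line nothing is actually restricted
    grep -Eiq '^[[:space:]]*require[[:space:]]+(group|user)[[:space:]]+' "$1" \
        || problems="${problems}missing:require,"
    printf '%s' "${problems%,}"
    [ -z "$problems" ]
}

# Constructed weak fragment: PAM failures fall through, mod_auth_basic stays
# authoritative, and no AuthUserFile is set.
write_weak_fragment() {
    cat > "$1" <<'EOF'
AuthPAM_Enabled On
AuthPAM_FallThrough On
AuthBasicAuthoritative On
AuthType Basic
AuthName "Login"
require group MOUSE\sales
EOF
}

WORK=$(mktemp -d)
directory_block /srv/www/htdocs/secure 'MOUSE\sales execs' > "$WORK/good.conf"
write_weak_fragment "$WORK/weak.conf"
cat "$WORK/good.conf"
for f in good.conf weak.conf; do
    r=$(check_pam_auth "$WORK/$f") || true
    printf '%s -> %s\n' "$f" "${r:-ok}"
done
```

Run check_pam_auth against a .htaccess file while testing with Method 2, then paste the block printed by directory_block into the site's <Directory> definition once it behaves as intended.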
Comments
Here is a helpful link with a list of pam related mods for Linux.
http://www.kernel.org/pub/linux/libs/pam/modules.html
Good job!
Mike…
I can personally attest that winbind works awesome for authenticating Linux to AD in general. Much simpler than wrestling with LDAP and kerberos
One huge caveat that I’m pretty sure is true: If you have “promoted” Active Directory to “native mode” then authentication with winbind won’t work, as far as I know. If AD is in native mode then your only option is to go to a Kerberos/LDAP based authentication method
Back to winbind – In my experience you don’t even need to start Samba at boot (i.e. from /etc/init.d) if you’re only using winbind for authentication and you’re not trying to share files with Samba.
Nice tip.
Hi. I’m running opensuse 10.3 and samba-3.0.26a-3.5. I’m trying to make Winbind and Active Directory work together. When I run smbd -b | grep LDAP I don’t get HAVE_LDAP_DOMAIN2HOSTLIST
host:/etc/samba # smbd -b | grep LDAP
HAVE_LDAP_H
HAVE_LDAP
HAVE_LDAP_ADD_RESULT_ENTRY
HAVE_LDAP_INIT
HAVE_LDAP_INITIALIZE
HAVE_LDAP_SET_REBIND_PROC
HAVE_LIBLDAP
LDAP_SET_REBIND_PROC_ARGS
Should I necessarily have it listed?
However trying:
host:/etc/samba # kinit -V admin@PRUEBA
Password for admin@PRUEBA:
Authenticated to Kerberos v5
host:/etc/samba # net ads join -U admin
admin’s password:
Using short domain name -- MAIN
Joined ‘HOST’ to realm ‘PRUEBA’
host:/etc/samba # net ads testjoin
Join is OK
When I run wbinfo -u
host:/etc/samba # wbinfo -u
Error looking up domain users
And I see the message in the log file and when I run
[2008/05/02 13:32:30, 1] libads/cldap.c:recv_cldap_netlogon(247) Failed to parse cldap reply
It seems it’s working, but I just keep getting those errors in the log files and of course it won’t work. Can anybody help me?
Thank you in advance.
kamaleon50, these instructions will only work with NT based domains or mixed mode Windows 2000 domains.
If you are using a Windows 2000 domain in Native mode or a Windows 2003 Active Directory domain, you have to use Kerberos. Winbind does not support the Kerberos protocols needed.
It is really important to notice that you need to use the domain name / realm name in UPPERCASE (ex: MYDOMAIN.LOCAL), or else Kerberos will cause problems.