SUSE Conversations


Adding NT Domain Authentication to Apache and Samba on SLES\openSUSE Servers



By: brownc4

April 10, 2008 7:31 am


The purpose of this document is to detail the steps necessary to add a SLES 10 or openSUSE server to an existing NT domain. This will enable us to configure both Samba and Apache to authenticate users from the domain instead of using local accounts. PAM for Linux alone would allow this, but it would also allow anyone to log in to the Linux server itself, something we do not want. Using this process, only local server accounts can log in to the server console, while Samba shares and Apache web pages are authenticated using Domain credentials.

Configuring Samba

First, we need to edit Samba’s configuration to prepare to join the domain. For reference, we’ll use MOUSE as our domain and CAT.COM as our entity. These of course need to be replaced with your domain and entity settings.

  1. Open your favorite text editor and open /etc/samba/smb.conf
  2. Add the following lines to the [global] config section for the domain to join:

[global]
workgroup = MOUSE
realm = MOUSE.CAT.COM
netbios name = CHEESE
server string = CHEESE
security = domain
password server = domaincontroller1.CAT.COM domaincontroller2.CAT.COM
wins server = IP.of.WINS.server
idmap uid = 10000-20000
idmap gid = 30000-40000
winbind enum users = yes
winbind enum groups = yes
obey pam restrictions = yes

Note: netbios name is what is reported to the domain and what users reach with the standard Windows \\SERVERNAME file browsing. server string is what is shown in the NT Domain administration console for this server and can be anything of your choosing. It is not necessary for netbios name and server string to match.

While Samba does not use PAM directly, obey pam restrictions is necessary for the Apache module to function properly.

  1. Open the file /etc/nsswitch.conf and add winbind to the following lines as shown below:
    [image001.png, not reproduced: the /etc/nsswitch.conf lines with winbind appended, typically passwd: files winbind and group: files winbind]
  2. Save both files and restart Samba by entering /etc/rc.d/smb restart in a terminal.
  3. In a terminal window, type the command net join -U ADMINACCOUNT. In our example, ADMINACCOUNT is an account with permission to join the domain. Type the password for the account at the prompt and hit enter. Once entered, you should receive a message stating:
    “Joined domain MOUSE”
  4. Verify the Domain trust is valid by typing the command wbinfo -u. After a few seconds, you should have a list of all the Domain user accounts. Similarly, wbinfo -g will give you a list of all the Domain groups. If either command fails to return the list of Domain users or groups, double check the entries in your smb.conf file.
  5. Provided your domain trust is valid, it’s necessary to start the winbind daemon to resolve Domain usernames/groups as UNIX user IDs and group IDs. Start winbind with the command /etc/rc.d/winbind start.

Samba is now configured and able to use NT Domain authentication for shares. You should also see your server in the NT Domain management console. Shares can be secured with valid users = MOUSE\account1 MOUSE\account2, and so on. To use an NT group name, prefix it with an @ sign instead, like so: valid users = @MOUSE\sales. A group name containing a space can be used if you enclose it in double quotes, like so: valid users = "@MOUSE\sales execs".
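As an added example (not part of the original article), the following Python script checks an smb.conf against the [global] settings this section relies on and parses a share’s valid users list, keeping a quoted group name with a space as one entry and reporting names that lack a DOMAIN\ prefix (those resolve to local accounts). The sample configuration is constructed, and the 1000 cut-off for local account IDs is an assumption.

```python
import re
# Constructed sample smb.conf, not the article author's file; values follow the article's MOUSE example.
SAMPLE_SMB_CONF = """\
[global]
workgroup = MOUSE
realm = MOUSE.CAT.COM
security = domain
password server = domaincontroller1.CAT.COM domaincontroller2.CAT.COM
idmap uid = 10000-20000
idmap gid = 30000-40000
winbind enum users = yes
winbind enum groups = yes
obey pam restrictions = yes

[sales]
valid users = @MOUSE\\sales "@MOUSE\\sales execs" MOUSE\\account1 bob
"""

def parse_smb_conf(text):
    """Return {section: {key: value}} with lower-cased keys; comments and blank lines dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif "=" in line and current is not None:
            key, _, val = line.partition("=")
            current[key.strip().lower()] = val.strip()
    return sections

def check_global(g):
    """Flag [global] settings that would break the domain join or the Apache PAM module."""
    problems = []
    for key, want in (("security", "domain"), ("obey pam restrictions", "yes"),
                      ("winbind enum users", "yes"), ("winbind enum groups", "yes")):
        if g.get(key, "").lower() != want:
            problems.append(f"{key} must be {want}")
    for key in ("idmap uid", "idmap gid"):
        lo, hi = (int(x) for x in g.get(key, "0-0").split("-"))
        if lo >= hi or lo < 1000:  # 1000 assumed as the top of the local-account ID space
            problems.append(f"{key} range {lo}-{hi} is empty or collides with local accounts")
    return problems

def unqualified_valid_users(share):
    """Return 'valid users' entries lacking a DOMAIN\\ prefix; a quoted name with spaces stays whole."""
    names = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', share.get("valid users", ""))]
    return [n for n in names if "\\" not in n]
```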

Configuring Apache

Apache itself requires little configuration other than telling it which modules to load. Unfortunately, the PAM module for Apache is neither included nor available from the install media. mod_auth_pam is simple enough to compile and install, though. Before beginning, make sure your server has the C/C++ Compiler and Tools package pattern installed. You will also need the following packages:

  • pam
  • pam_apparmor
  • pam-devel
  • pam-modules
  • pam_smb
  • yast2-pam
  1. Download mod_auth_pam from the project’s website at http://pam.sourceforge.net/mod_auth_pam/download.html. The Apache 2.0 module is what you’ll need. For user account or primary group authentication, the three patches are not needed.
  2. Uncompress the module using the command tar -xzf mod_auth_pam-2.0-1.1.1.tar.gz. This will create a new folder called mod_auth_pam.
  3. In a terminal window, navigate to the folder mod_auth_pam and run the command make && make install. This will compile the module and install it into the necessary locations.
  4. Using your favorite text editor, open the file /etc/pam.d/httpd. Comment out the two lines created by mod_auth_pam’s install process and add:
    auth required /lib/security/pam_winbind.so
    account required /lib/security/pam_permit.so
    session required /lib/security/pam_permit.so
    To enable logging, add debug after pam_winbind.so. This will record any errors from PAM in the file /var/log/messages.
  5. Open the file /etc/sysconfig/apache2. Scroll through the document and find the section beginning with APACHE_MODULES. Add auth_sys_group and auth_pam inside the list contained within the double quotations. For example, "actions include expires" would become "actions include expires auth_sys_group auth_pam".
  6. Save both files and restart Apache by running the command /etc/rc.d/apache2 restart.

    The module supports two methods to add or change Domain authentication for folders served by Apache.

    Method 1 is to place the necessary parameters within the <Directory></Directory> declaration in your /etc/apache2/httpd.conf or /etc/apache2/vhosts.d/sitename.conf. This method requires Apache to be restarted when a change is made to take effect.

    Method 2 is to place the parameters inside a .htaccess file that’s located in the folder you wish to add authentication. Method 2 is easier for troubleshooting but can be circumvented by simply deleting the .htaccess file.

    My recommendation is to use a .htaccess file to test and setup the permissions the way you like, then copy and place the parameters within your <Directory> definition. This will give your site the added security without the need to restart Apache multiple times while testing.

    In either method chosen, you will need the following parameters:

    AuthPAM_Enabled On
    AuthPAM_FallThrough Off
    AuthBasicAuthoritative Off
    AuthGROUP_Enabled On
    AuthUserFile /dev/null
    AuthType Basic
    AuthName "Login"
    require group MOUSE\sales

    If you want to specify users to have access instead of a group, omit AuthGROUP_Enabled and use require user instead. As with Samba, groups or usernames with spaces will need to be encapsulated with double quotations.

    Depending on your chosen method, you may need to restart Apache. Now, when you try to view a page within the protected folder, you should receive a login prompt. If you are unable to login, check the error log for the site as specified by your <Directory> definition and enable logging mode within the file /etc/pam.d/httpd.
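As an added example (not part of the original article or of mod_auth_pam), this Python script checks the /etc/pam.d/httpd stack and the Apache directives above for the combinations that matter: the auth phase must be decided by pam_winbind.so, the file provider must be pointed at an empty AuthUserFile, and AuthPAM_FallThrough must stay Off so a failed PAM login is not handed to another module. Both sample files are constructed to match the article’s settings.

```python
import re
# Constructed samples, not the article author's files; values follow the article's MOUSE example.
SAMPLE_PAM_HTTPD = """\
auth     required /lib/security/pam_winbind.so debug
account  required /lib/security/pam_permit.so
session  required /lib/security/pam_permit.so
"""
SAMPLE_HTACCESS = """\
AuthPAM_Enabled On
AuthPAM_FallThrough Off
AuthBasicAuthoritative Off
AuthGROUP_Enabled On
AuthUserFile /dev/null
AuthType Basic
require group MOUSE\\sales "MOUSE\\sales execs"
"""

def _tokens(line):
    # Keep a quoted argument such as "MOUSE\sales execs" as one token, quotes removed.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]

def check_pam_stack(text):
    """Flag a /etc/pam.d/httpd stack that does not send every login through winbind."""
    rules = [r for r in map(_tokens, text.splitlines()) if len(r) >= 3 and not r[0].startswith("#")]
    auth = [r for r in rules if r[0] == "auth"]
    problems = []
    if not any(r[1] == "required" and r[2].endswith("pam_winbind.so") for r in auth):
        problems.append("auth must use pam_winbind.so with control 'required'")
    if any(r[1] == "sufficient" and r[2].endswith("pam_permit.so") for r in auth):
        problems.append("a 'sufficient' pam_permit.so in auth can accept any password")
    return problems

def check_directives(text):
    """Flag Apache directives that let a request bypass PAM or that match no user at all."""
    toks = [_tokens(line) for line in text.splitlines()]
    d = {t[0].lower(): t[1:] for t in toks if t and not t[0].startswith("#")}
    problems = []
    for key, want in (("authpam_enabled", "on"), ("authpam_fallthrough", "off"),
                      ("authbasicauthoritative", "off"), ("authtype", "basic")):
        if [a.lower() for a in d.get(key, [])] != [want]:
            problems.append(f"{key} must be {want}")
    if d.get("authuserfile") != ["/dev/null"]:
        problems.append("authuserfile must be /dev/null so the file provider knows no users")
    req = d.get("require", [])
    if req[:1] not in (["group"], ["user"]) or len(req) < 2:
        problems.append("need 'require group ...' or 'require user ...' with at least one name")
    elif req[0] == "group" and [a.lower() for a in d.get("authgroup_enabled", [])] != ["on"]:
        problems.append("require group needs AuthGROUP_Enabled On")
    return problems
```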

Categories: openSUSE, SUSE Linux Enterprise Server, Technical Solutions

Disclaimer: As with everything else at SUSE Conversations, this content is definitely not supported by SUSE (so don't even think of calling Support if you try something and it blows up).  It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.

5 Comments

  1. By: mfaris01

    Here is a helpful link with a list of pam related mods for Linux.

    http://www.kernel.org/pub/linux/libs/pam/modules.html

    Good job!

    Mike…

  2. By: ericgearhart

    I can personally attest that winbind works awesome for authenticating Linux to AD in general. Much simpler than wrestling with LDAP and Kerberos.

    One huge caveat that I’m pretty sure is true: If you have “promoted” Active Directory to “native mode” then authentication with winbind won’t work, as far as I know. If AD is in native mode then your only option is to go to a Kerberos/LDAP based authentication method.

    Back to winbind – In my experience you don’t even need to start Samba at boot (i.e. from /etc/init.d) if you’re only using winbind for authentication and you’re not trying to share files with Samba.

    Nice tip.

  3. By: kamaleon50

    Hi. I’m running openSUSE 10.3 and samba-3.0.26a-3.5. I’m trying to make Winbind and Active Directory work together. When I run smb -b |grep LDAP I don’t get HAVE_LDAP_DOMAIN2HOSTLIST

    host:/etc/samba # smbd -b | grep LDAP
    HAVE_LDAP_H
    HAVE_LDAP
    HAVE_LDAP_ADD_RESULT_ENTRY
    HAVE_LDAP_INIT
    HAVE_LDAP_INITIALIZE
    HAVE_LDAP_SET_REBIND_PROC
    HAVE_LIBLDAP
    LDAP_SET_REBIND_PROC_ARGS

    Should I necessarily have it listed?

    However trying:
    host:/etc/samba # kinit -V admin@PRUEBA
    Password for admin@PRUEBA:
    Authenticated to Kerberos v5

    host:/etc/samba # net ads join -U admin
    admin’s password:
    Using short domain name — MAIN
    Joined ‘HOST’ to realm ‘PRUEBA’

    host:/etc/samba # net ads testjoin
    Join is OK

    When I run wbinfo -u

    host:/etc/samba # wbinfo -u
    Error looking up domain users

    And I see the message in the log file and when I run
    2008/05/02 13:32:30, 1] libads/cldap.c:recv_cldap_netlogon(247) Failed to parse cldap reply

    It seems it’s working, but I just keep getting those errors in the log files and of course it won’t work. Can anybody help me?

    Thank you in advance.

  4. By: brownc4

    kamaleon50, these instructions will only work with NT based domains or mixed mode Windows 2000 domains.
    If you are using a Windows 2000 domain in Native mode or a Windows 2003 Active Directory domain, you have to use Kerberos. Winbind does not support the Kerberos protocols needed.

  5. By: mdemoulin

    It is really important to notice that you need to use the domain name / realm name in UPPERCASE (ex: MYDOMAIN.LOCAL), or else Kerberos will cause problems.
