24th April 2012, 04:23 PM
Teibidh
Apache AD authentication via PAM/Kerberos

In progress due to time restrictions. Feedback on a more efficient/secure configuration is absolutely welcome, and I will attempt to revise the guide over the course of the next couple of weeks accordingly.

I spent the last few days piecing together information from various sources to get a couple of web sites we're using for our intranet configured to use Kerberos and winbind to limit their availability to members of specific Windows Active Directory groups within our organization. Since we require that all of our Linux systems allow administrators to logon with their AD credentials, it seemed natural to me to extend this same capability and have a single authentication system interacting with AD instead of using several different LDAP configurations. Below is a series of steps required to add a Fedora (16, but I used pretty much the same steps for 14 and 15 at various times in various pieces) installation to an AD domain, configure authentication via PAM and then extend PAM authentication to SSH and Apache.

First, packages that will need to be installed... I use a "Minimal" installation so you may find you have some of these installed already:

Quote:
httpd
krb5-workstation *
mod_auth_pam
mod_ssl
pam_krb5
pam_ssh
samba-winbind
samba-winbind-clients
Definitions
  • Authentication - This is verifying that someone is who they say they are. In the case of this guide this will be done via passwords checked against Active Directory accounts using Kerberos.
  • Authorization - This is determining what resources an authenticated user is or is not supposed to have access to. In this case we will differentiate based on AD security group membership.
  • Kerberos - Honestly, I know very little about Kerberos so I won't pretend to; for the purposes of this guide, suffice it to say it is a protocol that is used to allow PAM to securely query Active Directory and authenticate a user.
  • PAM - Pluggable Authentication Modules is designed to allow applications to authenticate/authorize users without having to tangle with the actual user management back-end. A PAM aware program doesn't care whether you're using local users, LDAP users, Active Directory or a MySQL database for users, it just asks PAM to authenticate a user and (optionally) find out what groups a user is part of. PAM's job is to take those authentication requests and use any number of modules to access the necessary authentication/authorization information.
  • Winbind - Part of the Samba suite, used here to enumerate user accounts and groups from AD to usable UID and GIDs for authorization purposes.
  1. Make sure necessary services are started and are going to start automatically at system startup:
    Quote:
    systemctl enable winbind.service
    systemctl enable httpd.service
    systemctl start winbind.service
    systemctl start httpd.service
    Note: For some reason I have to restart after installing these via yum because the *.service files aren't in place yet. I haven't bothered looking into why or resolving it, but if you installed the packages and systemctl returns an error, try restarting.
  2. The following command will configure several files in the /etc folder that are necessary to allow the computer to join an AD domain. This is important because, in any sane configuration, Windows Active Directory doesn't allow anonymous queries, and you would have to attach valid user credentials to any attempt to authenticate users, at which point you might as well use LDAP.
    Quote:
    authconfig --update --enablewinbind --enablewinbindauth --smbsecurity=ads --winbindtemplatehomedir=/home/%U --winbindtemplateshell=/bin/sh --enablewinbindusedefaultdomain --enablelocauthorize --enablemkhomedir --enablekrb5 --enablekrb5kdcdns --enablekrb5realmdns \
    --smbworkgroup=<NETBIOS Domain name> \
    --smbrealm=<FQDN of AD domain> \
    --smbservers=<List of AD domain controllers> \
    --krb5realm=<FQDN of AD domain> \
    --smbidmapuid=100000-200000 \
    --smbidmapgid=100000-200000
    Please note that some of these options may not be necessary for your environment, and I encourage the use of man authconfig and authconfig --help to validate any command before you enter it. Also, there may be additional configuration required for Kerberos on your AD servers; my understanding is that it works out of the box, but our domain controllers were set up years before I started working here and we already had a couple of Linux boxes authenticating against them, it was just that no one knew how exactly.

    The above command configured a handful of files in /etc (nsswitch.conf, pam.d/system-auth-ac, krb5.conf, samba/smb.conf) but didn't actually DO anything (even though it probably resulted in a couple of not-so-savory looking warnings). To actually complete the process of joining the computer to the domain, use the following command:

    Quote:
    net ads join -U <AD user name w/ Add A Computer to the Domain Right>
  3. Verify that the above stuff worked by using the following commands and getting output similar to what's listed:
    Quote:
    kinit <AD username>
    - Enter the password when prompted; correct execution will return no output.
    Quote:
    klist
    - Correct output will show Kerberos ticket timestamp/expiration info.
    Quote:
    wbinfo -r <AD username>
    - Correct output will show a sequential enumerated list.
    Quote:
    wbinfo --gid-info=<one of the numbers from the output above>
    - Correct output will show you AD group name followed by the members.
  4. Because we need to configure it anyway, and because it's a good test that doesn't alter your ability to log on to the box (but could alter your ability to use sudo, so make sure you know the root password), run visudo and add the line %domain\ admins ALL=(ALL) ALL. Create a new logon session (I'd leave the current one alone and in place for the moment) using an account that's part of the group specified (Domain Admins in my example) and make sure that sudo works.
  5. Configure SSH to allow login only from specific groups, in our case the Domain Admins group, by using vi or whatever text editor you choose to edit /etc/ssh/sshd_config. By default in a Fedora 16 installation SSH uses PAM, so UsePAM yes should already be present and not commented out; fix it if it's not. Then add the line AllowGroups "domain admins", save, and use the following to restart SSH:
    Quote:
    systemctl restart sshd.service
  6. Create a file named httpd in /etc/pam.d and populate it with the following lines:
    Quote:
    #%PAM-1.0
    auth required pam_krb5.so
    auth sufficient pam_winbind.so
    account required pam_permit.so
    This will allow httpd (Apache) to use PAM and tell PAM what to say yes or no to. The use of pam_permit.so allows us to configure specifics within the Apache .conf files instead of having to specify allowed groups and the like within the PAM configuration directly (which would get messy if you wanted different sets of permissions for different pages).
  7. I will not get into detail about how the Apache .conf files are laid out; however, please understand that the changes I'm making here are for the entirety of the Apache server instance. Any attempt to access any page within the site will require authentication against AD, but this will only provide for access to the .HTML/.PHP files on the server; it will not (automatically) handle authentication required for installed web-based applications such as phpMyAdmin, which needs you to provide a password for your MySQL instance (though this can be done too...)

    Open /etc/httpd/conf/httpd.conf with your text editor of choice (make a backup first if you wish, though a smarter method might be to simply comment out lines using # and add a comment line before and after the lines you add so you know what to change in the future) and modify the <Directory> element to look like this:
    Quote:
    <Directory />
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthName "Active Directory Authentication"
    AuthPAM_Enabled on
    AuthPAM_FallThrough off
    AuthBasicAuthoritative off
    AuthGROUP_Enabled on
    AuthUserFile /dev/null
    AuthType Basic
    Require valid-user
    </Directory>
    What we accomplish here is requiring that a user must provide valid AD credentials to access any web page hosted on our server. Now, to further secure specific pages you would place the following within the <Directory> element specific to that page to restrict access to it to members of the Domain Admins group specifically:
    Quote:
    <Directory /usr/share/phpMyAdmin>
    Order Deny,Allow
    ..
    ..
    Require group "domain admins"
    </Directory>
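As an added example that is not part of the original post, the following POSIX shell script audits the three files edited in steps 5 to 7 (sshd_config, /etc/pam.d/httpd and httpd.conf) for the settings the guide relies on. The function names, the OK/FAIL output format and the sample files it checks are my own constructions, not taken from the post or from the OpenSSH, Linux-PAM or Apache projects; the checks take a file path so they can be pointed at the real files on a host.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit the three files the
# steps above edit for the settings the guide depends on. Every check takes
# a file path, so it runs here against constructed samples and can be
# pointed at the live /etc files just as easily.

# Drop comments and blank lines so a commented-out directive never matches.
active_lines() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# Step 5: sshd must hand authentication to PAM and restrict logins to the
# listed groups; without AllowGroups every AD user winbind resolves gets a shell.
check_sshd_config() {
    active_lines "$1" | grep -Eiq '^[[:space:]]*UsePAM[[:space:]]+yes' || return 1
    active_lines "$1" | grep -Eiq '^[[:space:]]*AllowGroups[[:space:]]+.' || return 1
}

# Step 6: the auth phase must reach pam_krb5 or pam_winbind, and pam_permit
# belongs only in the account phase (the guide puts it there so that group
# rules live in httpd.conf). pam_permit in the auth phase accepts any password.
check_pam_httpd() {
    active_lines "$1" | awk '
        $1 == "auth" && ($3 ~ /pam_krb5/ || $3 ~ /pam_winbind/) { ad_auth = 1 }
        $1 == "auth" && $3 ~ /pam_permit/                        { permit_in_auth = 1 }
        END { if (ad_auth && !permit_in_auth) exit 0; exit 1 }'
}

# Step 7: PAM auth must be switched on, AuthUserFile pointed at /dev/null so
# no stale htpasswd file is consulted, and a Require rule must be present.
check_httpd_conf() {
    active_lines "$1" | grep -Eiq '^[[:space:]]*AuthPAM_Enabled[[:space:]]+on' || return 1
    active_lines "$1" | grep -Eiq '^[[:space:]]*AuthUserFile[[:space:]]+/dev/null' || return 1
    active_lines "$1" | grep -Eiq '^[[:space:]]*Require[[:space:]]+(valid-user|group)' || return 1
}

# report LABEL CHECK FILE: print one OK/FAIL line per file checked.
report() {
    if "$2" "$3"; then echo "OK   $1: $3"; else echo "FAIL $1: $3"; fi
}

# Constructed samples: a good and a bad variant of each file.
WORK=$(mktemp -d)
cat > "$WORK/sshd_config.good" <<'EOF'
UsePAM yes
AllowGroups "domain admins"
EOF
cat > "$WORK/sshd_config.bad" <<'EOF'
#UsePAM yes
UsePAM no
#AllowGroups "domain admins"
EOF
cat > "$WORK/pam_httpd.good" <<'EOF'
#%PAM-1.0
auth required pam_krb5.so
auth sufficient pam_winbind.so
account required pam_permit.so
EOF
cat > "$WORK/pam_httpd.bad" <<'EOF'
#%PAM-1.0
auth sufficient pam_permit.so
auth required pam_krb5.so
account required pam_permit.so
EOF
cat > "$WORK/httpd_conf.good" <<'EOF'
<Directory />
    AuthPAM_Enabled on
    AuthUserFile /dev/null
    AuthType Basic
    Require valid-user
</Directory>
EOF
cat > "$WORK/httpd_conf.bad" <<'EOF'
<Directory />
    AuthPAM_Enabled off
    AuthUserFile /etc/httpd/htpasswd
    Require valid-user
</Directory>
EOF

# To audit a real host, pass /etc/ssh/sshd_config, /etc/pam.d/httpd and
# /etc/httpd/conf/httpd.conf to the three checks instead of the samples.
for variant in good bad; do
    report sshd_config check_sshd_config "$WORK/sshd_config.$variant"
    report pam_httpd   check_pam_httpd   "$WORK/pam_httpd.$variant"
    report httpd_conf  check_httpd_conf  "$WORK/httpd_conf.$variant"
done
```

The "bad" PAM sample is the mistake worth catching: a sufficient pam_permit.so ahead of pam_krb5.so in the auth phase short-circuits the stack and accepts any password, whereas pam_permit.so in the account phase, as the guide uses it, only defers the group decision to httpd.conf.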

I'm a pretty smart guy, but I certainly didn't write any of the software being used and I didn't magically know how to get this done (in fact, I'm still not sure it's the best way). I pulled info from a ton of places and wish I could cite them all, but I didn't plan on writing this so I didn't keep track. Feel free to redistribute some or all of this information; if you do decide to actually copy parts of it, I'd appreciate it if you link back to this post, more to support FedoraForum.org than for any need for personal credit.


Last edited by Teibidh; 24th April 2012 at 05:27 PM.