There are many howtos and blog posts that describe how to get Apache on Linux to work against Active Directory with single-sign-on. I found none of them to be current and complete. After tinkering with this topic for a while and getting it to work on my Centos 5.4 box, I wanted to post what I did here.
In my case, I wanted single-sign-on to work for agents in OTRS.
In my case, I wanted single-sign-on to work for agents in OTRS.
- Use samba to join the AD
No need to create a special user account and tinker with ktpass and the likes on windows. Everything that needs to be done in AD can be done from Linux through samba, and it works fine.
I've tried to go down the route with the user-service account in AD and it was troublesome, to say the least. There is no resource kit for Windows 7 anymore, so there is no way to get ktpass.exe. The version from the Windows Server 2003 resource kit doesn't work in Windows 7 x64. In the end I had to run ktpass in the domain controller directly, which I'm sure isn't possible in all environments. - Compile mod_auth_kerb from source, as described by Ben Chapman here. Unfortunately the link he cites is no longer available. While authentication works with the mod_auth_kerb in the centos repositories, authorization seems to be troublesome.
- Configure Kerberos and Apache accordingly.
My config files are attached. krb5.conf is complete, the rest are just the relevant parts. Case matters to krb5! I tried to define aliases so it would be less picky about that, but to no avail. Test kerberos functionality with klist and kinit.kinit username@DOMAIN.LOCAL
Should prompt for password, and exit silently if all worked. If not, go through your config again. I've set Apaches loglevel to debug, otherwise there is no useful output in case of errors with mod_auth_kerb. I had many issues ofgss_acquire_cred() failed: Unspecified GSS failure. Minor code may provide more information (, No principal in keytab matches desired name)
In my Apache error_log. It took me a while to figure them out. Somehow mod_auth_kerb wasn't using the correct name for the kerberos service principal, despite me using canonical names. I had to override it, and this finally worked. - Configure OTRS
I first decided to set up authorization in OTRS via Active Directory through LDAP. The OTRS Wiki provides an excellent article that outlines the necessary changes in Kernel/Config.pm. This will not only authenticate existing users through AD, but also create new OTRS users and sync them from AD. For this to work no special Apache configuration is required. If this works, move on to enable Single-Sign-On in Apache for the otrs directory.
Because I want to enable SSO for agents only, I had to use .htaccess files to specify security. So the only change in the Apache config for OTRS from the default is this:
This enables us to comfortable change security settings in a .htaccess file placed in /opt/otrs/bin/cgi-bin. Here it is:
<Directory "/opt/otrs/bin/cgi-bin/">
AllowOverride All
Options +ExecCGI -Includes
Order allow,deny
Allow from all
</Directory>
With these settings in place, we only need to adapt OTRS to use Apaches authentication. Add these lines to OTRS's Config/Kernel.pm:
<files index.pl>
AuthType Kerberos
AuthName "OTRS Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms DOMAIN.LOCAL
KrbServiceName HTTP/webserver.domain.local
Krb5KeyTab /etc/krb5.keytab
KrbSaveCredentials Off
KrbAuthoritative off
KrbVerifyKDC off
# KerbLocalUserMapping on
PerlAddVar ntdomain "DOMAIN.LOCAL pdc bdc"
PerlSetVar defaultdomain DOMAIN.LOCAL
PerlSetVar splitdomainprefix 1
require valid-user
</files>$Self->{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
Despite the manually compiled mod_auth_kerb I still found that Apache passed through the users with the domain name. The easy fix in OTRS is to replace that part via regex, and all is peachy. As of now I'm happy it's working and don't want to spend more time finding out why this fix is required. ;-)
$Self->{'AuthModule::HTTPBasicAuth::ReplaceRegExp'} ='@DOMAIN.LOCAL'; - Client settings
This may be obvious to some, but here it is anyway. In Internet Explorer you have to add the webserver.domain.local to the Local Intranet. Also, you have to enable Integrated Windows Authentication in the Advanced Settings. In Firefox you need to make sure to add "domain.local" to the config value network.negotiate-auth.trusted-uris. This will cause firefox to authenticate using SSPI. I use Firefox 5 and this worked like a charm. Specifying webserver.domain.local under network.automatic-ntlm-auth.trusted-uris alone will not work, as this uses NTLM, which is not Kerberos! Also, by using canonical names in Apache, it doesn't matter whether the clients access the serber by hostname alone, or by FQDN. I've had too many users who don't seem to care, so this is a good thing. Of course, when you add SSL to the equation, things look differently. YMMV.
/etc/samba/smb.conf
[global]
workgroup = DOMAIN
password server = pdc_fqdn bdc_fqdn
realm = DOMAIN.LOCAL
security = ads
template shell = /sbin/nologin
winbind use default domain = false
winbind offline logon = false
use kerberos keytab = true
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
forwardable = yes
[domain_realm]
MYSERVER.DOMAIN.LOCAL = DOMAIN
DOMAIN.LOCAL = DOMAIN
.DOMAIN.LOCAL = DOMAIN
domain.local = DOMAIN
.domain.local = DOMAIN
DOMAIN = DOMAIN
.DOMAIN = DOMAIN
domain = DOMAIN
.domain = DOMAIN
[realms]
DOMAIN= {
kdc = pdc_fqdn
admin_server = pdc_fqdn
}
DOMAIN.LOCAL = {
kdc = pdc_fqdn
kdc = pdc_fqdn
}
[appdefaults]
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
# krb4_convert = true
krb5_get_tickets = false
}
[login]
krb4_convert = true
krb4_get_tickets = false
Where pdc_fqdn would be somthing like DomainController.domain.local.
/etc/httpd/conf/httpd.conf
These are only the relevant parts, the rest is the default config.KeepAlive On
ServerName webserver.domain.local
UseCanonicalName On
LogLevel debug
LoadModule auth_kerb_module modules/mod_auth_kerb.so
Alias /private/ /path/to/my/folder
<location private="">
Options Indexes
# SSLRequireSSL
AuthType Kerberos
AuthName "webserver Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms DOMAIN.LOCAL DOMAIN
KrbServiceName HTTP/webserver.domain.local
Krb5KeyTab /etc/krb5.keytab
KrbSaveCredentials On
KrbAuthoritative off
KrbVerifyKDC off
# KerbLocalUserMapping on
require valid-user
</location>