NTLM Authentication (Active Directory) on Apache (Linux)
Here is a quick guide to enabling NTLM authentication for Apache 2.
I generally use Ubuntu, so I am a heavy apt-get'er, but I prefer to build my Apache from source. Here goes...
Make sure you change 'domain-name' and 'domain-controller' to suit your environment. They are case sensitive.
Install Samba & Kerberos
apt-get install samba winbind krb5-config krb5-user smbfs
Replace /etc/krb5.conf with the following file:
--
[libdefaults]
default_realm = DOMAIN-NAME.LOCAL
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
DOMAIN-NAME.LOCAL = {
kdc = domain-controller.domain-name.local
}
[domain_realm]
.domain-name.local = DOMAIN-NAME.LOCAL
domain-name.local = DOMAIN-NAME.LOCAL
[login]
krb4_convert = true
krb4_get_tickets = false
--
Run the following:
kinit Administrator@DOMAIN-NAME.LOCAL
* This command prints nothing if successful.
Replace /etc/samba/smb.conf with the following:
--
[global]
workgroup = DOMAIN-NAME
realm = DOMAIN-NAME.LOCAL
preferred master = no
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba.log
max log size = 50
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
--
Add any shares that you want visible to your Windows users if you wish.
/etc/init.d/samba restart
Now you can join your Windows domain. You'll be prompted to put in the Domain Administrator password.
net ads join -U Administrator
/etc/init.d/winbind start
Edit /etc/nsswitch.conf
Replace
passwd: compat
group: compat
With
passwd: compat winbind
group: compat winbind
You can test if everything went OK with the following:
wbinfo -g
wbinfo -u
These two commands should list all the groups and users in your Active Directory.
Install Apache
Download the latest apache source package. I assume you know how to do this.
Download mod_ntlm_winbind.zip from here. Or you can download the latest unpacked source from the Samba site.
unzip mod_ntlm_winbind.zip
cd mod_ntlm_winbind/
autoconf
./configure
ln -s mod_ntlm_winbind.c mod_auth_ntlm_winbind.c
/usr/local/apache2/bin/apxs -DAPACHE2 -c -i mod_auth_ntlm_winbind.c
make install
'make install' sometimes returns an error but it does complete the required tasks successfully.
Add the following to your httpd.conf:
--
LoadModule ntlm_winbind_module modules/mod_auth_ntlm_winbind.so
<Directory />
Options FollowSymLinks Multiviews Indexes
AllowOverride All
AuthName "Authentication"
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
AuthType NTLM
require valid-user
</Directory>
--
I used <Directory /> as an example of NTLM authentication server wide, for example on an intranet server. You can apply it to any directory instead, e.g. <Directory /var/www/some-dir>.
Restart Apache to finish off (apachectl lives under the source-built prefix used above):
/usr/local/apache2/bin/apachectl restart
Sometimes winbindd doesn't set its privileged pipe directory to world readable, so Apache cannot talk to the helper and you may get an 'Internal Server Error'. The following will do the trick.
chmod 777 /var/run/samba/winbindd_privileged
I like to add 'chmod 777 /var/run/samba/winbindd_privileged' to /etc/rc.local or equivalent.
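As an added example (not from the original post), here is a small POSIX shell script that runs the sanity checks from the steps above after a reboot: winbind resolves domain users and groups, the ntlm_auth helper is present, and the Apache user can reach the winbindd_privileged directory. The permission check works out owner/group/other precedence from the mode bits, so you can grant access to the Apache user's group and verify it instead of reaching for chmod 777. It assumes GNU stat, that Apache runs as 'www-data', and the paths used in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: GNU stat, Apache
# runs as www-data, paths as used in the post above.

WINBIND_PRIV_DIR=/var/run/samba/winbindd_privileged
APACHE_USER=www-data

# privileged_dir_usable DIR USER: return 0 if USER can enter and read DIR.
# Mirrors the kernel's precedence: owner bits if USER owns DIR, else group
# bits if USER is in DIR's group, else "other" bits. Needs read (4) + search (1).
privileged_dir_usable() {
  dir=$1; user=$2
  [ -d "$dir" ] || return 1
  mode=$(stat -c '%a' "$dir") || return 1      # e.g. 750 (no leading zero)
  owner=$(stat -c '%U' "$dir"); group=$(stat -c '%G' "$dir")
  ubits=$(( (mode / 100) % 10 ))
  gbits=$(( (mode / 10) % 10 ))
  obits=$(( mode % 10 ))
  if [ "$user" = "$owner" ]; then
    bits=$ubits
  elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
    bits=$gbits
  else
    bits=$obits
  fi
  [ $(( bits & 5 )) -eq 5 ]
}

# check_ntlm_stack: the post-join checks from the post, scripted.
check_ntlm_stack() {
  wbinfo -u >/dev/null 2>&1 || { echo "wbinfo -u failed: winbind not running or not joined"; return 1; }
  wbinfo -g >/dev/null 2>&1 || { echo "wbinfo -g failed: group lookup broken"; return 1; }
  [ -x /usr/bin/ntlm_auth ] || { echo "/usr/bin/ntlm_auth missing or not executable"; return 1; }
  privileged_dir_usable "$WINBIND_PRIV_DIR" "$APACHE_USER" ||
    { echo "$APACHE_USER cannot read $WINBIND_PRIV_DIR (expect Internal Server Error)"; return 1; }
  echo "NTLM stack looks sane"
}

# Only run the live checks when asked, so the file can also be sourced.
if [ "${RUN_CHECKS:-0}" = 1 ]; then
  check_ntlm_stack
fi
```

Run it as RUN_CHECKS=1 sh check-ntlm.sh (from rc.local if you like); a non-zero exit tells you which step to revisit.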
May 29th, 2009 - 12:00
Hi, great article and site.
I have a problem, file mod_ntlm_winbind.zip is not available any more.
Is there any other site to download it?
Thx!
June 25th, 2009 - 17:27
mod_auth_ntlm_winbind can be found at:
http://samba.org/ftp/unpacked/lorikeet/mod_auth_ntlm_winbind/