NTLM Authentication (Active Directory) on Apache (Linux)
July 3rd, 2007
Here is a quick guide to enabling NTLM authentication for Apache 2.
I generally use Ubuntu, so I am a heavy apt-get'er, but I prefer to build my Apache from source. Here goes…
Make sure you change 'domain-name' and 'domain-controller' throughout to suit your environment. Kerberos realm names are case sensitive; by convention the realm (DOMAIN-NAME.LOCAL) is written in upper case and the DNS domain (domain-name.local) in lower case.
Install Samba & Kerberos
apt-get install samba winbind krb5-config krb5-user smbfs
Replace /etc/krb5.conf with the following file:
--
[libdefaults]
    default_realm = DOMAIN-NAME.LOCAL
    # The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true
[realms]
    # The realm name here must match default_realm above.
    DOMAIN-NAME.LOCAL = {
        kdc = domain-controller.domain-name.local
    }
[domain_realm]
    # Map the AD DNS domain (and every host under it) to the realm.
    .domain-name.local = DOMAIN-NAME.LOCAL
    domain-name.local = DOMAIN-NAME.LOCAL
[login]
    krb4_convert = true
    krb4_get_tickets = false
--
Run the following:
kinit Administrator@DOMAIN-NAME.LOCAL
* This command prompts for the Administrator password and returns nothing if successful. You can confirm that a ticket was obtained with klist.
Replace /etc/samba/smb.conf with the following:
--
[global]
    workgroup = DOMAIN-NAME
    realm = DOMAIN-NAME.LOCAL
    preferred master = no
    security = ADS
    encrypt passwords = yes
    log level = 3
    log file = /var/log/samba.log
    max log size = 50
    winbind separator = +
    idmap uid = 10000-20000
    idmap gid = 10000-20000
[homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = No
--
Add any shares that you want visible to your Windows users, if you wish.
/etc/init.d/samba restart
Now you can join your Windows domain. You'll be prompted for the Domain Administrator password.
net ads join -U Administrator
/etc/init.d/winbind start
Edit /etc/nsswitch.conf
Replace
passwd: compat
group: compat
With
passwd: compat winbind
group: compat winbind
You can test that everything went OK with the following:
wbinfo -g
wbinfo -u
These two commands should list all the groups and users in your Active Directory. wbinfo -t additionally checks that the machine trust account created by the join is working.
Install Apache
Download the latest apache source package. I assume you know how to do this.
Download mod_ntlm_winbind.zip, or the latest unpacked source from the Samba site.
unzip mod_ntlm_winbind.zip
cd mod_ntlm_winbind/
autoconf
./configure
ln -s mod_ntlm_winbind.c mod_auth_ntlm_winbind.c
/usr/local/apache2/bin/apxs -DAPACHE2 -c -i mod_auth_ntlm_winbind.c
make install
'make install' sometimes returns an error, but it does complete the required tasks successfully.
Add the following into your httpd.conf:
--
LoadModule ntlm_winbind_module modules/mod_auth_ntlm_winbind.so
<Directory />
    Options FollowSymLinks MultiViews Indexes
    AllowOverride All
    AuthName "Authentication"
    NTLMAuth on
    NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
    NTLMBasicAuthoritative on
    AuthType NTLM
    require valid-user
</Directory>
--
I used <Directory /> as an example of NTLM authentication server-wide, for example on an intranet server, but you can apply it to any directory, e.g. <Directory /var/www/some-dir>. Bear in mind that <Directory /> covers the whole filesystem, so Options Indexes and AllowOverride All there apply everywhere Apache can serve from; keep them only if you actually need them.
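The NTLMAuthHelper line above is what the module talks to for every request: it hands the browser's NTLM blobs to ntlm_auth over the squid-2.5-ntlmssp line protocol (YR/TT for the negotiate/challenge, KK/AF or NA for the authenticate/verdict). As an added example, not part of the original post or of mod_auth_ntlm_winbind, this Python script drives that exchange itself, which is handy for checking the helper and winbindd independently of Apache; the ntlmssp_stub blobs are constructed test data, not real NTLM tokens, and the helper path and flag are taken from the httpd.conf above.

```python
import base64
import struct
import subprocess

NTLMSSP_SIG = b"NTLMSSP\x00"

def ntlmssp_type(blob):
    """Return the NTLMSSP message type (1, 2 or 3); raise on a malformed blob."""
    if len(blob) < 12 or blob[:8] != NTLMSSP_SIG:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", blob, 8)[0]
    if msg_type not in (1, 2, 3):
        raise ValueError("unknown NTLMSSP message type %d" % msg_type)
    return msg_type

def ntlmssp_stub(msg_type, body=b""):
    """Minimal NTLMSSP header (signature + type): constructed test data, not a real token."""
    return NTLMSSP_SIG + struct.pack("<I", msg_type) + body

def helper_line(code, blob):
    """Format one helper-protocol line such as 'YR <base64 Type 1>'."""
    return code + " " + base64.b64encode(blob).decode()

def real_helper(cmd=("/usr/bin/ntlm_auth", "--helper-protocol=squid-2.5-ntlmssp")):
    """Return ask(line) -> reply line, backed by one long-lived ntlm_auth process."""
    proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    def ask(line):
        proc.stdin.write(line + "\n")
        proc.stdin.flush()
        return proc.stdout.readline().rstrip("\n")
    return ask

def negotiate(ask, type1, type3_for):
    """One handshake: type1 is the browser's first blob, type3_for(type2) yields its
    answer to winbind's challenge. Returns the authenticated user, or None if refused."""
    if ntlmssp_type(type1) != 1:
        raise ValueError("handshake must start with a Type 1 message")
    code, _, payload = ask(helper_line("YR", type1)).partition(" ")
    if code != "TT":
        raise RuntimeError("no challenge from helper: %s %s" % (code, payload))
    type2 = base64.b64decode(payload)
    if ntlmssp_type(type2) != 2:
        raise RuntimeError("helper challenge is not a Type 2 message")
    type3 = type3_for(type2)
    if ntlmssp_type(type3) != 3:
        raise ValueError("client answer is not a Type 3 message")
    code, _, payload = ask(helper_line("KK", type3)).partition(" ")
    if code == "AF":
        return payload  # e.g. "DOMAIN-NAME+alice" (smb.conf: winbind separator = +)
    if code in ("NA", "BH"):
        return None     # NA: credentials rejected; BH: helper or winbindd broken
    raise RuntimeError("unexpected helper reply: " + code)
```

With a real helper, pass real_helper() as ask and the Type 1 and Type 3 blobs captured from a browser's Authorization headers; a BH reply at the KK step is the same winbindd_privileged permission problem described further down.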
Restart Apache to finish off.
/etc/init.d/apachectl restart
Sometimes winbindd doesn't set the permissions on its privileged pipe directory to be world-readable, so Apache may throw an 'Internal Server Error'. The following will do the trick.
chmod 777 /var/run/samba/winbindd_privileged
I like to add 'chmod 777 /var/run/samba/winbindd_privileged' to /etc/rc.local or equivalent. A tighter alternative is to add the user Apache runs as to the group that owns that directory (winbindd_priv on Debian-based systems), which is what the group ownership is there for, rather than opening the directory to everyone.
August 17th, 2007 at 13:13
[...] I use this on Internet based sites with Google Analytics * It’s AJAX just doesn’t like mod_auth_ntlm or the other way [...]