Friday, August 12, 2011

Apache on Linux and Single-Sign-On with Active Directory

There are many howtos and blog posts that describe how to get Apache on Linux to work against Active Directory with single-sign-on. I found none of them to be current and complete. After tinkering with this topic for a while and getting it to work on my Centos 5.4 box, I wanted to post what I did here.
In my case, I wanted single-sign-on to work for agents in OTRS
  1. Use samba to join the AD
    No need to create a special user account and tinker with ktpass and the likes on windows. Everything that needs to be done in AD can be done from Linux through samba, and it works fine.
    I've tried to go down the route with the user-service account in AD and it was troublesome, to say the least. There is no resource kit for Windows 7 anymore, so there is no way to get ktpass.exe. The version from the Windows Server 2003 resource kit doesn't work in Windows 7 x64. In the end I had to run ktpass in the domain controller directly, which I'm sure isn't possible in all environments.
  2. Compile mod_auth_kerb from source, as described by Ben Chapman here. Unfortunately the link he cites is no longer available. While authentication works with the mod_auth_kerb in the centos repositories, authorization seems to be troublesome.
  3. Configure Kerberos and Apache accordingly.
    My config files are attached. krb5.conf is complete, the rest are just the relevant parts. Case matters to krb5! I tried to define aliases so it would be less picky about that, but to no avail. Test kerberos functionality with klist and kinit.
    kinit username@DOMAIN.LOCAL
    Should prompt for password, and exit silently if all worked. If not, go through your config again. I've set Apaches loglevel to debug, otherwise there is no useful output in case of errors with mod_auth_kerb. I had many issues of
    gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information (, No principal in keytab matches desired name)
    In my Apache error_log. It took me a while to figure them out. Somehow mod_auth_kerb wasn't using the correct name for the kerberos service principal, despite me using canonical names. I had to override it, and this finally worked.
  4. Configure OTRS
    I first decided to set up authorization in OTRS via Active Directory through LDAP. The OTRS Wiki provides an excellent article that outlines the necessary changes in Kernel/ This will not only authenticate existing users through AD, but also create new OTRS users and sync them from AD. For this to work no special Apache configuration is required. If this works, move on to enable Single-Sign-On in Apache for the otrs directory.
    Because I want to enable SSO for agents only, I had to use .htaccess files to specify security. So the only change in the Apache config for OTRS from the default is this:

    <Directory "/opt/otrs/bin/cgi-bin/">

        AllowOverride All
        Options +ExecCGI -Includes
        Order allow,deny
        Allow from all

    This enables us to comfortable change security settings in a .htaccess file placed in /opt/otrs/bin/cgi-bin. Here it is:

      AuthType Kerberos
      AuthName "OTRS Kerberos Login"
      KrbMethodNegotiate On
      KrbMethodK5Passwd On
      KrbAuthRealms DOMAIN.LOCAL
      KrbServiceName HTTP/webserver.domain.local
      Krb5KeyTab /etc/krb5.keytab
      KrbSaveCredentials Off
      KrbAuthoritative off
      KrbVerifyKDC off
    #  KerbLocalUserMapping on
      PerlAddVar ntdomain "DOMAIN.LOCAL pdc bdc"
      PerlSetVar defaultdomain DOMAIN.LOCAL
      PerlSetVar splitdomainprefix 1
      require valid-user

    With these settings in place, we only need to adapt OTRS to use Apaches authentication. Add these lines to OTRS's Config/
    $Self-&gt;{'AuthModule'} = 'Kernel::System::Auth::HTTPBasicAuth';
    $Self-&gt;{'AuthModule::HTTPBasicAuth::ReplaceRegExp'} ='@DOMAIN.LOCAL';
    Despite the manually compiled mod_auth_kerb I still found that Apache passed through the users with the domain name. The easy fix in OTRS is to replace that part via regex, and all is peachy. As of now I'm happy it's working and don't want to spend more time finding out why this fix is required. ;-)
  5. Client settings
    This may be obvious to some, but here it is anyway. In Internet Explorer you have to add the webserver.domain.local to the Local Intranet. Also, you have to enable Integrated Windows Authentication in the Advanced Settings. In Firefox you need to make sure to add "domain.local" to the config value network.negotiate-auth.trusted-uris. This will cause firefox to authenticate using SSPI. I use Firefox 5 and this worked like a charm. Specifying webserver.domain.local under network.automatic-ntlm-auth.trusted-uris alone will not work, as this uses NTLM, which is not Kerberos! Also, by using canonical names in Apache, it doesn't matter whether the clients access the serber by hostname alone, or by FQDN. I've had too many users who don't seem to care, so this is a good thing. Of course, when you add SSL to the equation, things look differently. YMMV.

   workgroup = DOMAIN
   password server = pdc_fqdn bdc_fqdn
   realm = DOMAIN.LOCAL
   security = ads
   template shell = /sbin/nologin
   winbind use default domain = false
   winbind offline logon = false
   use kerberos keytab = true
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

 default_realm = DOMAIN.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

 domain.local = DOMAIN
.domain.local = DOMAIN
domain = DOMAIN
.domain = DOMAIN

  kdc = pdc_fqdn
  admin_server = pdc_fqdn

  kdc = pdc_fqdn
  kdc = pdc_fqdn

  pam = {
     debug = true
     ticket_lifetime = 36000
     renew_lifetime = 36000
     forwardable = true
#     krb4_convert = true
     krb5_get_tickets = false
    krb4_convert = true
    krb4_get_tickets = false

Where pdc_fqdn would be somthing like DomainController.domain.local.

These are only the relevant parts, the rest is the default config.
KeepAlive On
ServerName webserver.domain.local
UseCanonicalName On
LogLevel debug

LoadModule auth_kerb_module modules/
Alias /private/ /path/to/my/folder

<location private="">

  Options Indexes
# SSLRequireSSL
  AuthType Kerberos
  AuthName "webserver Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd On
  KrbServiceName HTTP/webserver.domain.local
  Krb5KeyTab /etc/krb5.keytab
  KrbSaveCredentials On
  KrbAuthoritative off
  KrbVerifyKDC off
#  KerbLocalUserMapping on
  require valid-user


1 comment:

Anonymous said...

Very good writeup! I know how difficult it is getting the whole Linux <<>> AD, OTRS + SSO going from firsthand experience.