Old 02-16-2009, 11:55 PM
Christopher Chan
 
Kanwar Ranbir Sandhu wrote:
> On Tue, 2009-02-17 at 08:05 +0800, Christopher Chan wrote:
>
>> Maybe kerberos authentication?
>>
>> I have winbind authentication working here but I have yet to get
>> kerberos working to get SSO on Linux desktops.
>>
>
> Isn't winbind enough? After all, winbind gets the kerberos ticket when
> the user logs in.
>
??? That's new to me...are you sure?
> What's the difference between kerberos auth and winbind auth?
kerberos auth...should be the one that gets the ticket for you. Winbind
serves to both authenticate you and provide user/group account info.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 02-17-2009, 12:18 AM
Ross Walker
 
On Mon, Feb 16, 2009 at 7:07 PM, Christopher Chan
<christopher.chan@bradbury.edu.hk> wrote:
> Ross Walker wrote:
>> On Feb 16, 2009, at 3:13 AM, "Sorin Srbu" <sorin.srbu@orgfarm.uu.se>
>> wrote:
>>
>>
>>>> -----Original Message-----
>>>> From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf
>>>> Of Christopher Chan
>>>> Sent: Monday, February 16, 2009 8:53 AM
>>>> To: CentOS mailing list
>>>> Subject: Re: [CentOS] Practical experience with NTLM/Windows
>>>> Integrated
>>>> Authentication [Apache]
>>>>
>>>>
>>>>
>>>>>> No, NTLM auth works in Firefox (at least on Firefox on Windows, I
>>>>>> don't think it will work in other platforms though).
>>>>>>
>>>>> It doesn't. NTLM auth to eg Sharepoint sites works fine with
>>>>> Firefox in Windows. Setting the same things in Firefox under linux and
>>>>> having it login to sharepoint doesn't.
>>>>>
>>>> I don't think any other OS other than Windows has NTLM bindings.
>>>>
>>> Probably not, but I was thinking there may be some obscure package
>>> somewhere on the 'net to do this.
>>>
>>
>> Avoid NTLM altogether and use Kerberos between apache/squid, Active
>> Directory and the Windows and Linux clients.
>>
>> Firefox and IE both support Kerberos authentication. I believe apache/
>> squid do too, but you need to manually create the service principal
>> names in AD for those.
>>
>> Use pam_krb5 on the Linux clients to get a ticket on login.
>>
> Mind sharing the pam config for that? I have something setup but things
> don't seem to work.
>> Use samba client on Linux hosts to join to domain and manage the
>> Kerberos keytab file for the machine passwords.
>>
> Hmm...maybe I should not have manually created the credentials.

Ok, here are the default settings that my kickstart file creates to
allow me to join the domain and have samba manage the keytab.

# Default Kerberos configuration
mv /etc/krb5.conf /etc/krb5.conf.orig

cat >/etc/krb5.conf <<EOF
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = yes

[appdefaults]
pam = {
debug = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
krb4_convert = false
}

EOF

authconfig --kickstart --enablekrb5 --krb5realm=MFG.PRV \
    --krb5kdc=mfg.prv --krb5adminserver=mfg.prv --enablekrb5kdcdns \
    --enablekrb5realmdns

# Default Samba configuration
mv /etc/samba/smb.conf /etc/samba/smb.conf.orig

cat >/etc/samba/smb.conf <<EOF
[global]
workgroup = EXAMPLE
realm = EXAMPLE.COM
security = ads
password server = *
use kerberos keytab = yes
passdb backend = tdbsam
allow trusted domains = no
idmap domains = default
idmap config default:default = yes
idmap config default:backend = rid
idmap uid = 100000 - 999999
idmap gid = 100000 - 999999
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = true
winbind enum groups = yes
winbind enum users = yes
name resolve order = wins bcast host

[homes]
comment = Home Directories
read only = no
browseable = no

[printers]
comment = All Printers
path = /var/spool/samba
printable = yes
browseable = no

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
admin users = @"MFGPrinter Admins"
write list = @"MFGPrinter Admins"
force user = root
force group = root
create mask = 0664
directory mask = 0775
EOF

mkdir -p /var/lib/samba/drivers/W32ALPHA
mkdir -p /var/lib/samba/drivers/W32MIPS
mkdir -p /var/lib/samba/drivers/W32PPC
mkdir -p /var/lib/samba/drivers/W32X86
mkdir -p /var/lib/samba/drivers/WIN40
chown -R root:root /var/lib/samba/drivers
chmod -R 775 /var/lib/samba/drivers

authconfig --kickstart --smbworkgroup=MFG --smbservers=* \
    --enablewinbind --smbsecurity=ads --smbrealm=MFG.PRV \
    --smbidmapuid=100000-999999 --smbidmapgid=100000-999999 \
    --winbindtemplatehomedir=/home/%U --winbindtemplateshell=/bin/bash \
    --enablewinbindusedefaultdomain

# Default NSS_LDAP configuration
mv /etc/ldap.conf /etc/ldap.conf.orig

cat >/etc/ldap.conf <<EOF
uri ldap://example.com/
base dc=example,dc=com
timelimit 30
bind_timelimit 30
idle_timelimit 3600
ssl start_tls
tls_checkpeer no
use_sasl yes
sasl_secprops maxssf=0
krb5_ccname FILE:/tmp/krb5.ldap

pam_filter objectClass=User
pam_password crypt

nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup Group

nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute userPassword unixUserPassword

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
EOF

# Default OpenLDAP configuration
mv /etc/openldap/ldap.conf /etc/openldap/ldap.conf.orig

cat >/etc/openldap/ldap.conf <<EOF
URI ldap://example.com
BASE dc=example, dc=com
SASL_SECPROPS maxssf=0
TLS_REQCERT allow
EOF

authconfig --kickstart --ldapserver=mfg.prv --ldapbasedn="DC=mfg,DC=prv"

# Add an entry for pam_mkhomedir in system-auth, just before pam_limits
# (the captured group \1 re-emits the original pam_limits line after it)
sed -i -e 's|^\(session[[:space:]]\+required[[:space:]]\+pam_limits\.so\)|session     required      pam_mkhomedir.so skel=/etc/skel umask=0077 silent\n\1|' \
    /etc/pam.d/system-auth

By using authconfig I avoid having to manually edit the PAM stuff
which can get clobbered after an upgrade.

After configured I do have to manually join the domain, and
enable/restart winbind.

# net ads join -U <admin user>
# chkconfig winbind on
# service winbind restart

-Ross
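Added example, not part of Ross's kickstart or the thread: a pre-join sanity check that reads the krb5.conf and smb.conf a script like the one above writes and confirms the two realms agree, that smb.conf is set for ADS with a Samba-managed keytab, and that tickets will be forwardable. The sample configs inside the script are constructed for the demo (only the realm MFG.PRV is taken from the thread); the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check the Kerberos and Samba
# settings before running "net ads join". Sample configs are constructed.

# Print the value of key $2 from INI-style file $1 (first match, key matched
# case-insensitively, surrounding whitespace removed).
ini_get() {
    grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 |
        sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

lower() { tr '[:upper:]' '[:lower:]'; }

# 0 if krb5.conf default_realm equals the smb.conf realm and is upper-case.
# Kerberos realm names are case-sensitive and AD realms are, by convention,
# the upper-case DNS domain, so "mfg.prv" in one file and "MFG.PRV" in the
# other breaks the join and every ticket request after it.
check_realm_match() {
    krb_realm=$(ini_get "$1" default_realm)
    smb_realm=$(ini_get "$2" realm)
    [ -n "$krb_realm" ] && [ "$krb_realm" = "$smb_realm" ] &&
        [ "$krb_realm" = "$(printf '%s' "$krb_realm" | tr '[:lower:]' '[:upper:]')" ]
}

# 0 if smb.conf uses security = ads plus a Kerberos keytab, the combination
# that lets "net ads join" create the machine account and write its keys
# into the local keytab instead of copying a keytab generated elsewhere.
check_smb_ads() {
    sec=$(ini_get "$1" security | lower)
    kt=$(ini_get "$1" 'use kerberos keytab' | lower)
    [ "$sec" = "ads" ] && { [ "$kt" = "yes" ] || [ "$kt" = "true" ]; }
}

# 0 if krb5.conf requests forwardable tickets, which the browser needs in
# order to delegate the user's credentials to apache/squid.
check_forwardable() {
    fw=$(ini_get "$1" forwardable | lower)
    [ "$fw" = "yes" ] || [ "$fw" = "true" ]
}

# Run all checks on krb5.conf $1 and smb.conf $2; returns 0 only if all pass.
sso_preflight() {
    status=0
    check_realm_match "$1" "$2" && echo "realm: ok" ||
        { echo "realm: krb5.conf and smb.conf disagree, or realm not upper-case"; status=1; }
    check_smb_ads "$2" && echo "smb.conf: security = ads with keytab" ||
        { echo "smb.conf: needs security = ads and use kerberos keytab = yes"; status=1; }
    check_forwardable "$1" && echo "krb5.conf: forwardable tickets" ||
        { echo "krb5.conf: forwardable is not enabled"; status=1; }
    return $status
}

# --- constructed sample configs (not real files from the thread) ----------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat >"$WORK/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = MFG.PRV
 dns_lookup_realm = true
 dns_lookup_kdc = true
 forwardable = yes
EOF
cat >"$WORK/smb.conf" <<'EOF'
[global]
 workgroup = MFG
 security = ads
 realm = MFG.PRV
 use kerberos keytab = yes
EOF
# A broken pair: a template's placeholder realm was never replaced and
# forwarding is off.
cat >"$WORK/krb5-bad.conf" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.COM
 forwardable = no
EOF

sso_preflight "$WORK/krb5.conf" "$WORK/smb.conf"
sso_preflight "$WORK/krb5-bad.conf" "$WORK/smb.conf" || echo "bad pair rejected"
```

Point the functions at /etc/krb5.conf and /etc/samba/smb.conf instead of the temp files to run it on a real host before the join.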
 
Old 02-17-2009, 12:34 AM
Christopher Chan
 
Thanks Ross, much appreciated.


Now I have to see if I can translate the necessary stuff to Ubuntu
(Centos 5 did not cut it for desktop - cost me almost all the new Linux
desktops but it sure was the easiest to install and setup. Ubuntu is a
pain to get the debian-installer to do what kickstart does...still stuck
on the stupid disk part/RAID/LVM configuration)


Christopher
 
Old 02-17-2009, 12:36 AM
Ross Walker
 
On Mon, Feb 16, 2009 at 6:03 PM, Kanwar Ranbir Sandhu
<m3freak@thesandhufamily.ca> wrote:
> On Mon, 2009-02-16 at 15:21 -0500, Ross Walker wrote:
>
>> Avoid NTLM altogether and use Kerberos between apache/squid, Active
>> Directory and the Windows and Linux clients.
>>
>> Firefox and IE both support Kerberos authentication. I believe apache/
>> squid do too, but you need to manually create the service principal
>> names in AD for those.
>
> I was using NTLM at first, but then switched to Kerberos (on the CentOS
> server side). The Windows users didn't see a difference. For them, SSO
> works just as well as before, but I still get prompted to enter
> user/password when I use my Fedora 10 desktop to browse to CentOS hosted
> web sites.
>
> My Fedora desktop is joined to the domain. I can login with my AD
> user/password. I even have caching working, which lets me sign on to my
> laptop when it's not connected to the network.
>
> I suppose I've missed something, though I don't know what.

In Firefox go to your about:config page and scroll down to:

network.negotiate-auth.delegation-uris

and

network.negotiate-auth.trusted-uris

and for their string values enter your DNS domain to allow kerberos
negotiation and delegation to occur.

-Ross
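Added example, not from Ross or the thread: a script that emits a Firefox user.js with the two preferences above, with one guard. trusted-uris lists the sites the browser may answer with a Kerberos service ticket; delegation-uris lists the sites that additionally receive a forwarded TGT and can then act as the user towards other services, so that list should never be wider than the trusted list and ideally names only the hosts that really need it. The "covers" logic is a conservative approximation written for this example (exact match, or a leading-dot domain suffix), not Firefox's own matching code; the domain names and function names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): build a user.js for the Firefox
# negotiate-auth preferences and refuse a delegation list that is broader
# than the trusted list. Matching below is a simplification, not Firefox's.

# Host part of an entry: drop an optional scheme, then any port or path.
entry_host() {
    printf '%s' "$1" | sed 's#^[a-zA-Z]*://##; s#[:/].*$##'
}

# 0 if trusted entry $1 covers delegation entry $2: identical, or $1 is a
# ".domain" suffix that $2's host ends with.
entry_covers() {
    [ "$1" = "$2" ] && return 0
    case "$1" in
        .*) case "$(entry_host "$2")" in
                *"$1") return 0 ;;
            esac ;;
    esac
    return 1
}

# 0 if every comma-separated entry in $1 is covered by some entry in $2.
# Runs in a subshell so changing IFS and disabling globbing do not leak.
list_subset() (
    set -f
    IFS=','
    for entry in $1; do
        found=0
        for have in $2; do
            entry_covers "$have" "$entry" && found=1
        done
        [ "$found" -eq 1 ] || return 1
    done
    return 0
)

# 0 if every entry of $1 is non-empty and free of whitespace.
list_wellformed() (
    set -f
    IFS=','
    for entry in $1; do
        case "$entry" in
            ''|*[[:space:]]*) return 1 ;;
        esac
    done
    return 0
)

# Print user.js lines for trusted list $1 and delegation list $2 (may be
# empty). Prints nothing and returns 1 if the trusted list is malformed or
# the delegation list is not covered by the trusted list.
firefox_negotiate_userjs() {
    list_wellformed "$1" && list_subset "$2" "$1" || return 1
    printf 'user_pref("network.negotiate-auth.trusted-uris", "%s");\n' "$1"
    printf 'user_pref("network.negotiate-auth.delegation-uris", "%s");\n' "$2"
}

# Demo: the whole domain may receive service tickets, but only the proxy
# host (constructed name) gets delegated credentials.
firefox_negotiate_userjs ".mfg.prv" "https://proxy.mfg.prv"
```

Redirect the output into user.js inside the Firefox profile directory (under ~/.mozilla/firefox/) and restart the browser; the values show up in about:config under the two names Ross mentions.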
 
Old 02-17-2009, 12:39 AM
Ross Walker
 
On Mon, Feb 16, 2009 at 7:33 PM, Kanwar Ranbir Sandhu
<m3freak@thesandhufamily.ca> wrote:
> On Tue, 2009-02-17 at 08:05 +0800, Christopher Chan wrote:
>> Maybe kerberos authentication?
>>
>> I have winbind authentication working here but I have yet to get
>> kerberos working to get SSO on Linux desktops.
>
> Isn't winbind enough? After all, winbind gets the kerberos ticket when
> the user logs in.
>
> What's the difference between kerberos auth and winbind auth?

The difference is that winbind authentication is NTLM and it's good
for that endpoint only, but it can't be forwarded on to other services
for a SSO experience (unless there is an NTLM session cache and the
applications are written to use it ala Windows, but it is insecure).

-Ross
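Added example, not from the thread: a check of what the user actually holds after login, which is the property Ross is contrasting. A service that only completed an NTLM exchange has nothing it can pass on; a forwardable Kerberos TGT (flag F in klist -f output) is what the browser can delegate to apache/squid. The klist text inside the script is a constructed sample in MIT "klist -f" layout using the thread's realm MFG.PRV, not a real capture, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): report whether the credential cache
# holds a forwardable TGT for the realm. Sample klist output is constructed.

SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_100001
Default principal: ranbir@MFG.PRV

Valid starting     Expires            Service principal
02/17/09 08:05:00  02/18/09 08:05:00  krbtgt/MFG.PRV@MFG.PRV
    renew until 02/24/09 08:05:00, Flags: FRIA
02/17/09 08:06:12  02/18/09 08:05:00  HTTP/intranet.mfg.prv@MFG.PRV
    renew until 02/24/09 08:05:00, Flags: FRAT'

# The same cache obtained with forwardable = false: the TGT lacks the F flag.
SAMPLE_KLIST_NOFWD='Ticket cache: FILE:/tmp/krb5cc_100001
Default principal: ranbir@MFG.PRV

Valid starting     Expires            Service principal
02/17/09 08:05:00  02/18/09 08:05:00  krbtgt/MFG.PRV@MFG.PRV
    renew until 02/24/09 08:05:00, Flags: RIA'

# Read klist -f output on stdin and print the flag letters of the TGT for
# realm $1 (prints nothing if the cache has no TGT for that realm).
tgt_flags() {
    awk -v tgt="krbtgt/$1@$1" '
        index($0, tgt) { want = 1; next }
        want && /Flags:/ { sub(/.*Flags:[ \t]*/, ""); print; exit }
        { want = 0 }
    '
}

# 0 if the TGT for realm $1 is present and forwardable (flag F).
tgt_is_forwardable() {
    case "$(tgt_flags "$1")" in
        *F*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Demo on the constructed samples; on a real desktop feed "klist -f" instead.
printf '%s\n' "$SAMPLE_KLIST" | tgt_is_forwardable MFG.PRV &&
    echo "forwardable TGT present: delegation to apache/squid is possible"
printf '%s\n' "$SAMPLE_KLIST_NOFWD" | tgt_is_forwardable MFG.PRV ||
    echo "TGT not forwardable: authenticates to the endpoint only"
```

An empty result from tgt_flags after a desktop login is the quickest sign that the PAM stack obtained no ticket at all, which is the situation in which the browser can only fall back to prompting.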
 
Old 02-17-2009, 12:57 AM
Ross Walker
 
On Mon, Feb 16, 2009 at 8:34 PM, Christopher Chan
<christopher.chan@bradbury.edu.hk> wrote:
> Thanks Ross, much appreciated.
>
>
> Now I have to see if I can translate the necessary stuff to Ubuntu
> (Centos 5 did not cut it for desktop - cost me almost all the new Linux
> desktops but it sure was the easiest to install and setup. Ubuntu is a
> pain to get the debian-installer to do what kickstart does...still stuck
> on the stupid disk part/RAID/LVM configuration)

Yes, Ubuntu is nice, but Debian's automated installer still
leaves a lot to be desired.

Just use sed to edit the pam configs in the script section at the end.

Below are what mine look like after authconfig was finished with them.

== system-auth ==
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_mkhomedir.so skel=/etc/skel umask=0077 silent
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so

== nsswitch.conf ==
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nisplus or nis+ Use NIS+ (NIS version 3)
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis

passwd: files winbind
shadow: files winbind
group: files winbind

#hosts: db files nisplus nis dns
hosts: files dns

# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files

netgroup: files

publickey: nisplus

automount: files
aliases: files nisplus


== krb5.conf ==
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = MFG.PRV
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = yes
renewable = yes

[realms]
MFG.PRV = {
kdc = mfg.prv
admin_server = mfg.prv
default_domain = mfg.prv
}

[domain_realm]
.mfg.prv = MFG.PRV
mfg.prv = MFG.PRV

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
pam = {
debug = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
renewable = true
krb4_convert = false
}


== smb.conf ==
[global]
workgroup = MFG
security = ads
realm = MFG.PRV
load printers = yes
printing = cups
max log size = 50
passdb backend = tdbsam
use kerberos keytab = Yes
allow trusted domains = no
idmap backend = rid:"BUILTIN=100000-109999,MFG=110000-999999"
winbind gid = 100000-999999
winbind uid = 100000-999999
template homedir = /home/%U
template shell = /bin/bash
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
wins server = mfg.prv
name resolve order = wins bcast host
restrict anonymous = no
domain master = no
preferred master = no
printer admin = @"MFGPrinter Admins"

[printers]
path = /var/spool/samba
printable = yes

[print$]
path = /var/lib/samba/print
write list = @"MFGPrinter Admins"
force user = root
force group = "printer admins"
create mask = 0664
directory mask = 0775

== ldap.conf ==
URI ldap://mfg.prv/
BASE DC=mfg,DC=prv
SASL_SECPROPS maxssf=0
TLS_REQCERT allow
TLS_CACERTDIR /etc/openldap/cacerts


The LDAP stuff really wasn't necessary to get things working, I just
like the ldapsearch tool for exploring attributes in AD and it works
with GSSAPI (oh you need the GSSAPI/SASL packages installed for SSO to
work).

On Redhat these are:

cyrus-sasl-gssapi-2.1.22-4
libgssapi-0.10-2
cyrus-sasl-2.1.22-4
cyrus-sasl-gssapi-2.1.22-4
cyrus-sasl-lib-2.1.22-4
cyrus-sasl-md5-2.1.22-4
cyrus-sasl-ntlm-2.1.22-4
cyrus-sasl-plain-2.1.22-4

-Ross
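Added example, not from Ross's post: a small lint for a system-auth like the one above. authconfig writes the file, but a hand edit (the sed in the kickstart, or a port of it to another distribution) can easily drop a line or an option. It checks that the auth and password stacks close with an explicit pam_deny.so so the outcome never depends on fall-through, that the pam_krb5 auth line reuses the already-typed password instead of prompting twice, and that pam_mkhomedir.so is present in the session stack. The two sample files inside the script are constructed: the first mirrors the auth, password and session lines of Ross's post, the second is a broken edit; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): lint a system-auth file. The sample
# files are constructed; the "good" one follows the stack shown above.

# Print the non-comment lines of type $1 (auth, account, password, session)
# from PAM file $2, in stack order.
pam_stack() {
    grep -v '^[[:space:]]*#' "$2" | awk -v t="$1" '$1 == t'
}

# Read PAM lines on stdin and print the module name of the first one. The
# control field may be bracketed and contain spaces, so the module is the
# first field ending in ".so" rather than a fixed column.
pam_module() {
    awk '{ for (i = 2; i <= NF; i++) if ($i ~ /\.so$/) { print $i; exit } }'
}

# 0 if the last module of stack $1 in file $2 is pam_deny.so.
stack_ends_in_deny() {
    [ "$(pam_stack "$1" "$2" | tail -n 1 | pam_module)" = "pam_deny.so" ]
}

# 0 if the auth line for pam_krb5.so in $1 has use_first_pass or try_first_pass.
krb5_reuses_password() {
    pam_stack auth "$1" | grep 'pam_krb5\.so' |
        grep -q -e 'use_first_pass' -e 'try_first_pass'
}

# 0 if pam_mkhomedir.so is in the session stack of $1.
session_has_mkhomedir() {
    pam_stack session "$1" | grep -q 'pam_mkhomedir\.so'
}

# Run all checks on file $1 and print a line per result; 0 only if all pass.
pam_lint() {
    status=0
    for stack in auth password; do
        stack_ends_in_deny "$stack" "$1" && echo "$stack: ends in pam_deny.so" ||
            { echo "$stack: does not end in pam_deny.so"; status=1; }
    done
    krb5_reuses_password "$1" && echo "auth: pam_krb5 reuses the typed password" ||
        { echo "auth: pam_krb5 lacks use_first_pass/try_first_pass"; status=1; }
    session_has_mkhomedir "$1" && echo "session: pam_mkhomedir present" ||
        { echo "session: pam_mkhomedir missing"; status=1; }
    return $status
}

# --- constructed sample files ---------------------------------------------
PAMDIR=$(mktemp -d)
trap 'rm -rf "$PAMDIR"' EXIT
cat >"$PAMDIR/system-auth" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_mkhomedir.so skel=/etc/skel umask=0077 silent
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
EOF
# A careless edit: no pam_deny terminator, pam_krb5 will prompt a second
# time, and the home directory will never be created.
cat >"$PAMDIR/system-auth.bad" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_krb5.so
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     required      pam_limits.so
session     required      pam_unix.so
EOF

pam_lint "$PAMDIR/system-auth"
pam_lint "$PAMDIR/system-auth.bad" || echo "broken edit caught"
```

Run pam_lint against /etc/pam.d/system-auth after every authconfig run or upgrade, since the file header itself warns that changes get overwritten.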
 
Old 02-17-2009, 06:29 AM
"Sorin Srbu"
 
>-----Original Message-----
>From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf
>Of Ross Walker
>Sent: Tuesday, February 17, 2009 2:36 AM
>To: CentOS mailing list
>Subject: Re: [CentOS] Practical experience with NTLM/Windows Integrated
>Authentication [Apache]
>
>In Firefox go to your about:config page and scroll down to:
>
>network.negotiate-auth.delegation-uris
>
>and
>
>network.negotiate-auth.trusted-uris
>
>and for their string values enter your DNS domain to allow kerberos
>negotiation and delegation to occur.

No way! This works in linux with Firefox??

I've only tried setting the string values to the Windows trivial names.
Using the FQDN didn't even occur to me. I've got to try this.

Thx for the hint.
--
/Sorin
 
Old 02-17-2009, 04:24 PM
"Joseph L. Casale"
 
>Ok, here are the default settings that my kickstart file creates to
>allow me to join the domain and have samba manage the keytab.

Ross,
I was out of town and missed this thread, which is of great interest to me
as well. When you say "have samba manage the keytab", do you mean not use one,
as opposed to having a dedicated service account on the DC, having it generate
the keytab and having it copied over? A lot of solutions I have seen use that
procedure, which I have never wanted to do for obvious reasons.

Also, I see you also configure ldap to point towards what looks like your AD
server as well. How come you use both Samba/Winbind and ldap?

Thanks for the info!
jlc
 
Old 02-17-2009, 04:27 PM
"Joseph L. Casale"
 
>Too bad. However, based on your information I found this on Google:
>
>http://sivel.net/2007/05/sso-apache-ad-1/
>
>Thanks Filipe. Now I guess I can have a crack at this too.

I haven't tried this one, but make note it lacks NTLMv2 and group support,
which made it non-usable in my environment. Like Filipe suggested,
mod_auth_ntlm_winbind addresses this, but it appears it's not actively
maintained and I got stuck configuring it and gave up...

jlc
 
Old 02-17-2009, 06:07 PM
Kanwar Ranbir Sandhu
 
On Mon, 2009-02-16 at 20:36 -0500, Ross Walker wrote:
> In Firefox go to your about:config page and scroll down to:
>
> network.negotiate-auth.delegation-uris
>
> and
>
> network.negotiate-auth.trusted-uris
>
> and for their string values enter your DNS domain to allow kerberos
> negotiation and delegation to occur.

HA! I had these set already, but I still get prompted. So, today I
decided I should delete the saved passwords for the apache hosted site I
was trying to access, and voila, SSO worked! I can't believe I didn't
remove the saved passwords before.

Anyway, thanks for pointing out the Firefox settings. I doubt I would
have remembered they were there.

Regards,

Ranbir

--
Kanwar Ranbir Sandhu
Linux 2.6.27.12-170.2.5.fc10.x86_64 x86_64 GNU/Linux
14:04:07 up 6 days, 15:51, 4 users, load average: 0.92, 1.02, 0.69


 
