opexxx
11/3/2016 - 11:44 AM

Active Directory and PHP on Apache on Bash on Ubuntu on Windows


<#
  In this example:
  1. Active Directory domain: base.local
  2. Service acct: base\ubuntuauth
  3. Service acct pass: SkiAlta2009 (example value only; it is handed to ktpass below, which RESETS the AD account to that password, so never publish or reuse a real one)
  4. Win 10 workstation name: nimy.base.local
  5. Secondary DNS name: localweb.base.local
  6. Firewall allows port 80

  Browsers will not do Kerberos (Negotiate) for http://localhost: the
  client asks the KDC for a ticket for HTTP/<hostname you typed>, and no
  account holds an HTTP/localhost SPN. The workaround is to register a
  second DNS A record (localweb.base.local) for the workstation, map an
  HTTP/ SPN for that name as well (the second ktpass below), and browse
  to that name locally instead.
  
  In this example, open http://localweb in your browser.
  
   BEGIN  POWERSHELL UNTIL SPECIFIED OTHERWISE
#>

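# Run this on a Domain Controller or a workstation that has ktpass (RSAT AD DS
# tools), as a user allowed to reset the service account's password: ktpass /pass
# does not merely derive keys, it RESETS the account password in AD.
$keytab = 'C:\temp\httpd.keytab'

# Switch notes:
#   /pass *       prompts for the password instead of leaving it on the command
#                 line, in the PowerShell history and in any transcript/log.
#                 Enter the SAME password at both prompts below.
#   /crypto ALL   writes RC4 and DES keys alongside AES. Prefer AES256-SHA1 alone
#                 once every client can do AES (2008+ functional level and the
#                 account's AES flag set) so RC4 is never negotiated.
#   /mapop set    sets the account's SPN/UPN mapping to this principal.
ktpass /princ HTTP/nimy.base.local@BASE.LOCAL /mapuser base\ubuntuauth /crypto ALL /ptype KRB5_NT_PRINCIPAL /mapop set /pass * /out $keytab

# Second SPN, appended to the same keytab (/in + /out). -setpass keeps ktpass
# from resetting the password a second time (a second reset bumps the key
# version number and leaves the HTTP/nimy entry stale), and -setupn keeps the
# UPN set by the first run. After copying to Ubuntu, `klist -k` must show both
# entries with the same KVNO; if it does not, rebuild the keytab in one go.
ktpass /princ HTTP/localweb.base.local@BASE.LOCAL /mapuser base\ubuntuauth /crypto ALL /ptype KRB5_NT_PRINCIPAL /mapop set -setupn -setpass /pass * /in $keytab /out $keytab

# Copy keytab to Windows 10 if you ran it on the DC. The keytab is as sensitive
# as the service account password: keep it off shared folders, and delete the
# copies on the DC and in C:\temp once it is in /etc on Ubuntu.
$session = New-PSSession -ComputerName dc
Copy-Item -Path $keytab -Destination C:\temp -FromSession $session
Remove-PSSession $session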

<#
    END POWERSHELL, BEGIN UBUNTU
#>

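# Install the Kerberos client, Apache and mod_auth_kerb. The krb5-config
# package prompts interactively even with -y:
#   First prompt:            BASE.LOCAL (the realm, in caps)
#   Second and third prompt: lowercase FQDN of the DC (KDC and admin server)
apt-get -y install krb5-user apache2 libapache2-mod-auth-kerb

# Get a ticket to confirm Kerberos is working. This prompts for the service
# account password (the one ktpass was given).
kinit ubuntuauth

# Look at your ticket list
klist

# Move the keytab into /etc and restrict it. The keytab holds the long-term
# key of the HTTP/ service principal: anyone who can read it can impersonate
# the web server and decrypt every service ticket presented to it. Only root
# and Apache's worker user (www-data on Ubuntu) need to read it, so it must
# never be world-readable (the original chmod ugo+r gave it to every local user).
install -o root -g www-data -m 0640 /mnt/c/temp/httpd.keytab /etc/httpd.keytab

# The copy under C:\temp is protected only by whatever Windows ACLs apply
# there; remove it now that the keytab is in place.
rm -f /mnt/c/temp/httpd.keytab

# Check key entries: both SPNs should be listed with the same KVNO.
klist -k /etc/httpd.keytab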

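# Make Apache work

# On Bash on Ubuntu on Windows, starting apache2 fails with
#   mktemp: failed to create directory via template '/var/lock/apache2.xx': No such file or directory
# because /var/lock is a symbolic link to /run/lock, which does not exist here.
mkdir -p /run/lock

# Silence the startup warnings
echo "Listen 0.0.0.0:80" > /etc/apache2/ports.conf
echo "ServerName localhost" > /etc/apache2/conf-available/fqdn.conf
a2enconf fqdn

# Require Kerberos (SPNEGO/Negotiate) authentication for the whole site.
#   KrbMethodK5Passwd off - no fallback to Basic auth, so a browser is never
#                           asked to send the AD password itself.
#   KrbAuthRealms         - pins the realm explicitly instead of relying on
#                           default_realm from krb5.conf.
#   Krb5Keytab            - must be readable by the Apache worker user.
# This serves plain HTTP on port 80: fine for a lab, but page content and any
# session cookies travel unencrypted, so front it with TLS for anything real.
# The heredoc has a quoted delimiter so nothing inside is expanded by the shell.
cat > /etc/apache2/conf-available/kerbauth.conf <<'EOF'
<Location />
    AuthType Kerberos
    KrbAuthRealms BASE.LOCAL
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    Krb5Keytab /etc/httpd.keytab
    Require valid-user
</Location>
EOF
a2enconf kerbauth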

# Bring Apache up with the new config.
service apache2 start

# Prove it works: browse to http://nimy from another domain-joined machine,
# or to http://localweb from nimy itself. Each authenticated request is
# logged with the principal that was accepted, so the access log is the
# quickest place to see yourself authenticating.
tail /var/log/apache2/access.log

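# Want to see PHP in action?
apt-get -y install php5 libapache2-mod-php5

# Write the test page with a quoted heredoc. The original single-quoted
# echo '...' was terminated by the single quotes around $_SERVER['PHP_AUTH_USER'],
# so the file on disk contained $_SERVER[PHP_AUTH_USER] (an undefined constant,
# which only worked by accident via the undefined-constant-to-string notice).
# A quoted heredoc writes the PHP verbatim.
#
# PHP_AUTH_USER here is the principal Apache/mod_auth_kerb authenticated (it
# comes from the KDC-issued ticket, not from a form field), but it is still
# interpolated into HTML, so escape it as a matter of habit.
cat > /var/www/html/test.php <<'EOF'
<?php
$user = htmlspecialchars($_SERVER['PHP_AUTH_USER'], ENT_QUOTES, 'UTF-8');
echo "<center>
        <strong><br>Welcome Active Directory user {$user}
        <br>to PHP on Apache on Bash on Ubuntu on Windows
        <br><br><img src=/icons/ubuntu-logo.png>
    </center>";
?>
EOF

service apache2 force-reload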

# Then go to http://localweb/test.php in your browser