Active Directory and PHP on Apache on Bash on Ubuntu on Windows
<#
In this example:
1. Active Directory domain: base.local
2. Service acct: base\ubuntuauth
3. Service acct pass: SkiAlta2009
4. Win 10 workstation name: nimy.base.local
5. Secondary DNS name: localweb.base.local
6. Firewall allows port 80
Kerberos won't let you authenticate with Windows creds against
http://localhost: the browser asks the KDC for a ticket for the host
name in the URL, and no SPN exists for "localhost". So you work around
it by adding a DNS A record for the workstation (localweb.base.local),
registering an HTTP SPN for that name, and browsing to it instead.
In this example, open http://localweb in your browser.
BEGIN POWERSHELL UNTIL SPECIFIED OTHERWISE
#>
# Run this on a Domain Controller or a workstation with ktpass
$keytab = 'C:\temp\httpd.keytab'
ktpass /princ HTTP/nimy.base.local@BASE.LOCAL /mapuser base\ubuntuauth /crypto ALL /ptype KRB5_NT_PRINCIPAL /mapop set /pass SkiAlta2009 /out $keytab
ktpass /princ HTTP/localweb.base.local@BASE.LOCAL /mapuser base\ubuntuauth /crypto ALL /ptype KRB5_NT_PRINCIPAL /mapop set /pass SkiAlta2009 /in $keytab /out $keytab
# Copy keytab to Windows 10 if you ran it on the DC
$session = New-PSSession -ComputerName dc
Copy-Item -Path $keytab -Destination C:\temp -FromSession $session
<#
END POWERSHELL, BEGIN UBUNTU
#>
# Install the Kerberos client, Apache and mod_auth_kerb
# krb5-config prompts: default realm BASE.LOCAL (uppercase),
# then KDC and admin server: lowercase FQDN of the DC
apt-get -y install krb5-user apache2 libapache2-mod-auth-kerb
# Get a ticket to confirm your krb is working
kinit ubuntuauth
# Look at your ticket list
klist
# Copy the keytab into /etc and make it readable by Apache only (it holds
# the service account's keys, so don't leave it world-readable)
cp /mnt/c/temp/httpd.keytab /etc/
chown root:www-data /etc/httpd.keytab
chmod 640 /etc/httpd.keytab
# Check key entries
klist -k /etc/httpd.keytab
# Fix the Apache startup error on Bash on Ubuntu on Windows:
# mktemp: failed to create directory via template '/var/lock/apache2.xx': No such file or directory
# This happens because /var/lock is a symbolic link to /run/lock, which doesn't exist yet
mkdir /run/lock
# make annoying warnings go away
echo "Listen 0.0.0.0:80" > /etc/apache2/ports.conf
echo "ServerName localhost" > /etc/apache2/conf-available/fqdn.conf
a2enconf fqdn
# Require Kerberos (SPNEGO/Negotiate) authentication for the whole site and enable it
cat > /etc/apache2/conf-available/kerbauth.conf <<'EOF'
<Location />
    AuthType Kerberos
    # Negotiate only: no fallback to a cleartext password prompt over plain HTTP
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    # keytab holding the HTTP/nimy and HTTP/localweb entries created with ktpass above
    Krb5Keytab /etc/httpd.keytab
    Require valid-user
</Location>
EOF
a2enconf kerbauth
# Now start Apache!
service apache2 start
# Show it works: load up http://nimy from remote computer or http://localweb from nimy itself
# Look at the logs if you'd like to see yourself authenticating
tail /var/log/apache2/access.log
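As an added check (not part of the original gist), the POSIX shell functions below verify that the keytab holds both HTTP SPNs from the ktpass step and summarise who authenticated in the Apache access log, separating the normal one-off 401 Negotiate challenge from completed logins. The `klist -k` listing and the log lines are constructed samples in the format those tools produce; the principals alice and bob are made up, and the host names and realm follow the example above.

```shell
#!/bin/sh
# Added example, not part of the original gist: two checks for the setup
# above, run against constructed sample data so they work offline.

# The SPNs the keytab must hold: one per host name a browser may use.
REQUIRED_SPNS='HTTP/nimy.base.local@BASE.LOCAL HTTP/localweb.base.local@BASE.LOCAL'

# keytab_missing_spns: read `klist -k` output on stdin and print every
# required SPN that has no entry (nothing printed means the keytab is ok).
# klist -k lines look like "   3 HTTP/nimy.base.local@BASE.LOCAL", so the
# principal is the second whitespace-separated field.
keytab_missing_spns() {
    listing=$(cat)
    for spn in $REQUIRED_SPNS; do
        printf '%s\n' "$listing" |
            awk -v spn="$spn" '$2 == spn { found = 1 } END { if (found) exit 0; exit 1 }' ||
            printf '%s\n' "$spn"
    done
}

# log_auth_users: read Apache access.log (combined format) on stdin and print
# "principal count" for every request that carried an authenticated user and
# was not a 401 (field 3 is the user, field 9 the status code).
log_auth_users() {
    awk '$3 != "-" && $9 != 401 { n[$3]++ } END { for (u in n) print u, n[u] }' | sort
}

# log_challenges: count 401 responses. One per browser session is the normal
# Negotiate handshake (challenge, then the request is retried with a ticket);
# a run of 401s from one address with no 200 after them is a client that
# cannot obtain a ticket, e.g. one browsing http://localhost as explained above.
log_challenges() {
    awk '$9 == 401 { c++ } END { print c + 0 }'
}

# --- constructed sample data (not captured from a real system) ---
SAMPLE_KLIST='Keytab name: FILE:/etc/httpd.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/nimy.base.local@BASE.LOCAL
   3 HTTP/nimy.base.local@BASE.LOCAL
   3 HTTP/localweb.base.local@BASE.LOCAL'

SAMPLE_LOG='127.0.0.1 - - [01/Nov/2016:09:00:00 +0000] "GET /test.php HTTP/1.1" 401 381 "-" "Mozilla/5.0"
127.0.0.1 - alice@BASE.LOCAL [01/Nov/2016:09:00:00 +0000] "GET /test.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
192.168.1.20 - - [01/Nov/2016:09:01:10 +0000] "GET / HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.168.1.20 - bob@BASE.LOCAL [01/Nov/2016:09:01:10 +0000] "GET / HTTP/1.1" 200 3525 "-" "Mozilla/5.0"
192.168.1.20 - bob@BASE.LOCAL [01/Nov/2016:09:01:11 +0000] "GET /icons/ubuntu-logo.png HTTP/1.1" 200 1234 "http://nimy/" "Mozilla/5.0"'

# On the live box:  klist -k /etc/httpd.keytab | keytab_missing_spns
#                   log_auth_users < /var/log/apache2/access.log
echo "missing SPNs: $(printf '%s\n' "$SAMPLE_KLIST" | keytab_missing_spns)"
echo "authenticated users:"; printf '%s\n' "$SAMPLE_LOG" | log_auth_users
echo "401 challenges: $(printf '%s\n' "$SAMPLE_LOG" | log_challenges)"
```

Both functions read stdin, so they can be fed the real `klist -k` and `access.log` output directly; an empty result from `keytab_missing_spns` is the pass condition, and a user who shows up only in 401 lines never got past the Negotiate challenge.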
# Want to see PHP in action?
apt-get -y install php5 libapache2-mod-php5
# Quoted heredoc so the single quotes in $_SERVER['PHP_AUTH_USER'] reach the file intact
cat > /var/www/html/test.php <<'EOF'
<?php
// mod_auth_kerb supplies the authenticated principal; escape it before echoing it into HTML
$user = htmlspecialchars($_SERVER['PHP_AUTH_USER'], ENT_QUOTES, 'UTF-8');
echo "<center>
<strong><br>Welcome Active Directory user {$user}</strong>
<br>to PHP on Apache on Bash on Ubuntu on Windows
<br><br><img src=/icons/ubuntu-logo.png>
</center>";
?>
EOF
service apache2 force-reload
# Then go to http://localweb/test.php in your browser