
Ubuntu 15.10 Apache SSO to Active Directory without being a Member Server


<#
  In this example:
  1. Active Directory domain: base.local
  2. Domain controller 1: dc.base.local
  3. Domain controller 2: bdc.base.local
  4. Test username: base\chrissy
  5. Test Ubuntu FQDN: web1.base.local
  
  Note: Make sure the Ubuntu host resolves through the AD DNS servers (check /etc/resolv.conf) and that web1.base.local has a forward A record in that zone, ideally with a matching PTR record — the KDC names above and the browser's SPN lookup both depend on it.
#>

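# Install the Kerberos client tools. ntp keeps the clock inside the KDC's
# skew tolerance (5 minutes by default) — a drifted clock fails with
# "Clock skew too great" and nothing below will authenticate.
apt-get -y install krb5-user ntp ntpdate

# What matters for Kerberos is agreeing with the *KDC's* clock, so point
# ntpd at the domain controllers (prefer the first one) instead of only a
# public pool. Step the clock once against the DC before starting ntpd so
# it does not have to slew a large initial offset.
printf 'server dc.base.local iburst prefer\nserver bdc.base.local iburst\n' >> /etc/ntp.conf
service ntp stop
ntpdate -s dc.base.local
service ntp start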

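# Write the Kerberos client config. Realm names are case-sensitive and must
# be upper-case; host names stay lower-case. Comments must start in
# column 0 for the krb5 profile parser.
cat > /etc/krb5.conf <<'EOF'
[libdefaults]
# Unitless lifetime values are seconds: 24000 s is about 6h40m.
 ticket_lifetime = 24000
 default_realm = BASE.LOCAL
# KDCs are pinned explicitly in [realms] below, so do not let DNS SRV
# records pick a KDC for us.
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 BASE.LOCAL = {
  kdc = dc.base.local:88
  kdc = bdc.base.local:88
 }

[domain_realm]
 .base.local = BASE.LOCAL
 base.local = BASE.LOCAL

[appdefaults]
# Only read by pam_krb5, which this walkthrough does not install; kept so
# the file is ready if PAM logins are added later.
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
EOF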

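# Get a TGT for the test user. This only proves the KDC config and clock
# are right; it does not involve the web server yet.
kinit chrissy

# -e prints the encryption type of each ticket. Keep that in mind for
# later: the keytab must hold a key of an enctype the KDC actually issues.
klist -e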

<#
     RUN THE FOLLOWING IN POWERSHELL, on a domain-joined Windows host, as an
     account that can create AD users and has PowerShell remoting access to
     the DC (Copy-Item -FromSession needs PowerShell 5.0). Shell commands
     resume at END POWERSHELL.
#>

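# The DC that every remote call below targets (the original used a literal
# in one place and an undefined $dc in the others).
$dc = 'dc.base.local'

# Service-account password. Nobody ever types it (only ktpass uses it), so
# make it long and draw it from the OS CSPRNG. Get-Random -Count picks
# characters *without* replacement from a non-cryptographic generator.
# Base64 gives upper/lower/digits; '+', '/' and '=' are swapped for '_' so
# the value is safe as a bare ktpass argument and still has a symbol for
# AD's complexity policy.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$randompass = [Convert]::ToBase64String($bytes) -replace '[+/=]', '_'
$securepass = ConvertTo-SecureString -String $randompass -AsPlainText -Force

# Create the service account the HTTP SPN will be mapped to. A password
# expiry would silently invalidate the keytab, so exempt it and rotate by
# re-running ktpass instead.
Invoke-Command -ComputerName $dc -ArgumentList $securepass -ScriptBlock {
    New-ADUser -Name UbuntuAuth -GivenName Ubuntu -Surname Auth `
        -SamAccountName ubuntuauth -UserPrincipalName ubuntuauth@BASE.LOCAL `
        -AccountPassword $args[0] -PasswordNeverExpires $true -PassThru |
        Enable-ADAccount
}

# Map the SPN to the account and write the keytab on the DC.
# /crypto ALL would also put RC4 and DES keys in the keytab; AES256 alone
# is enough for a current krb5 client. If clients still receive RC4
# tickets, check msDS-SupportedEncryptionTypes on the account
# (Set-ADUser ubuntuauth -KerberosEncryptionType AES256, 2012+ AD module).
# The output path is evaluated on the DC: $env:TEMP would expand to the
# *local* profile's temp directory, which need not exist there.
$spn    = 'HTTP/web1.base.local@BASE.LOCAL'
$keytab = 'C:\Windows\Temp\httpd.keytab'

Invoke-Command -ComputerName $dc -ArgumentList $spn, $randompass, $keytab -ScriptBlock {
    ktpass /princ $args[0] /mapuser base\ubuntuauth /crypto AES256-SHA1 `
        /ptype KRB5_NT_PRINCIPAL /mapop set /pass $args[1] /out $args[2]
}

# Pull the keytab back, then remove the copy on the DC: the keytab is the
# HTTP service's long-term key and must not be left in a shared temp dir.
$copysession = New-PSSession -ComputerName $dc
Copy-Item -Path $keytab -Destination $env:TEMP -FromSession $copysession
Invoke-Command -Session $copysession -ArgumentList $keytab -ScriptBlock { Remove-Item -Path $args[0] -Force }
Remove-PSSession $copysession

# Now copy $env:TEMP\httpd.keytab to the Ubuntu server with WinSCP (SFTP),
# then delete the local copy once it is in place.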

<#
    END POWERSHELL
#>

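# Install the keytab. It holds the HTTP service's long-term key: anyone who
# can read it can decrypt or forge service tickets for web1, so it must not
# be world-readable (the original chmod ugo+r made it so). Apache's worker
# processes run as www-data and are the only readers that need it.
mv httpd.keytab /etc/
chown root:www-data /etc/httpd.keytab
chmod 0640 /etc/httpd.keytab

# Confirm the SPN and enctypes in the keytab (-e prints the enctype of each
# entry; compare with the klist -e output from the kinit step).
klist -ke /etc/httpd.keytab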

# Apache plus the Kerberos/SPNEGO auth module. The walkthrough never runs
# a2enmod, so the package is expected to enable the module on install; if
# the reload complains about unknown Krb* directives, check with
# "a2query -m auth_kerb".
apt-get install --yes apache2 libapache2-mod-auth-kerb

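# Put the SSO config in its own snippet instead of hand-editing
# apache2.conf: it survives package upgrades and can be toggled with
# a2enconf/a2disconf. Note that this is plain HTTP — Negotiate proves who
# the user is but nothing here encrypts the session; put TLS in front
# before serving real content.
cat > /etc/apache2/conf-available/kerberos-sso.conf <<'EOF'
<Location />
    AuthType Kerberos
    AuthName "BASE.LOCAL"
    # Pin the principal looked up in the keytab. Without this mod_auth_kerb
    # derives HTTP@<ServerName>, which only works if Apache's ServerName is
    # the FQDN the browser actually uses.
    KrbServiceName HTTP/web1.base.local
    Krb5Keytab /etc/httpd.keytab
    # SPNEGO only. Keep K5Passwd off: enabling it lets browsers fall back to
    # HTTP Basic and send the user's AD password to this host in cleartext.
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    Require valid-user
</Location>
EOF
a2enconf kerberos-sso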

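# Check the config syntax first; a broken directive otherwise only shows up
# as a failed reload with the reason buried in the log.
apache2ctl configtest && service apache2 force-reload

# Watch the error log while testing from the browser: keytab, SPN and
# clock-skew problems from mod_auth_kerb are reported here.
tail -f /var/log/apache2/error.log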

# Open Chrome on a domain-joined Windows client logged in as chrissy and browse to
# http://web1.base.local — use the FQDN, not an IP or an alias, because the ticket
# the browser requests is for the SPN HTTP/web1.base.local. On Windows, Chrome hands
# Negotiate to the OS and only sends a ticket to sites it considers intranet; if you
# get a 401 or a prompt, add web1.base.local to the Local Intranet zone (Internet
# Options) or to Chrome's AuthServerWhitelist policy. A successful request shows up
# in the error log tail above, and the user appears in Apache's REMOTE_USER.