Ubuntu 15.10 Apache SSO to Active Directory without being a Member Server
<#
In this example:
1. Active Directory domain: base.local
2. Domain controller 1: dc.base.local
3. Domain controller 2: bdc.base.local
4. Test username: base\chrissy
5. Test Ubuntu FQDN: web1.base.local
Note: the Ubuntu host's DNS resolvers must be the AD DNS servers
#>
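# Install required packages. ntp keeps the clock in sync, which Kerberos needs:
# a request whose timestamp differs from the KDC's by more than clockskew
# (5 minutes by default) is rejected. DEBIAN_FRONTEND=noninteractive stops
# krb5-user's debconf realm prompt; /etc/krb5.conf is written by hand next anyway.
DEBIAN_FRONTEND=noninteractive apt-get -y install krb5-user ntp ntpdate
# One-shot clock step before ntpd takes over. The domain controller is the clock
# the KDC compares against, so step to it rather than a public server. For
# ongoing sync also add the DC(s) as "server" lines in /etc/ntp.conf.
# -s sends ntpdate's output to syslog, so report a failure here explicitly.
service ntp stop
ntpdate -s dc.base.local || printf '%s\n' 'warning: ntpdate against dc.base.local failed; check DNS and UDP/123 reachability' >&2
service ntp start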
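# Next, edit the Kerberos client config (contents follow). Keep a copy of the
# package default first so the change can be rolled back; -n leaves an existing
# backup untouched on re-runs.
if [ -e /etc/krb5.conf ]; then cp -an /etc/krb5.conf /etc/krb5.conf.orig; fi
vi -- /etc/krb5.conf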
# MIT Kerberos client configuration for the BASE.LOCAL realm.
# Realm names are upper-case by convention; the DNS domain stays lower-case.
[libdefaults]
# Lifetime requested for new tickets, in seconds (24000 s is about 6.7 h).
ticket_lifetime = 24000
# Realm assumed when a principal is given without one (e.g. "kinit chrissy").
default_realm = BASE.LOCAL
# Both DNS-based discovery mechanisms are off: the realm mapping and the KDCs
# are pinned explicitly below instead of being looked up via TXT/SRV records.
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
BASE.LOCAL = {
# Both domain controllers act as KDCs; 88 is the standard Kerberos port.
kdc = dc.base.local:88
kdc = bdc.base.local:88
}
[domain_realm]
# Map the DNS domain, and every host beneath it, to the realm.
.base.local = BASE.LOCAL
base.local = BASE.LOCAL
[appdefaults]
# Settings read by pam_krb5. Nothing on this page installs or configures PAM
# Kerberos, so this stanza only takes effect if PAM login is added later.
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
# Forwardable tickets can be delegated onward to other services; keep this on
# only if credential forwarding is actually needed.
forwardable = true
# Kerberos 4 compatibility option; obsolete and presumably ignored by current releases.
krb4_convert = false
}
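# Get a ticket for the test user (kinit prompts for the password). The realm is
# taken from default_realm in /etc/krb5.conf, i.e. BASE.LOCAL.
# Only list the ticket cache if kinit succeeded; otherwise klist just reports a
# missing credential cache, which hides the real error.
kinit chrissy && klist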
<#
POWERSHELL UNTIL SPECIFIED OTHERWISE
#>
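# Generate a new password: 20 distinct characters drawn from ASCII 48..120
# (digits, some punctuation, A-Z, a-x). It only exists to derive the keytab
# key, so nobody needs to remember it.
$randompass = -Join (48..120 | ForEach-Object {[char]$_} | Get-Random -Count 20)
$securepass = ConvertTo-SecureString -String $randompass -AsPlainText -Force
# All remote work happens on this DC; define it once and use it everywhere.
$dc = 'dc.base.local'
# Add a new user called ubuntuauth with the new password. This is the service
# account whose key ends up in the Ubuntu keytab; it needs no other rights.
Invoke-Command -ComputerName $dc -ArgumentList $securepass -ScriptBlock { New-ADUser -Name UbuntuAuth -GivenName Ubuntu -Surname Auth -SamAccountName ubuntuauth -UserPrincipalName ubuntuauth@BASE.LOCAL -AccountPassword $args[0] -PassThru | Enable-ADAccount }
# Create a keytab (not a ticket) for the web server's HTTP service principal.
$principal = "HTTP/web1.base.local@BASE.LOCAL"
# Resolve the temp path on the DC itself, because ktpass writes there;
# $env:TEMP evaluated on this workstation need not exist on the DC.
$keytab = Invoke-Command -ComputerName $dc -ScriptBlock { Join-Path $env:TEMP 'httpd.keytab' }
# ktpass maps the SPN onto the account and resets its password to $randompass
# so the keytab and AD agree on the key. /crypto ALL also emits keys for the
# weaker RC4/DES types; prefer restricting it (and the account's Kerberos
# encryption types) to AES where the clients support it. The password is
# visible on the DC's command line for the duration of the call.
Invoke-Command -ComputerName $dc -ArgumentList $principal, $randompass, $keytab -ScriptBlock { ktpass /princ $args[0] /mapuser base\ubuntuauth /crypto ALL /ptype KRB5_NT_PRINCIPAL /mapop set /pass $args[1] /out $args[2] }
# Pull the keytab back, then remove the copy left on the DC: it contains the
# service's long-term key and should not linger in a temp directory.
$copysession = New-PSSession -ComputerName $dc
New-Item -ItemType Directory -Force -Path C:\temp | Out-Null
Copy-Item -Path $keytab -Destination C:\temp -FromSession $copysession
Invoke-Command -Session $copysession -ArgumentList $keytab -ScriptBlock { Remove-Item -Path $args[0] }
Remove-PSSession $copysession
# The plaintext password is no longer needed; drop both copies from the session.
Remove-Variable -Name randompass, securepass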
# Now copy C:\temp\httpd.keytab to the Ubuntu server using WinSCP (SCP/SFTP); the keytab holds the service's long-term key, so it must only travel over an encrypted channel
<#
END POWERSHELL
#>
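# Move the keytab into /etc and lock down its permissions. The keytab holds the
# HTTP service's long-term key: anyone who can read it can impersonate the
# service and decrypt client tickets, so it must not be world-readable.
# Apache's worker processes run as www-data on Ubuntu (the account exists in
# the base system), so owner root plus group read for www-data is enough for
# mod_auth_kerb.
mv -- httpd.keytab /etc/httpd.keytab
chown root:www-data /etc/httpd.keytab
chmod 0640 /etc/httpd.keytab
# Check key entries; -e also prints each entry's encryption type, which shows
# exactly what ktpass /crypto produced.
klist -ke /etc/httpd.keytab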
# Install Apache together with the Kerberos/SPNEGO authentication module.
apt-get install -y apache2 libapache2-mod-auth-kerb
# Edit the Apache config: place the <Location> block shown below above the
# first <Directory section.
vi -- /etc/apache2/apache2.conf
# Require Kerberos (SPNEGO) authentication for the whole site.
<Location />
AuthType Kerberos
# Accept Negotiate (GSSAPI) tokens from the browser.
KrbMethodNegotiate on
# No Basic-auth fallback verified against the KDC: clients that cannot
# negotiate get a 401 instead of sending the user's password to this server.
KrbMethodK5Passwd off
# Service key for HTTP/web1.base.local; must be readable by Apache's worker user.
Krb5Keytab /etc/httpd.keytab
# Any successfully authenticated principal is let in. NOTE(review): consider
# adding KrbAuthRealms BASE.LOCAL so valid-user does not also accept principals
# from other trusted realms, and serve this over HTTPS - nothing on this page
# configures TLS.
Require valid-user
</Location>
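# Validate the edited config first so a typo does not take the site down, then
# reload Apache and follow the error log (Ctrl-C to stop tailing).
apache2ctl configtest && service apache2 force-reload
tail -f /var/log/apache2/error.log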
# Open Chrome and browse to
web1.base.local