Install mod_auth_ntlm_winbind on CentOS 6.0

Step 1. Install ntp and synchronize clocks

We'll be using winbind, kerberos and ntlm to authenticate the user. This requires the clocks of the AD server and the proxy server to be synchronized.

yum -y install ntp
sed -i "s/^server /#server /g" /etc/ntp.conf
echo "server YOURSERVERNAME" >> /etc/ntp.conf
ntpdate YOURSERVERNAME #synchronize right now
service ntpd start #and keep in sync
chkconfig ntpd on #after reboot as well

Step 2. Update system and install required software

yum update
yum install mc vim httpd php svn httpd-devel make autoconf gcc ntp krb5-workstation \
samba-common authconfig samba-winbind

Step 3. Connect to active directory

Note that MYCOMPANY.local and mycompany.local may be treated as different domains because of the difference in case, so use the same spelling everywhere.

ADSERVER=sbs.MYCOMPANY.local
DOMAIN=MYCOMPANY.local
WORKGROUP=MYCOMPANY
authconfig --enableshadow --enablemd5 --passalgo=md5 --krb5kdc=$ADSERVER \
--krb5realm=$DOMAIN --smbservers=$ADSERVER --smbworkgroup=$WORKGROUP \
--enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm=$DOMAIN \
--smbidmapuid="16777216-33554431" --smbidmapgid="16777216-33554431" --winbindseparator="+" \
--winbindtemplateshell="/bin/false" --enablewinbindusedefaultdomain --disablewinbindoffline \
--winbindjoin=Administrator --disablewins --disablecache --enablelocauthorize --updateall
service winbind start ; chkconfig winbind on
setsebool -P allow_httpd_mod_auth_ntlm_winbind on

Now check your winbind connection using the following commands:

wbinfo -u
wbinfo -g

The socket /var/lib/samba/winbindd_privileged/pipe should be writable by the webserver. To allow that access, I add user apache to the group wbpriv: usermod -a -G wbpriv apache (the -a keeps apache's existing supplementary groups; without it, -G replaces them).

Step 4. Download and compile mod_auth_ntlm_winbind

svn co svn://svnanon.samba.org/lorikeet/trunk/mod_auth_ntlm_winbind mod_auth_ntlm_winbind
cd mod_auth_ntlm_winbind/
autoconf
./configure
apxs -DAPACHE2 -c -i mod_auth_ntlm_winbind.c

Step 5. Configure it

In /etc/httpd/conf.d/mod_auth_ntlm_winbind.conf I put the following configuration:

LoadModule auth_ntlm_winbind_module /usr/lib64/httpd/modules/mod_auth_ntlm_winbind.so
<Directory "/var/www/html">
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthName "NTLM Authentication"
AuthType NTLM
Require valid-user
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
</Directory>

In /etc/httpd/conf/httpd.conf, change KeepAlive Off to KeepAlive On. Preferably, also set MaxKeepAliveRequests and KeepAliveTimeout to a high value. On my intranet server, they're set to 1000 requests and 600 seconds.

Step 6. Change your firewall to enable incoming HTTP

iptables -I INPUT -p tcp --dport 80 -j ACCEPT
service iptables save

Step 7. Go!

Run service httpd restart, make httpd start on reboot using chkconfig httpd on and test your configuration.
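Before testing in the browser, a quick pre-flight check saves time chasing the wrong step. The script below is an added example, not a script from the original post. It assumes the names the post uses (user apache, group wbpriv, the winbindd_privileged pipe, the SELinux boolean and ntlm_auth with the squid-2.5-ntlmssp helper protocol) and it assumes that a bare YR line makes a working helper answer with a TT challenge.

```shell
#!/bin/bash
# Pre-flight checks for the winbind/NTLM setup above (added example, not from the post).
# Assumed: user apache, group wbpriv, the winbindd_privileged pipe, the SELinux boolean
# and ntlm_auth speaking squid-2.5-ntlmssp, exactly as named in the steps above.
PIPE=/var/lib/samba/winbindd_privileged/pipe
MAX_SKEW=300   # Kerberos rejects tickets once clocks drift more than 5 minutes
# offset_ok SECONDS -> 0 when |SECONDS| is within the Kerberos tolerance
offset_ok() {
    awk -v o="$1" -v m="$MAX_SKEW" 'BEGIN { if (o < 0) o = -o; exit !(o <= m) }'
}
# group_has_member "GROUP_LINE" USER -> 0 when USER appears in a getent line
# such as "wbpriv:x:88:apache"
group_has_member() {
    members=${1##*:}
    case ",$members," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}
# sebool_on "BOOL --> on" -> 0 when a getsebool line reports the boolean as on
sebool_on() {
    case $1 in *"--> on") return 0 ;; *) return 1 ;; esac
}
# helper_verdict "REPLY" -> one word for a squid-2.5-ntlmssp helper answer:
# TT = challenge to relay to the client, AF = authenticated, NA = denied,
# BH = helper broken (usually winbind unreachable or the pipe not writable)
helper_verdict() {
    case $1 in
        TT\ *) echo challenge ;;
        AF\ *) echo authenticated ;;
        NA\ *) echo denied ;;
        BH\ *) echo broken ;;
        *)     echo unknown ;;
    esac
}
# run_checks ADSERVER -> live checks against this host; only runs when invoked
# as: preflight.sh check ADSERVER
run_checks() {
    off=$(ntpdate -q "$1" 2>/dev/null | awk '/offset/ { sub(",", "", $6); print $6; exit }')
    offset_ok "${off:-999999}" && echo "clock ok (offset ${off}s)" || echo "FAIL clock: offset ${off:-unknown}s"
    wbinfo -t >/dev/null 2>&1 && echo "winbind trust ok" || echo "FAIL wbinfo -t: not joined or winbind down"
    group_has_member "$(getent group wbpriv)" apache && echo "apache in wbpriv" || echo "FAIL: usermod -a -G wbpriv apache"
    sudo -u apache test -w "$PIPE" && echo "pipe writable by apache" || echo "FAIL: $PIPE not writable by apache"
    sebool_on "$(getsebool allow_httpd_mod_auth_ntlm_winbind 2>/dev/null)" && echo "selinux boolean on" || echo "FAIL: selinux boolean off"
    # Assumption: a bare YR makes a working helper answer "TT <challenge>"
    v=$(helper_verdict "$(printf 'YR\n' | ntlm_auth --helper-protocol=squid-2.5-ntlmssp 2>/dev/null | head -n 1)")
    [ "$v" = challenge ] && echo "ntlm_auth helper ok" || echo "FAIL helper: $v"
}
case ${1:-} in check) run_checks "${2:?ADSERVER required}" ;; esac
```

Run it as root after Step 3 with: sh preflight.sh check sbs.MYCOMPANY.local. A "denied" verdict from a real request (NA NT_STATUS_...) means winbind reached the DC but rejected the credentials, while "broken" (BH) points at the pipe or winbind itself.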

© GeekLabInfo Install mod_auth_ntlm_winbind on CentOS 6.0 is a post from GeekLab.info. You are free to copy materials from GeekLab.info, but you are required to link back to http://www.geeklab.info

8 thoughts on "Install mod_auth_ntlm_winbind on CentOS 6.0"

  1. sulman

    Hi,
    I am in need of your assistance; I have followed your instructions. However, when I reach STEP 5

    "In /etc/httpd/conf.d/mod_auth_ntlm_winbind.conf I put the following configuration
    LoadModule auth_ntlm_winbind_module /usr/lib64/httpd/modules/mod_auth_ntlm_winbind.so
    <Directory "/var/www/html">
    Options ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthName "NTLM Authentication"
    AuthType NTLM
    Require valid-user
    NTLMAuth on
    NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
    NTLMBasicAuthoritative on
    </Directory>

    I get following error message when i restart httpd services:
    "[root@Centos conf.d]# service httpd restart
    Stopping httpd: [FAILED]
    Starting httpd: Syntax error on line 2 of /etc/httpd/conf.d/mod_auth_ntlm_winbind.conf:
    Invalid command '<Directory', perhaps misspelled or defined by a module not included in the server configuration
    [FAILED]

    Will be much appreciated for your help and assistance on this matter.

  2. David (admin) Post author

    Please change the &lt; and &gt; to < and >
    Apparently, WordPress rendered them wrong.

  3. sulman

    I managed to start the httpd service by making the following amendment in mod_auth_ntlm_winbind.conf

    LoadModule auth_ntlm_winbind_module /usr/lib64/httpd/modules/mod_auth_ntlm_winbind.so

    Options ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthName "NTLM Authentication"
    AuthType NTLM
    Require valid-user
    NTLMAuth on
    NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
    NTLMBasicAuthoritative on

    Having said that, this file "mod_auth_ntlm_winbind.conf" was not under "/etc/httpd/conf.d/" at the time of following the above setup, so I created it and added the above information, then applied chown apache to this file. Not really sure if it's going to work, but I am going to give it a try.

  4. David (admin) Post author

    @Alex: You modify no files. The command authconfig does modify files for you. But the very point of using authconfig is just that you don't have to think of which files to modify yourself.

  5. Alex

    Thanks David for the previous response,

    I already made the indicated configurations:

    * Install and configure ntp

    * Install the packages: mc vim httpd php svn httpd-devel make autoconf gcc ntp krb5-workstation samba-common authconfig samba-winbind

    * Connect the Linux server to the domain ...
    authconfig --enableshadow --enablemd5 --passalgo=md5 --krb5kdc=cgadpijao.cgfm.col \
    --krb5realm=CGFM.col --smbservers=cgadpijao.cgfm.col --smbworkgroup=CGSFM \
    --enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm=CGFM.col \
    --smbidmapuid="16777216-33554431" --smbidmapgid="16777216-33554431" --winbindseparator="+" \
    --winbindtemplateshell="/bin/false" --enablewinbindusedefaultdomain --disablewinbindoffline \
    --winbindjoin=supportj8 --disablewins --disablecache --enablelocauthorize --updateall

    * Add the apache user to the wbpriv group

    * Download and compile mod_auth_ntlm_winbind https://download.samba.org/pub/unpacked/lorikeet/mod_auth_ntlm_winbind/

    In /etc/httpd/conf.d/mod_auth_ntlm_winbind.conf the lines indicated ...

    I do not have KeepAlive and KeepAlive in my Apache (2.4) :(

    * Firewall permission ok

    But authentication does not work for me; in the error log httpd shows me:

    [suexec:notice] [pid 5868] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
    [Mon Jan 16 16:18:58.513747 2017] [auth_digest:notice] [pid 5868] AH01757: generating secret for digest authentication ...
    [Mon Jan 16 16:18:58.514349 2017] [lbmethod_heartbeat:notice] [pid 5868] AH02282: No slotmem from mod_heartmonitor
    [Hint: SSLSessionCache] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
    [Mon Apr 16 16:18:58.526113 2017] [mpm_prefork:notice] [pid 5868] AH00163: Apache/2.4.6 () OpenSSL/1.0.1e-fips mod_auth_gssapi/1.4.0 PHP/5.4.16 mod_jk/1.2.42 configured -- resuming normal operations
    AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
    [Mon Jan 16 16:29:18.885520 2017] [authn_file:error] [pid 5883] [client xx.xx.xx.xx:64908] AH01619: AuthUserFile not specified in the configuration
    [Mon Jan 16 16:29:20.323816 2017] [auth_file:error] [pid 5885] [client xx.xx.xx.xx:64910] AH01619: AuthUserFile not specified in the configuration
    [Mon Jan 16 16:29:20.698886 2017] [auth_file:error] [pid 5886] [client xx.xx.xx.xx:64911] AH01619: AuthUserFile not specified in the configuration
    [Mon Jan 16 16:29:20.914654 2017] [authn_file:error] [pid 5882] [client xx.xx.xx.xx:64912] AH01619: AuthUserFile not specified in the configuration
    [Mon Jan 16 16:29:21.098360 2017] [auth_file:error] [pid 6192] [client xx.xx.xx.xx:64913] AH01619: AuthUserFile not specified in the configuration
    [Mon Jan 16 16:29:21.258675 2017] [auth_file:error] [pid 5884] [client xx.xx.xx.xx:64917] AH01619: AuthUserFile not specified in the configuration
    [Mon Jan 16 16:29:21.538686 2017] [authn_file:error] [pid 5883] [client xx.xx.xx.xx:64918] AH01619: AuthUserFile not specified in the configuration
    [Mon Jan 16 16:29:21.714836 2017] [auth_file:error] [pid 5885] [client xx.xx.xx.xx:64919] AH01619: AuthUserFile not specified in the configuration
    [Mon Jan 16 16:29:21.866855 2017] [authn_file:error] [pid 5886] [client xx.xx.xx.xx:64920] AH01619: AuthUserFile not specified in the configuration

  6. David (admin) Post author

    @Alex: The setup I did was for Apache 2.2, which is included with CentOS 6.x by default. Looks like you're running Apache 2.4. I'm not sure if that's even compatible.

    - You could try adding "AuthUserFile /dev/null" somewhere to fix the errors you're getting.
    - I think you *need* some keepalive command as NTLM requires keep-alive sessions, I believe.

  7. Hema

    I get the error "NA NT_STATUS_UNSUCCESSFUL" in apache logs when trying to authenticate.
    [Mon Jul 17 08:11:38 2017] [debug] src/mod_auth_kerb.c(1953): [client ] kerb_authenticate_user entered with user (NULL) and auth_type NTLM
    [Mon Jul 17 08:11:38 2017] [debug] mod_auth_ntlm_winbind.c(1008): [client ] doing ntlm auth dance
    [Mon Jul 17 08:11:38 2017] [debug] mod_auth_ntlm_winbind.c(485): [client ] Using existing auth helper 2429
    [Mon Jul 17 08:11:38 2017] [debug] mod_auth_ntlm_winbind.c(704): [client ] parsing reply from helper to KK TlRMTVNTUAADAAAACsAQAABYKIoAAAAAAAAAAAAAAAAAAAAAACQAgAEgAVABUAFAALwBuAGsAbABpAHQAcgBoAGUAbAAwADEAAAAAAAAAAAA=\n
    [Mon Jul 17 08:11:38 2017] [debug] mod_auth_ntlm_winbind.c(742): [client ] got response: NA NT_STATUS_UNSUCCESSFUL
    [Mon Jul 17 08:11:38 2017] [debug] mod_auth_ntlm_winbind.c(766): [client ] user not authenticated: NT_STATUS_UNSUCCESSFUL
