SSO with Samba, winbind, NTLM, Apache and Kerberos
Last updated on 16 September 2010.
Goal: automatically log users from an Active Directory domain in to a website. In this note the website is MediaWiki, but anything that can read the REMOTE_USER variable will do. I don't really like this setup; the note exists to avoid future headaches if a customer asks for such an implementation. I don't guarantee that it works for you, and there may be unnecessary steps.
Authentication overview
- Samba/winbind resolves users and groups from Active Directory (the machine must be joined to the domain first; the join itself needs a valid Kerberos ticket for an account that may join computers)
- Apache challenges the browser for NTLM and hands the exchange to winbind's ntlm_auth helper, as configured by the mod_auth_ntlm_winbind directives
- PHP (or whatever language) grants access based on that and reads the user name from REMOTE_USER
Requirements
- Samba 3.x (here: 3.4.2) and winbind
- Kerberos
- Apache 2.x
- mod_auth_ntlm_winbind for Apache
Configuration
Samba
[global]
workgroup = FOO
realm = KERBEROS.EXAMPLE.ORG
security = ADS
encrypt passwords = yes
password server = kerberos-server.example.org
winbind enum groups = yes
winbind enum users = yes
winbind nested groups = yes
winbind offline logon = yes
winbind use default domain = no
winbind nss info = sfu
winbind cache time = 60
winbind refresh tickets = yes
# winbind separator = + # leave this at the default, which is \ (names then look like FOO\user)
idmap uid = 10000-20000
idmap gid = 10000-20000
Apache
AuthName "NTLM auth"
NTLMAuth on
NTLMAuthHelper "/usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
AuthType NTLM
require valid-user
Installation of mod_auth_ntlm_winbind: see its documentation. Two things it assumes: the user Apache runs as must be allowed to use winbind's privileged pipe (the winbindd_privileged directory under Samba's lock directory), otherwise ntlm_auth fails for every request; and if you enable the module's Basic authentication fallback, the browser sends the password in clear, so serve the site over HTTPS only. The same module can also do Negotiate (Kerberos) through ntlm_auth --helper-protocol=gss-spnego, which is preferable to NTLM where the clients support it.
/etc/nsswitch.conf
Just change these lines:
passwd: compat winbind
group: compat winbind
Kerberos
The krb5.conf syntax is the same for Heimdal Kerberos (e.g. on Solaris) and MIT Kerberos (most Linux distributions), so this minimal snippet works with both:
[libdefaults]
default_realm = KERBEROS.EXAMPLE.ORG
FIXME: insert a fuller MIT Kerberos config here (or mail me if you have one working).
Mediawiki integration
You'll need the extensions AutomaticREMOTE_USER and LDAP Authentication (configured for Active Directory).
Let's start
- Obtain Kerberos ticket:
kinit administrator@KERBEROS.EXAMPLE.ORG
- Join the domain:
net ads join -U administrator
- Then start Samba (smbd, nmbd), winbind and Apache
Testing
- Verify that a Kerberos ticket exists:
klist
- Check the trust:
wbinfo -t
- Check domain join status:
net ads testjoin
net getdomainsid
(the "SID for domain ..." line must name the domain from your smb.conf "workgroup" setting)
- Query users and groups:
wbinfo -u
wbinfo -g
- Test NTLM auth (prompts for the password; pass the domain separately because the separator is left at the default). Success is reported as NT_STATUS_OK:
ntlm_auth --domain=FOO --username=someuser
- Fire up your browser and check that you're logged in automatically (browsers only do this for hosts they trust, see Pitfalls below)
Pitfalls/Troubleshooting
Check server response
Check with curl -I http://yourserver.example.org whether the server answers 401 with a WWW-Authenticate: NTLM header. If not, either you didn't load the module or your Apache configuration is wrong. To exercise the whole chain from the command line, curl --ntlm -u 'FOO\someuser' -I http://yourserver.example.org (curl asks for the password) must return 200.
Kerberos, NTP and case sensitivity
You'll need to use NTP: Active Directory and your server must agree on the time, because Kerberos rejects requests with more than 5 minutes of clock skew by default. All Kerberos config files and commands like kinit are case-sensitive: realm names are upper case, and the host name you use must match the one the service principal was registered under.
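The following script, added here and not part of the original note, automates the checks from the Testing section and this troubleshooting section: it refuses a lower-case realm, measures the clock offset to the domain controller against the Kerberos 5-minute limit, runs klist, net ads testjoin and wbinfo, and finally inspects the site's response headers for the NTLM challenge. The realm, KDC host and site URL at the top are placeholders taken from the config above; ntpdate, curl and the Samba tools are assumed to be on the PATH. The three helper functions are pure and can be tried on captured headers without a domain; the live part only runs when the script is called with --live.

```shell
#!/bin/sh
# Added example (not from the original note): pre-flight and smoke checks for the
# Samba/winbind/NTLM setup. Realm, KDC host and site URL are placeholders.

REALM="KERBEROS.EXAMPLE.ORG"               # as in smb.conf "realm" and krb5.conf
KDC="kerberos-server.example.org"          # the domain controller ("password server")
SITE_URL="http://yourserver.example.org/"  # the NTLM-protected site
MAX_SKEW=300   # seconds; Kerberos rejects requests beyond this clock offset (libdefaults clockskew default)

# offers_ntlm: read an HTTP response header block (as printed by `curl -I`) on stdin;
# succeed if some WWW-Authenticate header offers the NTLM scheme. Header names are
# case-insensitive and curl output is CRLF-terminated, hence -i and the tr.
# A Basic challenge whose realm merely contains the word NTLM does not count.
offers_ntlm() {
    tr -d '\r' | grep -iqE '^WWW-Authenticate:[[:space:]]*NTLM([[:space:]]|$)'
}

# realm_is_canonical REALM: realm names are case-sensitive and upper case by
# convention; a lower-case letter is almost always a typo that kinit or
# "net ads join" will reject.
realm_is_canonical() {
    case "$1" in
        "")      return 1 ;;
        *[a-z]*) return 1 ;;
        *)       return 0 ;;
    esac
}

# skew_within_limit OFFSET_SECONDS: succeed if |offset| <= MAX_SKEW (empty = unknown = fail).
skew_within_limit() {
    [ -n "$1" ] || return 1
    skew=$(( $1 ))
    if [ "$skew" -lt 0 ]; then skew=$(( 0 - skew )); fi
    [ "$skew" -le "$MAX_SKEW" ]
}

# run_live_checks: the Testing-section checks in dependency order, stopping at the
# first failure so the message points at the layer that is broken.
run_live_checks() {
    realm_is_canonical "$REALM" || { echo "FAIL: realm '$REALM' is not upper case"; return 1; }

    # Domain controllers serve NTP; ntpdate -q reports "... offset <seconds> ...".
    # Only whole seconds matter for the Kerberos limit.
    offset=$(ntpdate -q "$KDC" 2>/dev/null | sed -n 's/.*offset \([-0-9.]*\).*/\1/p' | head -n 1)
    skew_within_limit "${offset%%.*}" \
        || { echo "FAIL: clock offset to $KDC is '${offset}' s (fix NTP)"; return 1; }

    klist -s         || { echo "FAIL: no valid Kerberos ticket, run kinit"; return 1; }   # MIT; Heimdal: klist -t
    net ads testjoin || { echo "FAIL: machine is not joined to the domain"; return 1; }
    wbinfo -t        || { echo "FAIL: winbind cannot verify the machine trust account"; return 1; }
    wbinfo -u | grep -q . || { echo "FAIL: winbind enumerates no users (nsswitch/idmap?)"; return 1; }

    curl -sI "$SITE_URL" | offers_ntlm \
        || { echo "FAIL: $SITE_URL sends no WWW-Authenticate: NTLM (module not loaded or misconfigured)"; return 1; }
    echo "all checks passed"
}

# Only run the live checks when explicitly asked; the helpers above can be sourced alone.
case "${1:-}" in
    --live) run_live_checks ;;
esac
```

Run it as `sh sso-check.sh --live` on the web server after the domain join; the first failing layer is printed and the script stops, so a missing NTLM header is only reported once Kerberos, the join and winbind are known to be good.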
Firefox and NTLM
Enable NTLM authentication in about:config:
network.automatic-ntlm-auth.trusted-uris = site.example.org
network.negotiate-auth.trusted-uris = site.example.org
Only list hosts you trust: Firefox answers NTLM challenges from these hosts with the logged-in user's domain credentials without asking.
Internet Explorer
Make sure the zone your server is in (normally Local intranet) allows automatic logon with the current user name and password. By default IE does this only for the Intranet zone, so add the site to that zone if it is not detected as intranet.
Valuable links
- www.linux-multimedia.ch (german)
- serverfault.com