Apache, authnz_ldap and Active Directory

Standard

After spending several hours of debugging into an Apache Active Directory LDAP authentication issue, I finally found the hint I was looking for. The error I was constantly getting in the error.log was:

[debug] mod_authnz_ldap.c(379): [client 192.168.182.23] [29481] auth_ldap authenticate: using URL ldap://dc001.mydomain.local:389/DC=mydomain,DC=local?sAMAccountName?sub?(objectClass=*)
[info] [client 192.168.182.23] [29481] auth_ldap authenticate: user tuxevara authentication failed; URI / [ldap_search_ext_s() for user failed][Operations error]

and regarding to some other sites [ldap_search_ext_s() for user failed][Operations error] must be related to authnz_ldap not handling referrals. The solution to this was just too obvious: Changing the LDAP port to 3268 (Global Catalog) solved it.

Here is the content of the htaccess file only grants access to members of a specific group:


AuthBasicProvider ldap
AuthType Basic
AuthName "Protected"
AuthLDAPURL "ldap://dc001.mydomain.local:3268/DC=mydomain,DC=local?sAMAccountName?sub?(objectClass=*)"
AuthzLDAPAuthoritative on

AuthLDAPBindDN "svc-apache@mydomain.local"
AuthLDAPBindPassword "thisissupposedtobesecret"

AuthLDAPGroupAttributeIsDN on
require ldap-group CN=Support,OU=Groups,DC=mydomain,DC=local

AIX5L with Samba 3.x and Kerberos 5 as a Windows 2003 ActiveDirctory Member Server

Standard

While cleaning up one of my other websites, I stumbled upon this guide I wrote  five years ago. Although the content of this guide is already five years old, I don’t want to remove it from the net. I suppose it should work also with a Windows 2008 Active Directory domain as well. But please do not ask me questions about AIX5L as I do not have access to any of those machines any more.


Preperations

First install some packages which are required for the setup. This includes the Kerberos Client as well as the Samba 3.x Server. They are called pware.samba-3.0.23d, krb5.client and strong>krb5.lic

Now make sure your system uses the same timeserver as your domain controller. On most systems this is done by making changes to the xntp server’s configuration file /etc/ntp.conf. Afterwards set up your active directory controller as your system’s nameserver in /etc/resolv.conf.

Kerberos 5 setup

Edit your Kerberos client configuration in /etc/krb5/krb5.conf, that it look similar to this one:

 
# /etc/krb5/krb5.conf
[libdefaults]
        default_realm = MYCOMPANY.LOCAL
        default_tkt_enctypes = des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = des-cbc-md5 des-cbc-crc

[realms]
        MYCOMPANY.LOCAL = {
                kdc = dc.mycompany.local:88
                admin_server = dc.mycompany.local:749
                default_domain = mycompany.local
        }

[domain_realm]
        .mycompany.local = MYCOMPANY.LOCAL
        dc.mycompany.local = MYCOMPANY.LOCAL

[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/kdc.log
        admin_server = FILE:/var/log/kadmind.log

Add the KRB5 authentication methods to /usr/lib/security/methods.cfg.

 
[..]
KRB5A:
        program = /usr/lib/security/KRB5A
        options = authonly

KRB5Afiles:
        options = db=BUILTIN,auth=KRB5A
[..]

Now it is time to test your Kerberos 5 configuration by running kinit with an existing domain user as parameter e.g.

kinit Administrator

Samba 3.x server setup

Now that Kerberos is working for the underlying AIX System you can start to configure your Samba server. To make things easier, create the smb.conf in /etc and link it to the directory where samba expects it to be:

 
touch /etc/smb.conf
ln -s /etc/smb.conf /opt/pware/samba/3.0.23d/lib/smb.conf

Here is the beginning of a working /etc/smb.conf file.

 
# /etc/smb.conf
[global]
        workgroup = MYCOMPANY
        netbios name = AIXHOSTNAME
        security = ADS
        realm = MYCOMPANY.LOCAL
        password server = dc.mycompany.local
        client use spnego = yes
        client signing = yes
        encrypt passwords = yes
        printcap name = cups
        disable spoolss = Yes
        show add printer wizard = No
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind separator = +
        winbind use default domain = Yes
        winbind enum users = yes
        winbind enum groups = yes
        template homedir = /home/%U
        template shell = /bin/bash
        use sendfile = Yes
        printing = cups
        ldap suffix = "dc=mycompany,dc=local"
        winbind cache time = 0
        #Uncomment to allow these options
        log level = 5
        log file = /var/log/samba3/log.%m
        #max log size = 5000000
        #debug timestamp = yes
        browseable = yes
        obey pam restrictions = yes
        auth methods = winbind
[..]

If testparm is not complaining about any errors try joining your domain.

 
net join -S dc -UAdministrator

Putting it all together with winbind

In order to make WINBIND available to your AIX system copy the winbind security module to /usr/lib/security,

 
cp /opt/pware/samba/3.0.23d/lib/WINBIND /usr/lib/security/

and add WINBIND config to /usr/lib/security/methods.cfg

 
[..]
WINBIND:
        program = /usr/lib/security/WINBIND
        options = authonly
[..]

To make winbind the default user database change the SYSTEM value to WINBIND in the default section of /etc/security/user. You can check wether winbind is working with wbinfo.

After you successfully joined your domain and set up windbind, make sure that the smbd, nmbd and windbind gets started at system startup. The easiest way for me was to add the SysV init scripts to /etc/rc.tcpip.