Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-17 Thread Ross Walker

On Feb 17, 2009, at 7:50 PM, Christopher Chan  wrote:

>
>> If you have a lot of hosts that need access to winbind mapped
>> UIDs/GIDs instead of setting up winbind everywhere and having an
>> administrative headache if the RID mapping gets messed up on one host,
>> set up a winbind to NIS server that puts the mappings into NIS maps and
>> propagate the information that way. Only real difference on the other
>> hosts is to switch 'winbind' to 'nis' in nsswitch.conf.
>>
> What's wrong with winbind on a ldap backend? I have winbind installed
> everywhere...all pointing to a single ldap instance.

Well yeah, you can use ldap too to keep the rid mappings centralized. I
just think configuring ldap, putting a schema together and configuring
samba everywhere is more work than nis, but to each their own.

-Ross
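One way to build the "winbind to NIS" master described in this message, as an added example that is not part of the thread: the winbind host exports its mapped accounts into NIS source files and rebuilds the maps, and the other hosts switch 'winbind' to 'nis' in nsswitch.conf. The idmap range 10000-10999 and the source directory /var/yp/src are assumptions (the thread's own range values are not readable in the archive); it also assumes 'winbind enum users/groups = yes' so getent can enumerate the domain.

```shell
#!/bin/sh
# Added example, not from the thread: build the "winbind to NIS" master Ross
# describes. The host running winbind exports its mapped users and groups into
# NIS source files and rebuilds the maps; other hosts then switch 'winbind' to
# 'nis' in nsswitch.conf. Assumptions: the winbind idmap range is 10000-10999
# (the thread's own range values are not readable in the archive), smb.conf has
# 'winbind enum users = yes' and 'winbind enum groups = yes' so getent can
# enumerate the domain, and the NIS Makefile is pointed at $NIS_SRCDIR.

WINBIND_MIN=10000
WINBIND_MAX=10999
NIS_SRCDIR=/var/yp/src   # assumed; passed to make as YPPWDDIR below

# filter_id_range LO HI: keep passwd/group lines (stdin) whose numeric id
# (field 3) lies in [LO, HI]. Local accounts outside the range never leave
# the host.
filter_id_range() {
    awk -F: -v lo="$1" -v hi="$2" '$3 >= lo && $3 <= hi'
}

# sanitize_passwd: winbind already reports '*' as the password, but force it
# so no hash can ever end up in a NIS map, which any host that can reach
# ypserv can dump with ypcat (restrict that with /var/yp/securenets).
sanitize_passwd() {
    awk -F: 'BEGIN { OFS = ":" } { $2 = "*"; print }'
}

# check_unique_ids [FILE]: exit 1 if a name or numeric id occurs twice. A
# duplicate here is the "RID mapping messed up" case and must not be pushed
# to every client.
check_unique_ids() {
    awk -F: '
        ($1 in names) || ($3 in ids) { bad = 1 }
        { names[$1] = 1; ids[$3] = 1 }
        END { exit bad + 0 }' "${1:--}"
}

# export_maps: regenerate the source files and push the maps. Run on the NIS
# master (the winbind host) from cron or after idmap changes.
export_maps() {
    mkdir -p "$NIS_SRCDIR" || return 1
    tmp_pw=$(mktemp) && tmp_gr=$(mktemp) || return 1
    getent passwd | filter_id_range "$WINBIND_MIN" "$WINBIND_MAX" | sanitize_passwd >"$tmp_pw"
    getent group  | filter_id_range "$WINBIND_MIN" "$WINBIND_MAX" >"$tmp_gr"
    if ! check_unique_ids "$tmp_pw" || ! check_unique_ids "$tmp_gr"; then
        echo "export_maps: duplicate name or id in winbind output; maps not rebuilt" >&2
        rm -f "$tmp_pw" "$tmp_gr"
        return 1
    fi
    mv "$tmp_pw" "$NIS_SRCDIR/passwd" && mv "$tmp_gr" "$NIS_SRCDIR/group" || return 1
    chmod 644 "$NIS_SRCDIR/passwd" "$NIS_SRCDIR/group"
    # /var/yp/Makefile takes passwd and group from YPPWDDIR; MERGE_* off
    # because there is no shadow/gshadow to merge for these entries.
    (cd /var/yp && make YPPWDDIR="$NIS_SRCDIR" MERGE_PASSWD=false MERGE_GROUP=false)
}

# Constructed sample of 'getent passwd' output: two local accounts and two
# winbind-mapped ones.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
jdoe:*:10001:10000:John Doe:/home/jdoe:/bin/bash
svc:*:10500:10500::/home/svc:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin'

# sample_export: what the passwd map source would contain for the sample.
sample_export() {
    printf '%s\n' "$SAMPLE_PASSWD" \
        | filter_id_range "$WINBIND_MIN" "$WINBIND_MAX" | sanitize_passwd
}

if [ "${1:-}" = "--export" ]; then
    export_maps
else
    sample_export
fi
```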

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-17 Thread Christopher Chan

> If you have a lot of hosts that need access to winbind mapped
> UIDs/GIDs instead of setting up winbind everywhere and having an
> administrative headache if the RID mapping gets messed up on one host,
> set up a winbind to NIS server that puts the mappings into NIS maps and
> propagate the information that way. Only real difference on the other
> hosts is to switch 'winbind' to 'nis' in nsswitch.conf.
>   
What's wrong with winbind on a ldap backend? I have winbind installed 
everywhere...all pointing to a single ldap instance.


Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-17 Thread Ross Walker
On Tue, Feb 17, 2009 at 2:59 PM, Kanwar Ranbir Sandhu
 wrote:
> On Tue, 2009-02-17 at 10:27 -0700, Joseph L. Casale wrote:
>> I haven't tried this one, but make note it lacks NTLMv2 and group support
>> which made it non usable in my environment. Like Filipe suggested
>> mod_auth_ntlm_winbind addresses this but it appears it's not actively
>> maintained and I got stuck configuring it and gave up...
>
> I believe you can use kerberos auth and group lookups.  For the group
> support, you need to do direct LDAP lookups.  Just run a google search
> for 'kerberos apache group', or something along those lines, to find
> some links discussing what I've mentioned here.

If you have a lot of hosts that need access to winbind mapped
UIDs/GIDs instead of setting up winbind everywhere and having an
administrative headache if the RID mapping gets messed up on one host,
set up a winbind to NIS server that puts the mappings into NIS maps and
propagate the information that way. Only real difference on the other
hosts is to switch 'winbind' to 'nis' in nsswitch.conf.

-Ross


Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-17 Thread Ross Walker
On Tue, Feb 17, 2009 at 12:24 PM, Joseph L. Casale
 wrote:
>>Ok, here are the default settings that my kickstart file creates to
>>allow me to join the domain and have samba manage the keytab.
>
> Ross,
> I was out of town and missed this thread which is of great interest to me
> as well. When you say "have samba manage the keytab" do you mean not use one
> as have a dedicated service account on the DC and have it generate the keytab
> and have it copied over? A lot of solutions I have seen use that procedure
> which I have never wanted to do for obvious reasons.

If you don't have a keytab file when you use samba to join the
domain and you have 'use kerberos keytab = yes' set in your
smb.conf, then samba creates one and populates it with the AD
compatible host SPNs and machine password. From that point on it will
keep the keytab in sync. I don't know if it will add these if SPNs
already exist; I haven't tried it.

> Also, I see you also configure ldap to point towards what looks like your AD
> server as well. How come you use both Samba/Winbind and ldap?

LDAP wasn't necessary, I use it for querying AD attributes using the
OpenLDAP tools (I don't trust Microsoft and think they hide attributes
in ADSIEdit!).

Though I could have used NSS_LDAP instead of Winbind, I just would
need to set UID/GID for every user and group in AD which was just too
much of a PITA.

-Ross


Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-17 Thread Ross Walker
On Tue, Feb 17, 2009 at 2:18 PM, Kanwar Ranbir Sandhu
 wrote:
> On Tue, 2009-02-17 at 14:07 -0500, Kanwar Ranbir Sandhu wrote:
>> On Mon, 2009-02-16 at 20:36 -0500, Ross Walker wrote:
>> > In Firefox go to your about:config page and scroll down to:
>> >
>> > network.negotiate-auth.delegation-uris
>> >
>> > and
>> >
>> > network.negotiate-auth.trusted-uris
>> >
>> > and for their string values enter your DNS domain to allow kerberos
>> > negotiation and delegation to occur.
>>
>> HA! I had these set already, but I still get prompted.  So, today I
>> decided I should delete the saved passwords for the apache hosted site I
>> was trying to access, and voila, SSO worked!  I can't believe I didn't
>> remove the saved passwords before.
>
> I should have mentioned that I only set
> "network.negotiate-auth.trusted-uris".  I left the other one blank.
> Setting it or not didn't seem to make a difference. But, based on this:
>
> https://developer.mozilla.org/en/Integrated_Authentication
>
> The apache server should have been able to handle the authentication.
> Maybe I'm misunderstanding what "delegation" does.

Delegation will allow a system or service to authenticate you to
another system or service on your behalf.

For example, say your apache server has a mysql database backend for
an application that requires each user to authenticate individually.
Without delegation the users would need to use another form of
authentication, such as HTTP basic authentication, which would then pass
it off to mysql. Even if done over SSL this can open your
application up to a man-in-the-middle attack. Kerberos delegation was
designed to defeat the man-in-the-middle scenario through signing of
the ticket request along the line and back.

-Ross


Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-17 Thread Kanwar Ranbir Sandhu
On Tue, 2009-02-17 at 10:27 -0700, Joseph L. Casale wrote:
> I haven't tried this one, but make note it lacks NTLMv2 and group support
> which made it non usable in my environment. Like Filipe suggested
> mod_auth_ntlm_winbind addresses this but it appears it's not actively
> maintained and I got stuck configuring it and gave up...

I believe you can use kerberos auth and group lookups.  For the group
support, you need to do direct LDAP lookups.  Just run a google search
for 'kerberos apache group', or something along those lines, to find
some links discussing what I've mentioned here.

Regards,

Ranbir

-- 
Kanwar Ranbir Sandhu
Linux 2.6.27.12-170.2.5.fc10.x86_64 x86_64 GNU/Linux 
14:58:02 up 6 days, 16:45, 4 users, load average: 1.32, 1.27, 1.21 




Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-17 Thread Kanwar Ranbir Sandhu
On Tue, 2009-02-17 at 14:07 -0500, Kanwar Ranbir Sandhu wrote:
> On Mon, 2009-02-16 at 20:36 -0500, Ross Walker wrote:
> > In Firefox go to your about:config page and scroll down to:
> > 
> > network.negotiate-auth.delegation-uris
> > 
> > and
> > 
> > network.negotiate-auth.trusted-uris
> > 
> > and for their string values enter your DNS domain to allow kerberos
> > negotiation and delegation to occur.
> 
> HA! I had these set already, but I still get prompted.  So, today I
> decided I should delete the saved passwords for the apache hosted site I
> was trying to access, and voila, SSO worked!  I can't believe I didn't
> remove the saved passwords before.

I should have mentioned that I only set
"network.negotiate-auth.trusted-uris".  I left the other one blank.
Setting it or not didn't seem to make a difference. But, based on this:

https://developer.mozilla.org/en/Integrated_Authentication

The apache server should have been able to handle the authentication.
Maybe I'm misunderstanding what "delegation" does.

Regards,

Ranbir
-- 
Kanwar Ranbir Sandhu
Linux 2.6.27.12-170.2.5.fc10.x86_64 x86_64 GNU/Linux 
14:12:01 up 6 days, 15:59, 4 users, load average: 1.11, 1.13, 0.87 




Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-17 Thread Kanwar Ranbir Sandhu
On Mon, 2009-02-16 at 20:36 -0500, Ross Walker wrote:
> In Firefox go to your about:config page and scroll down to:
> 
> network.negotiate-auth.delegation-uris
> 
> and
> 
> network.negotiate-auth.trusted-uris
> 
> and for their string values enter your DNS domain to allow kerberos
> negotiation and delegation to occur.

HA! I had these set already, but I still get prompted.  So, today I
decided I should delete the saved passwords for the apache hosted site I
was trying to access, and voila, SSO worked!  I can't believe I didn't
remove the saved passwords before.

Anyway, thanks for pointing out the Firefox settings. I doubt I would
have remembered they were there.

Regards,

Ranbir

-- 
Kanwar Ranbir Sandhu
Linux 2.6.27.12-170.2.5.fc10.x86_64 x86_64 GNU/Linux 
14:04:07 up 6 days, 15:51, 4 users, load average: 0.92, 1.02, 0.69 




Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-17 Thread Joseph L. Casale
>Too bad. However, based on your information I found this on Google:
>
>http://sivel.net/2007/05/sso-apache-ad-1/
>
>Thanks Filipe. Now I guess I can have a crack at this too.

I haven't tried this one, but make note it lacks NTLMv2 and group support
which made it non-usable in my environment. Like Filipe suggested,
mod_auth_ntlm_winbind addresses this but it appears it's not actively
maintained and I got stuck configuring it and gave up...

jlc


Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-17 Thread Joseph L. Casale
>Ok, here are the default settings that my kickstart file creates to
>allow me to join the domain and have samba manage the keytab.

Ross,
I was out of town and missed this thread which is of great interest to me
as well. When you say "have samba manage the keytab" do you mean not use one
as have a dedicated service account on the DC and have it generate the keytab
and have it copied over? A lot of solutions I have seen use that procedure which
I have never wanted to do for obvious reasons.

Also, I see you also configure ldap to point towards what looks like your AD
server as well. How come you use both Samba/Winbind and ldap?

Thanks for the info!
jlc


Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-16 Thread Sorin Srbu
>-Original Message-
>From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf
>Of Ross Walker
>Sent: Tuesday, February 17, 2009 2:36 AM
>To: CentOS mailing list
>Subject: Re: [CentOS] Practical experience with NTLM/Windows Integrated
>Authentication [Apache]
>
>In Firefox go to your about:config page and scroll down to:
>
>network.negotiate-auth.delegation-uris
>
>and
>
>network.negotiate-auth.trusted-uris
>
>and for their string values enter your DNS domain to allow kerberos
>negotiation and delegation to occur.

No way! This works in linux with Firefox?? 

I've only tried setting the string values to the Windows trivial names.
Using the FQDN didn't even occur to me. I've got to try this.

Thx for the hint.
-- 
/Sorin




Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-16 Thread Ross Walker
On Mon, Feb 16, 2009 at 8:34 PM, Christopher Chan
 wrote:
> Thanks Ross, much appreciated.
>
>
> Now I have to see if I can translate the necessary stuff to Ubuntu
> (Centos 5 did not cut it for desktop - cost me almost all the new Linux
> desktops but it sure was the easiest to install and setup. Ubuntu is a
> pain to get the debian-installer to do what kickstart does...still stuck
> on the stupid disk part/RAID/LVM configuration)

Yes, Ubuntu is nice, but the automated installer of Debian's still
leaves a lot to be desired.

Just use sed to edit the pam configs in the script section at the end.

Below are what mine look like after authconfig was finished with them.

== system-auth ==
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_mkhomedir.so skel=/etc/skel umask=0077 silent
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

== nsswitch.conf ==
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#   nisplus or nis+ Use NIS+ (NIS version 3)
#   nis or yp   Use NIS (NIS version 2), also called YP
#   dns Use DNS (Domain Name Service)
#   files   Use the local files
#   db  Use the local database (.db) files
#   compat  Use NIS on compat mode
#   hesiod  Use Hesiod for user lookups
#   [NOTFOUND=return]   Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd: files winbind
shadow: files winbind
group:  files winbind

#hosts: db files nisplus nis dns
hosts:  files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files

publickey:  nisplus

automount:  files
aliases:    files nisplus


== krb5.conf ==
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MFG.PRV
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = yes
 renewable = yes

[realms]
 MFG.PRV = {
  kdc = mfg.prv
  admin_server = mfg.prv
  default_domain = mfg.prv
 }

[domain_realm]
 .mfg.prv = MFG.PRV
 mfg.prv = MFG.PRV

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 24h
   renew_lifetime = 7d
   forwardable = true
   renewable = true
   krb4_convert = false
 }


== smb.conf ==
[global]
workgroup = MFG
security = ads
realm = MFG.PRV
load printers = yes
printing = cups
max log size = 50
passdb backend = tdbsam
use kerberos keytab = Yes
allow trusted domains = no
idmap backend = rid:"BUILTIN=10-10,MFG=11-99"
winbind gid = 10-99
winbind uid = 10-99
template homedir = /home/%U
template shell = /bin/bash
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
wins server = mfg.prv
name resolve order = wins bcast host
restrict anonymous = no
domain master = no
prefer

Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-16 Thread Ross Walker
On Mon, Feb 16, 2009 at 7:33 PM, Kanwar Ranbir Sandhu
 wrote:
> On Tue, 2009-02-17 at 08:05 +0800, Christopher Chan wrote:
>> Maybe kerberos authentication?
>>
>> I have winbind authentication working here but I have yet to get
>> kerberos working to get SSO on Linux desktops.
>
> Isn't winbind enough?  After all, winbind gets the kerberos ticket when
> the user logs in.
>
> What's the difference between kerberos auth and winbind auth?

The difference is that winbind authentication is NTLM and it's good
for that endpoint only, but it can't be forwarded on to other services
for a SSO experience (unless there is an NTLM session cache and the
applications are written to use it ala Windows, but it is insecure).

-Ross


Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-16 Thread Ross Walker
On Mon, Feb 16, 2009 at 6:03 PM, Kanwar Ranbir Sandhu
 wrote:
> On Mon, 2009-02-16 at 15:21 -0500, Ross Walker wrote:
>
>> Avoid NTLM altogether and use Kerberos between apache/squid, Active
>> Directory and the Windows and Linux clients.
>>
>> Firefox and IE both support Kerberos authentication. I believe apache/
>> squid do too, but you need to manually create the service principal
>> names in AD for those.
>
> I was using NTLM at first, but then switched to Kerberos (on the CentOS
> server side).  The Windows users didn't see a difference.  For them, SSO
> works just as well as before, but I still get prompted to enter
> user/password when I use my Fedora 10 desktop to browse to CentOS hosted
> web sites.
>
> My Fedora desktop is joined to the domain. I can login with my AD
> user/password. I even have caching working, which lets me sign on to my
> laptop when it's not connected to the network.
>
> I suppose I've missed something, though I don't know what.

In Firefox go to your about:config page and scroll down to:

network.negotiate-auth.delegation-uris

and

network.negotiate-auth.trusted-uris

and for their string values enter your DNS domain to allow kerberos
negotiation and delegation to occur.

-Ross


Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-16 Thread Christopher Chan
Thanks Ross, much appreciated.


Now I have to see if I can translate the necessary stuff to Ubuntu 
(Centos 5 did not cut it for desktop - cost me almost all the new Linux 
desktops but it sure was the easiest to install and setup. Ubuntu is a 
pain to get the debian-installer to do what kickstart does...still stuck 
on the stupid disk part/RAID/LVM configuration)


Christopher


Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-16 Thread Ross Walker
On Mon, Feb 16, 2009 at 7:07 PM, Christopher Chan
 wrote:
> Ross Walker wrote:
>> On Feb 16, 2009, at 3:13 AM, "Sorin Srbu" 
>> wrote:
>>
>>
>>>> -Original Message-
>>>> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
>>>>
>>> Behalf
>>>
>>>> Of Christopher Chan
>>>> Sent: Monday, February 16, 2009 8:53 AM
>>>> To: CentOS mailing list
>>>> Subject: Re: [CentOS] Practical experience with NTLM/Windows
>>>> Integrated
>>>> Authentication [Apache]
>>>>
>>>>
>>>>
>>>>>> No, NTLM auth works in Firefox (at least on Firefox on Windows, I
>>>>>> don't think it will work in other platforms though).
>>>>>>
>>>>> It doesn't. NTLM auth to eg Sharepoint sites works fine with
>>>>> Firefox in
>>>>> Windows. Setting the same things in Firefox under linux and having
>>>>> it
>>>>>
>>> login
>>>
>>>>> to sharepoint doesn't.
>>>>>
>>>> I don't think any other OS other than Windows has NTLM bindings.
>>>>
>>> Probably not, but I was thinking there may be some obscure package
>>> somewhere
>>> on the 'net to do this.
>>>
>>
>> Avoid NTLM altogether and use Kerberos between apache/squid, Active
>> Directory and the Windows and Linux clients.
>>
>> Firefox and IE both support Kerberos authentication. I believe apache/
>> squid do too, but you need to manually create the service principal
>> names in AD for those.
>>
>> Use pam_krb5 on the Linux clients to get a ticket on login.
>>
> Mind sharing the pam config for that? I have something setup but things
> don't seem to work.
>> Use samba client on Linux hosts to join to domain and manage the
>> Kerberos keytab file for the machine passwords.
>>
> Hmm...maybe I should not have manually created the credentials.

Ok, here are the default settings that my kickstart file creates to
allow me to join the domain and have samba manage the keytab.

# Default Kerberos configuration
mv /etc/krb5.conf /etc/krb5.conf.orig

cat >/etc/krb5.conf <<EOF
[...]
EOF

cat >/etc/samba/smb.conf <<EOF
[...]
EOF

cat >/etc/ldap.conf <<EOF
uri ldap://example.com/
base dc=example,dc=com
timelimit 30
bind_timelimit 30
idle_timelimit 3600
ssl start_tls
tls_checkpeer no
use_sasl yes
sasl_secprops maxssf=0
krb5_ccname FILE:/tmp/krb5.ldap

pam_filter      objectClass=User
pam_password    crypt

nss_map_objectclass posixAccount    User
nss_map_objectclass shadowAccount   User
nss_map_objectclass posixGroup      Group

nss_map_attribute   homeDirectory   unixHomeDirectory
nss_map_attribute   uniqueMember    msSFU30PosixMember
nss_map_attribute   userPassword    unixUserPassword

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
EOF

# Default OpenLDAP configuration
mv /etc/openldap/ldap.conf /etc/openldap/ldap.conf.orig

cat >/etc/openldap/ldap.conf <<EOF
URI            ldap://example.com
BASE           dc=example, dc=com
SASL_SECPROPS  maxssf=0
TLS_REQCERT    allow
EOF

authconfig --kickstart --ldapserver=mfg.prv --ldapbasedn="DC=mfg,DC=prv"

# Add an entry for pam_mkhomedir in system-auth
sed -i -e 's/\(session     required      pam_limits.so\)/session     required      pam_mkhomedir.so skel=\/etc\/skel umask=0077 silent\n\1/' /etc/pam.d/system-auth

By using authconfig I avoid having to manually edit the PAM stuff
which can get clobbered after an upgrade.

After configured I do have to manually join the domain, and
enable/restart winbind.

# net ads join -U 
# chkconfig winbind on
# service winbind restart

-Ross
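A set of checks to run after the join above, as an added example that is not part of the thread: it verifies that the samba-managed keytab carries the host principals, optionally the HTTP/ SPN an apache host needs (which the join does not create), and that the stored key still matches the machine password AD holds. The hostname web1.mfg.prv is an assumption; MFG.PRV is the realm from Ross's config.

```shell
#!/bin/sh
# Added example, not from the thread: checks to run after the kickstart join
# above, on a host whose keytab samba manages ('use kerberos keytab = yes').
# Assumptions: hostname web1.mfg.prv in realm MFG.PRV (the realm in Ross's
# config). Samba writes the host/<fqdn>, host/<short> and <SHORT>$ entries;
# the HTTP/<fqdn> SPN that a Kerberos-authenticated apache needs is not part
# of the join and has to be registered separately (in AD, or with
# 'net ads keytab add HTTP' on the joined host), so it is checked as an option.

# keytab_has_principal LISTING PRINCIPAL
# True if PRINCIPAL is listed in LISTING, the text output of 'klist -kt'
# (the principal is the last field of each entry line).
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit !found }'
}

# missing_principals LISTING FQDN REALM [web]
# Prints each required principal that is absent; returns 1 if any is missing.
# Pass a non-empty fourth argument on a host that will serve apache with
# Kerberos, which adds HTTP/<fqdn> to the required set.
missing_principals() {
    listing=$1; fqdn=$2; realm=$3; web=$4
    short=${fqdn%%.*}
    machine=$(printf '%s' "$short" | tr '[:lower:]' '[:upper:]')'$'"@$realm"
    set -- "host/$fqdn@$realm" "host/$short@$realm" "$machine"
    [ -n "$web" ] && set -- "$@" "HTTP/$fqdn@$realm"
    rc=0
    for p in "$@"; do
        if ! keytab_has_principal "$listing" "$p"; then
            echo "missing: $p"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of 'klist -kt' on a freshly joined host (no HTTP SPN yet).
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 02/16/09 20:36:00 host/web1.mfg.prv@MFG.PRV
   2 02/16/09 20:36:00 host/web1@MFG.PRV
   2 02/16/09 20:36:00 WEB1$@MFG.PRV'

# live_checks FQDN REALM [web]: the same test against the real keytab, then a
# keytab-only kinit (proves the stored key matches the machine password AD
# holds, i.e. samba really kept it in sync) and samba's own join/trust checks.
# Run as root on the joined host; not executed here.
live_checks() {
    fqdn=$1; realm=$2; web=$3
    missing_principals "$(klist -kt /etc/krb5.keytab)" "$fqdn" "$realm" "$web" || return 1
    kinit -k -t /etc/krb5.keytab "host/$fqdn@$realm" || return 1
    kdestroy
    wbinfo -t && net ads testjoin
}

# Demonstration on the constructed sample.
if missing_principals "$SAMPLE_KEYTAB" web1.mfg.prv MFG.PRV web; then
    echo "keytab complete for a Kerberos-enabled apache host"
else
    echo "join is fine, but the apache SPN still has to be added"
fi
```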


Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-16 Thread Christopher Chan
Kanwar Ranbir Sandhu wrote:
> On Tue, 2009-02-17 at 08:05 +0800, Christopher Chan wrote:
>   
>> Maybe kerberos authentication?
>>
>> I have winbind authentication working here but I have yet to get 
>> kerberos working to get SSO on Linux desktops.
>> 
>
> Isn't winbind enough?  After all, winbind gets the kerberos ticket when
> the user logs in.
>   
??? That's new to me...are you sure?
> What's the difference between kerberos auth and winbind auth?
kerberos auth...should be the one that gets the ticket for you. Winbind 
serves to both authenticate you and provide user/group account info.


Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-16 Thread Kanwar Ranbir Sandhu
On Tue, 2009-02-17 at 08:05 +0800, Christopher Chan wrote:
> Maybe kerberos authentication?
> 
> I have winbind authentication working here but I have yet to get 
> kerberos working to get SSO on Linux desktops.

Isn't winbind enough?  After all, winbind gets the kerberos ticket when
the user logs in.

What's the difference between kerberos auth and winbind auth?

Regards,

Ranbir

-- 
Kanwar Ranbir Sandhu
Linux 2.6.27.12-170.2.5.fc10.x86_64 x86_64 GNU/Linux 
19:32:30 up 5 days, 21:19, 3 users, load average: 0.30, 0.24, 0.21 




Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-16 Thread Christopher Chan
Ross Walker wrote:
> On Feb 16, 2009, at 3:13 AM, "Sorin Srbu"   
> wrote:
>
>   
>>> -Original Message-
>>> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
>>>   
>> Behalf
>> 
>>> Of Christopher Chan
>>> Sent: Monday, February 16, 2009 8:53 AM
>>> To: CentOS mailing list
>>> Subject: Re: [CentOS] Practical experience with NTLM/Windows  
>>> Integrated
>>> Authentication [Apache]
>>>
>>>
>>>   
>>>>> No, NTLM auth works in Firefox (at least on Firefox on Windows, I
>>>>> don't think it will work in other platforms though).
>>>>>   
>>>> It doesn't. NTLM auth to eg Sharepoint sites works fine with  
>>>> Firefox in
>>>> Windows. Setting the same things in Firefox under linux and having  
>>>> it
>>>> 
>> login
>> 
>>>> to sharepoint doesn't.
>>>> 
>>> I don't think any other OS other than Windows has NTLM bindings.
>>>   
>> Probably not, but I was thinking there may be some obscure package  
>> somewhere
>> on the 'net to do this.
>> 
>
> Avoid NTLM altogether and use Kerberos between apache/squid, Active  
> Directory and the Windows and Linux clients.
>
> Firefox and IE both support Kerberos authentication. I believe apache/ 
> squid do too, but you need to manually create the service principal  
> names in AD for those.
>
> Use pam_krb5 on the Linux clients to get a ticket on login.
>   
Mind sharing the pam config for that? I have something setup but things 
don't seem to work.
> Use samba client on Linux hosts to join to domain and manage the  
> Kerberos keytab file for the machine passwords.
>   
Hmm...maybe I should not have manually created the credentials.


Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-16 Thread Christopher Chan
Kanwar Ranbir Sandhu wrote:
> On Mon, 2009-02-16 at 15:21 -0500, Ross Walker wrote:
>
>   
>> Avoid NTLM altogether and use Kerberos between apache/squid, Active  
>> Directory and the Windows and Linux clients.
>>
>> Firefox and IE both support Kerberos authentication. I believe apache/ 
>> squid do too, but you need to manually create the service principal  
>> names in AD for those.
>> 
>
> I was using NTLM at first, but then switched to Kerberos (on the CentOS
> server side).  The Windows users didn't see a difference.  For them, SSO
> works just as well as before, but I still get prompted to enter
> user/password when I use my Fedora 10 desktop to browse to CentOS hosted
> web sites.
>
> My Fedora desktop is joined to the domain. I can login with my AD
> user/password. I even have caching working, which lets me sign on to my
> laptop when it's not connected to the network.
>
> I suppose I've missed something, though I don't know what.
Maybe kerberos authentication?

I have winbind authentication working here but I have yet to get 
kerberos working to get SSO on Linux desktops.


Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-16 Thread John
> -Original Message-
> From: centos-boun...@centos.org 
> [mailto:centos-boun...@centos.org] On Behalf Of Kanwar Ranbir Sandhu
> Sent: Monday, February 16, 2009 5:56 PM
> To: centos@centos.org
> Subject: Re: [CentOS] Practical experience with NTLM/Windows 
> Integrated Authentication [Apache]
> 
> On Mon, 2009-02-16 at 09:13 +0100, Sorin Srbu wrote:
> > Probably not, but I was thinking there may be some obscure 
> package somewhere
> > on the 'net to do this.
> 
> There is - I found it last year, and it works.  I have 
> everything on my
> work PC, so I'll let the list know tomorrow or later this week.

If you can, provide a link to it please or, if the link is no longer valid,
can you somehow send me a mail personally so I could receive it from you to
provide it to interested people? That is if you still have the src or
binary.

JohnStanley 



Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-16 Thread Kanwar Ranbir Sandhu
On Mon, 2009-02-16 at 15:21 -0500, Ross Walker wrote:

> Avoid NTLM altogether and use Kerberos between apache/squid, Active  
> Directory and the Windows and Linux clients.
> 
> Firefox and IE both support Kerberos authentication. I believe apache/ 
> squid do too, but you need to manually create the service principal  
> names in AD for those.

I was using NTLM at first, but then switched to Kerberos (on the CentOS
server side).  The Windows users didn't see a difference.  For them, SSO
works just as well as before, but I still get prompted to enter
user/password when I use my Fedora 10 desktop to browse to CentOS hosted
web sites.

My Fedora desktop is joined to the domain. I can login with my AD
user/password. I even have caching working, which lets me sign on to my
laptop when it's not connected to the network.

I suppose I've missed something, though I don't know what.

Regards,

Ranbir

-- 
Kanwar Ranbir Sandhu
Linux 2.6.27.12-170.2.5.fc10.x86_64 x86_64 GNU/Linux 
17:57:09 up 5 days, 19:44, 3 users, load average: 0.21, 1.13, 1.00 




Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-16 Thread Kanwar Ranbir Sandhu
On Mon, 2009-02-16 at 09:13 +0100, Sorin Srbu wrote:
> Probably not, but I was thinking there may be some obscure package somewhere
> on the 'net to do this.

There is - I found it last year, and it works.  I have everything on my
work PC, so I'll let the list know tomorrow or later this week.

Regards,

Ranbir

-- 
Kanwar Ranbir Sandhu
Linux 2.6.27.12-170.2.5.fc10.x86_64 x86_64 GNU/Linux 
17:54:53 up 5 days, 19:41, 3 users, load average: 1.20, 1.70, 1.14 




Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-16 Thread Kanwar Ranbir Sandhu
On Sat, 2009-02-14 at 09:14 -0600, Jeff wrote:

> OK, so you say it's possible, but how about some hints? You're leaving
> us completely in the dark here.

The problem is I don't have a step-by-step procedure to give you because
I didn't document as I went along.  Working in a smaller company usually
means documentation gets delayed or not done at all, unfortunately (not
enough time to do it!).

I'll see if I saved the links I found the most useful when I did the
integration (on my work PC, so has to wait until Feb 17th, at least).
The websites I used will hopefully be useful to you, too.

Regards,

Ranbir

-- 
Kanwar Ranbir Sandhu
Linux 2.6.27.12-170.2.5.fc10.x86_64 x86_64 GNU/Linux 
17:50:59 up 5 days, 19:38, 3 users, load average: 2.08, 1.78, 0.98 




Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-16 Thread Ross Walker

On Feb 16, 2009, at 3:13 AM, "Sorin Srbu" wrote:

>> -Original Message-
>> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf
>> Of Christopher Chan
>> Sent: Monday, February 16, 2009 8:53 AM
>> To: CentOS mailing list
>> Subject: Re: [CentOS] Practical experience with NTLM/Windows Integrated
>> Authentication [Apache]
>>
>>
>>>> No, NTLM auth works in Firefox (at least on Firefox on Windows, I
>>>> don't think it will work in other platforms though).
>>>
>>> It doesn't. NTLM auth to eg Sharepoint sites works fine with Firefox in
>>> Windows. Setting the same things in Firefox under linux and having it login
>>> to sharepoint doesn't.
>>
>> I don't think any other OS other than Windows has NTLM bindings.
>
> Probably not, but I was thinking there may be some obscure package somewhere
> on the 'net to do this.

Avoid NTLM altogether and use Kerberos between apache/squid, Active
Directory and the Windows and Linux clients.

Firefox and IE both support Kerberos authentication. I believe apache/squid
do too, but you need to manually create the service principal names in AD
for those.

Use pam_krb5 on the Linux clients to get a ticket on login.

Use the samba client on Linux hosts to join the domain and manage the
Kerberos keytab file for the machine passwords.

Use winbind to get passwd/group files via nsswitch.

-Ross

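One thing worth checking once the Kerberos setup above is in place (this is an added illustration of my own, not code from Ross or anyone else in the thread): under HTTP "Negotiate" the browser sends a SPNEGO token, and a Windows client that could not obtain a Kerberos service ticket, typically because no HTTP/<host> SPN exists in AD for the web server, puts NTLM first in its mechanism list and sends an NTLMSSP Type 1 message instead of a Kerberos AP-REQ. SSO still "works" for the users, but it is NTLM, not Kerberos. The parser below decodes an Authorization header far enough to tell the two apart and applies the Kerberos-only policy a server in Ross's design should enforce. The OID constants are the standard SPNEGO/Kerberos/NTLMSSP ones; the sample headers are constructed here, not real captures, and the Kerberos inner token is only the GSS-API header (the AP-REQ body is omitted because nothing below parses it).

```python
import base64

# OIDs that appear in SPNEGO (RFC 4178) mechType lists.
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"       # Kerberos V5 (RFC 1964)
MS_KRB5_OID = "1.2.840.48018.1.2.2"     # Microsoft's Kerberos variant
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"  # NTLMSSP
NTLMSSP_SIG = b"NTLMSSP\x00"            # prefix of every NTLM message


def _der(tag, content):
    """Encode one DER TLV (short-form length; the sample tokens are tiny)."""
    return bytes([tag, len(content)]) + content


def _read_tlv(buf, pos=0):
    """Decode one DER TLV at pos (short or long-form length); return (tag, content, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128 with continuation bits
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def classify_negotiate(header_value):
    """Tell which mechanism an Authorization header really carries."""
    scheme, _, b64 = header_value.strip().partition(" ")
    token = base64.b64decode(b64)
    result = {"scheme": scheme, "mechanisms": [], "kerberos": False, "ntlm": False}
    if token.startswith(NTLMSSP_SIG):          # raw NTLMSSP, under NTLM or Negotiate
        result["ntlm"] = True
        return result
    if scheme.lower() != "negotiate" or not token or token[0] != 0x60:
        return result                          # not a GSS-API InitialContextToken
    _, body, _ = _read_tlv(token)              # [APPLICATION 0]
    tag, oid, pos = _read_tlv(body)            # thisMech OID
    if tag != 0x06 or _decode_oid(oid) != SPNEGO_OID:
        return result
    tag, neg_init, _ = _read_tlv(body, pos)    # [0] NegTokenInit
    if tag != 0xA0:
        return result
    _, fields, _ = _read_tlv(neg_init)         # SEQUENCE of tagged fields
    pos = 0
    while pos < len(fields):
        tag, val, pos = _read_tlv(fields, pos)
        if tag == 0xA0:                        # [0] mechTypes, preferred first
            _, oids, _ = _read_tlv(val)
            p = 0
            while p < len(oids):
                _, o, p = _read_tlv(oids, p)
                result["mechanisms"].append(_decode_oid(o))
        elif tag == 0xA2:                      # [2] mechToken (optimistic token)
            _, inner, _ = _read_tlv(val)
            result["ntlm"] = inner.startswith(NTLMSSP_SIG)
    # The optimistic mechToken belongs to the first listed mechanism.
    preferred = result["mechanisms"][0] if result["mechanisms"] else None
    result["kerberos"] = preferred in (KRB5_OID, MS_KRB5_OID)
    result["ntlm"] = result["ntlm"] or preferred == NTLMSSP_OID
    return result


def accept_kerberos_only(header_value):
    """Policy for the SSO endpoint: Negotiate is fine, NTLM hiding under it is not."""
    r = classify_negotiate(header_value)
    return r["kerberos"] and not r["ntlm"]


def build_negotiate_header(mech_oids, mech_token):
    """Build a SPNEGO NegTokenInit the way a browser would (for offline testing)."""
    mech_list = _der(0x30, b"".join(_der(0x06, _encode_oid(o)) for o in mech_oids))
    neg_init = _der(0x30, _der(0xA0, mech_list) + _der(0xA2, _der(0x04, mech_token)))
    gss = _der(0x60, _der(0x06, _encode_oid(SPNEGO_OID)) + _der(0xA0, neg_init))
    return "Negotiate " + base64.b64encode(gss).decode()


# Constructed samples, not captures. KRB5 stub = GSS header + TOK_ID 01 00 (AP-REQ),
# body omitted; NTLM Type 1 = signature, type 1, arbitrary flags, empty fields.
KRB5_APREQ_STUB = _der(0x60, _der(0x06, _encode_oid(KRB5_OID)) + b"\x01\x00")
NTLM_TYPE1 = NTLMSSP_SIG + b"\x01\x00\x00\x00" + b"\x97\x82\x08\xe2" + bytes(16)

SAMPLE_HEADERS = {
    # client holds a ticket for HTTP/host: Kerberos first, NTLM only as fallback
    "with_ticket": build_negotiate_header([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], KRB5_APREQ_STUB),
    # no ticket (e.g. no HTTP/ SPN registered): NTLM is the only mechanism offered
    "ntlm_fallback": build_negotiate_header([NTLMSSP_OID], NTLM_TYPE1),
    # legacy client that never negotiates at all
    "raw_ntlm": "NTLM " + base64.b64encode(NTLM_TYPE1).decode(),
}

if __name__ == "__main__":
    for name, hdr in SAMPLE_HEADERS.items():
        r = classify_negotiate(hdr)
        print(f"{name:14s} kerberos={r['kerberos']} ntlm={r['ntlm']} mechs={r['mechanisms']}")
```

Run against a header copied from a packet capture or a debug log, the classifier reports a Kerberos token only when the first mechanism is one of the two Kerberos OIDs and the optimistic token is not NTLMSSP; anything else is either NTLM or unknown and is rejected by accept_kerberos_only. An easy way to reproduce the fallback on purpose is to remove the HTTP/ SPN and reload the page from a Windows client.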


Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-16 Thread Christopher Chan

>> I don't think any other OS other than Windows has NTLM bindings.
>> 
>
> Probably not, but I was thinking there may be some obscure package somewhere
> on the 'net to do this.
>   
Hahaha, and I was hoping to flush it/them out.


Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-16 Thread Sorin Srbu
>-Original Message-
>From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf
>Of Christopher Chan
>Sent: Monday, February 16, 2009 8:53 AM
>To: CentOS mailing list
>Subject: Re: [CentOS] Practical experience with NTLM/Windows Integrated
>Authentication [Apache]
>
>
>>> No, NTLM auth works in Firefox (at least on Firefox on Windows, I
>>> don't think it will work in other platforms though).
>>
>> It doesn't. NTLM auth to eg Sharepoint sites works fine with Firefox in
>> Windows. Setting the same things in Firefox under linux and having it login
>> to sharepoint doesn't.
>
>I don't think any other OS other than Windows has NTLM bindings.

Probably not, but I was thinking there may be some obscure package somewhere
on the 'net to do this.
-- 
/Sorin




Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-15 Thread Christopher Chan

>> No, NTLM auth works in Firefox (at least on Firefox on Windows, I
>> don't think it will work in other platforms though).
>> 
>
> It doesn't. NTLM auth to eg Sharepoint sites works fine with Firefox in
> Windows. Setting the same things in Firefox under linux and having it login
> to sharepoint doesn't.
>   

I don't think any other OS other than Windows has NTLM bindings.


Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-15 Thread Sorin Srbu
>-Original Message-
>From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf
>Of Filipe Brandenburger
>Sent: Monday, February 16, 2009 3:58 AM
>To: CentOS mailing list
>Subject: Re: [CentOS] Practical experience with NTLM/Windows Integrated
>Authentication [Apache]
>
>No, NTLM auth works in Firefox (at least on Firefox on Windows, I
>don't think it will work in other platforms though).

It doesn't. NTLM auth to eg Sharepoint sites works fine with Firefox in
Windows. Setting the same things in Firefox under linux and having it login
to sharepoint doesn't.
-- 
/Sorin




Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-15 Thread Christopher Chan
Filipe Brandenburger wrote:
> Hi,
>
> On Sun, Feb 15, 2009 at 19:02, Christopher Chan
>  wrote:
>   
>> Have fun. Oh, I believe this will only work with IE clients on the
>> desktop side of things unless Mozilla or whatever else out there has
>> kerberos support too.
>> 
>
> No, NTLM auth works in Firefox (at least on Firefox on Windows, I
> don't think it will work in other platforms though).
>   
Okay.
> I tested configuring Firefox on Windows to do NTLM auth, and it worked
> with the IIS sites my company had. As I said before, unfortunately I
> couldn't get Apache on Linux to work with NTLM authentication.
>   
Too bad. However, based on your information I found this on Google:

http://sivel.net/2007/05/sso-apache-ad-1/

Thanks Filipe. Now I guess I can have a crack at this too.


Christopher


Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-15 Thread Filipe Brandenburger
Hi,

On Sun, Feb 15, 2009 at 19:02, Christopher Chan
 wrote:
> Have fun. Oh, I believe this will only work with IE clients on the
> desktop side of things unless Mozilla or whatever else out there has
> kerberos support too.

No, NTLM auth works in Firefox (at least on Firefox on Windows, I
don't think it will work in other platforms though).

I tested configuring Firefox on Windows to do NTLM auth, and it worked
with the IIS sites my company had. As I said before, unfortunately I
couldn't get Apache on Linux to work with NTLM authentication.

See:
http://www.crossedconnections.org/w/?p=89
http://www.cauldwell.net/patrick/blog/PermaLink,guid,c7f1e799-c4ae-4758-9de7-5c3e7a16f3da.aspx
http://kb.mozillazine.org/Network.automatic-ntlm-auth.trusted-uris

HTH,
Filipe


Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-15 Thread Christopher Chan
Sven wrote:
> Hi folks
>
> I wish to migrate a Windows IIS webserver to CentOS. The killer feature is
> SSO with Windows Integrated Authentication[0].
>   
Cor...you are asking for a tough one here.
> Anyone have experience with such a setup and can say a few sentences on
> how to do that and if it's stable?
>
>   

No experience with apache in particular but for SSO to work, Kerberos 
will have to be involved.

Hmm, a Google on apache kerberos produced this:

http://blog.scottlowe.org/2006/08/10/kerberos-based-sso-with-apache/


Have fun. Oh, I believe this will only work with IE clients on the 
desktop side of things unless Mozilla or whatever else out there has 
kerberos support too.


Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-14 Thread Jeff
On Fri, Feb 13, 2009 at 8:22 PM, Kanwar Ranbir Sandhu
 wrote:
> On Fri, 2009-02-13 at 12:11 +0100, Sven wrote:
>> I wish to migrate a Windows IIS webserver to CentOS. The killer feature is
>> SSO with Windows Integrated Authentication[0].
>>
>> Anyone have experience with such a setup and can say a few sentences on
>> how to do that and if it's stable?
>
> I've done this on a few servers at work and it works great.  Stable and
> essentially hands off after the initial config. The very first time I
> set it up, I had a tough time figuring out all the bits that were
> necessary to make it work, but I guess that's true of anything you do
> the first time.
>
> You know what the best part is? Nothing was documented. HA!  It's
> actually quite horrible.  My plan is to set up the Apache/Windows AD
> integration again on another box and to document it at that time.
>
> Your two keys to success:
>
> 1. you better have a solid understanding of administering a CentOS
>   system.  You don't have to know Apache inside and out, but a good
>   grasp of how to configure apache is a plus.
>
> 2. make sure your Windows ADS is configured properly. If there's
>   anything that will throw off your project, it's the Windows server.
>   Your Windows admin better know his stuff!
>

OK, so you say it's possible, but how about some hints? You're leaving
us completely in the dark here.

-- 
Jeff


Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-13 Thread Filipe Brandenburger
Hi,

Last year I tried to get this working on a CentOS 4 server, but I
could not get it running.

I used this module at the time:
http://adldap.sourceforge.net/wiki/doku.php?id=mod_auth_ntlm_winbind

I spent some time trying to figure out what was the issue, but
eventually I just gave up. I believe I had some problem on the Samba
config somewhere...

My current job is Linux only so I never tried this again, maybe it
would work under CentOS 5, it might be worth the try...

HTH,
Filipe


Re: [CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-13 Thread Kanwar Ranbir Sandhu
On Fri, 2009-02-13 at 12:11 +0100, Sven wrote:
> I wish to migrate a Windows IIS webserver to CentOS. The killer feature is
> SSO with Windows Integrated Authentication[0].
> 
> Anyone have experience with such a setup and can say a few sentences on
> how to do that and if it's stable?

I've done this on a few servers at work and it works great.  Stable and
essentially hands off after the initial config. The very first time I
set it up, I had a tough time figuring out all the bits that were
necessary to make it work, but I guess that's true of anything you do
the first time.

You know what the best part is? Nothing was documented. HA!  It's
actually quite horrible.  My plan is to set up the Apache/Windows AD
integration again on another box and to document it at that time.

Your two keys to success:

1. you better have a solid understanding of administering a CentOS 
   system.  You don't have to know Apache inside and out, but a good
   grasp of how to configure apache is a plus.

2. make sure your Windows ADS is configured properly. If there's 
   anything that will throw off your project, it's the Windows server.
   Your Windows admin better know his stuff!

Regards,

Ranbir

-- 
Kanwar Ranbir Sandhu
Linux 2.6.27.12-170.2.5.fc10.x86_64 x86_64 GNU/Linux 
21:12:14 up 2 days, 22:59, 4 users, load average: 0.22, 0.21, 0.29 




[CentOS] Practical experience with NTLM/Windows Integrated Authentication [Apache]

2009-02-13 Thread Sven
Hi folks

I wish to migrate a Windows IIS webserver to CentOS. The killer feature is
SSO with Windows Integrated Authentication[0].

Anyone have experience with such a setup and can say a few sentences on
how to do that and if it's stable?

kind regards
Sven Aluoor

(Please CC me I am not on the list)
[0] http://bayimg.com/image/hanogaabi.jpg