Kerberos auth with Apache/PHP
Windows SSO on a Linux web server
Why
Once users have logged in on their Windows computers, they can open the intranet web page without having to authenticate a second time.
Prerequisites:
- Windows AD
- Linux web server with Apache and PHP
Setup:
- CentOS 7 (Apache 2.4.6 / PHP 5.6.26)
- Domain controller (Windows server 2008 R2)
Before you start:
The commands and images have been masked to remove anything related to my work infrastructure. Remember to adapt them to your own network and domain. Contoso.com is the example domain and http://website.contoso.com is the website's DNS name. Use the images as an illustration of what the output should look like.
As Kerberos was already in use for other services in my case, I am not sure whether any changes need to be made to the domain structure.
1. Disable the firewall and SELinux
$ setenforce 0
$ systemctl stop firewalld
2. Install mod_auth_kerb
You need the mod_auth_kerb module for Apache so that Apache can handle the Kerberos tickets.
$ yum install mod_auth_kerb
$ systemctl restart httpd.service
3. Join the Linux server to the domain
Source: http://www.hexblot.com/blog/centos-7-active-directory-and-samba
Install the required packages:
$ yum install realmd samba samba-common oddjob oddjob-mkhomedir sssd ntpdate ntp
3.1 Time synchronisation with the domain
$ systemctl enable ntpd.service
$ ntpdate domaincontroller-01.contoso.com
$ systemctl start ntpd.service
3.2 Joining the domain
$ realm join --user=adminuser@contoso.com contoso.com
List the domain data for the server to check that it worked. This looked fine to me the first time, but the computer object did not show up in AD, so for some reason I had to leave the domain ($ realm leave …) and join it once more.
$ realm list
mydomain.local
  type: kerberos
  realm-name: CONTOSO.COM
  domain-name: mydomain.local
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common
  login-formats: %U@mydomain.local
  login-policy: allow-realm-logins
3.3 Samba configuration
$ vi /etc/samba/smb.conf
Contents of the config file:
#======================= Global Settings ====================================
[global]
#--authconfig--start-line--
# Generated by authconfig on 2015/01/13 17:14:47
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future
password server = domaincontroller-01.contoso.com
security = domain
idmap config * : range = 16777216-33554431
kerberos method = secrets only
winbind use default domain = false
winbind offline logon = true
#--authconfig--end-line--
4. Computer object in AD
Open AD and check that the computer object has been created.
Make sure that on the computer object's Delegation tab "Trust this computer for delegation to any service (Kerberos only)" is selected.
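A small set of post-join sanity checks for steps 3.1 to 3.3 above, written as an added example for this post rather than taken from it. The `realm list` output and smb.conf text it checks are constructed samples (on a real host feed it the actual command output and file), and the 300-second limit is the default clock-skew tolerance of MIT krb5 and of the AD Kerberos policy, which is why step 3.1 syncs time with the domain controller.

```shell
#!/bin/sh
# Added example, not part of the original post: checks that the join and
# the Samba config look the way the steps above expect them to.

# Constructed sample of what `realm list` prints after a successful join.
SAMPLE_REALM_LIST='mydomain.local
  type: kerberos
  realm-name: CONTOSO.COM
  domain-name: mydomain.local
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  login-formats: %U@mydomain.local
  login-policy: allow-realm-logins'

# Constructed sample of the relevant smb.conf lines from step 3.3.
SAMPLE_SMB_CONF='[global]
password server = domaincontroller-01.contoso.com
security = domain
kerberos method = secrets only'

# realm_is_ad_member OUTPUT: 0 when OUTPUT shows a Kerberos member of an
# Active Directory realm served by sssd, 1 otherwise. A passing check does
# not prove the computer object exists in AD; that still needs step 4.
realm_is_ad_member() {
    printf '%s\n' "$1" | grep -q '^ *configured: kerberos-member$' || return 1
    printf '%s\n' "$1" | grep -q '^ *server-software: active-directory$' || return 1
    printf '%s\n' "$1" | grep -q '^ *client-software: sssd$' || return 1
}

# realm_name OUTPUT: prints the Kerberos realm name (e.g. CONTOSO.COM).
realm_name() {
    printf '%s\n' "$1" | sed -n 's/^ *realm-name: *//p'
}

# clock_skew_ok LOCAL_EPOCH DC_EPOCH [MAX_SECONDS]: Kerberos rejects tickets
# when client and KDC clocks differ by more than MAX_SECONDS (default 300,
# the krb5 clockskew default and the AD policy default of five minutes).
clock_skew_ok() {
    skew=$(( $1 - $2 ))
    [ "$skew" -lt 0 ] && skew=$(( -skew ))
    [ "$skew" -le "${3:-300}" ]
}

# smb_conf_ok CONTENT: the settings step 3.3 relies on must all be present.
smb_conf_ok() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*security[[:space:]]*=[[:space:]]*domain' || return 1
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*kerberos method[[:space:]]*=[[:space:]]*secrets only' || return 1
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*password server[[:space:]]*=' || return 1
}

# Stand-alone run against the constructed samples.
realm_is_ad_member "$SAMPLE_REALM_LIST" && echo "realm: member of $(realm_name "$SAMPLE_REALM_LIST")"
smb_conf_ok "$SAMPLE_SMB_CONF" && echo "smb.conf: ok"
clock_skew_ok "$(date +%s)" "$(date +%s)" && echo "clock skew: ok"
```

On a real host replace the samples with `$(realm list)`, `$(cat /etc/samba/smb.conf)` and the epoch seconds reported by the domain controller.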