[Cialug] apache2 authentication with Windows PDC

Christopher R. Rhodes arreyder at apache.org
Thu Dec 2 12:55:03 CST 2010


On 12/02/10 11:49, Tim Champion wrote:
> I've been banging my head against a wall for a day or so here.
> 
> I have an Ubuntu web server running apache2. What I want to do is have a
> certain directory path (this path is browse-able, anybody is currently
> able to view and download raw files) and I want a specific directory
> protected with http authentication, and for that authentication to be
> against the Windows PDC (in the same network). 
> 
> I've found this:
> http://manpages.ubuntu.com/manpages/maverick/man3/Apache2::AuthenNTLM.3pm.html
> which tells me to use NTLM authentication, but there's not enough
> information here to get things working.
> 
> What I have now is a <Location> section in apache2.conf that looks
> similar to what is in the above link.  I am, of course, plugging in all
> my network-specific stuff (PDC, domain name, etc.). I'm not really seeing
> anything in error logs, I just get an Internal Server Error on
> Firefox/Ubuntu, and a "Forbidden" page on IE/Windows when I try to
> browse to the path.
> 
> So, I guess I'm asking if anybody has done this sort of thing before,
> and if so, can you point me in the right direction here?  I just don't
> have any feeling for how to troubleshoot this. No logs I can find are
> updating on failure.
> 


I use this:  http://modauthkerb.sourceforge.net/


Works great.

Create a user to represent your service in AD, and export the keytab for placement on the HTTPD server.

After configuring krb5.conf and testing with kinit, add this stuff to your httpd.conf in the appropriate area, e.g.:

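        <Location />
         AuthType Kerberos
         AuthName "Kerberos Login"
         # Try SPNEGO/Negotiate first (single sign-on with the client's ticket)
         KrbMethodNegotiate On
         # Fall back to prompting for a password, checked against the KDC
         KrbMethodK5Passwd On
         KrbAuthRealms SOME.REALM.COM
         # Keytab exported from AD for the service account
         Krb5KeyTab /usr/local/apache2/conf/SOME.REALM.COM.keytab
         KrbServiceName HTTP/some.realm.com@SOME.REALM.COM
         require valid-user
        </Location>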


If you'd like to go this route I will try and get a more complete howto for you.



crr
arreyder at apache.org
chris at ia.gov
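
A pre-flight check for a block like the one in the message above, added here as an example and not part of the original post or of mod_auth_kerb. The helper names (`parse_block`, `audit`) and the sample are constructed; it only inspects the block it is given, so TLS enforced elsewhere in the server config is an assumption it cannot see.

```python
import os
import shlex
import stat

# Constructed sample: the block from the message with the "@" of the principal
# rewritten as " at ", which is what list-archive address obfuscation does to it.
OBFUSCATED = """
<Location />
 AuthType Kerberos
 AuthName "Kerberos Login"
 KrbMethodNegotiate On
 KrbMethodK5Passwd On
 KrbAuthRealms SOME.REALM.COM
 Krb5KeyTab /usr/local/apache2/conf/SOME.REALM.COM.keytab
 KrbServiceName HTTP/some.realm.com at SOME.REALM.COM
 require valid-user
</Location>
"""

def parse_block(conf_text):
    """Map lower-cased directive name -> argument list, skipping tags/comments."""
    directives = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, *args = shlex.split(line)
            directives[name.lower()] = args
    return directives

def audit(conf_text):
    """Return findings for one mod_auth_kerb-protected block (hypothetical helper)."""
    d, findings = parse_block(conf_text), []
    svc = d.get("krbservicename", [])
    if len(svc) > 1:
        findings.append("KrbServiceName has %d arguments; a principal is one token" % len(svc))
    elif svc and "@" in svc[0] and svc[0].rsplit("@", 1)[1] not in d.get("krbauthrealms", []):
        findings.append("KrbServiceName realm %s is not in KrbAuthRealms" % svc[0].rsplit("@", 1)[1])
    # Only an explicit "On" is checked; TLS enforced outside this block is not seen.
    if (d.get("krbmethodk5passwd") or [""])[0].lower() == "on" and "sslrequiressl" not in d:
        findings.append("KrbMethodK5Passwd On without SSLRequireSSL: password fallback uses HTTP Basic")
    keytab = (d.get("krb5keytab") or [""])[0]
    if keytab and os.path.exists(keytab):
        mode = stat.S_IMODE(os.stat(keytab).st_mode)
        if mode & 0o077:  # the keytab holds the service's long-term key
            findings.append("keytab %s is mode %o; make it readable by the httpd user only" % (keytab, mode))
    return findings

if __name__ == "__main__":
    for finding in audit(OBFUSCATED):
        print("-", finding)
```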







