Howtos:Ocsreports transparent login in MS AD domain on ubuntu server

From OCS Inventory NG

Task

Set up transparent login of a local MS Active Directory domain user to the OCSReports web console.

Start point

  • OS: Ubuntu Lucid LTS
  • installed OCS_UNIX_SERVER version: 2.0.4.0
  • local domain dns/active directory: domain.tld
  • domain controllers: dc1 - 192.168.0.1 and dc2 - 192.168.1.1
  • domain administrator login: domain_admin
  • ubuntu server box name: ocsng.domain.tld

Setup kerberos on Ubuntu Lucid server

  • Time synchronization

For Kerberos to work properly the server needs the same time as the domain controllers. The best way is to set up the server to sync its time with one of the domain controllers; any method can be used, for example a cron job running the command

   ntpdate -s dc1.domain.tld
  • Next we need to install packages: smbclient, samba-common, samba-common-bin, krb5-user, libapache2-mod-auth-kerb
   sudo apt-get install smbclient samba-common samba-common-bin krb5-user libapache2-mod-auth-kerb

In the Lucid repository libapache2-mod-auth-kerb is version 5.3. Starting with Maverick it is version 5.4, which supports the new parameter KrbLocalUserMapping. That parameter gives the user login without the domain part; otherwise the login looks like this (case sensitive): login@DOMAIN.TLD

  • Package configuration

Here are example config files for Samba and Kerberos:

   =============== smb.conf ===============
   [global]
       dos charset = CP866
       display charset = UTF-8
       netbios name = ocsng
       workgroup = DOMAIN
       realm = DOMAIN.TLD
       security = ADS
       password server = domain.tld
       encrypt passwords = true
       restrict anonymous = 2
       lanman auth = No
       client NTLMv2 auth = Yes
       client lanman auth = No
       client plaintext auth = No
       kerberos method = system keytab
   
       load printers = no
       show add printer wizard = no
       printcap name = /dev/null
       disable spoolss = yes
   ==============================
   =============== krb5.conf ===============
   [libdefaults]
       default_realm = DOMAIN.TLD
       kdc_timesync = 1
       ccache_type = 4
       forwardable = true
       proxiable = true
       fcc-mit-ticketflags = true
       default_keytab_name = FILE:/etc/krb5.keytab
   
   [realms]
       DOMAIN.TLD = {
           kdc = 192.168.0.1
           kdc = 192.168.1.1
           kpasswd_server = 192.168.0.1
           kpasswd_server = 192.168.1.1
           admin_server = 192.168.0.1
           default_domain = DOMAIN.TLD
           }
   
   [domain_realm]
       domain.tld = DOMAIN.TLD
       .domain.tld = DOMAIN.TLD
   
   [logging]
       default = FILE:/var/log/krb5/kdc.log
       kdc = FILE:/var/log/krb5/kdc.log
       kdc_rotate = {
           period = 1d
           versions = 10
       }
   
   [appdefaults]
       kinit = {
           renewable = true
           forwardable= true
       }
   ==============================
  • Join our domain
   sudo net ads join -U domain_admin
  • Create keytab file
   sudo net ads keytab create -U domain_admin
   sudo net ads keytab add HTTP -U domain_admin
  • Change permissions of keytab file (allow webserver to read it)
   sudo chown :www-data /etc/krb5.keytab
   sudo chmod g+r /etc/krb5.keytab
  • Configure Apache to do Kerberos authentication for the OCS GUI. The default config location is "/etc/apache2/conf.d/ocsinventory-ocsreports.conf"

Add parameters

   =============== ocsreports.conf ===============
       ...
   <Directory /usr/share/ocsinventory-reports/ocsreports>
       ...
       AuthType Kerberos
       AuthName "Kerberos Login"
       KrbMethodNegotiate On
       KrbMethodK5Passwd On
       KrbServiceName HTTP
       KrbAuthRealms DOMAIN.TLD
       Krb5KeyTab /etc/krb5.keytab
       require valid-user
   </Directory>
       ...
   ==============================

A web server restart is needed!

  • Allow browser to send auth info to server

- IE: ocsng.domain.tld should be added to the "Local intranet" zone.

- Firefox: open the page "about:config" (type it in the URL bar, without quotes). When the config page is shown, type "trusted" (without quotes) in the filter field. Two parameters should appear; for both, set the value to ".domain.tld" (without quotes).

Configure OCSReports users

Do this before the next step. The user id must be the same as the one provided by Apache: "login@DOMAIN.TLD", or "login" if the option "KrbLocalUserMapping On" is used. The user perimeter must also be defined: click on the user id in the OCS GUI, or add it to the "tags" table in the MySQL database.


Setup transparent login to OCS GUI

  • Edit auth parameters

In the file /usr/share/ocsinventory-reports/ocsreports/backend/AUTH/auth.php comment out

   $affich_method='HTML';
   ...
   $list_methode=array(0=>"local.php");

and uncomment

   $affich_method='SSO';
   $list_methode=array(0=>"always_ok.php");

The order in which affich_method is checked MUST also be changed! It must look like this (see https://bugs.launchpad.net/ocsinventory-ocsreports/+bug/936795):

   if ($affich_method == 'HTML' and isset($protectedPost['Valid_CNX']) and trim($protectedPost['LOGIN']) != ""){
       $login=$protectedPost['LOGIN'];
       $mdp=$protectedPost['PASSWD'];
   }elseif ($affich_method == 'CAS'){
       require_once('methode/cas.php');
   }elseif($affich_method == 'SSO' and isset($_SERVER['REMOTE_USER'])){
       $login=$_SERVER['REMOTE_USER'];
       $mdp='NO_PASSWD';
   }elseif ($affich_method != 'HTML' and isset($_SERVER['PHP_AUTH_USER'])){
       $login=$_SERVER['PHP_AUTH_USER'];
       $mdp=$_SERVER['PHP_AUTH_PW'];
   }