Apache vs. AD
Karel Salavec
karels na pc163.gr.ph.ct.cz
Wednesday April 11 07:48:02 CEST 2007
On Friday 06 April 2007 09:09 Marek Blasko wrote:
> Ing. Pavel PaJaSoft Janoušek wrote:
> > linux-bounces na linux.cz <mailto:linux-bounces na linux.cz> wrote:
> >> Any idea how to pull this off?
> >
> > There used to be something that could use Samba as an authentication service -
> > so on the server with Apache you put Samba into the domain and authenticate locally
> > against it... - whether it is still being developed, I don't know.
> >
> > Another option, on the theoretical level, that occurs to me off the top of my head is
> > to use the services of Radius... - on Windows it is a few clicks and on Linux there are
> > wide options even for 0 money.
>
> there are 3 options:
>
> Ldap: - access to the LDAP is enough. (authentication mechanism Base)
> Radius: - classic radius infrastructure. (transparent)
> - there is also the option of authenticating via the BASE mechanism, which
> uses the radius service. clients do not need radius tickets.
> Winbind: - you need samba + radius (in the case of AD), everything
> configured and joined to the domain. I recommend having the winbind server
> configured without cache (slower response when logging in,
> but fast to pick up changes from AD). It handles the
> BASE and NTLM mechanisms (all the options)
>
> Study the details and the configuration in the respective documentation.
>
> If there are also users outside the domain (with domain accounts), I would go
> with LDAP, and if they are purely inside the domain, then with Radius.
>
> Marek Blasko
Well, it was described in the original mail, but ...
Status: samba up and running, winbind working, the computer successfully joined to AD
When I put the recommended settings into auth_ntlm_winbind.conf in the form
LoadModule auth_ntlm_winbind_module modules/mod_auth_ntlm_winbind.so
<Directory "/var/www/html/private">
    AuthName "NTLM_Authentication_thingy"
    NTLMAuth on
    NTLMBasicRealm USER.CT.CZ
    NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --debuglevel=10"
    NTLMBasicAuthoritative on
    AuthType NTLM
    require valid-user
</Directory>
then something like this appears in the log /var/log/httpd/error_log:
[2007/04/10 09:53:19, 5] lib/debug.c:debug_dump_status(391)
INFO: Current debug levels:
all: True/10
tdb: False/0
printdrivers: False/0
lanman: True/10
smb: True/10
rpc_parse: True/10
rpc_srv: True/10
rpc_cli: True/10
passdb: False/0
sam: False/0
auth: True/10
winbind: True/10
vfs: False/0
idmap: False/0
quota: False/0
acls: False/0
locking: False/0
msdfs: False/0
dmapi: False/0
pasdb: True/5
[2007/04/10 09:53:19, 10] utils/ntlm_auth.c:manage_squid_request(1615)
Got 'YR TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=' from squid (length: 47).
[2007/04/10 09:53:19, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(590)
got NTLMSSP packet:
[2007/04/10 09:53:19, 10] lib/util.c:dump_data(2237)
[000] 4E 54 4C 4D 53 53 50 00 01 00 00 00 07 82 08 00 NTLMSSP. ........
[010] 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
[2007/04/10 09:53:19, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0x00088207
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_NEGOTIATE_OEM
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
[2007/04/10 09:53:21, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(600)
NTLMSSP challenge
[2007/04/10 09:53:21, 5] lib/debug.c:debug_dump_status(391)
INFO: Current debug levels:
all: True/10
tdb: False/0
printdrivers: False/0
lanman: True/10
smb: True/10
rpc_parse: True/10
rpc_srv: True/10
rpc_cli: True/10
passdb: False/0
sam: False/0
auth: True/10
winbind: True/10
vfs: False/0
idmap: False/0
quota: False/0
acls: False/0
locking: False/0
msdfs: False/0
dmapi: False/0
pasdb: True/5
[2007/04/10 09:53:21, 10] utils/ntlm_auth.c:manage_squid_request(1615)
Got 'YR TlRMTVNTUAADAAAAGAAYAGAAAAAYABgAeAAAAAYABgBAAAAAEAAQAEYAAAAKAAoAVgAAAAAAAAAAAAAABYIIAFAASABBAGsAYQAwADMANwAzADkAMABwAGMAMQA2ADMAZ4V6cP8ZQI4AAAAAAAAAAAAAAAAAAAAAGZ0sVUvRR3WGEEMCQw6owvcWkvp6yKB8' from squid (length: 195).
[2007/04/10 09:53:21, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(590)
got NTLMSSP packet:
[2007/04/10 09:53:21, 10] lib/util.c:dump_data(2237)
[000] 4E 54 4C 4D 53 53 50 00 03 00 00 00 18 00 18 00 NTLMSSP. ........
[010] 60 00 00 00 18 00 18 00 78 00 00 00 06 00 06 00 `....... x.......
[020] 40 00 00 00 10 00 10 00 46 00 00 00 0A 00 0A 00 @....... F.......
[030] 56 00 00 00 00 00 00 00 00 00 00 00 05 82 08 00 V....... ........
[040] 50 00 48 00 41 00 6B 00 61 00 30 00 33 00 37 00 P.H.A.k. a.0.3.7.
[050] 33 00 39 00 30 00 70 00 63 00 31 00 36 00 33 00 3.9.0.p. c.1.6.3.
[060] 67 85 7A 70 FF 19 40 8E 00 00 00 00 00 00 00 00 g.zp..@. ........
[070] 00 00 00 00 00 00 00 00 19 9D 2C 55 4B D1 47 75 ........ ..,UK.Gu
[080] 86 10 43 02 43 0E A8 C2 F7 16 92 FA 7A C8 A0 7C ..C.C... ....z..|
[2007/04/10 09:53:21, 1] libsmb/ntlmssp.c:ntlmssp_update(267)
got NTLMSSP command 3, expected 1
[2007/04/10 09:53:21, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(608)
NTLMSSP NT_STATUS_INVALID_PARAMETER
And I'm stuck ...
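To see what the helper is actually complaining about, the two requests that ntlm_auth logged above can be decoded. The following is an added example, not code from this thread, from Samba or from mod_auth_ntlm_winbind; it assumes the squid-2.5-ntlmssp helper convention that "YR <base64>" opens a new exchange (so the helper expects a type 1 NEGOTIATE) while "KK <base64>" continues one (type 3 AUTHENTICATE), and the NTLMSSP message layouts from MS-NLMP. LOG_EXCERPT is constructed from the "Got '...'" lines of the log above. Both requests in the log carry the "YR" prefix, yet the second one decodes as a type 3, which is exactly what "got NTLMSSP command 3, expected 1" says; the script flags that mismatch.

```python
"""Decode the ntlm_auth helper requests from the error_log above.

Added example, not code from the thread, Samba or mod_auth_ntlm_winbind.
Assumptions: squid-2.5-ntlmssp helper semantics ("YR <b64>" starts a new
exchange and expects a type 1 NEGOTIATE, "KK <b64>" continues one and
expects a type 3 AUTHENTICATE) and the MS-NLMP message layouts.
"""
import base64
import re
import struct

# Constructed excerpt: the two helper requests copied from the log above,
# with the line wraps as they appear there.
LOG_EXCERPT = """\
[2007/04/10 09:53:19, 10] utils/ntlm_auth.c:manage_squid_request(1615)
Got 'YR TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=' from squid (length:
47).
[2007/04/10 09:53:21, 10] utils/ntlm_auth.c:manage_squid_request(1615)
Got 'YR
TlRMTVNTUAADAAAAGAAYAGAAAAAYABgAeAAAAAYABgBAAAAAEAAQAEYAAAAKAAoAVgAAAAAAAAAAAAAABYIIAFAASABBAGsAYQAwADMANwAzADkAMABwAGMAMQA2ADMAZ4V6cP8ZQI4AAAAAAAAAAAAAAAAAAAAAGZ0sVUvRR3WGEEMCQw6owvcWkvp6yKB8'
from squid (length: 195).
"""

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
# Message type the helper expects after each squid-2.5-ntlmssp command (assumption, see above).
EXPECTED_TYPE_FOR_COMMAND = {"YR": 1, "KK": 3}
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_NTLM2 = 0x00080000
# Subset of the MS-NLMP NegotiateFlags; the names are the ones Samba's
# debug_ntlmssp_flags() prints in the log above.
NEGOTIATE_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLMSSP_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NTLMSSP_NEGOTIATE_NTLM2",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}


def flag_names(flags):
    """Names of the known negotiate flags set in `flags`, lowest bit first."""
    return [name for bit, name in sorted(NEGOTIATE_FLAGS.items()) if flags & bit]


def _field(buf, offset):
    """Resolve an NTLMSSP (Len, MaxLen, BufferOffset) header at `offset` to its payload."""
    length, _maxlen, start = struct.unpack_from("<HHI", buf, offset)
    if start + length > len(buf):
        raise ValueError("field at offset %d points outside the message" % offset)
    return buf[start:start + length]


def parse_ntlmssp(token_b64):
    """Decode one base64 NTLMSSP token into a dict of its interesting fields."""
    raw = base64.b64decode(token_b64)
    if len(raw) < 12 or raw[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    info = {"type": msg_type, "name": MESSAGE_TYPES.get(msg_type, "UNKNOWN"), "length": len(raw)}
    if msg_type == 1:
        info["flags"] = struct.unpack_from("<I", raw, 12)[0]
        # Type 1 carries optional OEM (8-bit) domain and workstation names.
        info["domain"] = _field(raw, 16).decode("latin-1")
        info["workstation"] = _field(raw, 24).decode("latin-1")
    elif msg_type == 3:
        lm_resp = _field(raw, 12)
        nt_resp = _field(raw, 20)
        info["flags"] = struct.unpack_from("<I", raw, 60)[0]
        enc = "utf-16-le" if info["flags"] & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
        info["domain"] = _field(raw, 28).decode(enc)
        info["user"] = _field(raw, 36).decode(enc)
        info["workstation"] = _field(raw, 44).decode(enc)
        info["lm_response_len"] = len(lm_resp)
        info["nt_response_len"] = len(nt_resp)
        # NTLM2 session response: the LM field holds an 8-byte client nonce padded with zeros.
        info["ntlm2_session"] = (bool(info["flags"] & NTLMSSP_NEGOTIATE_NTLM2)
                                 and len(nt_resp) == 24 and lm_resp[8:] == bytes(16))
    info["flag_names"] = flag_names(info.get("flags", 0))
    return info


def analyse_helper_log(text):
    """One record per "Got '<cmd> <token>'" line: the decoded message plus whether
    the helper command matches the message type the helper will expect."""
    results = []
    for cmd, token in re.findall(r"Got '(YR|KK)\s+([A-Za-z0-9+/=]+)'", text):
        rec = parse_ntlmssp(token)
        rec["command"] = cmd
        rec["command_ok"] = EXPECTED_TYPE_FOR_COMMAND[cmd] == rec["type"]
        results.append(rec)
    return results


if __name__ == "__main__":
    for rec in analyse_helper_log(LOG_EXCERPT):
        print("%s -> type %d (%s), %d bytes, flags 0x%08x"
              % (rec["command"], rec["type"], rec["name"], rec["length"], rec["flags"]))
        for name in rec["flag_names"]:
            print("    " + name)
        if rec["type"] == 3:
            print("    domain=%(domain)s user=%(user)s workstation=%(workstation)s" % rec)
        if not rec["command_ok"]:
            print("    MISMATCH: after %s the helper expects type %d"
                  % (rec["command"], EXPECTED_TYPE_FOR_COMMAND[rec["command"]]))
```

Running it prints the type 1 with the same six flag names Samba logged for neg_flags=0x00088207, then the type 3 with domain PHA, user ka037390 and workstation pc163, marked as a mismatch because it arrived with "YR". On the defending side the useful part is the second debug_dump_status in the log: the helper state was reinitialised between the two requests, so the challenge it issued was gone by the time the type 3 came in, and NT_STATUS_INVALID_PARAMETER is the helper refusing a response to a challenge it no longer holds, not a wrong password.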