Apache vs. AD

Karel Salavec karels at pc163.gr.ph.ct.cz
Wed Apr 11 07:48:02 CEST 2007


On Friday 06 April 2007 09:09, Marek Blasko wrote:
> Ing. Pavel PaJaSoft Janoušek wrote:
> > linux-bounces at linux.cz <mailto:linux-bounces at linux.cz> wrote:
> >> Any idea how to pull it off?
> >
> >  There used to be something that could use Samba as an authentication
> > service - so on the server running Apache you join Samba to the domain and
> > authenticate locally against it... - whether it is still being developed,
> > I don't know.
> >
> >  Another option, on the theoretical level, that comes to mind off the top
> > of my head is to use Radius services... - on Windows it is a few clicks,
> > and on Linux there are plenty of options even for no money at all.
>
> there are 3 options:
>
> LDAP: - access to the LDAP is enough. (authentication mechanism Basic)
> Radius: - a classic radius infrastructure. (transparent)
>          - there is also the option of authenticating with the Basic
>            mechanism, which uses the services of radius. clients don't
>            need radius tickets.
> Winbind: - you need samba + radius (in the case of AD), everything
>             configured and joined to the domain. I recommend having the
>             winbind server configured without cache (slower response at
>             login, but fast to pick up changes from AD). Handles both the
>             Basic and NTLM mechanisms (all options)
>
> Study the details and the configuration in the respective documentation.
>
> If there are users outside the domain as well (with domain accounts) I
> would go with LDAP, and if they are purely in the domain, with Radius.
>
> Marek Blasko

Well, it was described in the original mail, but ...

Status: samba up and running, winbind working, the machine successfully joined to AD

When I put the recommended settings into auth_ntlm_winbind.conf in the form

LoadModule auth_ntlm_winbind_module modules/mod_auth_ntlm_winbind.so

<Directory "/var/www/html/private">
     AuthName "NTLM_Authentication_thingy"
     NTLMAuth on
     NTLMBasicRealm USER.CT.CZ
     NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --debuglevel=10"
     NTLMBasicAuthoritative on
     AuthType NTLM
     require valid-user
</Directory>

then something like this shows up in the log /var/log/httpd/error_log:
[2007/04/10 09:53:19, 5] lib/debug.c:debug_dump_status(391)
  INFO: Current debug levels:
    all: True/10
    tdb: False/0
    printdrivers: False/0
    lanman: True/10
    smb: True/10
    rpc_parse: True/10
    rpc_srv: True/10
    rpc_cli: True/10
    passdb: False/0
    sam: False/0
    auth: True/10
    winbind: True/10
    vfs: False/0
    idmap: False/0
    quota: False/0
    acls: False/0
    locking: False/0
    msdfs: False/0
    dmapi: False/0
    pasdb: True/5
[2007/04/10 09:53:19, 10] utils/ntlm_auth.c:manage_squid_request(1615)
  Got 'YR TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=' from squid (length: 47).
[2007/04/10 09:53:19, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(590)
  got NTLMSSP packet:
[2007/04/10 09:53:19, 10] lib/util.c:dump_data(2237)
  [000] 4E 54 4C 4D 53 53 50 00  01 00 00 00 07 82 08 00  NTLMSSP. ........
  [010] 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
[2007/04/10 09:53:19, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0x00088207
    NTLMSSP_NEGOTIATE_UNICODE
    NTLMSSP_NEGOTIATE_OEM
    NTLMSSP_REQUEST_TARGET
    NTLMSSP_NEGOTIATE_NTLM
    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    NTLMSSP_NEGOTIATE_NTLM2
[2007/04/10 09:53:21, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(600)
  NTLMSSP challenge
[2007/04/10 09:53:21, 5] lib/debug.c:debug_dump_status(391)
  INFO: Current debug levels:
    all: True/10
    tdb: False/0
    printdrivers: False/0
    lanman: True/10
    smb: True/10
    rpc_parse: True/10
    rpc_srv: True/10
    rpc_cli: True/10
    passdb: False/0
    sam: False/0
    auth: True/10
    winbind: True/10
    vfs: False/0
    idmap: False/0
    quota: False/0
    acls: False/0
    locking: False/0
    msdfs: False/0
    dmapi: False/0
    pasdb: True/5
[2007/04/10 09:53:21, 10] utils/ntlm_auth.c:manage_squid_request(1615)
  Got 'YR TlRMTVNTUAADAAAAGAAYAGAAAAAYABgAeAAAAAYABgBAAAAAEAAQAEYAAAAKAAoAVgAAAAAAAAAAAAAABYIIAFAASABBAGsAYQAwADMANwAzADkAMABwAGMAMQA2ADMAZ4V6cP8ZQI4AAAAAAAAAAAAAAAAAAAAAGZ0sVUvRR3WGEEMCQw6owvcWkvp6yKB8' from squid (length: 195).
[2007/04/10 09:53:21, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(590)
  got NTLMSSP packet:
[2007/04/10 09:53:21, 10] lib/util.c:dump_data(2237)
  [000] 4E 54 4C 4D 53 53 50 00  03 00 00 00 18 00 18 00  NTLMSSP. ........
  [010] 60 00 00 00 18 00 18 00  78 00 00 00 06 00 06 00  `....... x.......
  [020] 40 00 00 00 10 00 10 00  46 00 00 00 0A 00 0A 00  @....... F.......
  [030] 56 00 00 00 00 00 00 00  00 00 00 00 05 82 08 00  V....... ........
  [040] 50 00 48 00 41 00 6B 00  61 00 30 00 33 00 37 00  P.H.A.k. a.0.3.7.
  [050] 33 00 39 00 30 00 70 00  63 00 31 00 36 00 33 00  3.9.0.p. c.1.6.3.
  [060] 67 85 7A 70 FF 19 40 8E  00 00 00 00 00 00 00 00  g.zp..@. ........
  [070] 00 00 00 00 00 00 00 00  19 9D 2C 55 4B D1 47 75  ........ ..,UK.Gu
  [080] 86 10 43 02 43 0E A8 C2  F7 16 92 FA 7A C8 A0 7C  ..C.C... ....z..|
[2007/04/10 09:53:21, 1] libsmb/ntlmssp.c:ntlmssp_update(267)
  got NTLMSSP command 3, expected 1
[2007/04/10 09:53:21, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(608)
  NTLMSSP NT_STATUS_INVALID_PARAMETER


And there I'm stuck ...
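The last two log lines are the actual failure: ntlm_auth received an NTLMSSP message of type 3 (the client's authenticate message) at a point where its state expected a type 1 (negotiate), and answered NT_STATUS_INVALID_PARAMETER. Note that both messages in the log reached the helper with the "YR" command. The following added example (my own code, not taken from ntlm_auth, Samba or mod_auth_ntlm_winbind) decodes the two messages exactly as logged above, names the negotiate flags the way the log does (bit values per MS-NLMP), and replays them through a simplified model of the helper's sequencing. The model's rule that "YR" starts a fresh exchange expecting a type 1 while "KK" continues one expecting a type 3 is my assumption about the squid-2.5-ntlmssp protocol; credential checking against winbindd is deliberately not modelled.

```python
"""Decode the NTLMSSP messages from the error_log above and model the message
order a squid-2.5-ntlmssp helper expects. Added example, not ntlm_auth's code."""
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"

# Negotiate-flag bits for the names printed in the log (values per MS-NLMP).
NEGOTIATE_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLMSSP_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NTLMSSP_NEGOTIATE_NTLM2",
}

# Sample input taken from the log: the type 1 line as ntlm_auth printed it and
# the type 3 message transcribed from its hex dump. Both arrived as "YR".
TYPE1_LINE = "YR TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA="
TYPE3_HEX = (
    "4E544C4D535350000300000018001800"
    "60000000180018007800000006000600"
    "4000000010001000460000000A000A00"
    "56000000000000000000000005820800"
    "5000480041006B006100300033003700"
    "33003900300070006300310036003300"
    "67857A70FF19408E0000000000000000"
    "0000000000000000199D2C554BD14775"
    "86104302430EA8C2F71692FA7AC8A07C"
)
TYPE3_LINE = "YR " + base64.b64encode(bytes.fromhex(TYPE3_HEX)).decode()


def parse_helper_line(line):
    """Split a helper request into its command (YR or KK) and the NTLMSSP blob."""
    cmd, _, b64 = line.strip().partition(" ")
    if cmd not in ("YR", "KK"):
        raise ValueError(f"unexpected helper command {cmd!r}")
    return cmd, base64.b64decode(b64)


def parse_message(blob):
    """Parse the NTLMSSP header; for a type 3 also the six (len, maxlen, offset)
    field descriptors and the strings they point at."""
    if blob[:8] != SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    msg_type = struct.unpack_from("<I", blob, 8)[0]
    info = {"type": msg_type}
    if msg_type == 1:
        flags = struct.unpack_from("<I", blob, 12)[0]
    elif msg_type == 3:
        fields = ("lm_response", "nt_response", "domain", "user", "workstation", "session_key")
        for i, name in enumerate(fields):
            length, _maxlen, offset = struct.unpack_from("<HHI", blob, 12 + 8 * i)
            info[name] = blob[offset:offset + length]
        flags = struct.unpack_from("<I", blob, 60)[0]
        if flags & 0x1:  # NEGOTIATE_UNICODE: string fields are UTF-16LE
            for name in ("domain", "user", "workstation"):
                info[name] = info[name].decode("utf-16-le")
    else:
        raise ValueError(f"unsupported NTLMSSP message type {msg_type}")
    info["flags"] = flags
    info["flag_names"] = [n for bit, n in sorted(NEGOTIATE_FLAGS.items()) if flags & bit]
    return info


class HelperModel:
    """Simplified sequencing model (an assumption, not ntlm_auth's code):
    YR discards earlier state and expects a type 1, KK expects a type 3.
    Only the order is checked; the NT response is never verified here."""

    def __init__(self):
        self.expected = 1

    def handle(self, line):
        cmd, blob = parse_helper_line(line)
        if cmd == "YR":
            self.expected = 1
        msg = parse_message(blob)
        if msg["type"] != self.expected:
            reply = ("NA", f"got NTLMSSP command {msg['type']}, expected {self.expected}")
            self.expected = 1
            return reply
        if msg["type"] == 1:
            self.expected = 3
            return ("TT", "<type 2 challenge would be issued here>")
        self.expected = 1
        return ("AF", f"{msg['domain']}\\{msg['user']}")


def replay(lines):
    """Feed helper lines in order and return the reply codes."""
    helper = HelperModel()
    return [helper.handle(line)[0] for line in lines]
```

Running `replay([TYPE1_LINE, TYPE3_LINE])` reproduces the order in the log and yields `["TT", "NA"]` with the text "got NTLMSSP command 3, expected 1", because the second "YR" resets the model before the type 3 is examined; the same type 3 delivered as "KK" after the type 1 yields `["TT", "AF"]`. Decoding the type 3 on its own also shows what the hex dump already contains in its ASCII column: domain "PHA", workstation "pc163", and 24-byte LM and NT responses.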


