Apache – AD – Linux

I have recently started to experiment with getting a Linux web server to allow for Active Directory users to connect with their own username passed to the web server.

This is proving to be very difficult. It shouldn’t be that hard to get the username in the Linux server for the Windows intranet user that is connecting.

One of the challenges is that there are so many variables to consider: version of OS, version of Apache.

What is my Linux version?

I’m currently using CentOS 8.1. I was able to determine this because I did the install, but if you did it a while ago, or did several other servers since then and you are not sure what version you are on, then use this command.

https://linuxconfig.org/how-to-check-centos-version

cat /etc/centos-release

CentOS Linux release 8.1.1911 (Core)

What is my Apache version?

httpd -v

Server version: Apache/2.4.37 (centos)
Server built: Sep 15 2020 15:41:16

What Apache modules are needed for HTTP Authentication?

This might not be correct, but all indicators seem to point to this.

I have gone down a lot of rabbit holes. I don’t know whether every avenue that I explored is necessary or not.

https://computingforgeeks.com/install-apache-with-ssl-http2-on-rhel-centos/

The mod_auth_kerb module has been replaced by the mod_auth_gssapi module.

http://www.jfcarter.net/~jimc/documents/bugfix/41-auth-kerb.html

Apache2-mod_auth_kerb Is Dead, Use Mod_auth_gssapi

https://jaosorior.dev/2018/keberos-for-keystone-with-mod_auth_gssapi/

Where can I find documentation for mod_auth_gssapi?

https://github.com/gssapi/mod_auth_gssapi

What is the difference between HTTP Auth and Web Application Login?

I do not want Web Application logon, I want HTTP Auth to populate the user variable so that the user does not need to enter their username as long as they are logged into their Windows machine.

What does the Apache Documentation say about Authentication and Authorization?

http://httpd.apache.org/docs/current/howto/auth.html

Do I really need SSL in order to get the AD username on the web server?

I sure hope not! Still looking into this.

A very dark place…

http://modauthkerb.sourceforge.net/configure.html

I probably should read this page, but I’m not ready to understand that yet…

What is the difference between HOST and HTTP Service Principals?

https://sssd.io/docs/users/ldap_with_ad.html

This is still a big mystery to me… I believe that HTTP is for the web server authentication and HOST is for users on the machine. I’m concerned with HTTP authentication.

What is SetSpn for Windows Active Directory?

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731241(v=ws.11)

What is an Active Directory SPN?

A Service Principal Name (SPN) is a name in Active Directory that a client uses to uniquely identify an instance of a service. An SPN combines a service name with a computer and user account to form a type of service ID.

How can I use VBScript to list all my SPNs?

https://github.com/nidem/kerberoast/blob/master/GetUserSPNs.vbs

Yes. This script works.

How to Display the Keylist (Principals) in a Keytab File

This may be a bit early, but I’ll move it later. The keytab file can be viewed on Linux using ktutil.

The command to start ktutil to get to the ktutil prompt.

https://docs.oracle.com/cd/E19683-01/806-4078/6jd6cjs1q/index.html

Are there any good walkthroughs that come close?

https://imatviyenko.github.io/blog/2018/09/11/Apache-AD-kerberos

This one comes very close, but I’m still having trouble getting it working.

Troubleshooting

https://serverfault.com/questions/680289/kerberos-kdc-has-no-support-for-encryption-type-while-getting-credentials

https://stackoverflow.com/questions/23801169/kdc-has-no-support-for-encryption-type-14

What encryption types can Windows do?

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ktpass

Random Kerberos links

https://active-directory-wp.com/docs/Networking/Single_Sign_On/Kerberos_SSO_with_Apache_on_Linux.html

https://community.spiceworks.com/how_to/91377-implementing-single-sign-on-on-windows-with-apache

https://github.com/nextcloud/user_saml/issues/250

If I cannot get SSO working, I’ll use a logon page… :/

https://httpd.apache.org/docs/2.4/mod/mod_auth_form.html

Using awk and SQLite

I have recently had the opportunity to use awk and sqlite on a project that I’m working on.

My first thought was that awk should be able to do that. I found some code that someone else did that parses quote- and comma-delimited files.

I started off installing sqlite on cygwin.

After getting sqlite installed, I felt that I needed some test data to work with, so I did a search and found this site:

https://www.briandunning.com/sample-data/

I grabbed the free file for testing.

The file is a comma-delimited file that has these fields:

  • First Name
  • Last Name
  • Company
  • Address
  • City
  • County (where applicable)
  • State/Province (where applicable)
  • ZIP/Postal Code
  • Phone 1
  • Phone 2
  • Email
  • Web

Here I used the SQLite command line to issue the command to create the table.

I attempted to import the csv file but got an error.

I can tell that the records are from a Macintosh system because the file has a carriage return record delimiter.

So I wanted to view a hexdump of the file. I used cat, tr, head and hexdump.

You can see in the HEX dump below that the file now has hex 09 line feeds.

The problem is how to handle quote comma delimited files. I did a search to see if someone already had a solution for that and found this:

AWK CSV Parser

The code contains a function called parse_csv(). You can look at the usage of the parameters on the link above. The important part is how to call this function.

I’m using AWK to convert the CSV file into a pipe-delimited file.

I then imported the data into the database.

I’m seeing the first row has the column titles. I’ll look into how to import without that line later.