potatoqualitee/ad-php-kerberos-apache-bash-windows.txt

## ad-php-kerberos-apache-bash-windows.txt
<#
  In this example:
  1. Active Directory domain: base.local
  2. Service acct: base\ubuntuauth
  3. Service acct pass: SkiAlta2009
  4. Win 10 workstation name: nimy.base.local
  5. Secondary DNS name: localweb.base.local
  6. Firewall allows port 80

  Kerberos doesn't allow you to do http://localhost if you want
  to authenticate with Windows creds. So you have to trick it by
  adding an A record, then going to that locally instead.

  In this example, open http://localweb in your browser.

   BEGIN  POWERSHELL UNTIL SPECIFIED OTHERWISE
#>

# Run this on a Domain Controller or a workstation with ktpass
$keytab = 'C:\temp\httpd.keytab'

ktpass /princ HTTP/nimy.base.local@BASE.LOCAL /mapuser base\ubuntuauth /crypto ALL /ptype KRB5_NT_PRINCIPAL /mapop set /pass SkiAlta2009 /out $keytab
ktpass /princ HTTP/localweb.base.local@BASE.LOCAL /mapuser base\ubuntuauth /crypto ALL /ptype KRB5_NT_PRINCIPAL /mapop set /pass SkiAlta2009 /in $keytab /out $keytab

# Copy keytab to Windows 10 if you ran it on the DC
$session = New-PSSession -ComputerName dc
Copy-Item -Path $keytab -Destination C:\temp -FromSession $session

<#
    END POWERSHELL, BEGIN UBUNTU
#>

# Install required packages kerb
# First prompt: BASE.LOCAL (in caps)
# Second and third prompt: lowercase FQDN of DC
apt-get -y install krb5-user apache2 libapache2-mod-auth-kerb

# Get a ticket to confirm your krb is working
kinit ubuntuauth

# Look at your ticket list
klist

# Move keytab to etc and change permz
cp /mnt/c/temp/httpd.keytab /etc/
chmod ugo+r /etc/httpd.keytab

# Check key entries
klist -k /etc/httpd.keytab

# Make Apache work

# mktemp: failed to create directory via template '/var/lock/apache2.xx': No such file or directory
# This is because /var/lock is a symbolic link to something that doesn't exist (/run/lock)
mkdir /run/lock

# make annoying warnings go away
echo "Listen 0.0.0.0:80" > /etc/apache2/ports.conf
echo "ServerName localhost" > /etc/apache2/conf-available/fqdn.conf
a2enconf fqdn

# add kerb authentication to Apache and enable it
echo "
    <Location />
     AuthType Kerberos
     KrbMethodNegotiate on
     KrbMethodK5Passwd off
     Krb5Keytab /etc/httpd.keytab
     Require valid-user
     </Location>
"> /etc/apache2/conf-available/kerbauth.conf
a2enconf kerbauth

# Now start Apache!
service apache2 start

# Show it works: load up http://nimy from remote computer or http://localweb from nimy itself
# Look at the logs if you'd like to see yourself authenticating
tail /var/log/apache2/access.log

# Want to see PHP in action?
apt-get -y install php5 libapache2-mod-php5

echo '<?php
        echo "<center>
			<strong><br>Welcome Active Directory user {$_SERVER['PHP_AUTH_USER']}
			<br>to PHP on Apache on Bash on Ubuntu on Windows
			<br><br><img src=/icons/ubuntu-logo.png>
		</center>";
?>
' > /var/www/html/test.php

service apache2 force-reload

# Then go to http://localweb/test.php in your browser
	<#
	In this example:
	1. Active Directory domain: base.local
	2. Service acct: base\ubuntuauth
	3. Service acct pass: SkiAlta2009
	4. Win 10 workstation name: nimy.base.local
	5. Secondary DNS name: localweb.base.local
	6. Firewall allows port 80

	Kerberos doesn't allow you to do http://localhost if you want
	to authenticate with Windows creds. So you have to trick it by
	adding an A record, then going to that locally instead.

	In this example, open http://localweb in your browser.

	BEGIN POWERSHELL UNTIL SPECIFIED OTHERWISE
	#>

	# Run this on a Domain Controller or a workstation with ktpass
	$keytab = 'C:\temp\httpd.keytab'

	ktpass /princ HTTP/nimy.base.local@BASE.LOCAL /mapuser base\ubuntuauth /crypto ALL /ptype KRB5_NT_PRINCIPAL /mapop set /pass SkiAlta2009 /out $keytab
	ktpass /princ HTTP/localweb.base.local@BASE.LOCAL /mapuser base\ubuntuauth /crypto ALL /ptype KRB5_NT_PRINCIPAL /mapop set /pass SkiAlta2009 /in $keytab /out $keytab

	# Copy keytab to Windows 10 if you ran it on the DC
	$session = New-PSSession -ComputerName dc
	Copy-Item -Path $keytab -Destination C:\temp -FromSession $session

	<#
	END POWERSHELL, BEGIN UBUNTU
	#>

	# Install required packages kerb
	# First prompt: BASE.LOCAL (in caps)
	# Second and third prompt: lowercase FQDN of DC
	apt-get -y install krb5-user apache2 libapache2-mod-auth-kerb

	# Get a ticket to confirm your krb is working
	kinit ubuntuauth

	# Look at your ticket list
	klist

	# Move keytab to etc and change permz
	cp /mnt/c/temp/httpd.keytab /etc/
	chmod ugo+r /etc/httpd.keytab

	# Check key entries
	klist -k /etc/httpd.keytab

	# Make Apache work

	# mktemp: failed to create directory via template '/var/lock/apache2.xx': No such file or directory
	# This is because /var/lock is a symbolic link to something that doesn't exist (/run/lock)
	mkdir /run/lock

	# make annoying warnings go away
	echo "Listen 0.0.0.0:80" > /etc/apache2/ports.conf
	echo "ServerName localhost" > /etc/apache2/conf-available/fqdn.conf
	a2enconf fqdn

	# add kerb authentication to Apache and enable it
	echo "
	<Location />
	AuthType Kerberos
	KrbMethodNegotiate on
	KrbMethodK5Passwd off
	Krb5Keytab /etc/httpd.keytab
	Require valid-user
	</Location>
	"> /etc/apache2/conf-available/kerbauth.conf
	a2enconf kerbauth

	# Now start Apache!
	service apache2 start

	# Show it works: load up http://nimy from remote computer or http://localweb from nimy itself
	# Look at the logs if you'd like to see yourself authenticating
	tail /var/log/apache2/access.log

	# Want to see PHP in action?
	apt-get -y install php5 libapache2-mod-php5

	echo '<?php
	echo "<center>
	<strong><br>Welcome Active Directory user {$_SERVER['PHP_AUTH_USER']}
	<br>to PHP on Apache on Bash on Ubuntu on Windows
	<br><br><img src=/icons/ubuntu-logo.png>
	</center>";
	?>
	' > /var/www/html/test.php

	service apache2 force-reload

	# Then go to http://localweb/test.php in your browser
No results found