Active Directory and PHP on Apache on Bash on Ubuntu on Windows

Recently, I wrote about Joining Ubuntu to an Active Directory Domain. That was for an actual Ubuntu box, and the plan was that the next post would be about adding Apache to the mix. But then I got distracted by Apache on Bash on Ubuntu on Windows (check out my gists for sneak peeks).

I should be practicing for my upcoming sessions for PowerShell Conference EU 2016, but look at the reward!


First, a few things that I remember learning in this 2-day journey:

  • Apache is broken out of the box, but works if you mkdir /run/lock.
  • The Linux files are in C:\Users\username\AppData\Local\lxss\rootfs, but don't try to edit them directly from Windows: they disappear from within bash or become corrupt.
  • Instead, access /mnt/c and copy from within Linux.
  • Samba doesn't work, but you don't need it for this. SSSD doesn't either.
  • You can access bash's Apache from Windows no sweat, but Kerberos within Linux doesn't like localhost or the hostname when going between hosts. Make an extra A record to deal with that.

Getting Started

First, part of this is done in Windows because ktpass is required. The Ktpass command-line tool "allows non-Windows services that support Kerberos authentication to use the interoperability features provided by the Kerberos Key Distribution Center (KDC) service."

Basically, it creates a binary file that contains some encrypted stuff that authenticates as a valid AD user.

ktadd is Linux's equivalent of ktpass. If you see it mentioned while you're setting up interoperability, it's not applicable to Active Directory. ktpass.exe is supposedly found in Remote Server Administration Tools for Windows (RSAT), but that wasn't my experience with Windows 10: it's nowhere to be found on my 64-bit machine. Instead, I Enter-PSSession to my domain controller; all of my testing is done in a lab environment, so that's acceptable.

Now for my setup:

  • Active Directory domain: base.local
  • Service acct: base\ubuntuauth
  • Service acct pass: SkiAlta2009
  • Win 10 w/bash workstation name: nimy.base.local
  • Secondary DNS name: localweb.base.local
  • Firewall allows port 80

"Wait, why is a secondary hostname needed? I just wanna hit https://localhost." Because I think Bash on Windows confuses Kerberos. Or maybe that's just the way it's supposed to work; if anyone knows, feel free to comment.

In this example, open https://localweb in your browser. Since the localweb hostname is set in my DNS, it worked both locally and remotely for me.

The Windows Part

# Run this on a Domain Controller or a workstation with ktpass
$keytab = 'C:\temp\httpd.keytab'

ktpass /princ HTTP/[email protected] /mapuser base\ubuntuauth /crypto ALL /ptype KRB5_NT_PRINCIPAL /mapop set /pass SkiAlta2009 /out $keytab
ktpass /princ HTTP/[email protected] /mapuser base\ubuntuauth /crypto ALL /ptype KRB5_NT_PRINCIPAL /mapop set /pass SkiAlta2009 /in $keytab /out $keytab

Copy the keytab to Windows 10 if you ran it on the DC. THIS IS SUPER COOL.

$session = New-PSSession -ComputerName dc
Copy-Item -Path $keytab -Destination C:\temp -FromSession $session

The Bash on Ubuntu on Windows Part

Initially, you'll install a few packages, and krb5-user will prompt you for a few things, then write it all out to /etc/krb5.conf.

# Install required packages
apt-get -y install krb5-user apache2 libapache2-mod-auth-kerb

First prompt: BASE.LOCAL (in caps)

Second and third prompt: lowercase FQDN of your domain controller(s)

Capitalization is important for the default realm.

(Screenshots of the three krb5-user prompts described above.)

If you don't see this all in a row, don't panic. It flips back to the default black screen while it sets up the configuration files. That's actually it for the Kerberos part, mostly. Now it's time to test and then set up Apache.

# Get a ticket to confirm your krb is working
kinit ubuntuauth

Look at your ticket list

klist

Move the keytab to /etc and change its permissions

cp /mnt/c/temp/httpd.keytab /etc/
chmod ugo+r /etc/httpd.keytab

Check key entries

klist -k /etc/httpd.keytab
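Here is an added Python example (not from the post or its gist) that reads the same keytab format `klist -k` does and checks that the file holds a key for the exact hostname you plan to type in the browser, which is the reason for the extra A record above. The demo keytab, its kvno and its key bytes are constructed for the example, and the principals assume the SPNs are HTTP/localweb.base.local and HTTP/nimy.base.local in the BASE.LOCAL realm.

```python
import struct

FAKE_KEY = bytes(range(32))  # constructed placeholder, not real key material

def _counted(data):  # keytab counted_octet_string: 16-bit big-endian length, then the bytes
    return struct.pack(">H", len(data)) + data

def build_entry(host, realm, kvno, enctype, key, service="HTTP"):
    """Encode one format-0x0502 entry for service/host@REALM (used only to build demo data)."""
    body = struct.pack(">H", 2) + _counted(realm.encode())       # num_components, then realm
    body += _counted(service.encode()) + _counted(host.encode())   # the two name components
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)                 # name_type=1 (principal), timestamp, 8-bit vno
    body += struct.pack(">HH", enctype, len(key)) + key            # keyblock: enctype, key length, key
    body += struct.pack(">I", kvno)                                # optional 32-bit vno
    return struct.pack(">i", len(body)) + body

def parse_keytab(blob):
    """Return [(principal, kvno, enctype), ...] for every live entry, like `klist -k -e`."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    def take(fmt):  # unpack fmt at pos and advance past it
        nonlocal pos
        vals = struct.unpack_from(fmt, blob, pos)
        pos += struct.calcsize(fmt)
        return vals
    while pos + 4 <= len(blob):
        (size,) = take(">i")
        if size < 0:                  # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        names = []
        for _ in range(take(">H")[0] + 1):   # realm, then each name component
            (n,) = take(">H")
            names.append(blob[pos:pos + n].decode())
            pos += n
        _name_type, _timestamp, vno8 = take(">IIB")
        enctype, keylen = take(">HH")
        pos += keylen                 # skip the key bytes themselves
        kvno = take(">I")[0] if end - pos >= 4 else vno8
        entries.append(("/".join(names[1:]) + "@" + names[0], kvno, enctype))
        pos = end
    return entries

def keytab_covers_host(blob, host, realm, service="HTTP"):  # is service/host@REALM in the keytab?
    return f"{service}/{host}@{realm}" in [p for p, _, _ in parse_keytab(blob)]

DEMO_KEYTAB = b"\x05\x02" + b"".join(build_entry(h, "BASE.LOCAL", 3, 18, FAKE_KEY)
                                     for h in ("localweb.base.local", "nimy.base.local"))  # demo data, kvno 3, enctype 18 = aes256-cts
```

Run it against the real file with `keytab_covers_host(open('/etc/httpd.keytab', 'rb').read(), 'localweb.base.local', 'BASE.LOCAL')`. Since mod_auth_kerb reads the keytab as www-data, giving that user ownership with mode 0400 is tighter than the world-readable chmod above.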

Make Apache work

mktemp: failed to create directory via template '/var/lock/apache2.xx': No such file or directory

This is because /var/lock is a symbolic link to /run/lock, which doesn't exist.

mkdir /run/lock

Make the annoying warnings go away

echo "Listen 0.0.0.0:80" > /etc/apache2/ports.conf
echo "ServerName localhost" > /etc/apache2/conf-available/fqdn.conf
a2enconf fqdn

Add Kerberos authentication to Apache and enable it

cat > /etc/apache2/conf-available/kerbauth.conf <<'EOF'
# AuthType and the Krb* directives only apply in a directory or location context,
# so they are wrapped in one here (<Location /> assumed: it protects the whole site)
<Location />
    AuthType Kerberos
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    Krb5Keytab /etc/httpd.keytab
    Require valid-user
</Location>
EOF
a2enconf kerbauth

Now start Apache!

service apache2 start

Look at the logs if you'd like to see yourself authenticating.

tail /var/log/apache2/access.log
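As an added example (not part of the original post), this Python snippet parses a few constructed access.log lines in Apache's combined format to show what Negotiate looks like there: a 401 with no user, then the same request again with the Kerberos principal in the third field. It also lists any successful request that had no user at all, which is what you would see if the kerbauth config had not actually taken effect; the client principal someuser@BASE.LOCAL, the IPs and the timestamps are made up.

```python
import re
from collections import Counter

# Apache "combined" format; the third field is REMOTE_USER, which mod_auth_kerb fills
# with the client's Kerberos principal once Negotiate succeeds, and "-" before that.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_access_log(text):
    """Return one dict per parsable line; user is None where Apache logged '-'."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            rec["user"] = None if rec["user"] == "-" else rec["user"]
            records.append(rec)
    return records

def auth_summary(text):
    """Count Negotiate challenges (401 with no user) and successful requests per principal."""
    challenges, by_user = 0, Counter()
    for rec in parse_access_log(text):
        if rec["status"] == 401 and rec["user"] is None:
            challenges += 1
        elif rec["user"] and rec["status"] < 400:
            by_user[rec["user"]] += 1
    return challenges, dict(by_user)

def unauthenticated_hits(text):
    """2xx responses with no user: with 'Require valid-user' in force there should be none."""
    return [(r["ip"], r["path"]) for r in parse_access_log(text)
            if r["user"] is None and 200 <= r["status"] < 300]

# Constructed sample: the browser gets the 401 Negotiate challenge, retries with a ticket,
# then a second client reaches test.php without ever authenticating.
SAMPLE_LOG = """\
10.0.0.5 - - [05/May/2016:10:00:00 -0600] "GET / HTTP/1.1" 401 455 "-" "Mozilla/5.0"
10.0.0.5 - someuser@BASE.LOCAL [05/May/2016:10:00:00 -0600] "GET / HTTP/1.1" 200 11321 "-" "Mozilla/5.0"
10.0.0.5 - someuser@BASE.LOCAL [05/May/2016:10:00:03 -0600] "GET /test.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.9 - - [05/May/2016:10:01:00 -0600] "GET /test.php HTTP/1.1" 200 312 "-" "curl/7.47.0"
"""
```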

That's it, now you can hit the service using a web browser :D Open up https://localweb in Chrome and check it.

Want the PHP part?

apt-get -y install php5 libapache2-mod-php5

# Quoted heredoc so the shell leaves the $ and ' characters in the PHP alone
cat > /var/www/html/test.php <<'EOF'
<?php
// The principal mod_auth_kerb authenticated is still user-supplied input: escape it before echoing it into HTML
$user = htmlspecialchars($_SERVER['PHP_AUTH_USER']);
echo "Welcome Active Directory user {$user}
to PHP on Apache on Bash on Ubuntu on Windows";
?>
EOF

service apache2 force-reload

Then go to https://localweb/test.php in your browser

Ain't she a beaut?


Wanna see this all in one shot? Here's the Gist. If you're into integrated authentication, there are other gists there that you may enjoy.