Active Directory and PHP on Apache on Bash on Ubuntu on Windows

Recently, I wrote about Joining Ubuntu to an Active Directory Domain. That was for an actual Ubuntu box and the plan was that the next post would be about adding Apache to the mix. But then I got distracted by Apache on Bash on Ubuntu on Windows (check out my gists for sneak peaks).

I should be practicing for my upcoming sessions for PowerShell Conference EU 2016, but look at the reward!

ubuntu

First a few things that I remember that I’ve learned in this 2 day journey

  • Apache is broken out of the box, but works if you mkdir /run/lock.
  • The Linux are in C:\Users\username\AppData\Local\lxss\rootfs but don’t try to edit them directly from Windows. They disappear from within bash or become corrupt.
  • Instead, access /mnt/c and copy from within Linux.
  • Samba doesn’t work, but you don’t need it for this. SSSD doesn’t either.
  • You can access bash’s Apache from Windows no sweat, but Kerberos within Linux doesn’t like localhost or the hostname when going between hosts. Make an extra A record to deal with that.

Getting Started

First, part of this is done in Windows because ktpass is required. The Ktpass command-line tool “allows non-Windows services that support Kerberos authentication to use the interoperability features provided by the Kerberos Key Distribution Center (KDC) service.”

Basically, it creates a binary file that contains some encrypted stuff that authenticates as a valid AD user.

ktadd is Linux’s equivalent of ktpass. If you see it mentioned while you’re setting up interoperability, it’s not applicable to Active Directory. ktpass.exe is supposedly found Remote Server Administration Tools for Windows or RSAT, but that wasn’t my experience with Windows 10. It’s nowhere to be found on my 64-bit machine. Instead, I Enter-PSSession to my domain controller because all of my testing is done in a lab environment so it’s acceptable.

Now for my setup

  • Active Directory domain: base.local
  • Service acct: base\ubuntuauth
  • Service acct pass: SkiAlta2009
  • Win 10 w/bash workstation name: nimy.base.local
  • Secondary DNS name: localweb.base.local
  • Firewall allows port 80

“Wait, why is a secondary hostname needed? I just wanna hit http://localhost.” Because I think Bash on Windows confuses Kerberos. Or maybe that’s just the way it’s supposed to work, if anyone knows, feel free to comment.

In this example, open http://localweb in your browser. Since the localweb hostname set in my DNS, it worked both locally and remotely for me.

The Windows Part

The Bash on Ubuntu on Windows Part

Initially, you’ll install a few packages and krb5-user will actually prompt you for a few things then write it all out to /etc/krb5.conf

Capitalization is important for the default realm.

krb-1

krb-2

krb-3

If you don’t see this all in a row, don’t panic. It flips back to the default black screen while it sets up the configuration files. That’s actually it for the Kerberos part, mostly. Now it’s time to test and then setup Apache.

That’s it, now you can hit the service using a web browser :D Open up http://localweb in Chrome and check it.

Want the PHP part?

Ain’t she a beaut?
ubuntu

Wanna see this all in one shot? Here’s the Gist. If you’re into integrated authentication, there are other gists there that you may enjoy.

Chrissy is a Cloud and Datacenter Management & Data Platform MVP who has worked in IT for over 20 years. She is the creator of the popular SQL PowerShell module dbatools, and holds a number of certifications, including those relating to SQL Server, Linux, SharePoint and network security. You can follow her on Twitter at @cl.

Posted in Active Directory, Apache, Linux, Security, Windows

Leave a Reply

Your email address will not be published. Required fields are marked *

*