Active Directory and PHP on Apache on Bash on Ubuntu on Windows

Recently, I wrote about Joining Ubuntu to an Active Directory Domain. That was for an actual Ubuntu box and the plan was that the next post would be about adding Apache to the mix. But then I got distracted by Apache on Bash on Ubuntu on Windows (check out my gists for sneak peeks).

I should be practicing for my upcoming sessions for PowerShell Conference EU 2016, but look at the reward!


First, a few things I remember learning in this 2-day journey:

  • Apache is broken out of the box, but works if you mkdir /run/lock.
  • The Linux files are in C:\Users\username\AppData\Local\lxss\rootfs, but don’t try to edit them directly from Windows. They disappear from within bash or become corrupt.
  • Instead, access /mnt/c and copy from within Linux.
  • Samba doesn’t work, but you don’t need it for this. SSSD doesn’t either.
  • You can access bash’s Apache from Windows no sweat, but Kerberos within Linux doesn’t like localhost or the hostname when going between hosts. Make an extra A record to deal with that.

Getting Started

First, part of this is done in Windows because ktpass is required. The Ktpass command-line tool “allows non-Windows services that support Kerberos authentication to use the interoperability features provided by the Kerberos Key Distribution Center (KDC) service.”

Basically, it creates a binary file that contains some encrypted stuff that authenticates as a valid AD user.

ktadd is Linux’s equivalent of ktpass. If you see it mentioned while you’re setting up interoperability, it’s not applicable to Active Directory. ktpass.exe is supposedly found in Remote Server Administration Tools for Windows (RSAT), but that wasn’t my experience with Windows 10. It’s nowhere to be found on my 64-bit machine. Instead, I Enter-PSSession to my domain controller; all of my testing is done in a lab environment, so that’s acceptable.

Now for my setup

  • Active Directory domain: base.local
  • Service acct: base\ubuntuauth
  • Service acct pass: SkiAlta2009
  • Win 10 w/bash workstation name: nimy.base.local
  • Secondary DNS name: localweb.base.local
  • Firewall allows port 80

“Wait, why is a secondary hostname needed? I just wanna hit http://localhost.” Because I think Bash on Windows confuses Kerberos. Or maybe that’s just the way it’s supposed to work; if anyone knows, feel free to comment.

In this example, open http://localweb in your browser. Since the localweb hostname is set in my DNS, it worked both locally and remotely for me.

The Windows Part

# Run this on a Domain Controller or a workstation with ktpass
$keytab = 'C:\temp\httpd.keytab'

# One HTTP/ SPN per DNS name the site answers on: the workstation name first, then the secondary name appended to the same keytab with /in
ktpass /princ HTTP/nimy.base.local@BASE.LOCAL /mapuser base\ubuntuauth /crypto ALL /ptype KRB5_NT_PRINCIPAL /mapop set /pass SkiAlta2009 /out $keytab
ktpass /princ HTTP/localweb.base.local@BASE.LOCAL /mapuser base\ubuntuauth /crypto ALL /ptype KRB5_NT_PRINCIPAL /mapop set /pass SkiAlta2009 /in $keytab /out $keytab

# Copy keytab to Windows 10 if you ran it on the DC. THIS IS SUPER COOL.
$session = New-PSSession -ComputerName dc
Copy-Item -Path $keytab -Destination C:\temp -FromSession $session

The Bash on Ubuntu on Windows Part

Initially, you’ll install a few packages, and krb5-user will prompt you for a few things, then write it all out to /etc/krb5.conf.

# Install required packages: Kerberos client, Apache, and the Kerberos auth module for Apache
# First prompt: BASE.LOCAL (in caps)
# Second and third prompt: lowercase FQDN of your domain controller(s)
apt-get -y install krb5-user apache2 libapache2-mod-auth-kerb

Capitalization is important for the default realm.

If you don’t see this all in a row, don’t panic. It flips back to the default black screen while it sets up the configuration files. That’s actually it for the Kerberos part, mostly. Now it’s time to test and then set up Apache.

# Get a ticket to confirm your krb is working
kinit ubuntuauth

# Look at your ticket list
klist

# Move keytab to /etc and make it readable by Apache's user
# (ugo+r is the lab shortcut; a keytab is a credential, so outside a lab prefer chown root:www-data and chmod 640)
cp /mnt/c/temp/httpd.keytab /etc/
chmod ugo+r /etc/httpd.keytab

# Check key entries
klist -k /etc/httpd.keytab

# Make Apache work

# mktemp: failed to create directory via template '/var/lock/apache2.xx': No such file or directory
# This is because /var/lock is a symbolic link to something that doesn't exist (/run/lock)
mkdir /run/lock

# make annoying warnings go away (Listen needs a port; a bare "Listen" is a config error)
echo "Listen 80" > /etc/apache2/ports.conf
echo "ServerName localhost" > /etc/apache2/conf-available/fqdn.conf
a2enconf fqdn

# add kerb authentication to Apache and enable it
# KrbMethodK5Passwd off means no Basic-auth fallback, so AD passwords are never sent to Apache
cat > /etc/apache2/conf-available/kerbauth.conf <<'EOF'
<Location />
    AuthType Kerberos
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    Krb5Keytab /etc/httpd.keytab
    Require valid-user
</Location>
EOF
a2enconf kerbauth

# Now start Apache!
service apache2 start

# Look at the logs if you'd like to see yourself authenticating
tail /var/log/apache2/access.log
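Before starting Apache, the thing that bites most people is a keytab that is missing the SPN for the name the browser actually uses, or that was written before a password reset and so carries a stale key version. The script below is an added check, not part of the post or the Gist: SAMPLE_KLIST is a constructed stand-in for `klist -k /etc/httpd.keytab` output, and the function names (keytab_principals, keytab_has_spn, keytab_kvno_consistent, check_keytab) are mine. On a live host, capture the real klist output into a variable and pass it to the same functions.

```shell
#!/bin/sh
# Added check (not from the post): does the keytab carry HTTP/<host>@REALM for every DNS name
# the site answers on, and do all entries agree on one KVNO?
# SAMPLE_KLIST is constructed to look like `klist -k /etc/httpd.keytab` (entries repeat once
# per encryption type when the keytab was made with /crypto ALL).
SAMPLE_KLIST='Keytab name: FILE:/etc/httpd.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/nimy.base.local@BASE.LOCAL
   3 HTTP/nimy.base.local@BASE.LOCAL
   3 HTTP/localweb.base.local@BASE.LOCAL
   3 HTTP/localweb.base.local@BASE.LOCAL'

# keytab_principals: stdin = klist -k output; prints each distinct principal once
keytab_principals() {
  awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# keytab_has_spn KLIST_OUTPUT SPN: succeeds when SPN is an entry in the keytab
keytab_has_spn() {
  printf '%s\n' "$1" | keytab_principals | grep -qxF "$2"
}

# keytab_kvno_consistent KLIST_OUTPUT: succeeds when every entry has the same key version
# number; a mix means some entries were written before a password reset and are stale
keytab_kvno_consistent() {
  distinct=$(printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $1 }' | sort -u | awk 'END { print NR }')
  [ "$distinct" -eq 1 ]
}

# check_keytab KLIST_OUTPUT REALM HOST...: reports HTTP/HOST@REALM for each host; fails if any
# SPN is missing or the KVNOs disagree
check_keytab() {
  out=$1; realm=$2; shift 2
  rc=0
  for host in "$@"; do
    if keytab_has_spn "$out" "HTTP/$host@$realm"; then
      echo "ok:      HTTP/$host@$realm"
    else
      echo "MISSING: HTTP/$host@$realm" >&2
      rc=1
    fi
  done
  if ! keytab_kvno_consistent "$out"; then
    echo "WARNING: keytab entries have differing KVNOs" >&2
    rc=1
  fi
  return $rc
}

# Usage with the constructed sample; on the host: LIVE=$(klist -k /etc/httpd.keytab) first
check_keytab "$SAMPLE_KLIST" BASE.LOCAL nimy.base.local localweb.base.local
```

Two live checks complement this: `klist -k -e /etc/httpd.keytab` shows the encryption types so you can confirm AES entries exist, and `kinit -k -t /etc/httpd.keytab HTTP/localweb.base.local@BASE.LOCAL` proves the keytab's key actually matches the service account in AD before Apache ever sees a browser.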

That’s it, now you can hit the service using a web browser :D Open up http://localweb in Chrome and check it.
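If you do tail the access log, the Negotiate dance shows up as a pair of lines per page: the first request is answered 401 with no user, the browser retries with a ticket and that line carries the principal as REMOTE_USER. A client that only ever collects 401s is the symptom of the localhost/hostname problem mentioned at the top. The script below is an added example, not from the post or the Gist: SAMPLE_LOG is a constructed combined-format log (the IPs, the user alice@BASE.LOCAL and the timestamps are made up), and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the post): read the Kerberos sign-in story out of Apache's access log.
# SAMPLE_LOG is constructed: one browser that completes Negotiate (401 then 200 with a
# principal) and one client that never gets past the 401 challenge.
SAMPLE_LOG='192.168.1.50 - - [10/Sep/2016:10:15:01 -0600] "GET / HTTP/1.1" 401 479 "-" "Mozilla/5.0"
192.168.1.50 - alice@BASE.LOCAL [10/Sep/2016:10:15:01 -0600] "GET / HTTP/1.1" 200 3380 "-" "Mozilla/5.0"
192.168.1.50 - alice@BASE.LOCAL [10/Sep/2016:10:15:30 -0600] "GET /test.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.77 - - [10/Sep/2016:10:16:11 -0600] "GET /test.php HTTP/1.1" 401 479 "-" "curl/7.47.0"
192.168.1.77 - - [10/Sep/2016:10:16:12 -0600] "GET /test.php HTTP/1.1" 401 479 "-" "curl/7.47.0"
192.168.1.77 - - [10/Sep/2016:10:16:13 -0600] "GET /test.php HTTP/1.1" 401 479 "-" "curl/7.47.0"'

# auth_success_counts: stdin = combined-format access log; prints "<principal> <requests>" for
# requests that carried an authenticated user and got a 2xx/3xx. Field 3 is REMOTE_USER and
# field 9 the status (the quoted request line occupies fields 6-8).
auth_success_counts() {
  awk '$3 != "-" && $9 ~ /^[23]/ { n[$3]++ } END { for (u in n) print u, n[u] }' | sort
}

# never_authenticated_clients THRESHOLD: stdin = access log; prints "<ip> <401 count>" for
# clients that collected at least THRESHOLD 401s and never sent one authenticated request
never_authenticated_clients() {
  awk -v t="$1" '
    $9 == "401" { fail[$1]++ }
    $3 != "-"   { ok[$1] = 1 }
    END { for (ip in fail) if (!(ip in ok) && fail[ip] >= t) print ip, fail[ip] }' | sort
}

# count_auth_success PRINCIPAL LOG_TEXT: successful authenticated requests by PRINCIPAL (0 if none)
count_auth_success() {
  printf '%s\n' "$2" | auth_success_counts |
    awk -v u="$1" '$1 == u { print $2; found = 1 } END { if (!found) print 0 }'
}

echo "Authenticated principals and request counts:"
printf '%s\n' "$SAMPLE_LOG" | auth_success_counts
echo "Clients stuck at 401 (3 or more, never authenticated):"
printf '%s\n' "$SAMPLE_LOG" | never_authenticated_clients 3
```

On the WSL side, `tail -n 200 /var/log/apache2/access.log | never_authenticated_clients 3` is the quick way to spot a machine that is hitting the wrong hostname. From the bash prompt itself, after `kinit`, `curl -sI --negotiate -u : http://localweb/` should produce exactly that 401-then-200 pair in the log.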

Want the PHP part?

apt-get -y install php5 libapache2-mod-php5

# mod_auth_kerb hands the authenticated principal to PHP as PHP_AUTH_USER; escape it before echoing it into HTML
cat > /var/www/html/test.php <<'EOF'
<?php
$user = htmlspecialchars($_SERVER['PHP_AUTH_USER'], ENT_QUOTES, 'UTF-8');
echo "<center>
        <strong><br>Welcome Active Directory user {$user}
        <br>to PHP on Apache on Bash on Ubuntu on Windows
        <br><br><img src=/icons/ubuntu-logo.png>
        </strong></center>";
EOF

service apache2 force-reload

# Then go to http://localweb/test.php in your browser

Ain’t she a beaut?

Wanna see this all in one shot? Here’s the Gist. If you’re into integrated authentication, there are other gists there that you may enjoy.

Chrissy is a Cloud and Datacenter Management & Data Platform MVP who has worked in IT for over 20 years. She is the creator of the popular SQL PowerShell module dbatools, holds a master's degree in Systems Engineering and is coauthor of Learn dbatools in a Month of Lunches. Chrissy is certified in SQL Server, Linux, SharePoint and network security. You can follow her on Twitter at @cl.
