Enabling Apache SSL via Microsoft Certificate Server
The paths in this example are for the Apache 2.2 port on FreeBSD 7.2. The openssl commands below prompt for the key passphrase (twice when the key is created, once whenever the encrypted key is read back); enter it when asked. Replace URL with your server’s internet name (e.g. www.nosam.com) wherever it appears, since naming the files after the host lets you keep certificates for several virtual servers side by side:
cd /usr/local/etc/apache22
openssl genrsa -des3 -out URL.key 2048
openssl rsa -in URL.key -out URL.pem
openssl req -new -key URL.key -out URL.csr
The key is generated at 2048 bits; the 1024-bit size that was common when this was written is rejected by current browsers and no longer issued by public CAs. The second command writes an unencrypted copy of the key (URL.pem) so that Apache can start without a passphrase prompt; that copy is what the chmod 0400 below protects, and it must never leave the server. When openssl req prompts for the certificate fields, enter the server’s internet name exactly as the Common Name.
Get a “Web Server” certificate from Microsoft Certificate Server:
- Submit an advanced certificate request and paste in the contents of the URL.csr file.
- Download just the certificate (not the certificate chain) in “Base 64 encoded” format.
- Save it as URL.crt in the /usr/local/etc/apache22 directory.
chmod 0400 /usr/local/etc/apache22/URL.pem
chmod 0400 /usr/local/etc/apache22/URL.key
chmod 0400 /usr/local/etc/apache22/URL.crt
chmod 0400 /usr/local/etc/apache22/URL.csr
Next, edit the httpd.conf file in /usr/local/etc/apache22 and uncomment the “Include” line:
# Secure (SSL/TLS) connections
Include etc/apache22/extra/httpd-ssl.conf
Finally, edit httpd-ssl.conf in /usr/local/etc/apache22/extra so that the two certificate directives point at the files created above (SSLCertificateKeyFile takes the passphrase-less URL.pem, not URL.key):
SSLCertificateFile "/usr/local/etc/apache22/URL.crt"
SSLCertificateKeyFile "/usr/local/etc/apache22/URL.pem"
If the issuing CA is a subordinate of another CA, clients that do not already trust it will also need the intermediate certificate: download the chain from Certificate Server as well and reference it with SSLCertificateChainFile. Run “apachectl configtest” to catch a typo or a key/certificate mismatch, then restart Apache via the “apachectl restart” command.
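The following script is an added example, not part of the original post. It checks the files the procedure above leaves behind before Apache is restarted: that the two copies of the private key are mode 0400, that the certificate downloaded from Certificate Server really was issued for the key on disk (the modulus in URL.crt must equal the one in URL.pem), and that the certificate names the host. It assumes the file naming used above under the Apache config directory and an openssl binary on PATH; the function names and the CONF_DIR default are this example’s own choices.

```sh
#!/bin/sh
# Added example, not from the original post: sanity-check the files the
# procedure above leaves behind before restarting Apache.  Assumes the
# file naming used above (URL.key, URL.pem, URL.crt under the Apache
# config directory) and an openssl binary on PATH; the function names
# and CONF_DIR default are this example's own choices.
set -u

CONF_DIR=${CONF_DIR:-/usr/local/etc/apache22}

# mode_is_0400 FILE: true if FILE's permission bits are exactly 0400.
# find -perm without a + or - prefix is an exact match on BSD and GNU find.
mode_is_0400() {
    [ -n "$(find "$1" -prune -perm 400 -print 2>/dev/null)" ]
}

# key_matches_cert KEY CERT: true if the RSA modulus in KEY equals the one
# in CERT, i.e. the certificate really was issued for this key.  A mismatch
# is the usual reason Apache refuses to start after a certificate is re-issued.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_names_include CERT NAME: true if NAME is the subject CN or a DNS
# subjectAltName, so browsers will not report a name mismatch.
cert_names_include() {
    openssl x509 -noout -text -in "$1" 2>/dev/null \
        | grep -q -e "CN *= *$2" -e "DNS:$2"
}

# check_site NAME [DIR]: run every check for one virtual host; prints each
# failure and returns non-zero if any check failed.
check_site() {
    name=$1; dir=${2:-$CONF_DIR}; rc=0
    for f in "$dir/$name.key" "$dir/$name.pem"; do   # the two secrets
        if [ ! -f "$f" ]; then
            echo "missing: $f"; rc=1
        elif ! mode_is_0400 "$f"; then
            echo "not mode 0400: $f"; rc=1
        fi
    done
    [ -f "$dir/$name.crt" ] || { echo "missing: $dir/$name.crt"; return 1; }
    key_matches_cert "$dir/$name.pem" "$dir/$name.crt" \
        || { echo "key does not match certificate: $name"; rc=1; }
    cert_names_include "$dir/$name.crt" "$name" \
        || { echo "certificate not issued for $name"; rc=1; }
    return $rc
}

# Usage: sh check_ssl_files.sh www.nosam.com
if [ -n "${1:-}" ]; then
    check_site "$1"
fi
```

Run it as root after the chmod step; a clean pass from check_site means the two directives in httpd-ssl.conf will load, and a "key does not match certificate" line means the CSR was generated from a different key than the one now on disk.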
Integrating FreeBSD 7.x Into Windows Server 2003/2008 Active Directory As A Domain Member Server
I have spent more than 15 hours trying to integrate FreeBSD servers and Microsoft Active Directory. Any successes have come from hours of googling and trying to patch together information from pages about several versions of FreeBSD and Samba to get a working system. These instructions represent my notes on the process and were tested on a FreeBSD 7.1 amd64 system with the Samba 3.0.34 port. I also tried the 3.2.8 and 3.3.2 ports but was unable to successfully integrate with an Active Directory domain.
Steps:
- Enter: cd /usr/ports/security/krb5 && make KRB5_HOME=/usr/local install clean
- Don’t change any config options.
- Enter: cd /usr/ports/net/samba3 && make KRB5_HOME=/usr/local install clean
- Select LDAP, ADS, CUPS, WINBIND, ACL_SUPPORT, FAM_SUPPORT, SYSLOG, UTMP, PAM_SMBPASS, DNSUPDATE, EXP_MODULES and POPT. Deselect all other options.
- Enter: vi /etc/krb5.conf
- Many sources say this step is optional. I think it’s mandatory with Windows Server 2003 and 2008 servers.
- Make it look similar to the file below. Wherever you see DOMAIN.INT, replace it with your Active Directory domain, but keep the upper and lower case exactly as shown: Kerberos realm names are case sensitive, and the realm of an AD domain is its DNS name in upper case. For instance, if your AD domain controller is ad1.example.dom, you would substitute EXAMPLE.DOM for every DOMAIN.INT and example.dom for every domain.int.
- Also replace server in server.domain.int with the FQDN of your Active Directory domain controller. If you have more than one, add a kdc and an admin_server line for each controller, substituting that controller’s hostname.

[logging]
default = SYSLOG:INFO:LOCAL7

[libdefaults]
clock_skew = 300
default_realm = DOMAIN.INT
default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
ticket_lifetime = 24000

[realms]
DOMAIN.INT = {
kdc = server.domain.int:88
admin_server = server.domain.int:464
default_domain = domain.int
}

[domain_realm]
.domain.int = DOMAIN.INT
domain.int = DOMAIN.INT

- The enctypes lines match what the 2003-era domain controllers this was tested against offered. DES is broken and is disabled by default from Windows Server 2008 R2 on, and AES (aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96) is available from Windows Server 2008; on a current domain, list the AES types first and drop DES unless a domain controller still requires it.
- Enter: kinit Administrator
- You should see: kinit: NOTICE: ticket renewable lifetime is 1 week
- If not, check your capitalization and the names of your kdc and admin_server entries. Also check that the FreeBSD host’s clock is within clock_skew (300 seconds) of the domain controller, since Kerberos rejects requests from a host whose clock is further off. Running klist should now show a krbtgt/DOMAIN.INT@DOMAIN.INT ticket.
- Create /usr/local/etc/smb.conf. You may enter: mv /usr/local/etc/smb.conf-dist /usr/local/etc/smb.conf && vi /usr/local/etc/smb.conf, but I suggest entering vi /usr/local/etc/smb.conf to start from a blank config file and adding the following lines.
- Replace workgroup (DOMAIN) with the upper-case NetBIOS name of your domain, realm (DOMAIN.INT) with your Active Directory domain in upper case, password server (server.domain.int) with the FQDN of your Active Directory domain controller (if you have more than one, list them on the password server line separated by spaces), and wins server with the IP address of your WINS server if there is one on your network. Comment it out if you don’t have a WINS server.

[global]
dos charset = ASCII
unix charset = UTF8
display charset = UTF8
workgroup = DOMAIN
realm = DOMAIN.INT
server string = FreeBSD Server %v
security = ADS
allow trusted domains = no
password server = server.domain.int
restrict anonymous = 2
client NTLMv2 auth = yes
client lanman auth = no
client plaintext auth = no
client use spnego = no
server signing = auto
log level = 10
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = no
local master = no
domain master = no
dns proxy = no
wins server = 192.168.1.x
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /home/%D/%U
template shell = /bin/tcsh
add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u
winbind separator = +
winbind cache time = 3600
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind refresh tickets = yes
winbind offline logon = yes

- Two of these lines deserve comment. log level = 10 is the most verbose setting Samba has and writes a great deal, user names included, to /var/log/samba; it is useful while getting the join to work, but lower it to 1 or 2 once it does. add machine script is only invoked when Samba itself is the domain controller creating machine accounts, so on a member server the Linux-style /usr/sbin/useradd path (FreeBSD uses pw useradd) never runs.
- Enter: net ads join -U Administrator
- You should be prompted for the password to the Administrator account in your Active Directory domain. Any domain account delegated the right to join computers to the domain works here; Administrator is simply the account that always has it.
- You should then see the following, where DOMAIN is the NetBIOS name of your Active Directory domain, FREEBSD is the hostname of your FreeBSD server, and DOMAIN.INT is the Active Directory domain you used in /etc/krb5.conf:

Using short domain name -- DOMAIN
Joined 'FREEBSD' to realm 'DOMAIN.INT'

- Enter: mkdir /home/DOMAIN
- Where DOMAIN is the NetBIOS name of your Active Directory domain. On FreeBSD /home is a symbolic link to /usr/home, so the directory really lives under /usr/home. It is the parent that template homedir = /home/%D/%U in smb.conf resolves to, so each domain user gets /home/DOMAIN/username.
- Enter: vi /etc/rc.conf
- Add the following lines to enable the various Samba servers:

nmbd_enable="YES"
samba_enable="YES"
smbd_enable="YES"
winbindd_enable="YES"

- Enter: /usr/local/etc/rc.d/samba start
- This starts the Samba daemons.
- Enter: vi /etc/nsswitch.conf
- Make the existing lines match the following; the change is adding winbind to the group, passwd and shadow lines:

group: winbind files
group_compat: nis
hosts: files dns
networks: files
passwd: winbind files
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
shadow: winbind files

- FreeBSD keeps password hashes in master.passwd rather than a shadow database, so the shadow line is not consulted and is harmless. Listing files before winbind on the group and passwd lines is the safer order: local accounts, root included, then still resolve when winbindd is down or the domain controller is unreachable.
- Enter: cd /usr/ports/security/pam_mkhomedir && make install clean
- This port lets the system create a user’s home directory automatically at first login when combined with the next step.
- Enter: vi /etc/pam.d/sshd
- Make the existing lines match the following by adding the pam_winbind.so auth line and the pam_mkhomedir.so session line:

#
# $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
#
# PAM configuration for the "sshd" service

# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_winbind.so
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass

# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so

# session
#session optional pam_ssh.so
session required /usr/local/lib/pam_mkhomedir.so
session required pam_permit.so

# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass

- Enter: /usr/local/etc/rc.d/samba restart
- Restart the Samba daemons so winbindd picks up the nsswitch change; sshd consults /etc/pam.d/sshd on each login, so it needs no restart.
- Check the join before relying on it: net ads testjoin confirms the machine account, wbinfo -t checks the machine’s trust secret against the domain controller, wbinfo -u lists domain users through winbindd, and getent passwd should show them with /home/DOMAIN/username home directories and the template shell, which proves the nsswitch change took effect.
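The script below is an added example and is not part of the guide. It serves the krb5.conf and smb.conf steps above: it renders both files’ domain-specific lines from the AD DNS domain, the NetBIOS short name and the domain controller names, so that the realm always comes out upper case and the DNS names lower case (the capitalization mistake the guide warns about), checks an existing krb5.conf for that mistake, and wraps the post-join checks. The enctype list it emits puts AES first and omits DES, which is a deliberate departure from the guide’s RC4 plus DES list; function names, the usage and the file layout are this example’s own assumptions.

```sh
#!/bin/sh
# Added example, not part of the original guide: render /etc/krb5.conf and the
# domain-specific smb.conf lines from the domain names, so the realm is always
# upper case and the DNS names lower case, plus a case check for an existing
# krb5.conf and the post-join checks.  Assumes an AD DNS domain, its NetBIOS
# short name and one or more domain controller FQDNs; function names and the
# AES-first enctype list are this example's choices, not the guide's.
set -u

upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# render_krb5 DNSDOMAIN DC [DC ...]: write krb5.conf to stdout, one kdc and
# admin_server pair per controller.  AES is preferred and DES omitted; the
# guide's RC4+DES list only suits pre-2008 R2 controllers.  permitted_enctypes
# is the MIT krb5 name for the allowed set (preferred_enctypes is not an MIT option).
render_krb5() {
    dom=$(lower "$1"); realm=$(upper "$1"); shift
    enc='aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac'
    printf '[logging]\ndefault = SYSLOG:INFO:LOCAL7\n\n'
    printf '[libdefaults]\nclock_skew = 300\ndefault_realm = %s\n' "$realm"
    printf 'default_tgs_enctypes = %s\ndefault_tkt_enctypes = %s\n' "$enc" "$enc"
    printf 'permitted_enctypes = %s\nticket_lifetime = 24000\n\n' "$enc"
    printf '[realms]\n%s = {\n' "$realm"
    for dc in "$@"; do
        dc=$(lower "$dc")
        printf 'kdc = %s:88\nadmin_server = %s:464\n' "$dc" "$dc"
    done
    printf 'default_domain = %s\n}\n\n' "$dom"
    printf '[domain_realm]\n.%s = %s\n%s = %s\n' "$dom" "$realm" "$dom" "$realm"
}

# render_smb NETBIOS DNSDOMAIN DC [DC ...]: the [global] lines that name the
# domain; the rest of the guide's smb.conf is unchanged.
render_smb() {
    wg=$(upper "$1"); realm=$(upper "$2"); shift 2
    ps=''
    for dc in "$@"; do ps="$ps $(lower "$dc")"; done
    printf 'workgroup = %s\nrealm = %s\nsecurity = ADS\npassword server =%s\n' \
        "$wg" "$realm" "$ps"
}

# realm_case_ok FILE: true if every default_realm value and every
# [domain_realm] mapping target in FILE is upper case; prints the offenders.
realm_case_ok() {
    bad=$(awk -F= '
        /^\[/ { sec = $0 }
        /^default_realm[ \t]*=/ || (sec == "[domain_realm]" && /=/) {
            v = $2; gsub(/[ \t]/, "", v)
            if (v != toupper(v)) print
        }' "$1")
    [ -z "$bad" ] || { printf 'lower-case realm in %s:\n%s\n' "$1" "$bad"; return 1; }
}

# verify_join: the post-join checks; needs a joined host with winbindd running.
verify_join() {
    rc=0
    for c in 'net ads testjoin' 'wbinfo -t' 'wbinfo -u' 'getent passwd'; do
        if $c >/dev/null 2>&1; then echo "PASS: $c"; else echo "FAIL: $c"; rc=1; fi
    done
    return $rc
}

# Usage: sh adconf.sh example.dom EXAMPLE ad1.example.dom ad2.example.dom
if [ $# -ge 3 ]; then
    d=$1; nb=$2; shift 2
    render_krb5 "$d" "$@"
    echo
    render_smb "$nb" "$d" "$@"
fi
```

Feed it whatever case you have the names in; the output is what the guide says the files must look like. realm_case_ok /etc/krb5.conf is the first thing to run when kinit fails, and verify_join after the restart step tells you in one pass whether the machine account, the trust secret, winbindd and the nsswitch change are all working.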
Please comment if you would like to see any corrections made to this guide.
Suggested Reading Material:
- FreeBSD Single Sign on with Active Directory and Access Control by Chris Edwards.
- There’s a lot of stuff in the krb5.conf and kdc.conf files. What does it all mean, and what do I really need?
My Son Joined the Navy
One of the proudest moments for a father is when his son or daughter goes off to start their life and you can sense their commitment. I always knew this but never really felt it like I do now. Justin enlisted in the Navy this month and I miss him after only two weeks at boot camp. In his first letter to me today he wrote ”yesterday they tried to break us during PT but it wasn’t happening for me. I’m so dedicated there’s nothing they can do to get into my head.” I have waited a long time to hear him utter words like that! Go Justin!
New Blog
Welcome to my new blog. I plan to update the site frequently so check back often to see what’s happening.
Qwest Signs Multimillion-Dollar Data Networking Agreement with Leading Managed Dental Care Provider in Northwest
DENVER — Qwest Communications International Inc. (NYSE: Q) today announced that it has signed a three-year data networking and voice over Internet Protocol (VoIP) agreement worth $3.8 million with Willamette Dental, one of the largest managed dental care providers in the Northwest. Willamette Dental provides full-service dentistry at office locations in Idaho, Oregon and Washington state.
Using its iQ Networking, Qwest’s wide-area network (WAN) solution, Qwest will connect 64 Willamette Dental locations and be the company’s exclusive network provider for voice and data services. Qwest iQ Networking service will enable Willamette to better manage call volumes and transfer large amounts of complex data over a secure and reliable network, offering the practice’s clients a higher level of customer service. Additionally, Qwest services will enhance Willamette’s VoIP applications, managed by Qwest. Willamette uses VoIP to transfer calls to its call center, from which the dental provider can manage customer requests.
“The deployment of Qwest’s next-generation technology brings a great deal of flexibility and efficiency to our business, resulting in improvements in the way our patients are served,” said Don Mason, director of information technology for Willamette Dental. “Qwest was easy to work with throughout the deployment process, and we see the return on investment from upgrading our telecommunications infrastructure.”
“Willamette Dental is a longtime Qwest customer, and transitioning to a WAN solution will allow the company to better serve customers and improve operations,” said Tom Richards, executive vice president, Qwest business markets group. “Migrating from a frame relay network to Qwest iQ Networking service will allow Willamette to enhance many of its business needs, and Qwest is pleased to provide all of the benefits of a centralized voice and data infrastructure.”
Qwest launched iQ Networking in early 2004 as the company’s convergence platform supporting any number of applications, such as VoIP, messaging and other IP communications. Qwest iQ Networking focuses on solving business problems, reducing total cost and delivering an unparalleled customer service experience.
About Qwest
Qwest offers a unique and powerful combination of voice and data solutions for businesses, government agencies and consumers – locally and throughout the country. Customers coast to coast are turning to Qwest’s industry-leading national fiber optic network and its Spirit of Service for quality products and superior customer experience. For more information on Qwest, and its various operating subsidiaries, please go to www.qwest.com.
The Qwest logo is a registered trademark of Qwest Communications International Inc. in the U.S. and certain other countries.
COPYRIGHT 2006 Business Wire



