Enabling Apache SSL via Microsoft Certificate Server

Don — Thu, 02 Jul 2009 00:09:21 +0000

The paths for this example are based on FreeBSD 7.2. You’ll notice extra lines inserted into the sequence of commands below. You’ll need to enter the key file password either once or twice for each command preceding an extra line. Also, replace URL with your server’s internet name (e.g. www.nosam.com) wherever it is used below since this will allow you to support several virtual server certificates:

cd /usr/local/etc/apache22
openssl genrsa -des3 -out URL.key 1024
openssl rsa -in URL.key -out URL.pem
openssl req -new -key URL.key -out URL.csr

Get a “Web Server” certificate from Microsoft Certificate Server.

Using the URL.csr file contents.
Download just the certificate (not the certificate chain) in “Base 64 encoded” format.
Save with the filename URL.crt file into the /usr/local/etc/apache22 directory

chmod 0400 /usr/local/etc/apache22/URL.pem
chmod 0400 /usr/local/etc/apache22/URL.key
chmod 0400 /usr/local/etc/apache22/URL.crt
chmod 0400 /usr/local/etc/apache22/URL.csr

Next, edit the httpd.conf file in /usr/local/etc/apache22 and uncomment the “Include” line:

# Secure (SSL/TLS) connections
Include etc/apache22/extra/httpd-ssl.conf

Finally, edit the httpd-ssl.conf in /usr/local/etc/apache22/extra:

SSLCertificateFile “/usr/local/etc/apache22/URL.crt”
SSLCertificateKeyFile “/usr/local/etc/apache22/URL.pem”

Restart Apache via the “apachectl restart” command.

Integrating FreeBSD 7.x Into Windows Server 2003/2008 Active Directory As A Domain Member Server

Don — Sat, 20 Sep 2008 06:25:12 +0000

I have spent more than 15 hours trying to integrate FreeBSD servers and Microsoft Active Directory. Any successes have come from hours of googling and trying to patch together information from pages about several versions of FreeBSD and Samba to get a working system. These instructions represent my notes on the process and were tested on a FreeBSD 7.1 amd64 system with the Samba 3.0.34 port. I also tried the 3.2.8 and 3.3.2 ports but was unable to successfully integrate with an Active Directory domain.

Steps:

Enter: cd /usr/ports/security/krb5 && make KRB5_HOME=/usr/local install clean
- Don’t change any config options
Enter: cd /usr/ports/net/samba3 && make KRB5_HOME=/usr/local install clean
- Select LDAP, ADS, CUPS, WINBIND, ACL_SUPPORT, FAM_SUPPORT, SYSLOG, UTMP, PAM_SMBPASS, DNSUPDATE, EXP_MODULES & POPT. Deselect all other options.
Enter: vi /etc/krb5.conf
- Many sources say this step is optional. I think it’s mandatory with Windows Server 2003 & 2008 servers.
- Make it look similar to below. Wherever you see DOMAIN.INT, replace with your active directory domain – but absolutely maintain the upper and lower case as specificed below. For instance, if your AD domain controller is ad1.example.dom, you would substitue “example.dom” for all occurences of “domain.int” maintaining the capitalization below.
- Also replace server in “server.domain.int” with the FQDN of your active directory controller. If you have more than one, you may add additional kdc and admin_server lines for each controller, substituting the hostname for each domain controller.

[logging]
default = SYSLOG:INFO:LOCAL7
default_realm = DOMAIN.INT

[libdefaults]
clock_skew = 300
default_realm = DOMAIN.INT
default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
ticket_lifetime = 24000

[realms]
DOMAIN.INT = {
kdc = server.domain.int:88
admin_server = server.domain.int:464
default_domain = domain.int
}

[domain_realm]
.domain.int = DOMAIN.INT
domain.int = DOMAIN.INT

Enter: kinit Administrator
- You should see: kinit: NOTICE: ticket renewable lifetime is 1 week
- If not, check your capitalization and the names of your kdc and admin_server entries.
While you may enter: mv /usr/local/etc/smb.conf-dist /usr/local/etc/smb.conf && vi /usr/local/etc/smb.conf, I suggest entering vi /usr/local/etc/smb.conf to create a blank config file and adding the following lines.
- Replace DOMAIN, DOMAIN.INT and server.domain.int with the FQDN of your active directory controller. If you have more than one, you may add them to the password server line separated by spaces. Replace workgroup with the uppercase NETBIOS name of your domain, realm with the Active Directory domain, password server with the FQDN of your Active Directory domain controller, and wins server with the IP address of your WINS server if present on your network. Comment it out if you don’t have a WINS server.

[global]
dos charset = ASCII
unix charset = UTF8
display charset = UTF8
workgroup = DOMAIN
realm = DOMAIN.INT
server string = FreeBSD Server %v
security = ADS
allow trusted domains = no
password server = server.domain.int
restrict anonymous = 2
client NTLMv2 auth = yes
client lanman auth = no
client plaintext auth = no
client use spnego = no
server signing = auto
log level = 10
log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = no
local master = no
domain master = no
dns proxy = no
wins server = 192.168.1.x
ldap ssl = no
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /home/%D/%U
template shell = /bin/tcsh
add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u
winbind separator = +
winbind cache time = 3600
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind refresh tickets = yes
winbind offline logon = yes

Enter: net ads join -U Administrator
- You should be prompted for the password to the Administrator account in your Active Directory domain.
- You should then see the following where DOMAIN is the NETBIOS name of your Active directory domain, FREEBSD is the hostname of your FreeBSD server, and DOMAIN.INT is your Active Directory domain used when configuring your /etc/krb5.conf file:

Using short domain name — DOMAIN
Joined ‘FREEBSD’ to realm ‘DOMAIN.INT’

Enter: mkdir /home/DOMAIN
- Where DOMAIN is the NETBIOS name of your Active Directory domain. The FreeBSD user /home directory is linked to /home.
Enter: vi /etc/rc.conf
- Add the following lines to enable the various samba servers:

nmbd_enable=”YES”
samba_enable=”YES”
smbd_enable=”YES”
winbindd_enable=”YES”

Enter: /usr/local/etc/rc.d/samba start
- Start the Samba daemons.
Enter: vi /etc/nsswitch.conf
- Make the existing lines match the following by making the highlighted changes:

group: winbind files
group_compat: nis
hosts: files dns
networks: files
passwd: winbind files
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
shadow: winbind files

Enter: cd /usr/ports/security/pam_mkhomedir && make install clean
- This port will allow your system to automatically create user directories when combined with the next step.
Enter: vi /etc/pam.d/sshd
- Make the existing lines match the following by adding the highlighted lines:

#
# $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
#
# PAM configuration for the “sshd” service

# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
auth sufficient /usr/local/lib/pam_winbind.so
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass

# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so

# session
#session optional pam_ssh.so
session required /usr/local/lib/pam_mkhomedir.so
session required pam_permit.so

# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass

Enter: /usr/local/etc/rc.d/samba start
Enter: /usr/local/etc/rc.d/samba start

Please comment if you would like to see any corrections made to this guide.

Don Mason » Computers

Enabling Apache SSL via Microsoft Certificate Server

Integrating FreeBSD 7.x Into Windows Server 2003/2008 Active Directory As A Domain Member Server