Follow these steps to configure SSO (Single Sign-On) between Windows authentication and an Apache server using the auth_ntlm_winbind module.
In the file `/etc/hosts`, set the Fully Qualified Domain Name (FQDN), like:
```
127.0.0.1 localhost
127.0.1.1 WEB1.your.domain WEB1
```
In the file `/etc/hostname`, set the server name exactly as it appears in `/etc/hosts`:
```
WEB1
```
## Synchronizing clock with Active Directory ##
Installing NTP:
```
aptitude install ntpdate ntp
```
Edit the file `/etc/ntp.conf`, leaving only the LDAP (Active Directory) servers as time sources. Example:
```
# LDAP server IP
server 192.168.1.1
```
Restart service:
```
service ntp restart
```
Synchronizing clock:
```
ntpdate -s 192.168.1.1
```
## Configuring Kerberos ##
Installing the packages:
```
aptitude install krb5-user krb5-config libpam-krb5
```
Edit the file `/etc/krb5.conf` so that it looks like this example:
```
[logging]
default = FILE:/var/log/krb5.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
dns_lookup_realm = false
dns_lookup_kdc = false
clockskew = 300
kdc_timesync = 1
default_realm = YOUR.DOMAIN
[realms]
YOUR.DOMAIN = {
kdc = 192.168.1.1
}
[domain_realm]
.your.domain = YOUR.DOMAIN
your.domain = YOUR.DOMAIN
```
Testing the configuration:
```
kinit <AD User>
klist      # should list the ticket obtained by the kinit command
kdestroy
```
## Configuring Samba ##
Installing the packages:
```
aptitude install samba winbind libnss-winbind libpam-winbind
```
Edit the file `/etc/samba/smb.conf` according to the example below (see the Samba documentation for more explanation):
```
[global]
security = ADS
realm = YOUR.DOMAIN
workgroup = DOMAIN
netbios name = WEB1
server string = Server description (optional)
idmap config * : range = 2000-9999
idmap config * : backend = tdb
# the name in the per-domain "idmap config" lines must match "workgroup" above
idmap config DOMAIN : schema_mode = rfc2307
idmap config DOMAIN : range = 100000-399999
idmap config DOMAIN : default = yes
idmap config DOMAIN : backend = rid
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
winbind use default domain = yes
restrict anonymous = 2
winbind refresh tickets = yes
```
**Tip**: Use the command `testparm` to check the samba configuration.
Restart services:
```
service winbind restart
service smbd restart
```
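Before joining the domain, it is worth checking that the files edited so far agree with each other (hostname vs. `/etc/hosts`, Samba `realm` vs. Kerberos `default_realm`, and the domain name used in the `idmap config` lines vs. `workgroup`), because a mismatch there is a common cause of a failed join. The script below is an added example, not part of the original guide; it takes the file paths and the DNS domain as arguments and assumes the file layout shown above.

```shell
#!/usr/bin/env bash
# Preflight consistency check for the files this guide edits. Run it before
# `net ads join`; every path and the DNS domain are arguments, so it can also
# be pointed at copies of the files.

ini_get() {  # ini_get FILE KEY -> value of the first "KEY = value" line
  sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
    sed 's/[[:space:]]*$//' | head -n 1
}

check_hostname() {  # check_hostname HOSTNAME_FILE HOSTS_FILE DNS_DOMAIN
  local name
  name=$(tr -d '[:space:]' < "$1")
  [ -n "$name" ] || return 1
  # /etc/hosts needs an "IP  name.dns.domain  name" line for the FQDN to resolve.
  awk -v fqdn="$name.$3" -v short="$name" '
    $1 !~ /^#/ && $1 ~ /^[0-9.]+$/ && tolower($2) == tolower(fqdn) && $3 == short { found = 1 }
    END { exit !found }' "$2"
}

check_realm() {  # check_realm SMB_CONF KRB5_CONF DNS_DOMAIN
  local smb_realm krb_realm want
  smb_realm=$(ini_get "$1" realm)
  krb_realm=$(ini_get "$2" default_realm)
  want=$(printf '%s' "$3" | tr '[:lower:]' '[:upper:]')
  # Samba's realm, Kerberos' default_realm and the DNS domain must agree, in upper case.
  [ -n "$smb_realm" ] && [ "$smb_realm" = "$krb_realm" ] && [ "$smb_realm" = "$want" ]
}

check_idmap() {  # check_idmap SMB_CONF
  local wg
  wg=$(ini_get "$1" workgroup)
  [ -n "$wg" ] || return 1
  # Every per-domain "idmap config X : ..." line must name the workgroup, not a stray placeholder.
  ! sed -n -E 's/^[[:space:]]*idmap config ([^*: ]+)[[:space:]]*:.*/\1/p' "$1" | grep -qvx -- "$wg"
}

preflight() {  # preflight HOSTNAME_FILE HOSTS_FILE SMB_CONF KRB5_CONF DNS_DOMAIN
  local rc=0
  check_hostname "$1" "$2" "$5" || { echo "hosts: no FQDN entry for $(cat "$1") in $2" >&2; rc=1; }
  check_realm "$3" "$4" "$5"    || { echo "realm: smb.conf realm, krb5.conf default_realm and $5 disagree" >&2; rc=1; }
  check_idmap "$3"              || { echo "idmap: 'idmap config <X>' lines must use the workgroup name" >&2; rc=1; }
  return $rc
}

# Stand-alone use: ./preflight.sh /etc/hostname /etc/hosts /etc/samba/smb.conf /etc/krb5.conf your.domain
if [ $# -eq 5 ]; then preflight "$@"; fi
```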
## Joining the server to the domain ##
```
net ads join -U domainAdminUser
```
Restart Winbind:
```
service winbind restart
```
## Configuring Apache ##
Install the **auth_ntlm_winbind** module and enable it:
```
aptitude install libapache2-mod-auth-ntlm-winbind
a2enmod auth_ntlm_winbind
```
Edit the file `/etc/apache2/apache2.conf` and add the authentication module to the WordPress directory.
If WordPress is in `/var/www`, then:
```ApacheConf
<Directory /var/www/>
    Options FollowSymLinks
    AllowOverride FileInfo
    AuthName "Intranet Access"
    NTLMAuth on
    NTLMAuthHelper "/usr/bin/ntlm_auth --domain=your.domain --helper-protocol=squid-2.5-ntlmssp"
    NTLMBasicAuthoritative on
    AuthType NTLM
    Require valid-user
</Directory>
```
Fixing a permissions bug, so that the Apache user can reach the winbind privileged pipe used by `ntlm_auth`:
```
usermod -a -G winbindd_priv www-data                 # let www-data use the privileged pipe
chgrp winbindd_priv /var/lib/samba/winbindd_privileged
ln -s /var/lib/samba/winbindd_privileged/pipe /var/run/samba/winbindd_privileged/pipe
```
Restart Apache:
```
service apache2 restart
```
Finally, open the WordPress admin and enable **SSO** in the `simple-LDAP-plugin` configuration.
## Configuring Firefox ##
On Firefox, you must add your domain as **trusted** to use SSO. In
`about:config`, edit the key `network.automatic-ntlm-auth.trusted-uris` and add your domain,
e.g. `.your.domain`.