While I'm not going to bore with my full step-by-step server build doc, I have extracted the Kerberos steps, hoping it will make someone else's life a little easier.
So we start at the point where we have built and activated the server, configured networking and installed vmware tools, but we haven't installed Nagios.
Time Synchronisation - this is very important as Kerberos only tolerates 5 minutes clock differences. So as well as installing ntp, I still add clock=pit to the end of my kernel= line in /boot/grub/menu.lst
Install Kerberos client through yast networking services. Ensure the default dns domain matches resolv.conf; ensure that the default realm matches your AD, and is in CAPITALS; supply your nearest DC's FQDN as KDC server.
Edit krb5.conf
vi /etc/krb5.conf
(insert after [libdefaults])
dns_lookup_realm = true
dns_lookup_kdc = true
With just this first change, you should be able to authenticate using your AD credentials
SRV09 # kinit -V myadusername
Password for myadusername@MYADREALM.INTERNAL:
Password for myadusername@MYADREALM.INTERNAL:
Authenticated to Kerberos v5
SRV09 #
If you get any errors containing "...not match expectations..." check your krb5.conf for typos
Now we have to enable kerberos in PAM.
Edit pam_unix2.conf and check that the following lines are present:
vi /etc/security/pam_unix2.conf
auth: use_krb5 nullok
auth: use_krb5 nullok
account: use_krb5
password: use_krb5 nulllok
session: none
Every participating AD user must have a local account exactly matching their AD username :
useradd –c “My Full Name” –m myadusername
Finish the job by sorting out su and sudo - add the user to the wheel group:
usermod –G wheel myadusername
Enforce use of the wheel group
chown root:wheel /bin/su
chmod o-rx /bin/su
chmod u+s /bin/su
Configure sudo - I just allow access from the wheel group, but you can configure how you like.
visudo
(modify)
#Defaults targetpw
#ALL ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
At this point you should be able to log on via ssh with your AD credentials and use su to root or execute programs with root privilege through sudo if necessary.
Once you have verified this, you can disable root access to sshd:
vi /etc/ssh/sshd_config
(modify)
PermitRootLogin no
Restart SSHD
/etc/init.d/sshd restart
Now we're ready to take on Apache...
Run yast and install the following packages:
apache2
apache-mod_php5
This gets enough Apache in place to install Nagios.
So we run through the Nagios core and plugins installation until we get to
...
make install-webconf
htpasswd2 –c /usr/local/nagios/etc/htpasswd.users nagiosadmin
Now when we restart Apache we should be able to get to the basic Nagios website, to be prompted for the local nagiosadmin credentials.
/etc.init.d/apache2 restart
Ensure all authenticated users have required accesses
vi /usr/local/nagios/etc/cgi.cfg
(modify)
authorized_for_all_services=*
authorized_for_all_hosts=*
authorized_for_all_service_commands=*
authorized_for_system_information=*
authorized_for_configuration_information=*
Now we need to update Apache to use PAM. First run yast and install the following packages:
apache2-devel
pam-devel
Download and expand the pam module source tar file
cd /var/tmp
wget http://pam.sourceforge.net/mod_auth_pam/dist/mod_auth_pam-2.0-1.1.1.tar.gz
tar xzpf mod_auth_pam-2.0-1.1.1.tar.gz
cd mod_auth_pam/
Correction for Apache 2
vi Makefile
(replace) APXS=apxs
(with) APXS=/usr/sbin/apxs2
Compile and install module
make
make install
Tell Apache about the new module:
vi /etc/sysconfig/apache2
(find line beginning with: APACHE_MODULES and add auth_pam and auth_sys_group to the list)
Change system-wide authentication / authorisation to per-directory
vi /etc/apache2/httpd.conf
(under) <Directory />
(replace) AllowOverride None
(with) AllowOverride AuthConfig
Configure PAM parameters for Apache
vi /etc/pam.d/httpd
(remove everything and insert:)
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_krb5.so minimum_uid=1
auth required /lib/security/pam_deny.so
account required /lib/security/pam_krb5.so
vi /etc/apache2/conf.d/nagios.conf
(replace everything in <Directory…> brackets with):
SSLRequireSSL (optional - I'm assuming that you compiled with SSL):
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthName "My AD Domain”
AuthPAM_Enabled on
AuthPAM_FallThrough off
AuthBasicAuthoritative off
AuthGROUP_Enabled off
AuthUserFile /dev/null
AuthType Basic
Require valid-user
Restart Apache (check for errors)
/etc/init.d/apache restart
And that's the main enabling configuration done!
So in future, when we want to add an AD user to Nagios, these are the steps we have to carry out:
Create a local username identical to the AD username
useradd –c “User Full Name” –m adusername
Add the username to the wheel group
usermod –G wheel adusername
Add the username to Nagios Contacts
vi /usr/local/nagios/etc/objects/contacts.cfg
define contact{
contact_name adusername
use generic-contact
alias User Full Name
host_notification_commands notify-host-by-email
service_notification_commands notify-service-by-email
email adusermailname@somedomain.net
}
Add the username to Nagios Admins Group
define contactgroup{
contactgroup_name admins
alias Nagios Administrators
members nagiosadmin,adusername
}
Create a Nagios account using the username (password is ignored, leave blank)
htpasswd2 –c /usr/local/nagios/etc/htpasswd.users adusername
If the user is only to have readonly rights:
vi /usr/local/nagios/etc/cgi.cfg
(modify)
authorized_for_read_only=adusername,user2,etc
Restart Nagios
/etc/init.d/nagios restart