Title: phpbb3 setup on Gentoo Subject: Install phpbb-3.0,apache-2.2,mysql-5,samba-3, with Authentication authnz_external->winbind->Active Directory Author: John Stile Date: Sat Mar 1 13:17:27 PST 2008 #----------------------------------------------- # Summary: #----------------------------------------------- This sets up phpbb3 on gentoo, with single sign-on, using Active Directory. #----------------------------------------------- # Install Software #----------------------------------------------- # # Install MySQL # emerge dev-db/mysql eix -I dev-db/mysql # [I] dev-db/mysql # Available versions: [M]3.23.58-r1 4.0.27-r1 4.1.22-r1 [M]~4.1.23_alpha20070101-r61 5.0.26-r2 ~5.0.32 ~5.0.34 5.0.38 5.0.40 5.0.42 5.0.44 5.0.44-r1 5.0.44-r2 5.0.54 {berkdb big-tables cluster debug embedded extraengine innodb latin1 max-idx-128 minimal perl raid readline selinux ssl static tcpd} # Installed versions: 5.0.54(04:27:22 PM 02/12/2008)(berkdb perl ssl -big-tables -cluster -debug -embedded -extraengine -latin1 -max-idx-128 -minimal -selinux -static) # Homepage: http://www.mysql.com/ # Description: A fast, multi-threaded, multi-user SQL database server. 
# # Initialized mysql # /usr/bin/mysql_install_db # # Start mysql # /etc/init.d/mysql start # # Add mysql to default runlevel # rc-update add mysql default ############################### # # Install php5 # echo 'dev-lang/php xml gd ftp' >> /etc/portage/package.use emerge dev-lang/php eix -I dev-lang/php # [I] dev-lang/php # Available versions: # (4) [M]4.4.8_pre20070816 [M]~4.4.8 # (5) 5.2.4_pre200708051230-r2 5.2.5-r1 [M]5.2.5_p20080206 ~5.2.5_p20080206-r2 ~5.2.5_p20080206-r3 # {adabas apache2 bcmath berkdb birdstep bzip2 calendar cdb cgi cjk cli concurrentmodphp crypt ctype curl curlwrappers db2 dbase dbmaker dbx debug discard-path doc empress empress-bcs esoob exif expat fastbuild fdftk filepro filter firebird flatfile force-cgi-redirect frontbase ftp gd gd-external gdbm gmp hash hyperwave-api iconv imap informix inifile interbase iodbc ipv6 java-external java-internal json kerberos ldap ldap-sasl libedit mcal mcve memlimit mhash ming mnogosearch msql mssql mysql mysqli ncurses nls oci8 oci8-instant-client odbc oracle7 overload pcntl pcre pdo pfpro pic posix postgres qdbm readline recode reflection sapdb session sharedext sharedmem simplexml snmp soap sockets solid spell spl sqlite ssl suhosin sybase sybase-ct sysvipc threads tidy tokenizer truetype unicode wddx xml xmlreader xmlrpc xmlwriter xpm xsl yaz zip zip-external zlib} # Installed versions: 5.2.5-r1(5)(02:43:09 PM 02/13/2008)(apache2 berkdb cli crypt ftp gd gdbm iconv ipv6 mysql ncurses nls pcre readline reflection session spl ssl unicode xml zlib -adabas -bcmath -birdstep -bzip2 -calendar -cdb -cgi -cjk -concurrentmodphp -ctype -curl -curlwrappers -db2 -dbase -dbmaker -debug -discard-path -doc -empress -empress-bcs -esoob -exif -fastbuild -fdftk -filter -firebird -flatfile -force-cgi-redirect -frontbase -gd-external -gmp -hash -imap -inifile -interbase -iodbc -java-external -json -kerberos -ldap -ldap-sasl -libedit -mcve -mhash -msql -mssql -mysqli -oci8 -oci8-instant-client -odbc -pcntl -pdo -pic 
-posix -postgres -qdbm -recode -sapdb -sharedext -sharedmem -simplexml -snmp -soap -sockets -solid -spell -sqlite -suhosin -sybase -sybase-ct -sysvipc -threads -tidy -tokenizer -truetype -wddx -xmlreader -xmlrpc -xmlwriter -xpm -xsl -yaz -zip -zip-external) # Homepage: http://www.php.net/ # Description: The PHP language runtime engine: CLI, CGI and Apache2 SAPIs. ############################### # # Install Apache2 # # Add a line to /etc/make.conf specifying apache modules to build echo 'APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias"' >> /etc/make.conf emerge --deep --update --newuse www-servers/apache # # set options in /etc/conf.d/apache2 # APACHE2_OPTS="-D DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST -D PROXY -D PHP5" # # Start apache # /etc/init.d/apache2 start # # Add apache2 to default runlevel # rc-update add apache2 default # # Show installed version # eix -I www-servers/apache # [I] www-servers/apache # Available versions: (2) 2.2.6-r7 2.2.8 ~2.2.8-r1 # {apache2_modules_actions apache2_modules_alias apache2_modules_asis apache2_modules_auth_basic apache2_modules_auth_digest apache2_modules_authn_alias apache2_modules_authn_anon apache2_modules_authn_dbd apache2_modules_authn_dbm apache2_modules_authn_default apache2_modules_authn_file apache2_modules_authz_dbm apache2_modules_authz_default apache2_modules_authz_groupfile apache2_modules_authz_host apache2_modules_authz_owner apache2_modules_authz_user apache2_modules_autoindex apache2_modules_cache apache2_modules_cern_meta 
apache2_modules_charset_lite apache2_modules_dav apache2_modules_dav_fs apache2_modules_dav_lock apache2_modules_dbd apache2_modules_deflate apache2_modules_dir apache2_modules_disk_cache apache2_modules_dumpio apache2_modules_env apache2_modules_expires apache2_modules_ext_filter apache2_modules_file_cache apache2_modules_filter apache2_modules_headers apache2_modules_ident apache2_modules_imagemap apache2_modules_include apache2_modules_info apache2_modules_log_config apache2_modules_log_forensic apache2_modules_logio apache2_modules_mem_cache apache2_modules_mime apache2_modules_mime_magic apache2_modules_negotiation apache2_modules_proxy apache2_modules_proxy_ajp apache2_modules_proxy_balancer apache2_modules_proxy_connect apache2_modules_proxy_ftp apache2_modules_proxy_http apache2_modules_rewrite apache2_modules_setenvif apache2_modules_speling apache2_modules_status apache2_modules_unique_id apache2_modules_userdir apache2_modules_usertrack apache2_modules_version apache2_modules_vhost_alias apache2_mpms_event apache2_mpms_itk apache2_mpms_peruser apache2_mpms_prefork apache2_mpms_worker debug doc ldap selinux sni ssl static suexec threads} # Installed versions: 2.2.8(2)(04:31:54 PM 02/12/2008)(apache2_modules_actions apache2_modules_alias apache2_modules_auth_basic apache2_modules_auth_digest apache2_modules_authn_anon apache2_modules_authn_dbd apache2_modules_authn_dbm apache2_modules_authn_default apache2_modules_authn_file apache2_modules_authz_dbm apache2_modules_authz_default apache2_modules_authz_groupfile apache2_modules_authz_host apache2_modules_authz_owner apache2_modules_authz_user apache2_modules_autoindex apache2_modules_cache apache2_modules_dav apache2_modules_dav_fs apache2_modules_dav_lock apache2_modules_dbd apache2_modules_deflate apache2_modules_dir apache2_modules_disk_cache apache2_modules_env apache2_modules_expires apache2_modules_ext_filter apache2_modules_file_cache apache2_modules_filter apache2_modules_headers 
apache2_modules_ident apache2_modules_imagemap apache2_modules_include apache2_modules_info apache2_modules_log_config apache2_modules_logio apache2_modules_mem_cache apache2_modules_mime apache2_modules_mime_magic apache2_modules_negotiation apache2_modules_proxy apache2_modules_proxy_ajp apache2_modules_proxy_balancer apache2_modules_proxy_connect apache2_modules_proxy_http apache2_modules_rewrite apache2_modules_setenvif apache2_modules_speling apache2_modules_status apache2_modules_unique_id apache2_modules_userdir apache2_modules_usertrack apache2_modules_vhost_alias ssl -apache2_modules_asis -apache2_modules_authn_alias -apache2_modules_cern_meta -apache2_modules_charset_lite -apache2_modules_dumpio -apache2_modules_log_forensic -apache2_modules_proxy_ftp -apache2_modules_version -apache2_mpms_event -apache2_mpms_itk -apache2_mpms_peruser -apache2_mpms_prefork -apache2_mpms_worker -debug -doc -ldap -selinux -sni -static -suexec -threads) # Homepage: http://httpd.apache.org/ # Description: The Apache Web Server. 
# # # We need this for the apache authnz_external # echo 'www-apache/pwauth pam' >> /etc/portage/package.use emerge www-apache/pwauth eix -I www-apache/pwauth # [I] www-apache/pwauth # Available versions: (~)2.3.2 (~)2.3.5 {domain-aware faillog ignore-case pam} # Installed versions: 2.3.5(04:05:30 PM 02/12/2008)(pam -domain-aware -faillog -ignore-case) # Homepage: http://www.unixpapa.com/pwauth/ # Description: A Unix Web Authenticator ############################### # # Install Samba # echo 'net-fs/samba ads samba winbind kerberos ldap' >> /etc/portage/package.use emerge samba # # Start samba # /etc/init.d/samba start # # Add samba to default runlevel # rc-update add samba default eix -I samba # [I] net-fs/samba # Available versions: 3.0.24-r3 [M]3.0.27 3.0.28 {acl ads async automount caps cups doc examples fam ipv6 kerberos kernel_linux ldap linguas_ja linguas_pl oav pam python quotas readline selinux swat syslog winbind} # Installed versions: 3.0.28(01:09:00 PM 01/16/2008)(acl ads cups fam ipv6 kernel_linux ldap pam python readline winbind -async -automount -caps -doc -examples -linguas_ja -linguas_pl -quotas -selinux -swat -syslog) # Homepage: http://www.samba.org/ # Description: A suite of SMB and CIFS client/server programs for UNIX ############################### # # Install supporting packages for phpbb # emerge media-libs/gd emerge dev-perl/GDTextUtil emerge dev-perl/GDGraph emerge dev-perl/GD emerge media-gfx/imagemagick /etc/init.d/apache2 reload ############################### # # Install phpBB # echo 'www-apps/phpBB' >> /etc/portage/package.keywords echo 'www-apps/phpBB' >> /etc/portage/package.unmask echo 'www-apps/phpBB vhosts' >> /etc/portage/package.use emerge www-apps/phpBB eix phpbb # [I] www-apps/phpBB # Available versions: # (2.0.22) {M}(~)2.0.22 # (3.0.0) {M}(~)3.0.0 # {vhosts} # Installed versions: 3.0.0(3.0.0)(12:07:23 PM 02/13/2008)(vhosts) # Homepage: http://www.phpbb.com/ # Description: phpBB is an open-source bulletin board package. 
# #----------------------------------------------- # Configuration #----------------------------------------------- # # Create MySQL database for phpbb # mysqladmin -uroot -p create phpbb3 echo "GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP ON phpbb3.* TO phpbb@localhost IDENTIFIED BY 'phpbb'; FLUSH PRIVILEGES;" |mysql -uroot -p ############################### # # To enable the PHP features phpbb needs, I had to do the following # # php.ini Setting 1: Authentication. # # When safe_mode is off, we get the variables: # _SERVER["PHP_AUTH_USER"] johns # REMOTE_USER johns # AUTH_TYPE Basic # When safe_mode is on, we get the variables: # REMOTE_USER johns # AUTH_TYPE Basic # # To change phpbb's setting Authentication to Apache we need _SERVER["PHP_AUTH_USER"] # sed -i 's/\(^safe_mode = \)Off/\1On/' /etc/php/apache2-php5/php.ini # NOTE: this sed turns safe_mode On, but the explanation above and step 2 of the switch-over procedure below both call for safe_mode = Off; check which value php.ini actually ends up with. # # php.ini Setting 2: Allow Uploads # # Set allow_url_fopen to on, in order to??? # sed -i 's/\(^allow_url_fopen = \)Off/\1On/' /etc/php/apache2-php5/php.ini # # php.ini Setting 3: Enable error logging # log_errors = On # error_log = /var/log/apache2/php_error.log sed -i \ -e 's/\(^log_errors = \)Off/\1On/' \ -e 's|^;error_log = filename|error_log = /var/log/apache2/php_error.log|' \ /etc/php/apache2-php5/php.ini ############################### # # Setup Samba for Active Directory authentication # # Backup original files # cp /etc/nsswitch.conf /etc/nsswitch.conf.orig cp /etc/samba/smb.conf /etc/samba/smb.conf.orig cp /etc/conf.d/samba /etc/conf.d/samba.orig cp /etc/krb5.conf /etc/krb5.conf.orig cp /etc/pam.d/apache2 /etc/pam.d/apache2.orig # # Setup kerberos realm # cat > /etc/krb5.conf <<'END_KRB5' [libdefaults] ticket_lifetime = 600 default_realm = MS.MYDOMAIN.COM dns_lookup_realm = false dns_lookup_kdc = true default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc [realms] MS.MYDOMAIN.COM = { kdc = 192.168.50.11 kdc = 192.168.50.12 admin_server = 192.168.50.11 default_domain = ms.mydomain.com }
[domain_realm] ms = MS.MYDOMAIN.COM .ms = MS.MYDOMAIN.COM .mydomain.com = MS.MYDOMAIN.COM mydomain.com = MS.MYDOMAIN.COM ms.mydomain.com = MS.MYDOMAIN.COM .ms.mydomain.com = MS.MYDOMAIN.COM [kdc] profile = /etc/krb5kdc/kdc.conf [logging] kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmin.log default = FILE:/var/log/krb5lib.log [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false } END_KRB5 # # Test Kerberos # kinit johns@MS.MYDOMAIN.COM # # Setup minimal samba for joining AD domain # mv /etc/samba/smb.conf /etc/samba/smb.conf.orig cat > /etc/samba/smb.conf <<'END_SAMBA' [global] # JohnStile: added Active directory stuff workgroup = MS server string = %h server (Samba %v) idmap uid = 10000-20000 idmap gid = 10000-20000 template homedir = /home/%U template shell = /bin/bash winbind enum users = yes winbind enum groups = yes winbind nested groups = Yes winbind use default domain = Yes winbind separator = + security = ADS realm = MS.MYDOMAIN.COM wins server = ad1.ms.mydomain.com ldap ssl = no log file = /var/log/samba/log.%m max log size = 1000 syslog = 0 encrypt passwords = true password server = ad1.ms.mydomain.com dns proxy = no wins proxy = no END_SAMBA # # Remove pre-existing tdb files (note: this find walks the whole filesystem and removes every *.tdb it finds, not only Samba's) # /etc/init.d/samba stop find / -name "*.tdb" |xargs rm -rf {} # # Join the Active Directory Domain # net ads join -W ms -U Administrator # Administrator's password: # Using short domain name -- MS # Joined 'SUBVERSION01' to realm 'MS.MYDOMAIN.COM' # # Test ports MyServer-IP=192.168.60.5, the KDC-IP=192.168.50.11 # lsof -i tcp -nP |egrep '445|389' # 445=microsoft-ds, 389=ldap # winbindd 16627 root 14u IPv4 723539 TCP 192.168.60.5:50679->192.168.50.11:445 (ESTABLISHED) # winbindd 16627 root 16u IPv4 723589 TCP 192.168.60.5:49312->192.168.50.11:389 (ESTABLISHED) # # Test config # testparm # # Test winbind talking to the Active Directory server # wbinfo -u wbinfo -g
# # Test conversion of Windows Active Directory accounts to Linux accounts # getent passwd getent group # # Setup pam to use winbind # cp /etc/samba/system-auth-winbind /etc/pam.d/system-auth # # Add first auth line to /etc/samba/system-auth-winbind # which will query allowed users. # auth required /lib/security/pam_listfile.so item=user sense=allow file=/etc/ssh/pam.sshd onerr=fail # # Make list of people with shell access to the system # cat > /etc/ssh/pam.sshd <<'SSHUSERS' root johns peterw fredw SSHUSERS # # Restart samba daemon # /etc/init.d/samba restart rc-update add samba default ---------------------------- Testing Samba AD Cheat Sheet ---------------------------- smbd -b |egrep 'KRB|LDAP' # Shows Samba has needed Libs. net time # Check time on kdc date # Check time on local host net ads join -Uadministrator%passwd # Joins the domain; prints Join is OK net ads testjoin # Shows join is ok getent passwd # Shows nsswitch is correct, to resolve ADS users. getent group # Shows nsswitch is correct, to resolve ADS groups. net ads info # Show AD info winbindd -d 3 -i # Run winbindd daemon interactively in debug. 
wbinfo -u # Shows winbind is doing lookups from ADS wbinfo -g # Shows winbind is doing lookups from ADS wbinfo -a MS+johns%password # Test if winbind can authenticate kinit johns # Test if kerberos can authenticate strace -e open getent passwd # Find files opened during execution of the getent passwd command -------------------------- Testing Cheat Sheet -------------------------- # # Configure Apache authnz_external -> pam -> winbind # cat > /etc/pam.d/apache2 <<'END_APACHE_PAM' #%PAM-1.0 auth required pam_winbind.so account required pam_winbind.so END_APACHE_PAM # # Create Apache virtual host for phpbb app named forums.mydomain.com # cat > /etc/apache2/vhosts.d/02_forums.mydomain.com.conf <<'END_VHOST_PHPBB' ####################################### #NameVirtualHost forums.mydomain.com:443 # ServerAdmin johns@mydomain.com ServerName forums.mydomain.com ServerAlias forums.mydomain.com ErrorLog /var/log/apache2/error.log CustomLog /var/log/apache2/access.log combined #------------------------------# SSLEngine on SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SSLCertificateFile /etc/apache2/ssl/server.crt SSLCertificateKeyFile /etc/apache2/ssl/server.key #------------------------------# SSLOptions +StdEnvVars #------------------------------# AddExternalAuth pwauth /usr/sbin/pwauth SetExternalAuthMethod pwauth pipe ServerEnvironment apache apache #------------------------------# DocumentRoot /var/www/phpBB #Options Indexes FollowSymLinks MultiViews Order allow,deny Allow from all Order deny,allow Deny from all php_flag magic_quotes_gpc Off php_flag track_vars On AuthType Basic AuthName "Forum Authenticated (uses windows user/passwd). Once in, Register an account using your windows username."
AuthBasicProvider external AuthExternal pwauth Require valid-user Require user jeffk johns peterw jont psoper pkohut perrin mhs fredw rogers davidg jeremyf geoffreym john-paulb thorny toddm jaromyr stevem toddm sjohns alexc alexb mhs ####################################### # vim: ts=4 filetype=apache END_VHOST_PHPBB ############################### # # Create instance of webapp phpbb # /usr/sbin/webapp-cleaner -p -C phpBB /usr/sbin/webapp-config -I -h localhost -u root -d /phpBB phpBB 3.0.0 vi /var/www/phpBB/includes/auth/auth_apache.php # # Edit phpbb source to help with Authentication # # Change function in /var/www/phpBB/includes/auth/auth_apache.php # function init_apache() # { # global $user; # error_log($_SERVER['PHP_AUTH_USER'],0 ); # error_log($user->data['username'], 0); # if ( !isset($_SERVER['PHP_AUTH_USER']) || ( $user->data['username'] !== $_SERVER['PHP_AUTH_USER']) ) # { # return $user->lang['APACHE_SETUP_BEFORE_USE']; # } # return false; # } # # With the above change to the init_apache function, # I followed the following procedure to switch phpbb authentication to "Apache" # 1. Setup Apache virtual host config for phpBB3 to use 'AuthType Basic', # 2. Change php.ini setting 'safe_mode = Off' # 3. Create an account in phpbb3 with the same name as an apache authorized account. (username1 in my case). # 4. Give the account from step 3 Founder rights (set username1 as a Founder). # 5. Restart the client browser (to force apache to prompt for user and passwd). # 6. Log in as user (in my case username1). # 7. Select Administrative Control Panel # 8. Log in to Administrative Control Panel as user (in my case username1). # 9. From Administrative Control Panel ->Authentication->change "Select an authentication method" from "Db" to "Apache". # I see the successful green box after this. 
# # To help debug authentication issues, I added this bit of code # When someone logs in, look in /var/log/apache2/php_error.log # # # Install some phpbb styles: # REFERENCE: http://www.phpbb.com/styles/db/?sid=b0ff4d918b43439043444c65015985d3 # http://www.phpbb3styles.net/db/ cd /var/www/phpBB/styles wget http://www.stsoftware.biz/files/phpbb3/acidtech.zip unzip acidtech.zip wget http://www.stsoftware.biz/files/phpbb3/serenity.zip unzip serenity.zip wget http://www.stsoftware.biz/files/phpbb3/avalon.zip unzip avalon.zip # # Not sure if this is necessary # chown -R apache:apache /usr/share/webapps/phpBB/3.0.0/htdocs/{cache,files,store,config.php,images/avatars/upload} # # Setup phpbb # Brows to https://forums.mydomain.com/install/index.php # # Click Install # # --Database------------------------------------ # Database: mysql # Database server hostname or DSN: 127.0.0.1:3306 # Database server port: # Database name: phpbb3 # Database username: phpbb # Database password: phpbb # Prefix for tables in database: phpbb_ # --Basic------------------------------------ # Default board Lang: British English # Administrator username: admin # Administrator password: ZivOsio29 # Confirm admin password: ZivOsio29 # Contact email address: johns@mydomain.com # Confirm email address: johns@mydomain.com # --Email Settings----------------------------------- # Enable board-wide e-mails: Enabled # Use SMTP server for e-mail: Yes # SMTP server address: smtp.ms.mydomain.com # Auth method for SMTP: PLAIN # SMTP user: # SMTP passwd: # --Server URL Settings----------------------------------- # Cookie secure: Enable (I'm using ssl) # Force server URL settings: NO # Domain name: forum.mydomain.com # Server port: 443 # Script path: /phpBB # # --Finished!-------------------------------- # Convert an existing board to phpBB3 # # Go live with your phpBB3 # # Clicking the button below will take you to your Administration Control Panel (ACP). # Take some time to examine the options available to you. 
# Remember that help is available online via the Documentation and the support forums, # see the README for further information. # # Please now delete, move or rename the install directory before you use your board. # If this directory is still present, only the Administration Control Panel (ACP) will be accessible. # mv /var/www/phpBB/install /var/www/phpBB/install.bak chmod 000 /var/www/phpBB/install.bak # # # Log in to web as admin # # # Edit "Your first Category" # Forum Type: Category # Parent Forum: No Parent # Forum Name: Communication Suite # Description: Discussions about All Software Tools for Teamwork and Group communication. # Enable active topic: Yes # # # Edit "Your first Forum" # Forum Type: Forum # Parent forum: Forum # Parent forum: Communication Suite # Forum Name: Bulletin Board # Description: Discussions about the Current or Future bulletin board software # # Display active topics: yes # Click Submit # Click "Back to previous page" # ----------------------------------------------- # Navigate to Board index -> Communication Suite # Create new forum: Wiki # Description: Discussions about Current and Future Online Documentation Tools # Display active topics: yes # ----------------------------------------------- # Log out, and select Register # # # # I need to edit the register page... # # # Agree to terms # Username: johns # email: johns@mydomain.com # confirm email: johns@mydomain.com # passwd: letstalk # confirm passwd: letstalk # Lang: Brit english # Timezone: [UTC -8 ] Pacific Standard Time # Confirm reg: # ----------------------------------------------- # Permissions Tab # ->Forum Based Permissions # -->Select forum: # --->All forums # ---->submit # ----------------------------------------------- # # To give a user lots of access, set them as a "Founder" # You could also set their role as "Admin" #