пятница, 22 октября 2010 г.

Настройка NTLM авторизации для bitrix под CentOS 5.5

Основная статья:
http://dev.1c-bitrix.ru/community/blogs/cluster_db/1754.php
Дополнение, касающееся prefork:
http://dev.1c-bitrix.ru/community/webdev/user/66240/blog/2348/

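# Run as root. Packages for AD membership: Samba 3.x with winbind plus the
# Kerberos client libraries and tools (CentOS 5.5 ships the 3.x series under
# the samba3x names).
yum install -y samba3x samba3x-client samba3x-winbind pam_krb5 krb5-workstation krb5-libs

# Short-name resolution for the AD domain. Only append once, so re-running
# this section does not stack duplicate "domain" lines. NOTE: on this platform
# resolv.conf may be regenerated by dhclient; if that happens, put the domain
# into the interface configuration instead of editing the file directly.
grep -q '^domain cavi\.local$' /etc/resolv.conf \
  || printf 'domain cavi.local\n' >> /etc/resolv.conf

# Keep the shipped smb.conf before replacing it (first run only), the same way
# the later sed edits keep a .bak. CentOS 5 coreutils has no cp -n.
[ -e /etc/samba/smb.conf.bak ] || cp -p /etc/samba/smb.conf /etc/samba/smb.conf.bak

# Quoted here-doc: nothing inside is expanded, so %m/%D/%U reach Samba intact
# and no inner quotes need escaping.
#  - security = ads: authenticate against the domain controller (Kerberos/AD).
#  - idmap uid/gid: local uid/gid range winbind allocates for domain SIDs.
#  - winbind enum users/groups: lets getent list domain accounts; convenient,
#    but it is not needed for authentication and is costly on large domains.
#  - realm: Kerberos realm names are conventionally upper case and krb5.conf
#    below uses CAVI.LOCAL; writing it the same way here avoids confusion.
cat > /etc/samba/smb.conf <<'EOF'
[global]
workgroup = CAVI
netbios name = PORTAL
log file = /var/log/samba/log.%m
max log size = 50
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
security = ads
encrypt passwords = yes
realm = cavi.local
password server = second.cavi.local
EOF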


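# Kerberos client configuration. Back up the packaged file first (first run
# only), then write the new one with a quoted here-doc so no escaping or
# expansion happens.
#  - dns_lookup_kdc = false together with the explicit kdc/admin_server lines
#    pins every Kerberos exchange to second.cavi.local instead of trusting
#    DNS SRV records.
#  - forwardable = yes issues tickets that can be delegated onward; harmless
#    for winbind, but leave it off if delegation is not actually required.
# Kerberos rejects clients whose clock differs from the KDC by more than the
# permitted skew (5 minutes by default): make sure this host syncs time with
# the domain before joining.
[ -e /etc/krb5.conf.bak ] || cp -p /etc/krb5.conf /etc/krb5.conf.bak

cat > /etc/krb5.conf <<'EOF'
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = CAVI.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = yes

[realms]
CAVI.LOCAL = {
kdc = second.cavi.local:88
admin_server = second.cavi.local:749
}

[domain_realm]
.cavi.local = CAVI.LOCAL
cavi.local = CAVI.LOCAL
EOF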

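# Let NSS resolve domain users and groups through winbind. One sed invocation
# with three expressions, so the single nsswitch.conf.bak really is the
# pristine file (three separate -i.bak runs each overwrite the previous
# backup). The patterns no longer insist on a space after the colon, so
# "passwd:files" style lines are rewritten as well. shadow stays local:
# winbind does not serve shadow entries.
sed -i.bak \
  -e 's/^passwd:.*/passwd: compat winbind/' \
  -e 's/^group:.*/group: compat winbind/' \
  -e 's/^shadow:.*/shadow: compat/' \
  /etc/nsswitch.conf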

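# Join the domain first: "net ads join" only needs smb.conf/krb5.conf, and
# winbind is happier starting with the machine account already in place.
# The -U account is prompted for its password -- keep it that way rather than
# passing it on the command line, where it would show up in ps and in the
# shell history. Abort here if the join fails; nothing below is useful without it.
net ads join -U najdis || exit 1

# Bring the daemons up through their init scripts (the original started the
# winbindd binary by hand, outside service control, while chkconfig managed
# the "winbind" service -- the two can drift apart on reboot) and enable them.
service smb start
service winbind start
chkconfig smb on
chkconfig winbind on

# Non-fatal sanity checks: machine account still valid, winbind can reach the DC.
net ads testjoin
wbinfo -t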


Установка модуля mod_auth_ntlm_winbind:
# svn checkout svn://svnanon.samba.org/lorikeet/trunk/mod_auth_ntlm_winbind mod_auth_ntlm_winbind - не работает =(
# git-clone git://git.samba.org/jerry/mod_auth_ntlm_winbind.git - не работает =(

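# The svn/git mirrors were unreachable at the time, so fetch the unpacked tree
# by recursive FTP. -nH drops the host name and --cut-dirs=3 drops
# pub/unpacked/lorikeet, so the sources land directly in ./mod_auth_ntlm_winbind
# relative to the current directory -- no mv from /root and no rm -rf of a
# host-named directory. Plain FTP gives no integrity guarantee for code that
# will be loaded into Apache: review the fetched source (or diff it against the
# upstream repository once it is reachable) before building it.
wget -r -l1 --no-parent -nH --cut-dirs=3 \
  ftp://samba.org/pub/unpacked/lorikeet/mod_auth_ntlm_winbind/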


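# Build and install the module against the system Apache. The cd must not fail
# silently: without the guard, apxs would compile whatever happens to be in the
# current directory.
yum install -y httpd-devel
cd mod_auth_ntlm_winbind || exit 1
apxs -DAPACHE2 -c -i mod_auth_ntlm_winbind.c

# Normalise the installed module's mode to that of the stock modules
# (root-owned, world-readable, writable by nobody else).
chmod 644 /usr/lib/httpd/modules/mod_auth_ntlm_winbind.so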

Конфигурируем:
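# Apache: load the module and protect the Bitrix document root with NTLM.
# Quoted here-doc, so the inner double quotes need no escaping and nothing
# is expanded.
#  - NTLMAuthHelper: ntlm_auth in squid-2.5-ntlmssp mode talks to winbindd on
#    Apache's behalf.
#  - NTLMBasicAuthoritative on: clients that cannot do NTLM fall back to Basic
#    auth. With Apache moved to plain port 80 later in this setup, those
#    credentials cross the wire unencrypted -- put TLS in front, or turn the
#    fallback off if every client is NTLM-capable.
#  - require valid-user: any account that authenticates against the domain is
#    admitted; narrow this if only part of the domain should reach the portal.
cat > /etc/httpd/conf.d/auth_ntlm_winbind.conf <<'EOF'
LoadModule auth_ntlm_winbind_module modules/mod_auth_ntlm_winbind.so
<Directory "/home/bitrix/www">
AuthName "NTLM Authentication thingy"
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
AuthType NTLM
require valid-user
</Directory>
EOF

# NTLM authenticates the TCP connection (the handshake spans several
# requests), so persistent connections are mandatory.
sed -i.bak 's/^KeepAlive .*/KeepAlive On/' /etc/httpd/conf/httpd.conf

# ntlm_auth needs read+search access to winbindd's privileged pipe directory.
# Grant it only to the account Apache runs as (bitrix here) via an ACL, rather
# than widening the directory's group or mode for everyone.
setfacl -m u:bitrix:rx /var/lib/samba/winbindd_privileged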


Изменяем настройки Apache так, чтобы он слушал на 80-м порту:
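# Apache takes over port 80 directly now that nginx is retired further down.
# Both substitutions in one sed run, so default.conf.bak keeps the pristine
# file instead of the result of the first edit. In the pattern "*" must be
# escaped; in the replacement it is literal.
sed -i.bak \
  -e 's/Listen 8888/Listen 80/' \
  -e 's/VirtualHost \*:8888/VirtualHost *:80/' \
  /etc/httpd/conf.d/default.conf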


Делаем Apache более отзывчивым:
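# Prefork MPM tuning for the NTLM setup (keep-alive connections tie up a worker
# each, so a larger pool of spare servers is kept). Quoted here-doc so the
# angle brackets and values are written verbatim. MaxRequestsPerChild recycles
# workers periodically, which bounds the growth of any per-process leak.
cat > /etc/httpd/conf.d/prefork.conf <<'EOF'
<IfModule mpm_prefork_module>
StartServers 8
MinSpareServers 8
MaxSpareServers 12
MaxClients 256
MaxRequestsPerChild 512
</IfModule>
EOF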


Чтобы исключить перезапись, удаляем ссылку на скрипт из автозапуска:
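# bvat appears to be the Bitrix environment's tuning script, which would
# rewrite the Apache/nginx settings made above at the next boot. Removing only
# the rc3.d symlink leaves links in other runlevels (if any) in place;
# "chkconfig bvat off" is the conventional way, provided the init script
# supports chkconfig. -f makes the step idempotent on re-runs; -- guards
# against option-looking paths.
rm -f -- /etc/rc3.d/S16bvat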

Отключаем nginx:
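# nginx used to front Apache; disable its autostart before stopping it, so a
# reboot in between cannot bring it back onto port 80 while Apache is being
# moved there.
chkconfig nginx off
service nginx stop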


Перезапускаем Apache:
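# Validate the Apache configuration before restarting: a typo in any of the
# conf.d files written above would otherwise take the site down instead of
# merely logging an error. zend-server wraps the system httpd here, judging by
# the /etc/httpd paths used throughout.
httpd -t || exit 1
service zend-server restart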
