[Samba] Samba 4 + Squidguardian

Rowland Penny rowlandpenny241155 at gmail.com
Mon Oct 19 16:08:40 UTC 2015


On 19/10/15 16:46, mathias dufresne wrote:
> AD from Samba or Microsoft is mainly a database for storing users (and
> associated stuff). It also comes with stuff (protocols) to connect and
> retrieve information.
>
> How the client uses this information is, as always, a choice from that
> specific client.
>
> Your AD client is your Squid/Squidguard(ian) server. Its job as AD client
> is to get some user information from AD to build system users. I insist on
> the fact system users are forged. Purely.
>
> What is responsible for that forging process? What you declared in
> /etc/nsswitch.conf.
> Generally it is winbind, sssd or nslcd.
>
> Each one of these tools comes with its own set of options, tweaks and
> configuration files to define how to forge users from local system point of
> view.
>
> Each one except for Winbind which forges users as it decides to, no matter
> the desires of local system admin. At least this is how I understood
> winbind behaviour (which has no configuration file as far as I know).

Well, apart from idmap.ldb on a DC and the idmap_config lines in 
smb.conf on a domain member, there are no configuration files. :-D

>
> Perhaps you are using winbind, in that case winbind is responsible to add
> domain and backslashes when forging your users.
>
> I don't know nslcd at all but some are using it on that mailing list. So I
> expect it does its job too.
>
> I tried SSSD for the company I'm working for these days and it comes with a
> lot of configuration options. I expect it can force addition of AD domain to
> username but it is not the default behaviour.
>
> On some DC where it uses winbind to forge users:

No, sorry, I cannot understand what you mean by forge, in English this 
word is used for creating your own banknotes or a thing used by a 
blacksmith.

> wbinfo -i mathias.dufresne
> AD.DGFIP\mathias.dufresne:*:1000:100:Mathias
> Dufresne:/home/AD.DGFIP/mathias.dufresne:/bin/false
>
> I use wbinfo to show you how my user is built and not the "getent" command
> because my PAM is not configured on these DC.
>
> On some file server connected to that very same domain, this server is
> using SSSD rather than winbind:
> getent passwd mathias.dufresne
> mathias.dufresne:*:10002103:10002103:Mathias Dufresne gecos
> field:/home/mathias.dufresne:/bin/bash
>
> Here we can see when using SSSD the domain part which was forced by winbind
> is not present.
>
> UIDs are not the same because I changed my UID/GID and on the DC the wbinfo
> command does not reflect that change. SSSD does.

If you add a uidNumber to a user in AD, then it should show on a 
DC, even if you are not using winbind.

> Home directory: once more, winbind forges its own home directory when SSSD
> is using what I configured in AD in homeDirectory attribute.
>
> Gecos : SSSD uses the "gecos" field from AD. Winbind decided to use display
> name. With SSSD you can decide to use display name if you want, but only
> if you want.
>
> Etc, etc, etc...
>
> Perhaps I'm totally wrong and you are not using Winbind, in that case you
> should simply have a look into your tool configuration.
> If I'm right, you'll have to change this tool to replace it by something
> configurable.
>
> Best regards,
>
> mathias
>

Best plan, tell us how you have setup Samba.

Rowland

>
> 2015-10-19 16:35 GMT+02:00 Andre Freire <
> andre.freire at hotfixtecnologia.com.br>:
>
>> Hi,
>>
>> I have a Samba 4 Domain Member that I use as a Proxy Server. I use
>> Squid with NTLM Authentication and it works perfectly. My problem is
>> Squidguard with NTLM Authentication. If I use Samba 4.2.X in my Samba 4
>> Domain Controller I see in the Squid LOG only the user name but if I use
>> Samba 4.1.x or 4.3.0 in my Domain Controller I see in the Squid LOG
>> domain\\user name and Squidguard Authentication does not work.
>>
>> How can I use Samba 4.3 in my DC and have only the user name appear in the
>> Squid LOG, without the domain?
>>
>> Summing up: If I have a DC with Windows 2k8 or 2k12 or a DC with Samba
>> 4.2.x, the Squid LOG shows only the username and NTLM Authentication of
>> Squid and Squidguard works perfectly, but if I have a DC with Samba 4.1.x
>> or 4.3.0 the Squid LOG shows "domain\\user name" and NTLM Authentication of
>> Squid works but Squidguard doesn't work.
>>
>> Regards,
>> André Freire
>> Managing Partner
>> E-mail: andre.freire at hotfixtecnologia.com.br
>> skype: andrefreire.hf
>> Tel: (71)9381-7372
>>
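
As an added example (not part of the thread, and not Samba, Squid or squidGuard code): a small Python normaliser for the two name forms shown above. It strips a domain prefix only when the domain is explicitly trusted, so a same-named account from another domain is never matched; the function names, `TRUSTED_DOMAINS` and the allowed character set are assumptions.

```python
import re

# Assumption: the only AD domain whose prefix may be dropped. "AD.DGFIP" is
# the domain visible in the wbinfo output quoted in the thread.
TRUSTED_DOMAINS = frozenset({"AD.DGFIP"})

# Assumption: account names are limited to this conservative character set.
ACCOUNT_RE = re.compile(r"[A-Za-z0-9._-]+\$?")


def passwd_name(entry):
    """Return the login-name field of a passwd-style line (wbinfo -i / getent)."""
    return entry.split(":", 1)[0]


def bare_user(identity, trusted=TRUSTED_DOMAINS):
    """Map 'user', 'DOMAIN\\user' or the log form 'DOMAIN\\\\user' to 'user'.

    Returns None when the domain is not trusted or the name is malformed, so
    the caller can deny instead of matching a same-named account elsewhere.
    """
    parts = re.split(r"\\+", identity.strip(), maxsplit=1)
    if len(parts) == 2:
        domain, user = parts
        if domain.upper() not in {d.upper() for d in trusted}:
            return None
    else:
        user = parts[0]
    if not ACCOUNT_RE.fullmatch(user):
        return None
    return user.lower()


# Constructed sample input: the two entries from the thread joined onto one
# line each, plus a constructed log-style name and a foreign-domain name.
SAMPLES = [
    passwd_name("AD.DGFIP\\mathias.dufresne:*:1000:100:Mathias Dufresne:"
                "/home/AD.DGFIP/mathias.dufresne:/bin/false"),
    passwd_name("mathias.dufresne:*:10002103:10002103:Mathias Dufresne gecos "
                "field:/home/mathias.dufresne:/bin/bash"),
    "AD.DGFIP\\\\mathias.dufresne",
    "OTHER\\mathias.dufresne",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:40} -> {bare_user(s)!r}")
```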