[Samba] Samba 4 + Squidguardian

mathias dufresne infractory at gmail.com
Mon Oct 19 15:46:50 UTC 2015


AD, from Samba or Microsoft, is mainly a database for storing users (and
associated stuff). It also comes with things (protocols) to connect and
retrieve information.

How the client uses this information is, as always, a choice made by that
specific client.

Your AD client is your Squid/Squidguard(ian) server. Its job as AD client
is to get some user information from AD to build system users. I insist on
the fact that system users are forged. Purely.

What is responsible for that forging process? What you declared in
/etc/nsswitch.conf.
Generally it is winbind, sssd or nslcd.

Each one of these tools comes with its own set of options, tweaks and
configuration files to define how to forge users from the local system's
point of view.

Each one except Winbind, which forges users as it decides to, no matter
the desires of the local system admin. At least this is how I understood
winbind's behaviour (which has no configuration file as far as I know).

Perhaps you are using winbind; in that case winbind is responsible for adding
the domain and backslashes when forging your users.

I don't know nslcd at all, but some people on this mailing list are using it.
So I expect it does its job too.

I tried SSSD for the company I'm working for these days and it comes with a
lot of configuration options. I expect it can force the addition of the AD
domain to the username, but that is not the default behaviour.

On a DC which uses winbind to forge users:
wbinfo -i mathias.dufresne
AD.DGFIP\mathias.dufresne:*:1000:100:Mathias Dufresne:/home/AD.DGFIP/mathias.dufresne:/bin/false

I use wbinfo to show you how my user is built rather than the "getent"
command, because PAM is not configured on these DCs.

On a file server joined to that very same domain, which is using SSSD
rather than winbind:
getent passwd mathias.dufresne
mathias.dufresne:*:10002103:10002103:Mathias Dufresne gecos field:/home/mathias.dufresne:/bin/bash

Here we can see that, when using SSSD, the domain part which was forced by
winbind is not present.

The UIDs are not the same because I changed my UID/GID, and on the DC the
wbinfo command does not reflect that change. SSSD does.

Home directory: once more, winbind forges its own home directory, while SSSD
uses what I configured in AD in the homeDirectory attribute.

Gecos: SSSD uses the "gecos" field from AD. Winbind decided to use the
display name. With SSSD you can decide to use the display name if you want,
but only if you want.

Etc, etc, etc...

Perhaps I'm totally wrong and you are not using winbind; in that case you
should simply have a look at your tool's configuration.
If I'm right, you'll have to replace this tool with something configurable.

Best regards,

mathias



2015-10-19 16:35 GMT+02:00 Andre Freire <
andre.freire at hotfixtecnologia.com.br>:

> Hi,
>
> I have a Samba 4 Domain Member that I use as a Proxy Server. I use
> Squid with NTLM Authentication and it works perfectly. My problem is Squidguard
> with NTLM Authentication. If I use Samba 4.2.X on my Samba 4 Domain
> Controller I see in the Squid LOG only the user name, but if I use Samba 4.1.x
> or 4.3.0 on my Domain Controller I see in the Squid LOG domain\\user name and
> Squidguard Authentication does not work.
>
> How can I use Samba 4.3 on my DC and have only the user name appear in the
> Squid LOG, without the domain?
>
> Summing up: If I have a DC with Windows 2k8 or 2k12 or a DC with Samba
> 4.2.x, the Squid LOG shows only the username and NTLM Authentication of
> Squid and Squidguard works perfectly, but if I have a DC with Samba 4.1.x or
> 4.3.0 the Squid LOG shows "domain\\user name" and NTLM Authentication of
> Squid works but Squidguard doesn't work.
>
>
>
> Att,
> André Freire
> Sócio Diretor
> E-mail: andre.freire at hotfixtecnologia.com.br
> skype: andrefreire.hf
> Tel: (71)9381-7372
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
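The two passwd-style lines quoted in the reply above (the wbinfo output from the winbind DC and the getent output from the SSSD file server) make the "forged user" point concrete. The script below is an added example, not code from the original post, from Samba or from SSSD: it parses both lines, strips the domain prefix winbind put in front of the login name, and lists which passwd fields the two backends filled in differently. The sample lines are copied from the post; the assumption that the domain separator is a backslash (winbind's default), a plus sign or a slash is mine, as is the choice to treat the bare login name as the value a consumer of Squid's log has to match on.

```shell
#!/bin/sh
# Added example, not from the original post: parse passwd(5)-style lines as
# printed by "wbinfo -i" and "getent passwd", strip the domain prefix winbind
# adds to the login name, and list the fields the two NSS backends forged
# differently. Both sample lines are copied from the post (constructed input).

# Login name as winbind forged it on the DC (default separator: backslash).
WB_LINE='AD.DGFIP\mathias.dufresne:*:1000:100:Mathias Dufresne:/home/AD.DGFIP/mathias.dufresne:/bin/false'
# Same account as SSSD forged it on a file server joined to the same domain.
SSSD_LINE='mathias.dufresne:*:10002103:10002103:Mathias Dufresne gecos field:/home/mathias.dufresne:/bin/bash'

# passwd_field LINE N: print the N-th colon-separated field
# (1 = login name, 3 = uid, 4 = gid, 5 = gecos, 6 = home, 7 = shell).
passwd_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# bare_user NAME: drop a leading "DOMAIN<sep>" part. Assumption: the separator
# is a backslash (winbind's default), '+' or '/'. A name with no separator is
# printed unchanged, so SSSD-style names pass through untouched.
bare_user() {
    printf '%s\n' "$1" | sed -e 's#^[^\\+/]*[\\+/]##'
}

# differing_fields LINE_A LINE_B: space-separated names of the passwd fields
# whose values differ between the two lines.
differing_fields() {
    printf '%s\n%s\n' "$1" "$2" | awk -F: '
        BEGIN { split("name passwd uid gid gecos home shell", label, " ") }
        NR == 1 { for (i = 1; i <= NF; i++) a[i] = $i; next }
        NR == 2 {
            sep = ""
            for (i = 1; i <= NF; i++)
                if (a[i] != $i) { printf "%s%s", sep, label[i]; sep = " " }
            print ""
        }'
}

# same_account LINE_A LINE_B: succeed when both lines name the same login once
# the domain prefix is removed. This is the comparison a consumer of Squid's
# access log (SquidGuard in the thread) effectively has to make.
same_account() {
    [ "$(bare_user "$(passwd_field "$1" 1)")" = "$(bare_user "$(passwd_field "$2" 1)")" ]
}

# Stand-alone run: show both login names, the bare name, and the differing fields.
printf 'winbind login: %s\n' "$(passwd_field "$WB_LINE" 1)"
printf 'sssd login:    %s\n' "$(passwd_field "$SSSD_LINE" 1)"
printf 'bare name:     %s\n' "$(bare_user "$(passwd_field "$WB_LINE" 1)")"
printf 'fields forged differently: %s\n' "$(differing_fields "$WB_LINE" "$SSSD_LINE")"
```

Run it as-is to see that only the passwd field (`*` on both) agrees between the two backends; name, uid, gid, gecos, home and shell are all different, which is exactly the situation the post describes. `bare_user` is the one-liner you would wrap around a username before handing it to a tool that expects the bare login.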

