[Samba] Samba 4 + Squidguardian

Andre Freire andre.freire at hotfixtecnologia.com.br
Mon Oct 19 20:07:10 UTC 2015


My smb.conf file on the domain member is:

[global]

  netbios name = FW01
  workgroup = HOTFIX
  security = ADS
  realm = HOTFIX.INTRA

  idmap config *:backend = tdb
  idmap config *:range = 2000-9999
  idmap config HOTFIX:backend = ad
  idmap config HOTFIX:schema_mode = rfc2307
  idmap config HOTFIX:range = 10000-99999

  winbind nss info = rfc2307
  winbind trusted domains only = no
  winbind use default domain = yes
  winbind enum users  = yes
  winbind enum groups = yes
  winbind refresh tickets = Yes

My /etc/nsswitch is:

passwd: compat winbind
group:  compat winbind

If I use a Samba 4.2.X or Windows DC and any version of Samba 4 on the domain
member, NTLM authentication in Squid\Squidguard works perfectly, but if I use
Samba 4.1.X or Samba 4.3.0, NTLM authentication works in Squid but doesn't
work in Squidguard.



André Freire
Sócio Diretor
E-mail: andre.freire at hotfixtecnologia.com.br
skype: andrefreire.hf
Tel: (71)9381-7372


2015-10-19 13:08 GMT-03:00 Rowland Penny <rowlandpenny241155 at gmail.com>:

> On 19/10/15 16:46, mathias dufresne wrote:
>
>> AD from Samba or Microsoft is mainly a database for storing users (and
>> associated things). It also comes with things (protocols) to connect and
>> retrieve information.
>>
>> How the client uses this information is, as always, a choice of that
>> specific client.
>>
>> Your AD client is your Squid/Squidguard(ian) server. Its job as an AD client
>> is to get some user information from AD to build system users. I insist on
>> the fact that system users are forged. Purely.
>>
>> What is responsible for that forging process? What you declared in
>> /etc/nsswitch.conf.
>> Generally it is winbind, sssd or nslcd.
>>
>> Each one of these tools comes with its own set of options, tweaks and
>> configuration files to define how to forge users from the local system's
>> point of view.
>>
>> Each one except for Winbind, which forges users as it decides to, no matter
>> the desires of the local system admin. At least this is how I understood
>> winbind behaviour (which has no configuration file as far as I know).
>>
>
> Well, apart from idmap.ldb on a DC and the idmap_config lines in smb.conf
> on a domain member, there are no configuration files. :-D
>
>
>> Perhaps you are using winbind; in that case winbind is responsible for
>> adding the domain and backslashes when forging your users.
>>
>> I don't know nslcd at all but some people on that mailing list are using
>> it. So I expect it does its job too.
>>
>> I tried SSSD for the company I'm working for these days and it comes with
>> lots of configuration options. I expect it can force the addition of the
>> AD domain to the username but it is not the default behaviour.
>>
>> On some DCs where it uses winbind to forge users:
>>
>
> No, sorry, I cannot understand what you mean by forge, in English this
> word is used for creating your own banknotes or a thing used by a
> blacksmith.
>
>> wbinfo -i mathias.dufresne
>> AD.DGFIP\mathias.dufresne:*:1000:100:Mathias Dufresne:/home/AD.DGFIP/mathias.dufresne:/bin/false
>>
>> I use wbinfo to show you how my user is built, and not the "getent"
>> command, because PAM is not configured on these DCs.
>>
>> On some file server connected to that very same domain, this server is
>> using SSSD rather than winbind:
>> getent passwd mathias.dufresne
>> mathias.dufresne:*:10002103:10002103:Mathias Dufresne gecos field:/home/mathias.dufresne:/bin/bash
>>
>> Here we can see that when using SSSD the domain part which was forced by
>> winbind is not present.
>>
>> UIDs are not the same because I changed my UID/GID and on the DC the wbinfo
>> command does not reflect that change. SSSD does.
>>
>
> If you add a uidNumber to a user in AD, then it should show on a DC,
> even if you are not using winbind.
>
>> Home directory: once more, winbind forges its own home directory whereas
>> SSSD is using what I configured in AD in the homeDirectory attribute.
>>
>> Gecos: SSSD uses the "gecos" field from AD. Winbind decided to use the
>> display name. With SSSD you can decide to use the display name if you
>> want, but only if you want.
>>
>> Etc, etc, etc...
>>
>> Perhaps I'm totally wrong and you are not using Winbind; in that case you
>> should simply have a look into your tool's configuration.
>> If I'm right, you'll have to change this tool and replace it with
>> something configurable.
>>
>> Best regards,
>>
>> mathias
>>
>>
> Best plan, tell us how you have set up Samba.
>
> Rowland
>
>
>
>> 2015-10-19 16:35 GMT+02:00 Andre Freire <
>> andre.freire at hotfixtecnologia.com.br>:
>>
>>> Hi,
>>>
>>> I have a Samba 4 Domain Member that I use as a Proxy Server. I use
>>> Squid with NTLM Authentication and it works perfectly. My problem is
>>> Squidguard with NTLM Authentication. If I use Samba 4.2.X in my Samba 4
>>> Domain Controller I see in the Squid LOG only the user name, but if I use
>>> Samba 4.1.x or 4.3.0 in my Domain Controller I see in the Squid LOG
>>> domain\\user name and Squidguard Authentication does not work.
>>>
>>> How can I use Samba 4.3 in my DC and have only the user name, without
>>> the domain, appear in the Squid LOG?
>>>
>>> Summing up: If I have a DC with Windows 2k8 or 2k12 or a DC with Samba
>>> 4.2.x, the Squid LOG shows only the username and NTLM Authentication of
>>> Squid and Squidguard works perfectly, but if I have a DC with Samba 4.1.x
>>> or 4.3.0 the Squid LOG shows "domain\\user name" and NTLM Authentication
>>> of Squid works but Squidguard doesn't work.
>>>
>>> Att,
>>> André Freire
>>> Sócio Diretor
>>> E-mail: andre.freire at hotfixtecnologia.com.br
>>> skype: andrefreire.hf
>>> Tel: (71)9381-7372
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>>
>
>
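The two passwd lines quoted in the thread (winbind's DOMAIN\user login from wbinfo versus SSSD's bare login from getent) and the proxy-log symptom in the original question both come down to where the domain prefix lives. This added example, which is not code from the thread or from Samba/Squid, parses such lines and canonicalises logins to (DOMAIN, user) so that a user list keyed on bare names matches either form without merging same-named accounts from different domains; the sample lines and the HOTFIX default domain are constructed from values quoted in the thread.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines, shaped like the two outputs quoted in this thread:
# wbinfo on a DC (winbind forges a DOMAIN\user login) and getent via SSSD (bare login).
WINBIND_LINE = r"AD.DGFIP\mathias.dufresne:*:1000:100:Mathias Dufresne:/home/AD.DGFIP/mathias.dufresne:/bin/false"
SSSD_LINE = "mathias.dufresne:*:10002103:10002103:Mathias Dufresne gecos field:/home/mathias.dufresne:/bin/bash"


@dataclass(frozen=True)
class NssUser:
    domain: Optional[str]  # None when the NSS source emitted no domain prefix
    name: str              # bare account name
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd_line(line: str, separator: str = "\\") -> NssUser:
    """Split a passwd(5)-style line and peel off a winbind-style DOMAIN<sep>user prefix.

    `separator` defaults to the backslash seen in the thread's wbinfo output
    (the default of smb.conf's "winbind separator"); pass another character if changed.
    """
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 passwd fields, got {len(fields)}: {line!r}")
    login, _pw, uid, gid, gecos, home, shell = fields
    domain, sep, name = login.rpartition(separator)
    if not sep:  # bare login: SSSD, or winbind with "winbind use default domain = yes"
        domain, name = None, login
    return NssUser(domain, name, int(uid), int(gid), gecos, home, shell)


def canonical_login(login: str, default_domain: str, separator: str = "\\") -> tuple[str, str]:
    """Normalise a login from a proxy log or an ACL/user list to (DOMAIN, user).

    A bare name is attributed to default_domain, the same assumption that
    "winbind use default domain = yes" makes, so "HOTFIX\\alice" and "alice"
    compare equal while "OTHER\\alice" stays distinct instead of being silently
    merged. A doubled separator, as in the "domain\\\\user" form quoted in the
    thread, is tolerated.
    """
    domain, sep, name = login.rpartition(separator)
    domain = domain.rstrip(separator) if sep else default_domain
    return domain.upper(), name.casefold()
```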

