[Samba] Samba 4 + Squidguardian

L.P.H. van Belle belle at bazuin.nl
Tue Oct 20 07:23:07 UTC 2015 

Hai, 

 

NTLM, yes somethimes it works somethime it does not. 

 

I run about the same. 

I run squid 3.4.8. on a debian wheezy and debian Jessie 

Jessie, samba 4.1.17 with squid 3.4.8 all debian packages. 

Wheezy, sernet samba 4.2.4 squid 3.4.8 *(rebuild from Jessie) 

I use c-icap and no squidguard. ( in my old setup i did ) but this

setup is not ready yet. It?s in production, but im testing now also

with squidguard and c-icap-squidclamav and its management tools squidguardmgr 

http://squidguardmgr.darold.net/install.html so the final setup wil have squidguard also. 

But im still not sure, i did read somewhere about so problems with auth. 

 

Read below, and maybe you see something i dont have or you do have. 

 

These lines where tested and do work on samba 4.1 and samba 4.2, not tested on samba 4.3. 

But i dont see why they would not work for you, my smb.conf is about the same as yours. 

This is what i have. 

So if you can post your squid auth setup for NTLM also, i?ll test it for you on my samba 4.1.17. 

 

and my samba setup, only winbind is used. 

My DC and members, give the same output with wbinfo, id, getent. 

 

#########################################################################################################

## Authorisations, things to think off.

##

## 1) Pure Kerberos. Passthrough auth for windows users with windows DOMAIN JOINED pc's.

##    Fallback to Ldap for NON WINDOWS NON DOMAIN JOINED Devices.

##    NO NTLM. AKA, a windows pc, NOT JOINED in the domain, with end up in always user popup for auth.

##    Which will always fail because of NTLM TYPE 1 and TYPE 2, authorisations.

## 2) NEGOTIATE AUTH, which will do all of above, but also authenticated Windows PC's Not domain Joined.

##    Which is handy for getting windows updates, etc.

#########################################################################################################

 

#1## negotiate kerberos and ntlm authentication ( negotiate wrapper test, debian supplied ) 

#auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d \

#    --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp \

#    --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME

#    --domain=NTDOMAIN

 

#0## pure negotiate kerberos  ( tested, works )

#auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s HTTP/proxy2.internal.domain.tld at INTERNAL.DOMAIN.TLD

#auth_param negotiate children 10

#auth_param negotiate keep_alive off

 

 

### from http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory

#1## negotiate kerberos and ntlm authentication with negotiate_wrapper from source

auth_param negotiate program /usr/local/bin/negotiate_wrapper -d \

 --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=gss-spnego --domain=NTDOMAIN \

 --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME

auth_param negotiate children 10

auth_param negotiate keep_alive off

 

 

#2## pure ntlm authentication  

## Not well tested yet. ( the negotiate_wrapper_auth is use for NTLM for now ) 

#auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=gss-spnego --domain=NTDOMAIN

#auth_param ntlm children 10

#auth_param ntlm keep_alive off

 

#3## provide basic authentication via ldap for clients not authenticated via kerberos/ntlm

auth_param basic program /usr/lib/squid3/basic_ldap_auth -R \

    -b "ou=Organisation,dc=internal,dc=domain,dc=tld" \

    -D ldap-bind at internal.domain.tld -W /etc/squid3/private/ldap-bind \

    -f (|(userPrincipalName=%s)(sAMAccountName=%s)) \

    -h dc1.internal.domain.tld \

    -h dc2.internal.domain.tld 

 

## This is not tested yet. 

### ldap group authorisation 

#external_acl_type memberof %LOGIN /usr/lib/squid3/squid_ldap_group -R -K -S \

#    -b "dc=internal,dc=domain,dc=tld" \

#    -D ldap-bind at internal.domain.tld  - W /etc/squid3/private/ldap-bind \

#    -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=Security Groups,ou=Organisation,dc=internal,dc=domain,dc=tld))" \

#    -h dc1.internal.domain.tld \

#    -h dc2.internal.domain.tld

 

 

 

 

> -----Oorspronkelijk bericht-----

> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Andre Freire

> Verzonden: maandag 19 oktober 2015 22:07

> Aan: Rowland Penny

> CC: samba at lists.samba.org

> Onderwerp: Re: [Samba] Samba 4 + Squidguardian

> 

> My smb.conf file in Domain member is:

> 

> [global]

> 

>   netbios name = FW01

>   workgroup = HOTFIX

>   security = ADS

>   realm = HOTFIX.INTRA

> 

>   idmap config *:backend = tdb

>   idmap config *:range = 2000-9999

>   idmap config HOTFIX:backend = ad

>   idmap config HOTFIX:schema_mode = rfc2307

>   idmap config HOTFIX:range = 10000-99999

> 

>   winbind nss info = rfc2307

>   winbind trusted domains only = no

>   winbind use default domain = yes

>   winbind enum users  = yes

>   winbind enum groups = yes

>   winbind refresh tickets = Yes

> 

> My /etc/nsswitch is:

> 

> passwd: compat winbind

> group:  compat winbind

> 

> If I use Samba 4.2.X or Windows DC and any version of Samba 4 in Domain

> Member the NTLM authentication Squid\Squiduard work perfecly but if I use

> Samba 4.1.X or Samba 4.3.0 NTLM Authentication Work in Squid but doesn´t

> work in Squidguard.

> 

> 

> 

> André Freire

> Sócio Diretor

> E-mail: andre.freire at hotfixtecnologia.com.br

> skype: andrefreire.hf

> Tel: (71)9381-7372

> 

> 

> 2015-10-19 13:08 GMT-03:00 Rowland Penny <rowlandpenny241155 at gmail.com>:

> 

> > On 19/10/15 16:46, mathias dufresne wrote:

> >

> >> AD from Samba or Microsoft is mainly a database for storing users (and

> >> associated stuffs). It comes also with stuffs (protocols) to connect

> and

> >> retrieve information.

> >>

> >> How the client uses these information is, as always, a choice from that

> >> specific client.

> >>

> >> Your AD client is your Squid/Squidguard(ian) server. Its job as AD

> client

> >> is to get some users information from AD to build system users. I

> insist

> >> on

> >> the fact system users are forged. Purely.

> >>

> >> What is responsible of that forging process? What you declared in

> >> /etc/nsswitch.conf.

> >> Generally it is winbind, sssd or nlscd.

> >>

> >> Each one of these tools comes with its own set of option, tweak and

> >> configuration files to define how to forge users from local system

> point

> >> of

> >> view.

> >>

> >> Each one except for Winbind which forge users as it decide to, no

> matter

> >> the desires of local system admin. At least this is how I understood

> >> winbind behaviour (which has no configuration file for what I know).

> >>

> >

> > Well, apart from idmap.ldb on a DC and the idmap_config lines in

> smb.conf

> > on a domain member, there are no configuration files. :-D

> >

> >

> >> Perhaps you are using winbind, in that case winbind is responsible to

> add

> >> domain and backslashes when forging your users.

> >>

> >> I don't know at all nlscd but some are using it on that mailing list.

> So I

> >> expect it does its job too.

> >>

> >> I tried SSSD for the company I'm working these days and it comes with

> lot

> >> of configuration options. I expect it can force addition of AD domain

> to

> >> username but it is not the default behaviour.

> >>

> >> On some DC where it uses winbind to forge users:

> >>

> >

> > No, sorry, I cannot understand what you mean by forge, in English this

> > word is used for creating your own banknotes or a thing used by a

> > blacksmith.

> >

> > wbinfo -i mathias.dufresne

> >> AD.DGFIP\mathias.dufresne:*:1000:100:Mathias

> >> Dufresne:/home/AD.DGFIP/mathias.dufresne:/bin/false

> >>

> >> I use wbinfo to show you how are build my user and not "getent" command

> >> because my PAM is not configured on these DC.

> >>

> >> On some file server connected to that very same domain, this server is

> >> using SSSD rather than winbind:

> >> getent passwd mathias.dufresne

> >> mathias.dufresne:*:10002103:10002103:Mathias Dufresne gecos

> >> field:/home/mathias.dufresne:/bin/bash

> >>

> >> Here we can see when using SSSD the domain part which was forced by

> >> winbind

> >> is not present.

> >>

> >> UID are not the same because I changed my UIG/GID and on the DC the

> wbinfo

> >> command do not reflect that change. SSSD do.

> >>

> >

> > If you add a Uidnumber to user a user in AD, then it should show on a

> DC,

> > even if you are not using winbind.

> >

> > Home directory: once more, winbind forge its own home directory when

> SSSD

> >> is using what I configured in AD in homeDirectory attribute.

> >>

> >> Gecos : SSSD use the "gecos" field from AD. Winbind decided to use

> display

> >> name. With SSSD you can decide to use display name if you want, bbut

> only

> >> if you want.

> >>

> >> Etc, etc, etc...

> >>

> >> Perhaps I'm totally wrong and you are not using Winbind, in that case

> you

> >> should simply have a look into your tool configuration.

> >> If I'm right, you'll have to change this tool to replace it by

> something

> >> configurable.

> >>

> >> Best regards,

> >>

> >> mathias

> >>

> >>

> > Best plan, tell us how you have setup Samba.

> >

> > Rowland

> >

> >

> >

> >> 2015-10-19 16:35 GMT+02:00 Andre Freire <

> >> andre.freire at hotfixtecnologia.com.br>:

> >>

> >> Hi,

> >>>

> >>>

> >>>

> >>> I´m have a Samba 4 Domain Member that I use like a Proxy Server. I use

> >>> Squid with NTLM Athentication and work perfecly. My problem is

> Squidguard

> >>> with NTLM Authentication. If I use Samba 4.2.X in my Samba 4 Domain

> >>> Controler I watch in Squid LOG only the user name but If I use Samba

> >>> 4.1.x

> >>> or 4.3.0 in my Domain Controler I watch in Squid LOG domain\\user name

> >>> and

> >>> Squidguard Authentication not work.

> >>>

> >>>

> >>>

> >>> How can I use Samba 4.3 in my DC and only apear in Squid LOG the name

> >>> user

> >>> whitout domain?

> >>>

> >>>

> >>>

> >>> Summing up: If I have a DC with Windows 2k8 or 2k12 ou DC with a Samba

> >>> 4.2.x, the LOG of Squid show only username and NTLM Authentication of

> the

> >>> Squid and Squidguard work perfecly but if I have a DC with Samba 4.1.x

> or

> >>> 4.3.0 the LOG of Squid show "domain\\user name" and NTLM

> Authentication

> >>> of

> >>> the Squid work but Squidguard don´t work.

> >>>

> >>>

> >>>

> >>> Att,

> >>> André Freire

> >>> Sócio Diretor

> >>> E-mail: andre.freire at hotfixtecnologia.com.br

> >>> skype: andrefreire.hf

> >>> Tel: (71)9381-7372

> >>> --

> >>> To unsubscribe from this list go to the following URL and read the

> >>> instructions:  https://lists.samba.org/mailman/options/samba

> >>>

> >>>

> >

> > --

> > To unsubscribe from this list go to the following URL and read the

> > instructions:  https://lists.samba.org/mailman/options/samba

> >

> --

> To unsubscribe from this list go to the following URL and read the

> instructions:  https://lists.samba.org/mailman/options/samba

 

More information about the samba mailing list