[Samba] Samba 4 + Squidguardian

mathias dufresne infractory at gmail.com
Tue Oct 20 08:05:44 UTC 2015


2015-10-19 18:08 GMT+02:00 Rowland Penny <rowlandpenny241155 at gmail.com>:

> On 19/10/15 16:46, mathias dufresne wrote:
>
>> AD from Samba or Microsoft is mainly a database for storing users (and
>> associated stuff). It also comes with stuff (protocols) to connect and
>> retrieve information.
>>
>> How the client uses this information is, as always, a choice of that
>> specific client.
>>
>> Your AD client is your Squid/Squidguard(ian) server. Its job as AD client
>> is to get some user information from AD to build system users. I insist on
>> the fact that system users are forged. Purely.
>>
>> What is responsible for that forging process? What you declared in
>> /etc/nsswitch.conf.
>> Generally it is winbind, sssd or nslcd.
>>
>> Each one of these tools comes with its own set of options, tweaks and
>> configuration files to define how to forge users from the local system's
>> point of view.
>>
>> Each one except for Winbind, which forges users as it decides to, no matter
>> the desires of the local system admin. At least this is how I understood
>> winbind's behaviour (which has no configuration file as far as I know).
>>
>
> Well, apart from idmap.ldb on a DC and the idmap_config lines in smb.conf
> on a domain member, there are no configuration files. :-D


idmap.ldb -> TDB database version 6, little-endian hash size 10000 bytes
idmap_config lines in smb.conf -> how would you set them to configure
Winbind not to add the domain to the user? To use gidNumber rather than 100,
which seems to reflect "primaryGroupID: 513"? To set up the home directory
from unixHomeDirectory or from homeDirectory rather than /home/<short domain
name>/sAMAccountName?
Is it possible to use CN or userPrincipalName rather than sAMAccountName when
building the system user?

So it is not configurable.


>
>
>
>> Perhaps you are using winbind; in that case winbind is responsible for
>> adding the domain and backslashes when forging your users.
>>
>> I don't know nslcd at all but some people on that mailing list are using
>> it. So I expect it does its job too.
>>
>> I tried SSSD for the company I'm working for these days and it comes with a
>> lot of configuration options. I expect it can force the addition of the AD
>> domain to the username but it is not the default behaviour.
>>
>> On a DC where winbind is used to forge users:
>>
>
> No, sorry, I cannot understand what you mean by forge; in English this
> word is used for creating your own banknotes or for a thing used by a
> blacksmith.


In fact a blacksmith forges items using a blacksmith's tools. He creates these
items. These items can be something other than his own tools. In fact, if a
blacksmith were only able to craft his own tools and nothing else for other
people, this kind of job would have quickly disappeared...

Anyway, you get the point: forging, crafting, building, assembling elements
to obtain something else, they are the same concept.


>
>
>> wbinfo -i mathias.dufresne
>> AD.DGFIP\mathias.dufresne:*:1000:100:Mathias Dufresne:/home/AD.DGFIP/mathias.dufresne:/bin/false
>>
>> I use wbinfo to show you how my user is built and not the "getent" command
>> because my PAM is not configured on these DCs.
>>
>> On a file server connected to that very same domain, which is using SSSD
>> rather than winbind:
>> getent passwd mathias.dufresne
>> mathias.dufresne:*:10002103:10002103:Mathias Dufresne gecos field:/home/mathias.dufresne:/bin/bash
>>
>> Here we can see that when using SSSD the domain part which was forced by
>> winbind is not present.
>>
>> The UIDs are not the same because I changed my UID/GID and on the DC the
>> wbinfo command does not reflect that change. SSSD does.
>>
>
> If you add a uidNumber to a user in AD, then it should show on a DC,
> even if you are not using winbind.


Here you should have meant "if you are using winbind", which is true for the
UID and wrong for the GID, which does not reflect the gidNumber configured in
AD. Should I speak again about home dir? Shell? Gecos? Login attribute?...

SSSD grants the sysadmin the possibility to choose all of that, forging users
as the sysadmin wants to (which is most generally what his bosses asked of
him). Winbind can't.
And here the question is "how can the user have a username using <username>
syntax rather than <domainname>\<username>?" Is it possible to remove the
domain part from the username when using winbind? With the idmap_config lines
perhaps? :p


>
>
>> Home directory: once more, winbind forges its own home directory while SSSD
>> is using what I configured in AD in the homeDirectory attribute.
>>
>> Gecos: SSSD uses the "gecos" field from AD. Winbind decided to use the
>> display name. With SSSD you can decide to use the display name if you want,
>> but only if you want.
>>
>> Etc, etc, etc...
>>
>> Perhaps I'm totally wrong and you are not using Winbind; in that case you
>> should simply have a look into your tool's configuration.
>> If I'm right, you'll have to change this tool and replace it with something
>> configurable.
>>
>> Best regards,
>>
>> mathias
>>
>>
> Best plan, tell us how you have setup Samba.


And more: how the system is configured to retrieve users from AD! AD seems
well configured: it works. The question is about how to obtain system users
according to what this user needs and not according to what winbind thinks
is the right way.


>
>
> Rowland
>
>
>
>> 2015-10-19 16:35 GMT+02:00 Andre Freire <
>> andre.freire at hotfixtecnologia.com.br>:
>>
>>> Hi,
>>>
>>> I have a Samba 4 Domain Member that I use as a Proxy Server. I use
>>> Squid with NTLM Authentication and it works perfectly. My problem is
>>> Squidguard with NTLM Authentication. If I use Samba 4.2.X in my Samba 4
>>> Domain Controller I see in the Squid LOG only the user name, but if I use
>>> Samba 4.1.x or 4.3.0 in my Domain Controller I see in the Squid LOG
>>> domain\\user name and Squidguard Authentication does not work.
>>>
>>> How can I use Samba 4.3 in my DC and have only the user name appear in
>>> the Squid LOG, without the domain?
>>>
>>> Summing up: If I have a DC with Windows 2k8 or 2k12, or a DC with Samba
>>> 4.2.x, the LOG of Squid shows only the username and NTLM Authentication of
>>> Squid and Squidguard work perfectly, but if I have a DC with Samba 4.1.x or
>>> 4.3.0 the LOG of Squid shows "domain\\user name" and NTLM Authentication of
>>> Squid works but Squidguard doesn't work.
>>>
>>>
>>>
>>> Att,
>>> André Freire
>>> Sócio Diretor
>>> E-mail: andre.freire at hotfixtecnologia.com.br
>>> skype: andrefreire.hf
>>> Tel: (71)9381-7372
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>>
>
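The question running through this exchange, whether winbind can be told not to prefix the domain and to take uid, gid, home directory and shell from the AD rfc2307 attributes instead of inventing them, comes down to a few smb.conf parameters on the domain member. The fragment below is an added example and is not configuration posted by anyone in the thread; the realm AD.EXAMPLE, the NetBIOS domain AD and the idmap ranges are assumptions, and the parameter names are the ones documented in smb.conf(5) and idmap_ad(8). The commented-out lines show the defaults that produce the "AD\user", uid-from-local-tdb, /home/AD/user behaviour seen in the wbinfo output above; the active lines are the corrected form.

```ini
; Added example (not from the thread): smb.conf for a Samba domain member
; running winbind as the NSS source for AD users.
; Assumptions: realm AD.EXAMPLE, NetBIOS domain AD, idmap ranges below.
[global]
    workgroup = AD
    realm = AD.EXAMPLE
    security = ads

    ; --- Default behaviour (weak for this use case) ---
    ; winbind use default domain = no     ; names come back as AD\user
    ; idmap config AD : backend = rid     ; uid/gid derived from the RID, not AD
    ; template homedir = /home/%D/%U      ; /home/AD/user, ignores AD attributes
    ; template shell = /bin/false         ; ignores loginShell

    ; --- Corrected behaviour ---
    ; Return "user" instead of "AD\user" from NSS and from the winbind
    ; helpers. Only safe with a single trusted domain: two domains with the
    ; same sAMAccountName would collide once the prefix is gone.
    winbind use default domain = yes

    ; Catch-all allocation for well-known SIDs (BUILTIN, etc.). Keep this
    ; range disjoint from local /etc/passwd uids and from the AD range.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    ; Read uidNumber/gidNumber straight from the AD objects instead of
    ; allocating them locally. A user without a uidNumber inside the range
    ; is not mapped at all, so every proxy user needs the attribute set.
    idmap config AD : backend = ad
    idmap config AD : schema_mode = rfc2307
    idmap config AD : range = 10000-19999999

    ; Take home directory and login shell from unixHomeDirectory and
    ; loginShell rather than from the template parameters.
    winbind nss info = rfc2307
```

Validate the file with `testparm -s`, restart winbind, then compare `wbinfo -i user` and `getent passwd user` with the attributes on the AD object: the name should have no domain prefix and the uid should equal uidNumber. The same parameters do not apply on a Samba AD DC, where winbind maps through idmap.ldb; there the rfc2307 attributes are honoured by setting `idmap_ldb:use rfc2307 = yes` in the DC's smb.conf. Two cautions for the proxy case: keep `passwd: files winbind` with files first in /etc/nsswitch.conf so a domain account cannot shadow a local one once the prefix is stripped, and verify separately what Squid's authentication helper actually passes to the log and to Squidguard, since this fragment only controls what NSS returns.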

