[Samba] Problems with Samba 4.6.3 Authentication

L.P.H. van Belle belle at bazuin.nl
Tue May 23 06:39:55 UTC 2017


Not really a samba question but...

I suggest you switch to kerberos auth.
That's this line:
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/hostname.internal.dnsdomain.tld at REALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM

Or 
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=NTDOM
If you have problems with A/PTR record matching in your REALM and UPN/SPN.


This is what works with samba + ldap + tls.
## SSL enabled ( URI format -H )
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 \
    -b "ou=Company,dc=internal,dc=dnsdomain,dc=tld" \
    -D ldapbindusers at internal.dnsdomain.tld \
    -W /etc/squid/private/ldap-bind \
    -f sAMAccountName=%s \
    -H ldaps://dc2.internal.dnsdomain.tld \
    -H ldaps://dc1.internal.dnsdomain.tld

A non-SSL setup is a small change (-h takes a hostname, not a URI):
    -h dc2.internal.dnsdomain.tld \
    -h dc1.internal.dnsdomain.tld

For SSL you need to configure:
/etc/ldap/ldap.conf

Add your root CA cert to: TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
Use update-ca-certificates; unknown to you? Google for it, this simplifies the setup with certificates.

Add: 
TLS_REQCERT allow
If needed configure BASE and URI. 

The above are tested with squid 3.4.8 (Debian jessie default)
up to squid from Debian sid recompiled for jessie, up to 3.5.24.

And for your convenience, this is the smb.conf I'm using on my proxy.
Jessie/samba 4.5.8 or 4.6.3 (my own deb), but only winbind is installed for the keytabs.

(config is set up with winbind 4.6.3 and Samba AD DCs, backend AD.)
[global]
    workgroup = NTDOM
    security = ads
    realm = REALM

    netbios name = PROXY1
    preferred master = no
    domain master = no
    host msdfs = no

    interfaces = 192.168.0.50 127.0.0.1
    bind interfaces only = yes
    dns proxy = yes

    ## map ids from outside the domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999

    ## map ids from the domain; the ranges may not overlap!
    idmap config NTDOM: backend = ad
    idmap config NTDOM: schema_mode = rfc2307
    idmap config NTDOM: range = 10000-3999999
    idmap config NTDOM: unix_nss_info = yes

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    # renew the kerberos ticket
    winbind refresh tickets = yes
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users  = no
    winbind enum groups = no

    # enable offline logins
    winbind offline logon = yes

    # check depth of nested groups; slows down your samba if the group nesting depth is too large
    winbind expand groups = 4

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/samba_usermapping

    # disable usershare creation; when set empty, no error log messages.
    usershare path =

    # Disable printing completely
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes


And no shares. 



Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Marcio Demetrio Bacci via samba
> Sent: Monday, 22 May 2017 23:13
> To: samba at lists.samba.org
> Subject: [Samba] Problems with Samba 4.6.3 Authentication
> 
> Hi,
> 
> I have posted the following message to Squid-Users forum ( 
> squid-users at lists.squid-cache.org).
> 
> "I have migrated of Samba 4.2.1 to Samba 4.6.3 as DC, but now 
> my Squid authentication doesn't work.
> 
> In samba 4.2.1 is working properly.
> 
> This is my authentication block:
> 
> auth_param basic program /usr/lib/squid3/basic_ldap_auth -R 
> -b DC=empresa,DC=com,DC=br -D 
> CN=proxy,CN=Users,DC=empresa,DC=com,DC=br -w password -h 
> 192.168.10.4 -p 389 -s sub -v 3 -f "sAMAccountName=%s"
> auth_param basic children 50
> auth_param basic realm Access Monitored
> auth_param basic credentialsttl 8 hours
> auth_param basic casesensitive off
> 
> I'm using Squid 3.4.8
> 
> Can anybody help me?"
> 
> 
> *Answer from the Squid-Users forum:*
> 
> "
> 
> *If the only thing that changed was Samba it's clearly an 
> issue with that end of the system. I suggest you compare those 
> LDAP parameters with what the new Samba version needs, and if 
> there is no issue there please contact your vendor or the 
> Samba help channels*."
> 
> 
> 
> Thus, are there changes in the LDAP parameters from Samba 4.2.1 to 4.6.3?
> 
> Regards,
> 
> Márcio Bacci
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 

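As an added example (not part of Louis's mail, nor code from the Samba or Squid projects): a small Python checker for the two configuration points the mail relies on. It parses the `idmap config ... : range` lines from an smb.conf like the one posted and reports domains whose ranges overlap, and it reads the `TLS_REQCERT` level from an ldap.conf to tell whether the LDAP client will actually reject an untrusted server certificate (per ldap.conf(5), `allow` ignores a bad certificate, while `demand`, the default when unset, and `hard` reject it). The smb.conf and ldap.conf contents are constructed inline from the values in the mail, with one extra overlapping domain added to show the failure case.

```python
import re

# Constructed sample: the idmap lines from the smb.conf in the mail above.
SMB_CONF_OK = """
[global]
    workgroup = NTDOM
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config NTDOM: backend = ad
    idmap config NTDOM: schema_mode = rfc2307
    idmap config NTDOM: range = 10000-3999999
"""

# Constructed: a second domain whose range collides with both of the above.
SMB_CONF_BAD = SMB_CONF_OK + """
    idmap config OTHERDOM : backend = rid
    idmap config OTHERDOM : range = 5000-20000
"""

# Constructed ldap.conf with the TLS_REQCERT setting suggested in the mail.
LDAP_CONF_ALLOW = """
BASE        dc=internal,dc=dnsdomain,dc=tld
URI         ldaps://dc1.internal.dnsdomain.tld ldaps://dc2.internal.dnsdomain.tld
TLS_CACERT  /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT allow
"""

IDMAP_RANGE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:]+?)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(text):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    for line in text.splitlines():
        m = IDMAP_RANGE.match(line)
        if m:
            lo, hi = int(m["lo"]), int(m["hi"])
            if lo > hi:
                raise ValueError(f"range for {m['dom'].strip()} is reversed: {lo}-{hi}")
            ranges[m["dom"].strip()] = (lo, hi)
    return ranges


def find_overlaps(ranges):
    """Return sorted (dom_a, dom_b) pairs whose id ranges intersect."""
    doms = sorted(ranges)
    overlaps = []
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            lo_a, hi_a = ranges[a]
            lo_b, hi_b = ranges[b]
            # Two closed intervals intersect when each starts before the other ends.
            if lo_a <= hi_b and lo_b <= hi_a:
                overlaps.append((a, b))
    return overlaps


def tls_reqcert_level(text):
    """Effective TLS_REQCERT value; OpenLDAP uses 'demand' when it is unset."""
    level = "demand"
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].upper() == "TLS_REQCERT":
            level = parts[1].lower()  # last occurrence wins, as in ldap.conf
    return level


def verifies_server_cert(text):
    """True only when the client rejects an untrusted or missing server certificate."""
    return tls_reqcert_level(text) in ("demand", "hard")


if __name__ == "__main__":
    for name, conf in (("ok", SMB_CONF_OK), ("bad", SMB_CONF_BAD)):
        print(name, "idmap overlaps:", find_overlaps(parse_idmap_ranges(conf)))
    print("ldap.conf verifies server cert:", verifies_server_cert(LDAP_CONF_ALLOW))
```

Run it against your own files with `open("/etc/samba/smb.conf").read()` and `open("/etc/ldap/ldap.conf").read()`; the idmap check matches the warning in the mail that the `*` and domain ranges must not overlap, and the TLS check tells you whether the `TLS_REQCERT allow` line leaves certificate validation off for the squid LDAP helper.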