[Samba] Problems with Samba 4.6.3 Authentication
L.P.H. van Belle
belle at bazuin.nl
Tue May 23 06:50:57 UTC 2017
Forgot to mention.
If you don't have any certificates set up and are not using TLS,
set on the DCs:
ldap server require strong auth = allow_sasl_over_tls
Or
ldap server require strong auth = no
And you may need to enable NTLMv1 on the proxy also, but that's why I recommend Kerberos auth.
So, preferred IMO: try to avoid any NTLM to improve your security.
For NTLMv1 you then need to set on the proxy and DC:
ntlm auth = no
lanman auth = no
Greetz,
Louis
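As an added example (not part of Louis's message and not Samba project code), here is a small Python audit that parses an smb.conf and flags the three DC-side settings the reply talks about: "ldap server require strong auth", "ntlm auth" and "lanman auth". The sample config is constructed; the parameter names, values and defaults are Samba's documented ones for 4.5 and later. It also normalizes parameter names the way Samba does (case and whitespace ignored), which is why the "idmap config NTDOM: backend" spelling in the quoted smb.conf works.

```python
# Added example (not from the mailing-list post): audit a Samba smb.conf for the
# three authentication parameters the reply above discusses. The sample config
# is constructed; parameter names, values and defaults are Samba's own.
import re

# Constructed sample: a DC [global] section with the relaxed settings from the post.
SAMPLE_SMB_CONF = """
[global]
    workgroup = NTDOM
    realm = REALM
    server role = active directory domain controller
    ; relaxed so an old LDAP helper can simple-bind on port 389
    ldap server require strong auth = no
    ntlm auth = ntlmv1-permitted
    lanman auth = no

[sysvol]
    path = /var/lib/samba/sysvol
"""

# Samba defaults (4.5 and later) for the parameters we audit.
DEFAULTS = {
    "ldap server require strong auth": "yes",
    "ntlm auth": "ntlmv2-only",
    "lanman auth": "no",
}
TRUE_WORDS = {"yes", "true", "1"}


def normalize_name(name):
    """Samba ignores case and whitespace inside parameter names, so
    'idmap config NTDOM: backend' and 'idmap config NTDOM:backend' are one key."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {normalized_param: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:                                # new [section] header
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        sections[current][normalize_name(key)] = value.strip()
    return sections


def get_param(section, name):
    """Look a parameter up by its readable name, falling back to Samba's default."""
    return section.get(normalize_name(name), DEFAULTS.get(name, "")).lower()


def audit_global(sections):
    """Return (parameter, value, risk) tuples for settings that weaken authentication."""
    g = sections.get("global", {})
    findings = []

    strong = get_param(g, "ldap server require strong auth")
    if strong == "no":
        findings.append(("ldap server require strong auth", strong,
                         "simple binds accepted over plain LDAP (389); the helper's "
                         "bind password crosses the wire unencrypted"))
    elif strong == "allow_sasl_over_tls":
        findings.append(("ldap server require strong auth", strong,
                         "unsigned SASL binds allowed inside TLS; simple binds still need TLS"))

    ntlm = get_param(g, "ntlm auth")
    if ntlm in TRUE_WORDS or ntlm == "ntlmv1-permitted":
        findings.append(("ntlm auth", ntlm, "NTLMv1 responses accepted"))

    lanman = get_param(g, "lanman auth")
    if lanman in TRUE_WORDS:
        findings.append(("lanman auth", lanman, "LANMAN hashes accepted"))
    return findings


if __name__ == "__main__":
    for param, value, risk in audit_global(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"{param} = {value}: {risk}")
```

Run it against a real /etc/samba/smb.conf by reading the file into parse_smb_conf; a clean DC with the defaults produces no findings, and the constructed sample reports the strong-auth and NTLMv1 relaxations.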
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> L.P.H. van Belle via samba
> Sent: Tuesday 23 May 2017 8:40
> To: samba at lists.samba.org
> Subject: Re: [Samba] Problems with Samba 4.6.3 Authentication
>
> Not really a Samba question, but...
>
> I suggest you switch to Kerberos auth.
> That's this line:
> auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
>   --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/hostname.internal.dnsdomain.tld@REALM \
>   --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM
>
> Or, if you have problems with A/PTR record matching in your REALM and UPN/SPN:
> auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
>   --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME \
>   --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=NTDOM
>
>
> This is what works with Samba + LDAP + TLS.
> ## SSL enabled ( URI format -H )
> auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 \
>   -b "ou=Company,dc=internal,dc=dnsdomain,dc=tld" \
>   -D ldapbindusers@internal.dnsdomain.tld \
>   -W /etc/squid/private/ldap-bind \
>   -f sAMAccountName=%s \
>   -H ldaps://dc2.internal.dnsdomain.tld \
>   -H ldaps://dc1.internal.dnsdomain.tld
>
> A non-SSL setup is a small change:
>   -h dc2.internal.dnsdomain.tld \
>   -h dc1.internal.dnsdomain.tld
>
> For SSL you need to configure:
> /etc/ldap/ldap.conf
>
> Add your root CA cert to: TLS_CACERT /etc/ssl/certs/ca-certificates.crt
> Use update-ca-certificates (unknown to you? Google for it);
> this simplifies the setup with certificates.
>
> Add:
> TLS_REQCERT allow
> If needed, configure BASE and URI.
>
> The above is tested with Squid 3.4.8 (Debian Jessie default)
> up to Squid 3.5.24 from Debian sid, recompiled for Jessie.
>
> And for your convenience, this is the smb.conf I'm using on my proxy.
> Jessie/Samba 4.5.8 or 4.6.3 (my own deb), but only winbind is
> installed for the keytabs.
>
> ( config is set up with winbind 4.6.3 and Samba AD DCs,
> backend AD. )
> [global]
> workgroup = NTDOM
> security = ads
> realm = REALM
>
> netbios name = PROXY1
> preferred master = no
> domain master = no
> host msdfs = no
>
> interfaces = 192.168.0.50 127.0.0.1
> bind interfaces only = yes
> dns proxy = yes
>
> ## map ids outside the domain to tdb files.
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> ## map ids from the domain; the ranges may not overlap!
> idmap config NTDOM: backend = ad
> idmap config NTDOM: schema_mode = rfc2307
> idmap config NTDOM: range = 10000-3999999
> idmap config NTDOM: unix_nss_info = yes
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> # renew the kerberos ticket
> winbind refresh tickets = yes
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = no
> winbind enum groups = no
>
> # enable offline logins
> winbind offline logon = yes
>
> # check depth of nested groups; slows down your Samba if the group depth is too large
> winbind expand groups = 4
>
> # user Administrator workaround, without it you are unable to set privileges
> username map = /etc/samba/samba_usermapping
>
> # disable usershare creation; when set empty there are no error log messages.
> usershare path =
>
> # Disable printing completely
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
>
> And no shares.
>
>
>
> Greetz,
>
> Louis
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Marcio Demetrio Bacci via samba
> > Sent: Monday 22 May 2017 23:13
> > To: samba at lists.samba.org
> > Subject: [Samba] Problems with Samba 4.6.3 Authentication
> >
> > Hi,
> >
> > I have posted the following message to the Squid-Users forum (
> > squid-users at lists.squid-cache.org).
> >
> > "I have migrated from Samba 4.2.1 to Samba 4.6.3 as DC, but now
> > my Squid authentication doesn't work.
> >
> > In Samba 4.2.1 it is working properly.
> >
> > This is my authentication block:
> >
> > auth_param basic program /usr/lib/squid3/basic_ldap_auth -R \
> >   -b DC=empresa,DC=com,DC=br \
> >   -D CN=proxy,CN=Users,DC=empresa,DC=com,DC=br -w password \
> >   -h 192.168.10.4 -p 389 -s sub -v 3 -f "sAMAccountName=%s"
> > auth_param basic children 50
> > auth_param basic realm Access Monitored
> > auth_param basic credentialsttl 8 hours
> > auth_param basic casesensitive off
> >
> > I'm using Squid 3.4.8
> >
> > Can anybody help me?"
> >
> >
> > Answer from the Squid-Users forum:
> >
> > "If the only thing that changed was Samba it's clearly an
> > issue with that end of the system. I suggest you compare those
> > LDAP parameters with what the new Samba version needs, and if
> > there is no issue there please contact your vendor or the
> > Samba help channels."
> >
> > Thus, are there changes in LDAP parameters from Samba 4.2.1 to 4.6.3?
> >
> > Regards,
> >
> > Márcio Bacci
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> >
> >
>