[Samba] Question: Samba and YP-Yellow Pages relation.

Suporte - KONTROL suporte at kontrolsecurity.com.br
Thu Apr 5 20:01:22 UTC 2018


Hi Rowland,
First of all, thanks much for the message. Appreciate it!

Here are more details...
The users do not log into the pfSense. Samba is being used to authenticate users with the proxy (Squid) in a pfSense environment (FreeBSD).
The pfSense box is added to the AD domain as a "Member" only, so that way the proxy can authenticate against the AD via NTLM/Kerberos.

Here is part of my script to add/leave Domain and also to create a keytab file to use against Kerberos.


# Join the domain
net ads join createupn=HTTP/hostname001.corp@DOMAIN.CORP -k
echo
# Add the HTTP SPN
echo "Adding the SPN HTTP"
net ads keytab add HTTP
echo
# Generate the keytab file
net ads keytab create -k

After that, the pfSense box is part of the domain and I have a keytab file to use for Kerberos authentication.

That's how I add the box to a domain.

Now the problem is that it only works when I use that "special" Samba 4.4.16 version.
I would like to use the latest Samba version available for security reasons.

Thanks once again!

Fabricio.


-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Thursday, April 5, 2018 4:39 PM
To: samba at lists.samba.org
Cc: Suporte - KONTROL <suporte at kontrolsecurity.com.br>
Subject: Re: [Samba] Question: Samba and YP-Yellow Pages relation.

On Thu, 5 Apr 2018 15:39:45 -0300
Suporte - KONTROL via samba <samba at lists.samba.org> wrote:

> Hello Everyone,
> I am pretty new on this Samba list, so greetings!
> I have a technical question about the relation of Samba and YP (Yellow
> Pages/NIS).
> 
> I've been learning how to make my firewall/proxy solution (based on
> FreeBSD/pfSense) have a trust relationship with the Microsoft
> AD/Domain so I can have single sign-on with NTLM/Kerberos integration.
> pfSense has YP (Yellow Pages) disabled by default, which makes
> Samba fail according to pfSense technical forum people.
> Recently, I found a supposedly "patched" version of Samba 4.4.16 that
> doesn't require YP to be enabled. Not sure how people did that, or if
> that is something normal for version 4.4.16 of Samba (probably
> not). The point is that Samba 4.4.16 works perfectly.
> If I try to do the same with other newer versions, I get error
> messages like this: /usr/local/lib/samba4/libsmbconf.so.0: Undefined
> symbol "yp_match"
> 
> The question is: Can I also patch the latest Samba version the same
> way? What are the side effects in the end, and what exactly should I
> change in the source code before compiling it (if possible)? Maybe
> enabling YP again would be better?
> I really want to replace version 4.4.16 with the latest one
> available for obvious reasons (too old, insecure at this point).
> 
> Thanks in Advance!
> 
> Cordially,
> Fabricio.
> 
> 

Hi, around here we call YP NIS ;-)

I am having trouble trying to understand what you are trying to achieve. Do your users need to log into the pfSense machine?

I think you need to explain in a bit more depth how your firewall/proxy works, starting with how you want to run Samba: is it as a DC, Unix domain member or a standalone server?

Rowland
 
