[Samba] Question: Samba and YP-Yellow Pages relation.
L.P.H. van Belle
belle at bazuin.nl
Fri Apr 6 14:47:20 UTC 2018
Hai,
Someone called me called??
I did a quick read here in this thread..
The upn part is done, so your almost there.
You need to make sure your DNS is working as it should.
To check on the proxy with
dig a hostname.FQDN.
dig -x ip_the_server
Test this for the DC hostnames/ips also.
If that all ok, you can try these settings in squid
# For squid ( works for me as of squid 3.2 up to 3.5 )
# negotiate kerberos and ntlm authentication + ldap fallback.
# Debugging. -d in the kerberos line, --diagnostics in ntlm)
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
--kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/your.server.hostname.in.fqdn at YOUR_REALM \
--ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM
# adjust this to you needs, you might want to lower the childeren and startups.
auth_param negotiate children 10 startup=2 idle=2
auth_param negotiate keep_alive on
# My advice, put everything on ssl, so dont use this one, but handy to have/know.
# ! Do note the -h and -H parameters.
# ! The user : SeparatedUser4bind2Ldap at internal.domain.tld
# ! : set disable pre kerberos auth and password does not expire, and can not change it.
# ! : set as trusted and can not be delegated.
# Non-SSL
#auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 \
# -b "ou=Company,dc=internal,dc=domain,dc=tld" \
# -D SeparatedUser4bind2Ldap at internal.domain.tld \
# -W /etc/squid/private/your_userPassword_in_Here \
# -f (sAMAccountName=%s) \
# -h dc2.internal.domain.tld \
# -h dc1.internal.domain.tld
# SSL enabled ( URI format -H )
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 \
-b "ou=Company,dc=internal,dc=domain,dc=tld" \
-D SeparatedUser4bind2Ldap at internal.domain.tld \
-W /etc/squid/private/your_userPassword_in_Here \
-f sAMAccountName=%s \
-H ldaps://dc2.internal.domain.tld \
-H ldaps://dc1.internal.domain.tld
auth_param basic children 5 startup=1 idle=1
auth_param basic realm Internet Proxy Autorisation
auth_param basic credentialsttl 9 hours
In smb.conf
Set these to no after you tested.
> winbind enum users = no
> winbind enum groups = no
Good luck,
If you have questions just mail me or the list.
Ps. Back Monday, and if you lucky, i'll responce in the weekend.
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> Suporte - KONTROL via samba
> Verzonden: vrijdag 6 april 2018 15:58
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Question: Samba and YP-Yellow Pages relation.
>
> Hi Rowland,
> That looks GREAT!
> I will give it a try for sure and let you know.
>
> I am trying to talk to the guys who "modified/patched" the
> Samba 44 to get details. If I got it, I will send it to you.
>
> Many Thanks!!!
>
> Fabricio.
>
>
> -----Original Message-----
> From: samba <samba-bounces at lists.samba.org> On Behalf Of
> Rowland Penny via samba
> Sent: Friday, April 6, 2018 5:15 AM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Question: Samba and YP-Yellow Pages relation.
>
> On Thu, 5 Apr 2018 18:57:03 -0300
> "Suporte - KONTROL" <suporte at kontrolsecurity.com.br> wrote:
>
> > Hi Rowland,
> > Actually I don't want to disable the Yellow Pages, that's a
> situation
> > I already have in the pFsense, cause YP was disabled by the pfsense
> > developers.
>
> Yellow pages is the old name for NIS and unless it is
> installed it isn't used by Linux and I suspect the same goes
> for freebsd.
>
> >So my doubt is: Is there a way to make samba (latest
> > version) to work without the YP enabled? What about what
> people made
> >with that samba version 4.4.16 I mentioned? Not sure how they did
> >that. The only thing I know is that it is working fine even without
> >the YP.
>
> I would love to know what they did, perhaps the relevant code
> has been accepted into Samba.
>
> >
> > The Microsoft environment is mixed. I have Win2008R2 /
> Win2012 R2 and
> > Win2016. It is working today with all of them.
> >
>
> Here is the good part, Unless you extend Windows by
> installing 'IDMU', it has no knowledge of NIS and you cannot
> install 'IDMU' on Win2016
>
> > No problems, Here is the smb4.conf file:
>
> and here is my version for 4.7.6, basically yours with
> default lines remove and the deprecated 'idmap uid & gid'
> lines replaced with their modern counterparts:
>
> [global]
> workgroup = SAMDOM
> security = ads
> realm = SAMDOM.EXAMPLE.COM
>
> ## map ids outside of domain to tdb files.
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> ## map ids from the domain the ranges may not overlap !
> idmap config SAMDOM : backend = rid
> idmap config SAMDOM : range = 10000-999999
>
> template shell = /bin/bash
> winbind offline logon = yes
> winbind refresh tickets = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
>
> log level = 3 passdb:5 winbind:3
> printcap name = /dev/null
> load printers = no
> printing = bsd
> local master = no
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
>
> [homes]
> comment = Home Directories
> valid users = %s, %D%W%S
> browseable = no
> read only = no
> inherit acls = yes
>
> With that smb.conf, I joined it to my domain with:
>
> net ads join
> createupn=HTTP/testclient1.samdom.example.com at SAMDOM.EXAMPLE.C
> OM -k Using short domain name -- SAMDOM Joined 'TESTCLIENT1'
> to dns domain 'samdom.example.com'
>
> and if I examine the keytab created, I find this:
>
> ktutil
> ktutil: rkt /etc/krb5.keytab
> ktutil: l
> slot KVNO Principal
> ---- ----
> ---------------------------------------------------------------------
> 1 2 host/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
> 2 2 host/TESTCLIENT1 at SAMDOM.EXAMPLE.COM
> 3 2 host/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
> 4 2 host/TESTCLIENT1 at SAMDOM.EXAMPLE.COM
> 5 2 host/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
> 6 2 host/TESTCLIENT1 at SAMDOM.EXAMPLE.COM
> 7 2 host/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
> 8 2 host/TESTCLIENT1 at SAMDOM.EXAMPLE.COM
> 9 2 host/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
> 10 2 host/TESTCLIENT1 at SAMDOM.EXAMPLE.COM
> 11 2 TESTCLIENT1$@SAMDOM.EXAMPLE.COM
> 12 2 TESTCLIENT1$@SAMDOM.EXAMPLE.COM
> 13 2 TESTCLIENT1$@SAMDOM.EXAMPLE.COM
> 14 2 TESTCLIENT1$@SAMDOM.EXAMPLE.COM
> 15 2 TESTCLIENT1$@SAMDOM.EXAMPLE.COM
> 16 2 HTTP/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
> 17 2 HTTP/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
> 18 2 HTTP/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
> 19 2 HTTP/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
> 20 2 HTTP/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
>
> So the required UPN is there, so all I can suggest is, give it a try.
>
> I do not use Squid, but I know a man that does ;-)
>
> So over to you Louis.
>
> Rowland
>
>
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
More information about the samba
mailing list