[Samba] Question: Samba and YP-Yellow Pages relation.

L.P.H. van Belle belle at bazuin.nl
Wed Apr 11 08:26:13 UTC 2018


Hi Fabricio,

> Hello Louis,
> I did all the tests and they worked, but here some questions.
> 
> When using the wrapper with samba47, I see Squid tries
> Kerberos; if it doesn't work, it goes for NTLM.
Yes and no, read on and you will see why I say yes and no.

> If I use the wrapper for a machine that is NOT on a domain,
> it just fails, which is fine because the credentials don't
> match anything.
Correct. If you want this to work you could try:

auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM

Now you don't need the UPN in the DNS (it is really advised to have it), but
you are still trying to auth over Kerberos first.
Do note: the server still needs to be domain joined.

> But if I break the authentication in two, not
> using the wrapper, the NTLM shows a challenge screen asking
> for credentials, which I like.
It's what you prefer or want here. I suggest reading:
https://ping.force.com/Support/PingFederate/Integrations/How-to-configure-supported-browsers-for-Kerberos-NTLM
and man ntlm_auth.
But the short story here is: avoid NTLM where possible and use Kerberos.

> 
> Example:
> #### NEGOTIATE ONLY  KERBEROS AUTHENTICATION #### 
> auth_param negotiate program /usr/local/libexec/squid/negotiate_kerberos_auth -d -i -s HTTP/kontrol243.kontrol.corp@KONTROL.CORP
> auth_param negotiate children 50 startup=20 idle=10
> auth_param negotiate keep_alive on
> 
> #### NTLMv2 AUTHENTICATION ONLY - IN CASE KERBEROS DOESN'T WORK ####
> auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 30 startup=20 idle=5
> auth_param ntlm keep_alive off
> 
> The config above shows a challenge on the browser asking for
> credentials in case the machine is not in the domain, which is OK.
> 
> The config you sent me doesn't ask for credentials, it just
> fails. Do you know why?
Any error messages? I can't read your mind ... ;-)
A bit of Squid logs and the Windows message would help.

> 
> Other question is: what is the difference between using
> NTLMSSP and GSS-SPNEGO?
> Both worked fine, I just didn't understand what the difference is.
You have these auths:
Negotiate/Kerberos
Negotiate/NTLM
NTLM
BASIC
Now here I can try to explain, but with all my typos you won't understand it. ;-)
Here is my question on the Squid list; read it, it will help you understand.
http://squid-web-proxy-cache.1019090.n4.nabble.com/Negotiate-wrappter-returns-AF-on-Debian-Jessie-td4676735.html
And the related Squid pages:
https://wiki.squid-cache.org/Features/Authentication
https://wiki.squid-cache.org/Features/NegotiateAuthentication

> 
> I have also tested the smb4.conf tip you asked:
> winbind enum users = no
> winbind enum groups = no
> It worked too. Here again, what is the difference with yes/no for enum users/groups?
In the end nothing, but "no" offloads Samba, so it's quicker.
When testing set it to yes, so you know it works; when done, set it to no.
The detailed part why, uhm, that's more for a Samba dev to answer.
It's somewhere also on the list, but I did not google for it.

> 
> 
> Thanks Much for the info. I really appreciate it!
You're welcome and no problem.

Greetz, 

Louis

> 
> Fabricio.
> 
> 
> -----Original Message-----
> From: Suporte - KONTROL <suporte at kontrolsecurity.com.br> 
> Sent: Saturday, April 7, 2018 1:30 PM
> To: 'L.P.H. van Belle' <belle at bazuin.nl>
> Cc: 'samba at lists.samba.org' <samba at lists.samba.org>
> Subject: RE: [Samba] Question: Samba and YP-Yellow Pages relation.
> 
> Hi Louis!
> Wow! That was nice!
> I will test each one of the tips.
> 
> Thanks Much!!! Appreciate it!
> 
> Cordially,
> Fabricio.
> 
> -----Original Message-----
> From: samba <samba-bounces at lists.samba.org> On Behalf Of 
> L.P.H. van Belle via samba
> Sent: Friday, April 6, 2018 11:47 AM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Question: Samba and YP-Yellow Pages relation.
> 
> Hi,
> 
> Someone called me?
> 
> I did a quick read here in this thread.
> The UPN part is done, so you're almost there.
> 
> You need to make sure your DNS is working as it should.
> To check on the proxy:
> dig a hostname.FQDN
> dig -x ip_of_the_server
> 
> Test this for the DC hostnames/ips also. 
> If that all ok, you can try these settings in squid 
> 
> # For squid ( works for me as of squid 3.2 up to 3.5 )
> # negotiate kerberos and ntlm authentication + ldap fallback.
> # Debugging: -d in the kerberos line, --diagnostics in ntlm
> auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
>     --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/your.server.hostname.in.fqdn@YOUR_REALM \
>     --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM
> 
> # adjust this to your needs, you might want to lower the children and startups.
> auth_param negotiate children 10 startup=2 idle=2
> auth_param negotiate keep_alive on
> 
> # My advice: put everything on SSL, so don't use this one, but handy to have/know.
> # ! Do note the -h and -H parameters.
> # ! The user : SeparatedUser4bind2Ldap@internal.domain.tld
> # !          : set disable Kerberos pre-authentication, password does not expire, and cannot change it.
> # !          : set as trusted and cannot be delegated.
> # Non-SSL
> #auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 \
> #    -b "ou=Company,dc=internal,dc=domain,dc=tld" \
> #    -D SeparatedUser4bind2Ldap@internal.domain.tld \
> #    -W /etc/squid/private/your_userPassword_in_Here \
> #    -f (sAMAccountName=%s) \
> #    -h dc2.internal.domain.tld \
> #    -h dc1.internal.domain.tld
> 
> # SSL enabled ( URI format -H )
> auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 \
>     -b "ou=Company,dc=internal,dc=domain,dc=tld" \
>     -D SeparatedUser4bind2Ldap@internal.domain.tld \
>     -W /etc/squid/private/your_userPassword_in_Here \
>     -f sAMAccountName=%s \
>     -H ldaps://dc2.internal.domain.tld \
>     -H ldaps://dc1.internal.domain.tld
> 
> auth_param basic children 5 startup=1 idle=1
> auth_param basic realm Internet Proxy Authorisation
> auth_param basic credentialsttl 9 hours
> 
> 
> In smb.conf
> Set these to no after you tested. 
> > winbind enum users = no
> > winbind enum groups = no
> 
> 
> Good luck,
> 
> If you have questions just mail me or the list. 
> PS. Back Monday, and if you're lucky, I'll respond in the weekend.
> 
> 
> Greetz, 
> 
> Louis
> 
> 
> > -----Original Message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Suporte -
> > KONTROL via samba
> > Sent: Friday, April 6, 2018 15:58
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Question: Samba and YP-Yellow Pages relation.
> > 
> > Hi Rowland,
> > That looks GREAT!
> > I will give it a try for sure and let you know.
> > 
> > I am trying to talk to the guys who "modified/patched" the Samba 44 to
> > get details. If I got it, I will send it to you.
> > 
> > Many Thanks!!!
> > 
> > Fabricio.
> > 
> > 
> > -----Original Message-----
> > From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny
> > via samba
> > Sent: Friday, April 6, 2018 5:15 AM
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Question: Samba and YP-Yellow Pages relation.
> > 
> > On Thu, 5 Apr 2018 18:57:03 -0300
> > "Suporte - KONTROL" <suporte at kontrolsecurity.com.br> wrote:
> > 
> > > Hi Rowland,
> > > Actually I don't want to disable the Yellow Pages, that's a situation
> > > I already have in the pfSense, because YP was disabled by the pfSense
> > > developers.
> > 
> > Yellow Pages is the old name for NIS and unless it is installed it
> > isn't used by Linux, and I suspect the same goes for FreeBSD.
> > 
> > > So my doubt is: is there a way to make samba (latest
> > > version) work without the YP enabled? What about what people made
> > > with that samba version 4.4.16 I mentioned? Not sure how they did
> > > that. The only thing I know is that it is working fine even without
> > > the YP.
> > 
> > I would love to know what they did, perhaps the relevant code has been
> > accepted into Samba.
> > 
> > > 
> > > The Microsoft environment is mixed. I have Win2008R2 / Win2012 R2 and
> > > Win2016. It is working today with all of them.
> > >
> > 
> > Here is the good part: unless you extend Windows by installing 'IDMU',
> > it has no knowledge of NIS, and you cannot install 'IDMU' on Win2016.
> >   
> > > No problems, Here is the smb4.conf file:
> > 
> > and here is my version for 4.7.6, basically yours with default lines
> > removed and the deprecated 'idmap uid & gid'
> > lines replaced with their modern counterparts:
> > 
> > [global]
> > workgroup = SAMDOM
> > security = ads
> > realm  = SAMDOM.EXAMPLE.COM
> > 
> > ## map ids outside of domain to tdb files.
> > idmap config *:backend = tdb
> > idmap config *:range = 2000-9999
> > ## map ids from the domain  the ranges may not overlap !
> > idmap config SAMDOM : backend = rid
> > idmap config SAMDOM : range = 10000-999999
> > 
> > template shell = /bin/bash
> > winbind offline logon = yes
> > winbind refresh tickets = yes
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind use default domain = yes
> > 
> > log level = 3 passdb:5 winbind:3
> > printcap name = /dev/null
> > load printers = no
> > printing = bsd
> > local master = no
> > kerberos method = secrets and keytab
> > winbind refresh tickets = yes
> > 
> > [homes]
> > comment = Home Directories
> > valid users = %s, %D%W%S
> > browseable = no
> > read only = no
> > inherit acls = yes
> > 
> > With that smb.conf, I joined it to my domain with:
> > 
> > net ads join createupn=HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM -k
> > Using short domain name -- SAMDOM
> > Joined 'TESTCLIENT1' to dns domain 'samdom.example.com'
> > 
> > and if I examine the keytab created, I find this:
> > 
> > ktutil
> > ktutil:  rkt /etc/krb5.keytab
> > ktutil:  l
> > slot KVNO Principal
> > ---- ---- ---------------------------------------------------------------------
> >    1    2 host/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
> >    2    2      host/TESTCLIENT1 at SAMDOM.EXAMPLE.COM
> >    3    2 host/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
> >    4    2      host/TESTCLIENT1 at SAMDOM.EXAMPLE.COM
> >    5    2 host/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
> >    6    2      host/TESTCLIENT1 at SAMDOM.EXAMPLE.COM
> >    7    2 host/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
> >    8    2      host/TESTCLIENT1 at SAMDOM.EXAMPLE.COM
> >    9    2 host/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
> >   10    2      host/TESTCLIENT1 at SAMDOM.EXAMPLE.COM
> >   11    2          TESTCLIENT1$@SAMDOM.EXAMPLE.COM
> >   12    2          TESTCLIENT1$@SAMDOM.EXAMPLE.COM
> >   13    2          TESTCLIENT1$@SAMDOM.EXAMPLE.COM
> >   14    2          TESTCLIENT1$@SAMDOM.EXAMPLE.COM
> >   15    2          TESTCLIENT1$@SAMDOM.EXAMPLE.COM
> >   16    2 HTTP/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
> >   17    2 HTTP/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
> >   18    2 HTTP/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
> >   19    2 HTTP/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
> >   20    2 HTTP/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
> > 
> > So the required UPN is there, so all I can suggest is, give it a try.
> > 
> > I do not use Squid, but I know a man that does ;-)
> > 
> > So over to you Louis.
> > 
> > Rowland
> > 
> > 
> > 
> > 
> > 
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> > 
> > 
> > 
> > 
> 
> 
> 
> 
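The three things this thread keeps coming back to before Squid's Kerberos auth will work are: forward and reverse DNS for the proxy agreeing (Louis's `dig` checks), the `HTTP/<fqdn>@REALM` principal being present in the keytab after `net ads join createupn=... -k` (Rowland's ktutil listing), and `winbind enum users/groups` being set back to `no` once testing is done. The script below bundles those as a pre-flight check. It is an added example, not code from the thread, Samba or Squid: the keytab listing and smb.conf it runs against are constructed, the proxy FQDN, realm and keytab path in the live mode are assumptions, and the live mode only runs when `dig` and `klist` are installed (`sh check_proxy_kerb.sh --live SAMDOM.EXAMPLE.COM`, as root so the keytab is readable).

```shell
#!/bin/sh
# Pre-flight checks for the Squid + Samba Kerberos setup discussed in this thread.
# Added example, not code from the thread, Samba or Squid. Assumptions (not in the mails):
# the sample keytab listing and smb.conf below are constructed; the live mode reads
# /etc/krb5.keytab and `hostname -f` and only runs when dig and klist are installed.

# Normalise an FQDN for comparison: lower-case, no surrounding blanks, no trailing dot
# (dig +short returns "name.", the keytab has "name").
norm_fqdn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/\.$//'
}

# fqdn_eq A B: true when both names denote the same host.
fqdn_eq() {
    [ "$(norm_fqdn "$1")" = "$(norm_fqdn "$2")" ]
}

# keytab_principals: read `klist -k` or ktutil "l" output on stdin, print unique principals.
keytab_principals() {
    grep -oE '[^[:space:]]+@[A-Za-z0-9.-]+' | sort -u
}

# keytab_has_spn SPN: true when the keytab listing on stdin contains exactly SPN.
# Needed for `negotiate_kerberos_auth -s HTTP/fqdn@REALM`; with `-s GSS_C_NO_NAME`
# any service principal in the keytab is accepted, so only the HTTP/ entry has to exist.
keytab_has_spn() {
    keytab_principals | grep -Fxq "$1"
}

# smbconf_get FILE SECTION KEY: value of KEY in [SECTION], case-insensitive, blanks ignored.
smbconf_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { s = $0; gsub(/\[|\]|[ \t]/, "", s); insec = (tolower(s) == tolower(sec)); next }
        insec && /=/ {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); print v
            }
        }' "$1"
}

# enum_disabled FILE: true when "winbind enum users/groups" are both off (the Samba default)
# in [global], which is what the thread recommends once testing is finished.
enum_disabled() {
    _u=$(smbconf_get "$1" global 'winbind enum users')
    _g=$(smbconf_get "$1" global 'winbind enum groups')
    for _v in "${_u:-no}" "${_g:-no}"; do
        case "$(printf '%s' "$_v" | tr 'A-Z' 'a-z')" in
            no|false|0) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# live_checks REALM: the same checks against this host (forward/reverse DNS must agree,
# HTTP/<fqdn>@REALM must be in the keytab created by `net ads join createupn=... -k`).
live_checks() {
    if ! command -v dig >/dev/null 2>&1 || ! command -v klist >/dev/null 2>&1; then
        echo "dig or klist not installed, skipping live checks"; return 0
    fi
    _fqdn=$(hostname -f)
    _ip=$(dig +short A "$_fqdn" | head -n 1)
    _ptr=$(dig +short -x "$_ip" | head -n 1)
    fqdn_eq "$_fqdn" "$_ptr" || echo "WARN: reverse DNS of $_ip is '$_ptr', not $_fqdn"
    klist -k /etc/krb5.keytab | keytab_has_spn "HTTP/$_fqdn@$1" \
        || echo "WARN: HTTP/$_fqdn@$1 is not in /etc/krb5.keytab"
    return 0
}

# Constructed sample data (shape of the ktutil listing in the thread, shortened).
SAMPLE_KEYTAB='slot KVNO Principal
---- ---- ------------------------------------------------------------
   1    2 host/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM
   2    2 host/TESTCLIENT1@SAMDOM.EXAMPLE.COM
  11    2 TESTCLIENT1$@SAMDOM.EXAMPLE.COM
  16    2 HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM'

SAMPLE_SMBCONF_TESTING=$(mktemp)
SAMPLE_SMBCONF_DONE=$(mktemp)
trap 'rm -f "$SAMPLE_SMBCONF_TESTING" "$SAMPLE_SMBCONF_DONE"' EXIT
cat > "$SAMPLE_SMBCONF_TESTING" <<'EOF'
[global]
   workgroup = SAMDOM
   security = ads
   realm = SAMDOM.EXAMPLE.COM
   winbind enum users = yes
   winbind enum groups = yes
EOF
sed 's/= yes$/= no/' "$SAMPLE_SMBCONF_TESTING" > "$SAMPLE_SMBCONF_DONE"

# Stand-alone run: sample checks first, then the live host when called with --live REALM.
printf '%s\n' "$SAMPLE_KEYTAB" | keytab_has_spn 'HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM' \
    && echo "sample keytab: HTTP/ SPN present"
enum_disabled "$SAMPLE_SMBCONF_TESTING" || echo "sample smb.conf (testing): enum still on, set to no when done"
enum_disabled "$SAMPLE_SMBCONF_DONE" && echo "sample smb.conf (done): enum off"
if [ "${1:-}" = "--live" ]; then
    live_checks "${2:-SAMDOM.EXAMPLE.COM}"
fi
```

The exact-SPN check matters for the `-s HTTP/fqdn@REALM` form of `negotiate_kerberos_auth`; with `-s GSS_C_NO_NAME` (Louis's second wrapper line) the helper accepts any service principal in the keytab, so the HTTP/ entry still has to exist but its name no longer has to match what the browser asks for. A reverse DNS mismatch is the usual reason a browser ends up requesting a ticket for a name that is not in the keytab at all, which is why the DNS check comes first.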



