[Samba] samba4+squid3+ntlm

L.P.H. van Belle belle at bazuin.nl
Fri Jun 8 13:44:52 UTC 2018


Hi Eduardo,

In addition to Rowland's reply.

Try this one: auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=MYDOMINIO
Change the: squid-2.5-ntlmssp to gss-spnego
And test; if it works, stop reading here and be happy.

Not working? Then I have these questions and suggestions (and maybe more).

Are you using all Debian 8 standard packages?
You might prefer a change to negotiate auth. (See: https://wiki.squid-cache.org/Features/NegotiateAuthentication)

The token first presented by the client is used by helpers to identify which flavour is being used: 
type 1 token - NTLM 
type 2 token - Kerberos 

You may see warnings or errors mentioning either of these token types with Negotiate authentication. Particularly common are problems with type 1 when configured with Kerberos helpers. 
The issue is a mismatch between the client and helper capabilities. The negotiate_wrapper helper is currently the only helper known which can handle both types at once. 

Then I suspect your Win8 uses type 2 tokens and then you need the following.

These settings below work on both my servers, I run 2 proxies atm. 
Debian 8, samba 4.6.15, squid, own build 3.5.19 (a rebuild from debian testing, but with ssl enabled )
Debian 9, samba 4.8.2, squid, own build 3.5.27 (a rebuild from debian testing, but with ssl enabled )

My settings are these and this works from Win XP up to Win10 1709 (in production here).
#Negotiate auth
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy.internal.domain.tld at KERBEROS.DOMAIN.TLD \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM
auth_param negotiate children 30 startup=5 idle=5
auth_param negotiate keep_alive on

#Basic auth, over ldaps
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 \
    -b "ou=Company,dc=internal,dc=domain,dc=tld" \
    -D special-user-for-ldap-bind-request at internal.domain.tld \
    -W /etc/squid/private/special-file-4-user-for-ldap-bind-request-containing-passwd \
    -f sAMAccountName=%s \
    -H ldaps://dc2.internal.domain.tld \
    -H ldaps://dc1.internal.domain.tld

auth_param basic children 5 startup=1 idle=1
auth_param basic realm Internet Proxy Autorisation
auth_param basic credentialsttl 9 hours
acl authenticated proxy_auth REQUIRED

authenticate_cache_garbage_interval 2 hour
authenticate_ttl 2 hour
authenticate_ip_ttl 2 hour

Samba does not need much, but I would change some things.
The important ones are : 

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind refresh tickets = yes # needed to update the kerberos ticket for the server.
    winbind use default domain = yes
    winbind offline logon = yes  # can be handy if you need to reboot the AD server. 


Squid, I noticed your config is a bit off.
> [libdefaults] 
> default_realm = MYDOMINIO.COM 
> dns_lookup_kdc = no 
> dns_lookup_realm = no 
> ticket_lifetime = 24h 
> default_keytab_name = /etc/squid3/PROXY.keytab 

All I have is:
    default_realm = MYKERBEROSREALM.DOMAIN.TLD
    dns_lookup_kdc = true
    dns_lookup_realm = false
    ticket_lifetime = 24h
    ccache_type = 4
    forwardable = true
    proxiable = true

    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5


And in /etc/default/squid
KRB5_KTNAME=/etc/squid/keytab.PROXY-HTTP
export KRB5_KTNAME

#You might need: 
TLS_CACERTFILE=/etc/ssl/certs/ca-certificates.crt
export TLS_CACERTFILE

Beware, these changes are not small ones, backup backup backup... 

Also, I'm away from computers this weekend, so I'll be able to reply today, if you're fast.
Or Monday.

Good luck! 


Greetz, 

Louis
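
As an added diagnostic (not part of this thread, nor Squid's or Samba's own code), a small Python script that decodes the first Proxy-Authorization token a client sends and reports whether it is raw NTLMSSP, an SPNEGO token (and which mechanisms the client lists, in its order of preference) or bare Kerberos; that is exactly the flavour split the helpers key on, so it shows what a Win 8.1 client is really sending before you change helpers. The sample header values are constructed, not captured from real clients, and the SPNEGO samples carry only a mechTypes list (a real NegTokenInit also carries a mechToken).

```python
import base64

# DER-encoded OIDs (tag 0x06 + length + value) found in GSS-API tokens.
OID_SPNEGO = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = (("MS-KRB5", OID_MS_KRB5), ("KRB5", OID_KRB5), ("NTLMSSP", OID_NTLMSSP))

def _der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, offset of content)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_token(header_value):
    """Classify a Proxy-Authorization value: raw NTLMSSP (what squid-2.5-ntlmssp
    expects), SPNEGO with mechs in client order (gss-spnego / kerberos helpers), or bare krb5."""
    scheme, _, b64 = header_value.strip().partition(" ")
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # tolerate stripped padding
    info = {"scheme": scheme, "kind": "unknown", "mechs": [], "ntlm_type": None}
    if raw.startswith(b"NTLMSSP\x00"):
        info["kind"] = "ntlmssp"
        info["ntlm_type"] = int.from_bytes(raw[8:12], "little")  # 1 = NEGOTIATE
    elif raw[:1] == b"\x60":  # RFC 2743 InitialContextToken: 0x60, length, mech OID
        _, pos = _der_len(raw, 1)
        if raw.startswith(OID_SPNEGO, pos):
            info["kind"] = "spnego"
            found = [(raw.find(oid, pos), name) for name, oid in MECH_NAMES]
            info["mechs"] = [name for off, name in sorted(found) if off >= 0]
        elif raw.startswith(OID_KRB5, pos) or raw.startswith(OID_MS_KRB5, pos):
            info["kind"] = "krb5"
    return info

def preferred_mech(info):
    """The mechanism the client will actually use: the first SPNEGO mech it listed."""
    if info["kind"] in ("ntlmssp", "krb5"):
        return "NTLMSSP" if info["kind"] == "ntlmssp" else "KRB5"
    return info["mechs"][0] if info["mechs"] else None

# Constructed sample headers (not captured from real clients).
SAMPLE_NTLM = "NTLM " + base64.b64encode(
    b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2" + bytes(16)).decode()
SAMPLE_SPNEGO_WIN = "Negotiate " + base64.b64encode(bytes.fromhex(
    "6032" "06062b0601050502" "a028" "3026" "a024" "3022"
    "06092a864882f712010202" "06092a864886f712010202" "060a2b06010401823702020a")).decode()
SAMPLE_SPNEGO_NTLM_ONLY = "Negotiate " + base64.b64encode(bytes.fromhex(
    "601c" "06062b0601050502" "a012" "3010" "a00e" "300c" "060a2b06010401823702020a")).decode()
```

Feed it the header value from a tcpdump/Wireshark capture or from squid's debug log: a client whose preferred mech is MS-KRB5/KRB5 will not work with an NTLM-only helper, and one sending raw NTLMSSP needs the ntlm helper or the negotiate_wrapper.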


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Eduardo Miranda Hidalgo via samba
> Sent: Friday 8 June 2018 14:19
> To: samba
> Subject: [Samba] samba4+squid3+ntlm
> 
> Hello: 
> 
> I have a squid3 with NTLM authentication integrated with samba4,
> but workstations with Windows 8.1 are constantly asked for the
> username and password and it does not let the user navigate.
> I use Debian 8 + samba 4.7.7; no idea why that happens, since
> clients with Windows 7 work well.
> 
> 
> smb.conf 
> 
> workgroup = MYDOMINIO 
> security = ads 
> netbios name = srv-proxy 
> server string = Servidor Proxy de Dominio 
> realm =MYDOMINIO.COM 
> password server = srv-pdc.midominio.com 
> 
> winbind uid = 10000-20000 
> winbind gid = 10000-20000 
> winbind use default domain = yes 
> winbind enum users = yes 
> winbind enum groups = yes 
> 
> syslog = 0 
> #log level = 1 
> log level = 3 passdb:5 auth:10 winbind:5 
> log file = /var/log/samba/%m.log 
> max log size = 50 
> 
> squid.conf 
> 
> ##Authentication
> # NTLM 
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=MYDOMINIO
> auth_param ntlm children 20 
> auth_param ntlm keep_alive on 
> # NTLM basic 
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --domain=MYDOMINIO
> auth_param ntlm children 20 
> auth_param basic children 20 
> auth_param basic realm Proxy midominio.comu 
> auth_param basic credentialsttl 1 hours 
> external_acl_type ldap_group children-max=20 %LOGIN /usr/lib/squid3/ext_wbinfo_group_acl
> authenticate_ttl 1 hours 
> authenticate_ip_ttl 1 hours 
> 
> krb5.conf 
> 
> [libdefaults] 
> default_realm = MYDOMINIO.COM 
> dns_lookup_kdc = no 
> dns_lookup_realm = no 
> ticket_lifetime = 24h 
> default_keytab_name = /etc/squid3/PROXY.keytab 
> 
> ; for Windows 2003 
> ; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 
> ; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 
> ; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 
> 
> ; for Windows 2008 with AES 
> default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
> 
> [realms] 
> MYDOMINIO.COM = {
> kdc = srv-pdc.midominio.com 
> admin_server = srv-pdc.midominio.com 
> default_domain = midominio.com 
> } 
> 
> [domain_realm] 
> .midominio.com = MYDOMINIO.COM
> srv-pdc.midominio.com = MYDOMINIO.COM 
> 
> regards 
> Eduardo 
