[Samba] NTLM auth, better on a DC or on a DM?
walk2sun at arcor.de
Wed Sep 12 16:56:05 UTC 2018
On Tuesday, 11 September 2018, 11:04:11 CEST, Marco Gaiarin via samba wrote:
> Sorry, I'm still a bit confused.
> Andreay says:
> > I would do that, it allows you to have the FreeRADIUS fail over to
> > another DC when you are upgrading Samba, and choose to upgrade
> > Samba's base OS without consideration for the Squid/FreeRADIUS
> > stack.
> So, ntlm_auth connects to (local) winbind, and winbind connects to DCs,
> so in this way freeradius 'fails over' with respect to the DCs, but
> clearly not with respect to winbind (local instance).
My private idea: if you really need failover, use two or more winbind
PCs as member servers.
> Or are you speaking of the new ability of freeradius to connect
> ''directly'' to winbind, without ntlm_auth?
> Harry says:
> > We have several squid proxies with ntlm_auth running. Ntlm_auth works
> > only on a Domain Member Server and not on a PDC, BDC or DC.
> I'm currently using freeradius (and squid) with ntlm_auth on my 'NT4'
> domain on a BDC, so this is not fully true. ;-)
This info is from the squid docs, wiki or ML; I don't remember.
Maybe the squid folks define "Domain Member Server" in another way than
samba users do. Perhaps a BDC is in their understanding also a
My configs for an NT style domain with an openldap backend. Winbindd gets
its own config, because we are on a PDC with "security = user".
# egrep -v '^[[:space:]]*#|^[[:space:]]*;|^[[:space:]]*$' /etc/samba/winbind.conf
[global]
include = /etc/samba/smb.conf
[global]
security = domain
winbind use default domain = yes
winbind separator = +
The second [global] line is necessary to set new global params after the
last share definition in smb.conf. Without the first [global] line,
the include statement won't work.
# egrep -v '^[[:space:]]*#|^[[:space:]]*;|^[[:space:]]*$' /etc/default/winbind
We are on Debian, so we use their mechanism to give winbindd
some start parameters.
# egrep -v '^[[:space:]]*#|^[[:space:]]*;|^[[:space:]]*$' /etc/squid/squid.conf|head -7
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic program /usr/lib/squid/ldap_auth -b "ou=people,ou=accounts,dc=europa,dc=xx" -v 3 -u uid
auth_param basic children 20
auth_param basic realm Internetzugang von Europaschule Dortmund
auth_param basic credentialsttl 2 hours
acl password proxy_auth REQUIRED
http_access allow password
ntlm_auth SHOULD be defined before ldap_auth!!!
According to the squid folks, Windows does not choose the best
helper program as defined in the RFC. Instead it always uses the
first one. One can test this behavior very easily: switch the lines.
If a Windows user is using ntlm, he gets no password prompt.
With ldap_auth, Windows users always see the password prompt.
The above is a simple setup to make Windows users happy. LDAP traffic
should be encrypted. If one connects to an AD DC, TLS/SSL is required.
More information about the samba
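As an added example (not from Harry's mail, nor Samba's or Squid's own tooling): a small POSIX sh check for the two ordering rules the mail relies on, a fresh [global] after the include in winbind.conf and the ntlm helper listed before the basic/ldap_auth helper in squid.conf. The config fragments are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample fragments (not the real configs from the mail) in the
# order the mail recommends, and the same fragments with the order swapped.
WINBIND_GOOD='[global]
include = /etc/samba/smb.conf
[global]
security = domain
winbind use default domain = yes'

WINBIND_BAD='[global]
include = /etc/samba/smb.conf
security = domain'

SQUID_GOOD='auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic program /usr/lib/squid/ldap_auth -b "ou=people,dc=example,dc=xx" -v 3 -u uid
acl password proxy_auth REQUIRED'

SQUID_BAD='auth_param basic program /usr/lib/squid/ldap_auth -b "ou=people,dc=example,dc=xx" -v 3 -u uid
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
acl password proxy_auth REQUIRED'

# Drop comment (#, ;) and blank lines, the same filter as the egrep in the mail.
strip_comments() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*[#;]' | grep -v '^[[:space:]]*$'
}

# Exit 0 when every "include =" is followed by a fresh [global] before any
# further parameter, so settings after the include are not swallowed by the
# last share section of the included smb.conf.
global_after_include() {
    strip_comments "$1" | awk '
        /^[[:space:]]*include[[:space:]]*=/    { pending = 1; next }
        /^[[:space:]]*\[global\][[:space:]]*$/ { pending = 0; next }
        pending && /=/                         { bad = 1; exit }
        END                                    { exit bad + 0 }'
}

# Exit 0 when the first auth_param scheme that names a helper program is ntlm,
# i.e. Windows clients are offered ntlm_auth first and see no password prompt.
ntlm_first() {
    first=$(strip_comments "$1" | awk '$1 == "auth_param" && $3 == "program" { print $2; exit }')
    [ "$first" = "ntlm" ]
}

global_after_include "$WINBIND_GOOD" && echo "winbind.conf: [global] restored after include"
global_after_include "$WINBIND_BAD"  || echo "winbind.conf: parameters after include land in a share section"
ntlm_first "$SQUID_GOOD" && echo "squid.conf: ntlm_auth is offered first"
ntlm_first "$SQUID_BAD"  || echo "squid.conf: ldap_auth comes first, Windows users will be prompted"
```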