[Samba] NTLM auth, better on a DC or on a DM?

Harry Jede walk2sun at arcor.de
Wed Sep 12 16:56:05 UTC 2018

Am Dienstag, 11. September 2018, 11:04:11 CEST schrieb Marco Gaiarin via samba:
> Sorry, i'm still a bit confused.
> Andreay say:
> > I would do that, it allows you to have the FreeRADIUS fail over to
> > another DC when you are upgrading Samba, and choose to upgrade
> > Samba's base OS without consideration for the Squid/FreeRADIUS
> > stack.
> So, ntlm_auth connect to (local) winbind, and winbind connect to DCs,
> so in this way freeradius 'failover' in respect of the DCs, but
> clearly not in respect of winbind (local instance).
> Right?
My private idea, if you really need failover use two or more winbind
 PCs as member server.

> Or you are speaking of the new ability of freeradius to connect
> ''directly'' to winbind, without ntlm_auth?
Me not.
> Harry say:
> > We have sveral squid proxy with ntlm_auth running. Ntlm_auth works
> > only on a Domain Member Server and not on a PDC, BDC or DC.
> I'm currently using freeradius (and squid) with ntlm_auth on my 'NT4'
> domain on a BDC, so this is not fully true. ;-)
This info is from the squid docs, wiki or ml. I dont rember. 

May be the squid folks define "Domain Member Server" in an other way as
 samba users. Perhaps a BDC is in their understanding also a
 member server.

My configs for a NT style domain with openldap backend. Winbindd gets
 an own config, because we are on a PDC with "secuity = user".

# egrep -v '^[[:space:]]*#|^[[:space:]]*;|^[[:space:]]*$' /etc/samba/winbind.conf 
include = /etc/samba/smb.conf
security = domain
winbind use default domain = yes
winbind separator = +

The second global line is necessary to set new global params after the
 last share definition in smb.conf. Without the first global line,
 the include statement wont work.

# egrep -v '^[[:space:]]*#|^[[:space:]]*;|^[[:space:]]*$' /etc/default/winbind 
WINBINDD_OPTS="-s /etc/samba/winbind.conf"

We are on debian, so we use their mech to give the winbindd
 some start params.

# egrep -v '^[[:space:]]*#|^[[:space:]]*;|^[[:space:]]*$' /etc/squid/squid.conf|head -7
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic program /usr/lib/squid/ldap_auth -b "ou=people,ou=accounts,dc=europa,dc=xx" -v 3 -u uid
auth_param basic children 20
auth_param basic realm Internetzugang von Europaschule Dortmund
auth_param basic credentialsttl 2 hours
acl password proxy_auth REQUIRED
http_access allow password

ntlm_auth SHOULD be defined before ldap_auth!!!
 According to the squid folks, windows do not choose the best
 helper program as defined in RFC. Instead they use always the
 first one. One can test this behavior very easy, switch the line.

 If a windows user is using ntlm he get no password prompt.
 With ldap_auth windows users see always the password prompt.

The above is a simple setup to make windows user happy. Ldap traffic
 should be encrypted. If one connect to a AD DC TLS/SSL is required.

> Thanks.


	Harry Jede

More information about the samba mailing list