[Samba] NTLM auth, better on a DC or on a DM?
L.P.H. van Belle
belle at bazuin.nl
Thu Sep 13 09:19:13 UTC 2018
Lets start with, you better not use NTLM, only if you really really not able to use kerbersos auth.
The rest below the answer of Harry.
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> Harry Jede via samba
> Verzonden: woensdag 12 september 2018 18:56
> Aan: samba at lists.samba.org; Marco Gaiarin
> Onderwerp: Re: [Samba] NTLM auth, better on a DC or on a DM?
>
> Am Dienstag, 11. September 2018, 11:04:11 CEST schrieb Marco
> Gaiarin via samba:
> > Sorry, i'm still a bit confused.
> >
> > Andreay say:
> > > I would do that, it allows you to have the FreeRADIUS fail over to
> > > another DC when you are upgrading Samba, and choose to upgrade
> > > Samba's base OS without consideration for the Squid/FreeRADIUS
> > > stack.
> > So, ntlm_auth connect to (local) winbind, and winbind
> connect to DCs,
> > so in this way freeradius 'failover' in respect of the DCs, but
> > clearly not in respect of winbind (local instance).
> > Right?
> My private idea, if you really need failover use two or more winbind
> PCs as member server.
>
> > Or you are speaking of the new ability of freeradius to connect
> > ''directly'' to winbind, without ntlm_auth?
> Me not.
>
> > Harry say:
> > > We have sveral squid proxy with ntlm_auth running. Ntlm_auth works
> > > only on a Domain Member Server and not on a PDC, BDC or DC.
> >
> > I'm currently using freeradius (and squid) with ntlm_auth
> on my 'NT4'
> > domain on a BDC, so this is not fully true. ;-)
> This info is from the squid docs, wiki or ml. I dont rember.
>
> May be the squid folks define "Domain Member Server" in an
> other way as
> samba users. Perhaps a BDC is in their understanding also a
> member server.
>
>
>
> My configs for a NT style domain with openldap backend. Winbindd gets
> an own config, because we are on a PDC with "secuity = user".
>
> ######
> # egrep -v '^[[:space:]]*#|^[[:space:]]*;|^[[:space:]]*$'
> /etc/samba/winbind.conf
> [global]
> include = /etc/samba/smb.conf
> [global]
> security = domain
> winbind use default domain = yes
> winbind separator = +
>
> The second global line is necessary to set new global params after the
> last share definition in smb.conf. Without the first global line,
> the include statement wont work.
>
> ######
> # egrep -v '^[[:space:]]*#|^[[:space:]]*;|^[[:space:]]*$'
> /etc/default/winbind
> WINBINDD_OPTS="-s /etc/samba/winbind.conf"
>
> We are on debian, so we use their mech to give the winbindd
> some start params.
>
> ######
> # egrep -v '^[[:space:]]*#|^[[:space:]]*;|^[[:space:]]*$'
> /etc/squid/squid.conf|head -7
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> auth_param basic program /usr/lib/squid/ldap_auth -b
> "ou=people,ou=accounts,dc=europa,dc=xx" -v 3 -u uid
> auth_param basic children 20
> auth_param basic realm Internetzugang von Europaschule Dortmund
> auth_param basic credentialsttl 2 hours
> acl password proxy_auth REQUIRED
> http_access allow password
>
> ntlm_auth SHOULD be defined before ldap_auth!!!
> According to the squid folks, windows do not choose the best
> helper program as defined in RFC. Instead they use always the
> first one. One can test this behavior very easy, switch the line.
>
> If a windows user is using ntlm he get no password prompt.
> With ldap_auth windows users see always the password prompt.
>
>
> The above is a simple setup to make windows user happy. Ldap traffic
> should be encrypted. If one connect to a AD DC TLS/SSL is required.
>
> >
> > Thanks.
>
>
> --
>
> Gruss
> Harry Jede
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Sind you guys run debian also, think about this setup.
Only install winbind and the thing to authenticate with winbind.
A snap for what i minimal use in smb.conf
Asuming your not logging in with ssh on the server, if needed you need do adjust below a bit.
# smb.conf / Basic proxy auth setup ( tested on debian Jessie/stretch )
log level = 0
workgroup = NTDOM
security = ads
realm = YOUR.REALM.TLD
netbios name = HOSTNAME
preferred master = no
domain master = no
host msdfs = no
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config NTDOM : backend = rid
idmap config NTDOM : range = 10000-3999999
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
# A must
winbind refresh tickets = yes
# optional
winbind use default domain = yes
winbind offline logon = yes
# Disable usershares creating, when set empty no error log messages.
usershare path =
# Disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# For Squid, Authorisations, things to think off.
1) Pure Kerberos. Passthrough auth for windows users with windows DOMAIN JOINED pc's.
Fallback to Ldap for NON WINDOWS NON DOMAIN JOINED Devices.
NO NTLM. AKA, a windows pc, NOT JOINED in the domain, with end up in always user popup for auth.
Which will always fail because of NTLM TYPE 1 and TYPE 2, authorisations.
2) NEGOTIATE AUTH, which will do all of above, but also authenticated Windows PC's Not domain Joined.
3) And have a fallback with LDAP, if something erors, for example your time is off sync.
then ldap will give access but only when you manualy authenticate.
# Squid configs ( tested/using as of squid 3.2 upto 3.5.28 )
# Negotiate auth ( kerberos and NTLM )
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
--kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/hostname.your.primary.domain.tld at YOUR.REALM.HERE \
--ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM
auth_param negotiate children 30 startup=5 idle=5
auth_param negotiate keep_alive on
# Same as above, but without SPN defined.
# auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
# --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME \
# --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=NTDOM
# Ntlm only setup. ( not needed if you use negotiate, and best is to use negotiate auth )
#auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM
#auth_param ntlm children 20 startup=0 idle=1
#auth_param ntlm keep_alive on
# Ldap with
## NONE-SSL ( HOST format -h )
## SSL enabled ( URI format -H )
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 \
-b "dc=your,dc=domain,dc=tld" \
-D ldap-bind at your.domain.tld \
-W /etc/squid/private/ldap-bind \
-f sAMAccountName=%s \
-H ldaps://dc1.your.domain.tld \
-H ldaps://dc2.your.domain.tld
auth_param basic children 5 startup=1 idle=1
auth_param basic realm Internet Proxy Autorisation
auth_param basic credentialsttl 9 hours
About the setup above, that a running setup, now im testing/preparing to extending this setup.
Im running this on 2 separate servers atm, what i want to add here is the following.
The dhcp config with failover,
https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
freeradius, still looking for some nice configs.
What i have. Out-dated, but one good pointer : setfacl -m u:radiusd:rx winbindd_privileged
https://wiki.freeradius.org/guide/freeradius-active-directory-integration-howto
A good starter, ( for free radius, but want this with Strongswan VPN, and no L2TP.
Already running win7/10 / ios / android compatible, but not ad connected yet, IKEv2 based.
https://wiki.samba.org/index.php/VPN_Single_SignOn_with_Samba_AD
And where possible i ant to use the "Dail-in" tab of windows (access_attr = "msNPAllowDialin" )
keepalived+strongswan VPN.
A nice start point, https://www.bggofurther.com/2015/02/how-to-setup-an-ipsec-tunnel-with-strongswan-with-high-availability-on-linux/
Using the eap-mschapv2.
So if you guys have any snippets of configs of a debian server, please share.
Strongswan works without the need of any additional software on windows/ios or android.
Greetz,
Louis
More information about the samba
mailing list