[Samba] NTLM auth, better on a DC or on a DM?

L.P.H. van Belle belle at bazuin.nl
Thu Sep 13 09:19:13 UTC 2018

Let's start with this: you'd better not use NTLM, only if you really, really are not able to use Kerberos auth.

The rest below the answer of Harry. 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Harry Jede via samba
> Sent: Wednesday 12 September 2018 18:56
> To: samba at lists.samba.org; Marco Gaiarin
> Subject: Re: [Samba] NTLM auth, better on a DC or on a DM?
> On Tuesday, 11 September 2018, 11:04:11 CEST, Marco
> Gaiarin via samba wrote:
> > Sorry, I'm still a bit confused.
> > 
> > Andrew says:
> > > I would do that, it allows you to have the FreeRADIUS fail over to
> > > another DC when you are upgrading Samba, and choose to upgrade
> > > Samba's base OS without consideration for the Squid/FreeRADIUS
> > > stack.
> > So, ntlm_auth connects to (local) winbind, and winbind connects to the DCs,
> > so in this way freeradius 'fails over' in respect of the DCs, but
> > clearly not in respect of winbind (local instance).
> > Right?
> My private idea: if you really need failover, use two or more winbind
>  PCs as member servers.
> > Or you are speaking of the new ability of freeradius to connect
> > ''directly'' to winbind, without ntlm_auth?
> Not me.
> > Harry says:
> > > We have several squid proxies with ntlm_auth running. Ntlm_auth works
> > > only on a Domain Member Server and not on a PDC, BDC or DC.
> > 
> > I'm currently using freeradius (and squid) with ntlm_auth on my 'NT4'
> > domain on a BDC, so this is not fully true. ;-)
> This info is from the squid docs, wiki or ML; I don't remember which.
> Maybe the squid folks define "Domain Member Server" differently from
> Samba users. Perhaps a BDC is in their understanding also a
>  member server.
> My configs for an NT-style domain with OpenLDAP backend. Winbindd gets
>  its own config, because we are on a PDC with "security = user".
> ######
> # egrep -v '^[[:space:]]*#|^[[:space:]]*;|^[[:space:]]*$' /etc/samba/winbind.conf
> [global]
> include = /etc/samba/smb.conf
> [global]
> security = domain
> winbind use default domain = yes
> winbind separator = +
> The second global line is necessary to set new global params after the
>  last share definition in smb.conf. Without the first global line,
>  the include statement won't work.
> ######
> # egrep -v '^[[:space:]]*#|^[[:space:]]*;|^[[:space:]]*$' /etc/default/winbind
> WINBINDD_OPTS="-s /etc/samba/winbind.conf"
> We are on Debian, so we use their mechanism to give winbindd
>  some start params.
> ######
> # egrep -v '^[[:space:]]*#|^[[:space:]]*;|^[[:space:]]*$' /etc/squid/squid.conf | head -7
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param basic program /usr/lib/squid/ldap_auth -b "ou=people,ou=accounts,dc=europa,dc=xx" -v 3 -u uid
> auth_param basic children 20
> auth_param basic realm Internetzugang von Europaschule Dortmund
> auth_param basic credentialsttl 2 hours
> acl password proxy_auth REQUIRED
> http_access allow password
> ntlm_auth SHOULD be defined before ldap_auth!!!
>  According to the squid folks, Windows does not choose the best
>  helper program as defined in the RFC. Instead it always uses the
>  first one. One can test this behavior very easily: switch the lines.
>  If a Windows user is using ntlm he gets no password prompt.
>  With ldap_auth Windows users always see the password prompt.
> The above is a simple setup to make Windows users happy. LDAP traffic
>  should be encrypted. If one connects to an AD DC, TLS/SSL is required.
> > 
> > Thanks.
> -- 
> Regards
> 	Harry Jede

Since you guys also run Debian, think about this setup.
Only install winbind and the thing to authenticate with winbind.
A snapshot of what I minimally use in smb.conf.
Assuming you're not logging in with ssh on the server; if needed you need to adjust the below a bit.

# smb.conf / Basic proxy auth setup ( tested on debian Jessie/stretch )
  log level = 0

  workgroup = NTDOM
  security = ads
  realm = YOUR.REALM.TLD

  netbios name = HOSTNAME
  preferred master = no
  domain master = no
  host msdfs = no

  idmap config *:backend = tdb
  idmap config *:range = 2000-9999
  idmap config NTDOM : backend = rid
  idmap config NTDOM : range = 10000-3999999

  dedicated keytab file = /etc/krb5.keytab
  kerberos method = secrets and keytab

  # A must 
  winbind refresh tickets = yes
  # optional
  winbind use default domain = yes
  winbind offline logon = yes

  # Disable usershares creating, when set empty no error log messages.
  usershare path =

  # Disable printing completely
  load printers = no
  printing = bsd
  printcap name = /dev/null
  disable spoolss = yes

# For Squid authorisations, things to think of.
1) Pure Kerberos. Passthrough auth for Windows users with Windows DOMAIN JOINED PCs.
   Fallback to LDAP for NON WINDOWS NON DOMAIN JOINED devices.
   NO NTLM. AKA, a Windows PC NOT JOINED in the domain will always end up in a user popup for auth,
   which will always fail because of NTLM TYPE 1 and TYPE 2 authorisations.
2) NEGOTIATE AUTH, which will do all of the above, but also authenticates Windows PCs not domain joined.
3) And have a fallback with LDAP, if something errors, for example your time is out of sync;
   then LDAP will give access but only when you manually authenticate.

# Squid configs ( tested/using as of squid 3.2 upto 3.5.28 )
# Negotiate auth ( kerberos and NTLM ) 
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/hostname.your.primary.domain.tld@YOUR.REALM.HERE \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM
auth_param negotiate children 30 startup=5 idle=5
auth_param negotiate keep_alive on

# Same as above, but without SPN defined. 
# auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
#    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME \
#    --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=NTDOM

# Ntlm only setup.  ( not needed if you use negotiate, and best is to use negotiate auth )
#auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM
#auth_param ntlm children 20 startup=0 idle=1
#auth_param ntlm keep_alive on

# Ldap with
## NONE-SSL ( HOST format -h )
## SSL enabled ( URI format -H )
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 \
    -b "dc=your,dc=domain,dc=tld" \
    -D ldap-bind@your.domain.tld \
    -W /etc/squid/private/ldap-bind \
    -f sAMAccountName=%s \
    -H ldaps://dc1.your.domain.tld \
    -H ldaps://dc2.your.domain.tld

auth_param basic children 5 startup=1 idle=1
auth_param basic realm Internet Proxy Autorisation
auth_param basic credentialsttl 9 hours

About the setup above, that's a running setup; now I'm testing/preparing to extend this setup.
I'm running this on 2 separate servers atm; what I want to add here is the following.

The DHCP config with failover.

freeradius: still looking for some nice configs.
What I have is out-dated, but one good pointer: setfacl -m u:radiusd:rx winbindd_privileged

A good starter (for freeradius, but I want this with Strongswan VPN, and no L2TP).
Already running win7/10 / iOS / Android compatible, but not AD connected yet, IKEv2 based.
And where possible I want to use the "Dial-in" tab of Windows (access_attr = "msNPAllowDialin").

keepalived+strongswan VPN.
A nice start point: https://www.bggofurther.com/2015/02/how-to-setup-an-ipsec-tunnel-with-strongswan-with-high-availability-on-linux/
Using eap-mschapv2.
So if you guys have any snippets of configs of a Debian server, please share.
Strongswan works without the need of any additional software on Windows/iOS or Android.
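Two of the pitfalls raised in this thread (a basic LDAP helper listed before the negotiate/ntlm helper, so Windows clients never get SSO, and an LDAP helper that talks to the DC without TLS) plus the idmap ranges in the smb.conf snippet are easy to check mechanically before restarting squid or winbind. The following Python linter is an added example, not code from this list, from Samba or from Squid; the squid.conf and smb.conf fragments inside it are constructed for the demonstration, and the helper options it inspects (`-h`, `-H` and `-Z` of `basic_ldap_auth`, the `auth_param <scheme> program` directives) are those used in the thread plus `basic_ldap_auth`'s documented `-Z` StartTLS switch.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample squid.conf (illustrative only): the basic LDAP helper is
# listed before negotiate, and one of its LDAP URIs is unencrypted.
SAMPLE_SQUID_CONF = """\
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 \\
    -b "dc=example,dc=tld" -f sAMAccountName=%s \\
    -H ldap://dc1.example.tld -H ldaps://dc2.example.tld
auth_param basic children 5
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \\
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME \\
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM
auth_param negotiate children 30 startup=5 idle=5
acl password proxy_auth REQUIRED
http_access allow password
"""

# Constructed sample smb.conf [global] fragment whose default range collides
# with the NTDOM rid range.
SAMPLE_SMB_CONF = """\
[global]
  idmap config *:backend = tdb
  idmap config *:range = 2000-19999
  idmap config NTDOM : backend = rid
  idmap config NTDOM : range = 10000-3999999
"""


def logical_lines(conf: str) -> List[str]:
    """Join backslash-continued lines and drop comments and blank lines."""
    out, buf = [], ""
    for raw in conf.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        stripped = buf.strip()
        if stripped and not stripped.startswith("#"):
            out.append(stripped)
        buf = ""
    if buf.strip():
        out.append(buf.strip())
    return out


def auth_program_lines(conf: str) -> List[Tuple[str, str]]:
    """Return (scheme, helper command line) for each 'auth_param <scheme> program' directive, in file order."""
    result = []
    for line in logical_lines(conf):
        m = re.match(r"auth_param\s+(\w+)\s+program\s+(.*)", line)
        if m:
            result.append((m.group(1).lower(), m.group(2)))
    return result


def check_helper_order(conf: str) -> List[str]:
    """Flag a 'basic' helper defined before negotiate/ntlm: Windows takes the first scheme offered."""
    findings = []
    schemes = [s for s, _ in auth_program_lines(conf)]
    if "basic" in schemes:
        basic_pos = schemes.index("basic")
        for strong in ("negotiate", "ntlm"):
            if strong in schemes and schemes.index(strong) > basic_pos:
                findings.append(f"'{strong}' helper is defined after 'basic'; move it before 'basic' so domain clients get SSO")
    return findings


def check_ldap_transport(conf: str) -> List[str]:
    """Flag basic_ldap_auth invocations that would send the user's password over a cleartext LDAP connection."""
    findings = []
    for _scheme, cmd in auth_program_lines(conf):
        if "ldap_auth" not in cmd:
            continue
        args = cmd.split()
        if "-h" in args and "-Z" not in args:
            findings.append("basic_ldap_auth uses -h (plain host) without -Z (StartTLS): credentials travel in clear")
        for i, a in enumerate(args[:-1]):
            if a == "-H" and args[i + 1].lower().startswith("ldap://"):
                findings.append(f"basic_ldap_auth URI {args[i + 1]} is plaintext; use ldaps:// (or add -Z)")
    return findings


def idmap_ranges(smbconf: str) -> Dict[str, Tuple[int, int]]:
    """Parse 'idmap config <DOMAIN> : range = low-high', tolerating spaces around the colon as the thread writes it."""
    ranges = {}
    for line in logical_lines(smbconf):
        m = re.match(r"idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", line, re.I)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def check_idmap_overlap(smbconf: str) -> List[str]:
    """Flag overlapping idmap ranges; overlaps make uid/gid mappings ambiguous and testparm warns about them."""
    findings = []
    items = sorted(idmap_ranges(smbconf).items(), key=lambda kv: kv[1][0])
    for (d1, (lo1, hi1)), (d2, (lo2, hi2)) in zip(items, items[1:]):
        if lo2 <= hi1:
            findings.append(f"idmap range for {d1} ({lo1}-{hi1}) overlaps {d2} ({lo2}-{hi2})")
    return findings


if __name__ == "__main__":
    for finding in (check_helper_order(SAMPLE_SQUID_CONF)
                    + check_ldap_transport(SAMPLE_SQUID_CONF)
                    + check_idmap_overlap(SAMPLE_SMB_CONF)):
        print("WARN:", finding)
```

Run it against your own files by reading them into the two strings; on the sample input it reports the negotiate helper sitting behind basic, the `ldap://dc1` URI, and the 2000-19999 / 10000-3999999 collision, and stays silent once those three lines are corrected.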