[Samba] samba 4.10 + SQUID 4.6 (FreeBSD) Fresh install - Error ownership folder

L.P.H. van Belle belle at bazuin.nl
Tue Apr 23 08:04:13 UTC 2019


In addition. 

Everything Rowland noticed is correct, and I noticed you are probably missing the HTTP/ SPN. 
Because squid 4.6 with samba and kerberos works great here. 

Read this: 
https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos 

Now, in addition, the krb5.conf shown there is not needed; keep your default. 
If you need to adjust it, then it is probably: 

[libdefaults]
      default_realm = ADDCDOM.REALM.TLD

; for Windows 2008 with AES
; this is optional, but if you have problems, set it, it won't hurt. 
      default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
      default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
      permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

For the keytab part, don't use msktutil. 
Just set up a member with winbind installed only and join the domain.
Then, when this server is domain joined, run this: 

kinit administrator
export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab
net ads keytab CREATE
net ads keytab ADD HTTP
unset KRB5_KTNAME

chown proxy:proxy /etc/squid/HTTP.keytab
! Change user/group here if needed, I don't know FreeBSD. 


And (for example) on Debian 8/9/10, in
/etc/default/squid

add this part at the beginning, or put it in your init script: 
KRB5_KTNAME=/etc/squid/HTTP.keytab
export KRB5_KTNAME


And for reference, the smb.conf I use: 
[global]
    workgroup = ADDCDOM
    security = ads
    realm = ADDCDOM.REALM.TLD

    netbios name = PROXY1
    preferred master = no
    domain master = no
    host msdfs = no

    # explicitly set, because I use a caching and forwarding DNS on the proxy. 
    interfaces = 192.168.0.11 127.0.0.1
    bind interfaces only = yes
    dns proxy = yes

    server signing = mandatory
    ntlm auth = no

    #Add and Update TLS Key
    tls enabled = yes
    # i have my own certs configured, using the default works also. 
    tls keyfile = /etc/ssl/local/private/xxxxx.key.pem
    tls certfile = /etc/ssl/local/certs/xxxxxx.cert.pem
    tls cafile = /etc/ssl/certs/xxxxx-ca.pem

    ## map ids from outside the domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999

    ## map ids from the domain; the ranges may not overlap!
    idmap config ADDCDOM: backend = ad
    idmap config ADDCDOM: schema_mode = rfc2307
    idmap config ADDCDOM: range = 10000-3999999

    # if you need to login also with ssh you need a uid.
    idmap config ADDCDOM: unix_nss_info = yes

    # Keytab and method.
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    # renew the kerberos ticket, is a must have. 
    winbind refresh tickets = yes

    # Use home directory and shell information from AD
    # winbind nss info = rfc2307 is overruled by the unix_nss_info (PER DOMAIN) option

    # show domain prefix
    # set to no, don't use the default domain, output shows: DOMAIN\user
    # set to yes, use the default domain, output shows: user
    winbind use default domain = yes

    # show users with : getent passwd username
    winbind enum users  = no
    winbind enum groups = no

    # enable offline logins
    winbind offline logon = yes

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/samba_usermapping

    # disable usershares creating, when set empty no error log messages.
    usershare path =

    # Disable printing completely
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes


Then use one of these to set up Squid and its helpers. 

# If you have a correct DNS, A and PTR for every server.
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy1.rotterdam.bazuin.nl@ADDCDOM.REALM.TLD \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=ADDCDOM

## or the same; check the -s! This setup does not require A+PTR 
#auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
#    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME \
#    --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD

# optional: add the ldap (basic) fallback also, then you have 3. 
# kerberos => NTLM => Basic. 


This should help you going, more questions, just ask. 


Greetz, 

Louis

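The keytab steps above are easy to get half right (HTTP/ SPN never added, wrong owner after the chown, a keytab readable by everyone). Here are a few checks for the finished /etc/squid/HTTP.keytab, as an added example that is not part of the list post; it assumes klist(1) from MIT or Heimdal Kerberos, and the listings it carries are constructed sample output.

```shell
# Sanity checks for a Squid keytab created with `net ads keytab ADD HTTP`.
# Added example, not part of the list post. Assumes klist(1) from MIT or
# Heimdal Kerberos; the listings below are constructed sample output.

# has_http_spn: read `klist -kt <keytab>` output on stdin and succeed only
# if at least one HTTP/<host>@<REALM> entry is present (the SPN that
# negotiate_kerberos_auth -s HTTP/... looks up).
has_http_spn() {
    grep -Eq '[[:space:]]HTTP/[^[:space:]@]+@[^[:space:]]+[[:space:]]*$'
}

# count_http_kvnos: print the number of distinct key version numbers among
# the HTTP/ entries. More than one usually means a stale entry from an
# earlier keytab run; rebuild the keytab rather than leave the old key in.
count_http_kvnos() {
    awk '/[[:space:]]HTTP\//{k[$1]=1} END{n=0; for(i in k) n++; print n}'
}

# check_keytab_file: $1 = keytab path, $2 = account Squid's helpers run as.
# The file must exist, be owned by that account (the chown step above) and
# not be readable by "other": a keytab is a long-term key, not a config file.
check_keytab_file() {
    kt=$1; want=$2
    [ -f "$kt" ] || { echo "missing: $kt" >&2; return 1; }
    owner=$(ls -l "$kt" | awk '{print $3}')
    [ "$owner" = "$want" ] || { echo "owner $owner, want $want" >&2; return 1; }
    other=$(ls -l "$kt" | cut -c8-10)
    [ "$other" = "---" ] || { echo "$kt is readable by others" >&2; return 1; }
}

# Constructed sample of `klist -kt /etc/squid/HTTP.keytab` (not real output).
SAMPLE_GOOD='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ---------------------------------------------
   3 04/23/2019 10:04:13 PROXY1$@ADDCDOM.REALM.TLD
   3 04/23/2019 10:04:13 HTTP/proxy1.addcdom.realm.tld@ADDCDOM.REALM.TLD
   3 04/23/2019 10:04:13 HTTP/PROXY1@ADDCDOM.REALM.TLD'

# Constructed listing of a keytab that only ever had `keytab CREATE` run.
SAMPLE_NO_HTTP='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ---------------------------------------------
   3 04/23/2019 10:04:13 PROXY1$@ADDCDOM.REALM.TLD
   3 04/23/2019 10:04:13 host/proxy1.addcdom.realm.tld@ADDCDOM.REALM.TLD'

# Typical use on the proxy itself:
#   klist -kt /etc/squid/HTTP.keytab | has_http_spn && echo "HTTP SPN ok"
#   check_keytab_file /etc/squid/HTTP.keytab proxy
```

Run these before starting Squid; if has_http_spn fails, the negotiate helper will fail in exactly the way the original poster describes.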

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of 
> Suporte - KONTROL via samba
> Sent: Saturday, 20 April 2019 23:57
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba 4.10 + SQUID 4.6 (FreeBSD) Fresh 
> install - Error ownership folder
> Urgency: High
> 
> Hi Rowland
> 
> Appreciate the message and the tips.
> I updated my smb file, although the Kerberos error still showing up.
> 
> Thanks Anyway.
> 
> Fabricio.
> 
> -----Original Message-----
> From: samba <samba-bounces at lists.samba.org> On Behalf Of 
> Rowland Penny via samba
> Sent: Friday, April 19, 2019 4:45 AM
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba 4.10 + SQUID 4.6 (FreeBSD) Fresh 
> install - Error ownership folder
> 
> On Thu, 18 Apr 2019 18:33:03 -0300
> Kontrol-Suporte via samba <samba at lists.samba.org> wrote:
> 
> > Hello everyone,
> > 
> > Just made a brand new installation of the Samba 4.10 for 
> FreeBSD (got 
> > it from FreeNAS project) and it worked very well but I am 
> facing some 
> > issues while working with it + Squid 4.6
> > 
> > Here is the thing.  I could Join the machine to my Domain with 
> > absolutely no problems. I also created the Kerberos keytab, etc.
> > 
> > For some reason, the Squid Helpers are showing an error 
> message, like 
> > the one below.
> > 
> > Although, NTLM helper is working fine and authenticating with no 
> > errors, Kerberos helper is not working at all and it fails crashing 
> > the Squid as it Terminated abnormally.
> > 
> >  
> > 
> > Here is my smb4.conf file, just in case I am using any 
> > deprecated/Invalid configuration.
> 
> Not so much deprecated or invalid, but un-needed/missing?
> 
> Remove the defaults:
> 
> [global]
>     workgroup = DOMAIN
>     realm  = DOMAIN.CORP
>     security = ads
> 
>     idmap config DOMAIN : backend = rid
>     idmap config DOMAIN : range = 10000-20000
> 
>     template shell = /bin/bash
>     winbind offline logon = yes
>     winbind refresh tickets = yes
>     winbind use default domain = yes
>     log level = 3 passdb:5 winbind:3
>     printcap name = /dev/null
>     load printers = no
>     printing = bsd
>     local master = no
>     kerberos method = secrets and keytab
> 
> [homes]
>     comment = Home Directories
>     valid users = %s, %D%W%S
>     browseable = no
>     read only = no
>     inherit acls = yes
> 
> The missing:
> 
>     idmap config * : backend = tdb
>     idmap config * : range = 3999-7999 
> 
> >  
> > 
> > I know it seems something wrong with SQUID, not SAMBA 4.10, 
> but I am 
> > just wondering if I committed any mistake during the configuration 
> > process.
> 
> The probably missing (part 2):
> 
>     ntlm auth = mschapv2-and-ntlmv2-only
> 
> Not sure what Samba version you used last, but NTLMv1 is now 
> turned off by default.
> 
> Rowland
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 
> 
> 



