[Samba] samba 4.10 + SQUID 4.6 (FreeBSD) Fresh install - Error ownership folder
L.P.H. van Belle
belle at bazuin.nl
Tue Apr 23 08:04:13 UTC 2019
In addition.
Everything Rowland noticed is correct, and I noticed you are probably missing the HTTP/ SPN.
Because Squid 4.6 with Samba and Kerberos works great here.
Read this..
https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
Now, in addition, the krb5.conf shown there is not needed; keep your default.
If you need to adjust it, then it is probably:
[libdefaults]
default_realm = ADDCDOM.REALM.TLD
; for Windows 2008 with AES
; this is optional, but if you have problems, set it, it wont hurt.
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
The keytab part: don't use msktutil.
Just set up a member with winbind installed only and join the domain.
Then, when this server is domain joined, run this:
kinit administrator                              # ticket for an account allowed to manage the machine account
export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab   # write to Squid's own keytab, not /etc/krb5.keytab
net ads keytab CREATE
net ads keytab ADD HTTP                          # adds the HTTP/<fqdn> keys to that keytab
unset KRB5_KTNAME
chown proxy:proxy /etc/squid/HTTP.keytab         # the Squid helper must be able to read it
! Change user/group here if needed, I don't know FreeBSD..
And (by example) in Debian 8/9/10:
/etc/default/squid
Add this part at the beginning, or put it in your init script.
KRB5_KTNAME=/etc/squid/HTTP.keytab
export KRB5_KTNAME
And for smb.conf, I use this for reference.
[global]
workgroup = ADDCDOM
security = ads
realm = ADDCDOM.REALM.TLD
netbios name = PROXY1
preferred master = no
domain master = no
host msdfs = no
# explicitly set, because I use a caching and forwarding DNS on the proxy.
interfaces = 192.168.0.11 127.0.0.1
bind interfaces only = yes
dns proxy = yes
server signing = mandatory
ntlm auth = no
#Add and Update TLS Key
tls enabled = yes
# I have my own certs configured; using the default works also.
tls keyfile = /etc/ssl/local/private/xxxxx.key.pem
tls certfile = /etc/ssl/local/certs/xxxxxx.cert.pem
tls cafile = /etc/ssl/certs/xxxxx-ca.pem
## map ids from outside the domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain; the ranges may not overlap!
idmap config ADDCDOM: backend = ad
idmap config ADDCDOM: schema_mode = rfc2307
idmap config ADDCDOM: range = 10000-3999999
# if you also need to log in with ssh you need a uid.
idmap config ADDCDOM: unix_nss_info = yes
# Keytab and method.
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
# renew the kerberos ticket, is a must have.
winbind refresh tickets = yes
# Use home directory and shell information from AD
# winbind nss info = rfc2307 is overruled by the unix_nss_info (PER DOMAIN) option
# show domain prefix
# set to no: don't use the default domain, output shows: DOMAIN\user
# set to yes: use the default domain, output shows: user
winbind use default domain = yes
# show users with : getent passwd username
winbind enum users = no
winbind enum groups = no
# enable offline logins
winbind offline logon = yes
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/samba_usermapping
# disable usershare creation; when set empty there are no error log messages.
usershare path =
# Disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
Then use one of these to set up Squid and its helpers.
# If you have a correct DNS, A and PTR for every server.
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
--kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy1.rotterdam.bazuin.nl@ADDCDOM.REALM.TLD \
--ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=ADDCDOM
## or the same, but check the -s! This setup does not require A+PTR
#auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
# --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME \
# --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD
# optional: add the ldap (basic) fallback also, then you have 3.
# kerberos => NTLM => Basic.
This should get you going; more questions, just ask.
Greetz,
Louis
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> Suporte - KONTROL via samba
> Sent: Saturday 20 April 2019 23:57
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba 4.10 + SQUID 4.6 (FreeBSD) Fresh
> install - Error ownership folder
> Importance: High
>
> Hi Rowland
>
> Appreciate the message and the tips.
> I updated my smb file, although the Kerberos error still showing up.
>
> Thanks Anyway.
>
> Fabricio.
>
> -----Original Message-----
> From: samba <samba-bounces at lists.samba.org> On Behalf Of
> Rowland Penny via samba
> Sent: Friday, April 19, 2019 4:45 AM
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba 4.10 + SQUID 4.6 (FreeBSD) Fresh
> install - Error ownership folder
>
> On Thu, 18 Apr 2019 18:33:03 -0300
> Kontrol-Suporte via samba <samba at lists.samba.org> wrote:
>
> > Hello everyone,
> >
> > Just made a brand new installation of the Samba 4.10 for FreeBSD (got
> > it from FreeNAS project) and it worked very well but I am facing some
> > issues while working with it + Squid 4.6
> >
> > Here is the thing. I could Join the machine to my Domain with
> > absolutely no problems. I also created the Kerberos keytab, etc.
> >
> > For some reason, the Squid Helpers are showing an error message, like
> > the one below.
> >
> > Although, NTLM helper is working fine and authenticating with no
> > errors, Kerberos helper is not working at all and it fails crashing
> > the Squid as it Terminated abnormally.
> >
> >
> >
> > Here is my smb4.conf file, just in case I am using any
> > deprecated/Invalid configuration.
>
> Not so much deprecated or invalid, but un-needed/missing ?
>
> Remove the defaults:
>
> [global]
> workgroup = DOMAIN
> realm = DOMAIN.CORP
> security = ads
>
> idmap config DOMAIN : backend = rid
> idmap config DOMAIN : range = 10000-20000
>
> template shell = /bin/bash
> winbind offline logon = yes
> winbind refresh tickets = yes
> winbind use default domain = yes
> log level = 3 passdb:5 winbind:3
> printcap name = /dev/null
> load printers = no
> printing = bsd
> local master = no
> kerberos method = secrets and keytab
>
> [homes]
> comment = Home Directories
> valid users = %s, %D%W%S
> browseable = no
> read only = no
> inherit acls = yes
>
> The missing:
>
> idmap config * : backend = tdb
> idmap config * : range = 3999-7999
>
> >
> >
> > I know it seems something wrong with SQUID, not SAMBA 4.10, but I am
> > just wondering if I committed any mistake during the configuration
> > process.
>
> The probably missing (part 2):
>
> ntlm auth = mschapv2-and-ntlmv2-only
>
> Not sure what Samba version you used last, but NTLMv1 is now
> turned off by default.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
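As an added, offline check of the keytab step in Louis's mail (the kinit / net ads keytab / chown sequence), here is an example script; it is not code from the mail or from the Samba or Squid projects. It assumes the keytab path and owner from the mail (/etc/squid/HTTP.keytab, user proxy), a placeholder host name proxy1.example.com in the realm ADDCDOM.REALM.TLD, and the MIT Kerberos tools (the listing parser expects "klist -ke" output; Heimdal's "ktutil list" layout differs, and "kinit -k -t" is MIT syntax). It verifies the two things that make the negotiate helper fail silently: the HTTP/<fqdn> principal (with an AES key) is really in the keytab, and the file is owned by the helper's user and readable by nobody else.

```shell
#!/bin/sh
# Added example: post-join sanity checks for the Squid HTTP keytab.
# Not from the mailing-list post or from Samba/Squid. Assumptions (placeholders):
# host proxy1.example.com, realm ADDCDOM.REALM.TLD, keytab /etc/squid/HTTP.keytab,
# owner "proxy", MIT "klist -ke" output format.

KEYTAB=${KEYTAB:-/etc/squid/HTTP.keytab}
SPN=${SPN:-HTTP/proxy1.example.com@ADDCDOM.REALM.TLD}
OWNER=${OWNER:-proxy}

# Constructed sample of "klist -ke /etc/squid/HTTP.keytab" output, so the parsing
# can be exercised on a host that is not domain joined.
SAMPLE_KLIST='Keytab name: FILE:/etc/squid/HTTP.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/proxy1.example.com@ADDCDOM.REALM.TLD (aes256-cts-hmac-sha1-96)
   3 HTTP/proxy1.example.com@ADDCDOM.REALM.TLD (aes128-cts-hmac-sha1-96)
   3 HTTP/proxy1.example.com@ADDCDOM.REALM.TLD (arcfour-hmac)
   3 PROXY1$@ADDCDOM.REALM.TLD (aes256-cts-hmac-sha1-96)'

# keytab_has_spn KLIST_OUTPUT PRINCIPAL [ENCTYPE]
# Prints "ok" if the listing has an entry for PRINCIPAL (optionally restricted to
# ENCTYPE), "missing" otherwise. In "klist -ke" lines, field 2 is the principal and
# field 3 the "(enctype)".
keytab_has_spn() {
    printf '%s\n' "$1" | awk -v spn="$2" -v enc="${3:-}" '
        BEGIN { want = (enc == "") ? "" : "(" enc ")" }
        $2 == spn && (want == "" || $3 == want) { found = 1 }
        END { print (found ? "ok" : "missing") }'
}

# keytab_perms_ok PATH OWNER
# Prints "ok" when PATH is a regular file owned by OWNER (name or numeric uid) and
# is readable by neither group nor others; "missing-file" or "bad-perms" otherwise.
# POSIX find: -perm -040 tests the group-read bit, -perm -004 the other-read bit.
keytab_perms_ok() {
    [ -f "$1" ] || { echo missing-file; return 0; }
    if [ -n "$(find "$1" -user "$2" ! -perm -040 ! -perm -004 -print 2>/dev/null)" ]; then
        echo ok
    else
        echo bad-perms
    fi
}

# Live checks against this host; only run when RUN_KEYTAB_CHECKS=1 so the file
# can also be sourced or tested offline.
run_keytab_checks() {
    echo "keytab ownership/mode: $(keytab_perms_ok "$KEYTAB" "$OWNER")"
    if command -v klist >/dev/null 2>&1; then
        listing=$(klist -ke "$KEYTAB" 2>/dev/null)
        echo "SPN $SPN (aes256): $(keytab_has_spn "$listing" "$SPN" aes256-cts-hmac-sha1-96)"
        echo "SPN $SPN (any enctype): $(keytab_has_spn "$listing" "$SPN")"
    fi
    # The decisive test: the keytab must be able to obtain a ticket for its own principal.
    if command -v kinit >/dev/null 2>&1; then
        if KRB5CCNAME=MEMORY:keytabcheck kinit -k -t "$KEYTAB" "$SPN"; then
            echo "kinit -k: ok"
        else
            echo "kinit -k: FAILED (wrong SPN, stale KVNO or unreadable keytab)"
        fi
    fi
}

if [ "${RUN_KEYTAB_CHECKS:-0}" = 1 ]; then
    run_keytab_checks
fi
```

Run it on the proxy as the Squid user with RUN_KEYTAB_CHECKS=1 (set SPN to the real HTTP/<fqdn>@REALM); a "missing" for the HTTP principal means "net ads keytab ADD HTTP" did not land in the keytab Squid reads, and "bad-perms" means the chown/mode step is wrong, which is exactly the case where the NTLM helper still works but the Kerberos helper dies.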