Suporte - KONTROL
2018-Apr-05 18:39 UTC
[Samba] Question: Samba and YP-Yellow Pages relation.
Hello Everyone,

I am pretty new on this SAMBA list, so greetings!
I have a technical question about the relation of SAMBA and YP (Yellow Pages/NIS).

I've been learning how to make my Firewall/proxy solution (based on FreeBSD/pfSense) have a trust relationship with the Microsoft AD/Domain so I can have Single Sign-on with NTLM/Kerberos integration.
pfSense has YP (Yellow Pages) disabled by default, which makes SAMBA fail according to the pfSense technical forum people.
Recently, I found a supposed patched version of SAMBA 4.4.16 that doesn't require YP to be enabled. Not sure how people did that, or if that is something normal for version 4.4.16 of Samba (probably not). The point is that Samba 4.4.16 works perfectly.
If I try to do the same with other newer versions, I get error messages like this:
/usr/local/lib/samba4/libsmbconf.so.0: Undefined symbol "yp_match"

The question is: Can I also patch the latest SAMBA version the same way? What are the side effects in the end, and what exactly should I change in the source code before compiling it (if possible)? Maybe enabling YP again would be better?
I really want to replace version 4.4.16 with the latest one available for obvious reasons (too old, insecure at this point).

Thanks in Advance!

Cordially,
Fabricio.
On Thu, 5 Apr 2018 15:39:45 -0300 Suporte - KONTROL via samba <samba at lists.samba.org> wrote:

> Hello Everyone,
> I am pretty new on this SAMBA list, so greetings!
> I have a technical question about the relation of SAMBA and YP (Yellow
> Pages/ NiS)
>
> I've been learning on how to make my Firewall/proxy solution (based on
> FREEBSD/PfSense) to have a trust-relationship with the Microsoft
> AD/Domain so I can have Single Sign-on with NTLM/Kerberos integration.
> PfSense has the YP (Yellow Pages) disabled by default, what makes
> SAMBA fail according to pfSense technical forum people.
> Recently, I found a supposed patched version of SAMBA 4.4.16 that
> doesn't require the YP enabled. Not sure how people did that, or, if
> that is something normal for the version 4.4.16 of Samba. (probably
> not) the point is that Samba 4.4.16 works perfectly.
> If I try to do the same with other newer versions, I got error
> messages like this: /usr/local/lib/samba4/libsmbconf.so.0: Undefined
> symbol "yp_match"
>
> The question is: Can I also patch the latest SAMBA version the same
> way? What are the side effects in the end and What exactly should I
> change in the Source Code before compiling it? (if possible) Maybe
> to enable YP back would be better?
> I really want to replace the version 4.4.16 by the latest one
> available for obvious reasons (too old, Insecure at this point).
>
> Thanks in Advance!
>
> Cordially,
> Fabricio.

Hi, around here we call YP NIS ;-)

I am having trouble trying to understand what you are trying to achieve. Do your users need to log into the pfSense machine?

I think you need to explain in a bit more depth how your Firewall/proxy works, starting with how you want to run Samba: is it as a DC, Unix domain member or a standalone server?

Rowland
Suporte - KONTROL
2018-Apr-05 20:01 UTC
[Samba] Question: Samba and YP-Yellow Pages relation.
Hi Rowland,

First of all, thanks much for the message. Appreciate it!
Here are more details...

The users do not log into the pfSense.
The Samba is being used to authenticate users with the proxy (squid) in a pfSense environment (FreeBSD).
The pfSense box is added to the AD Domain as a "Member" only, so that way the proxy can authenticate against the AD via NTLM/Kerberos.

Here is part of my script to add/leave the Domain and also to create a keytab file to use against Kerberos.

    #joining a Domain
    net ads join createupn=HTTP/hostname001.corp@DOMAIN.CORP -k
    echo
    #adding SPN HTTP
    echo "Adding the SPN HTTP"
    net ads keytab add HTTP
    echo
    #Generating keytab file
    net ads keytab create -k

After that the pfSense box is part of the Domain and I have a keytab file to use for Kerberos authentication.
That's how I add the box to a domain.

Now the problem is that it only works when I use that "special" Samba 4.4.16 version.
I would like to use the LATEST SAMBA version available for security reasons.

Thanks Once again!
Fabricio.
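A way to check the `Undefined symbol "yp_match"` error reported in this thread, as an added example that is not part of the original messages: it compares saved `nm -D` listings of the Samba library and of a candidate provider library, and prints the imported symbols the provider does not export. The function names, the `^yp_` default filter, the sample listings and the use of `/lib/libc.so.7` as the provider are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Save the listings first, e.g.:
#   nm -D /usr/local/lib/samba4/libsmbconf.so.0 > libsmbconf.txt
#   nm -D /lib/libc.so.7 > libc.txt    # provider path is an assumption

# Print undefined (imported) symbol names from an `nm -D` listing on stdin.
undefined_syms() {
    awk '$1 == "U" { sub(/@.*/, "", $2); print $2 }' | LC_ALL=C sort -u
}

# Print defined (exported) names: lines of the form "address type name".
defined_syms() {
    awk 'NF == 3 { sub(/@.*/, "", $3); print $3 }' | LC_ALL=C sort -u
}

# missing_syms LIB_LISTING PROVIDER_LISTING [REGEX]
# Prints symbols LIB imports that PROVIDER does not export.
# REGEX defaults to ^yp_ (the NIS client calls; an assumption of this example).
missing_syms() {
    want=$(mktemp) && have=$(mktemp) || return 2
    undefined_syms < "$1" | { grep -E "${3:-^yp_}" || true; } > "$want"
    defined_syms < "$2" > "$have"
    LC_ALL=C comm -23 "$want" "$have"
    rm -f "$want" "$have"
}

# Write constructed sample listings (not real pfSense output) into directory $1.
write_samples() {
    cat > "$1/libsmbconf.txt" <<'EOF'
                 U talloc_free
                 U yp_get_default_domain
                 U yp_match
0000000000041c20 T lp_load
EOF
    cat > "$1/libc_nis.txt" <<'EOF'
00000000000f1a30 T yp_get_default_domain
00000000000f1c80 T yp_match
0000000000071b00 T printf
EOF
    cat > "$1/libc_no_nis.txt" <<'EOF'
0000000000071b00 T printf
EOF
}

# Stand-alone use: sh check.sh libsmbconf.txt libc.txt
if [ "$#" -ge 2 ]; then missing_syms "$@"; fi
```

An empty result means every matching import is exported by the provider; any name printed is one the runtime linker would report as undefined when the library is loaded against that provider alone.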