Kontrol-Suporte
2019-Apr-18 21:33 UTC
[Samba] samba 4.10 + SQUID 4.6 (FreeBSD) Fresh install - Error ownership folder
Hello everyone,
Just made a brand new installation of Samba 4.10 for FreeBSD (got it
from the FreeNAS project) and it worked very well, but I am facing some
issues while working with it + Squid 4.6.
Here is the thing: I could join the machine to my domain with absolutely no
problems. I also created the Kerberos keytab, etc.
For some reason, the Squid helpers are showing an error message, like the
one below.
Although the NTLM helper is working fine and authenticating with no errors,
the Kerberos helper is not working at all, and it fails, crashing Squid as it
terminated abnormally.
**start error log**
Initialising global parameters
Processing section "[global]"
Initialising global parameters
Processing section "[global]"
Initialising global parameters
directory_create_or_exist_strict: invalid ownership on directory /var/run/samba4/msg.lock
Processing section "[global]"
cmdline_messaging_context: Unable to initialize messaging context.
lp_load_ex: refreshing parameters
**end of error log**
I tried several different ownerships with no success; I also compared with
old versions. Same thing.
The Kerberos helper fails with the following error log:
**start error log**
2019/04/18 18:25:05 kid1| WARNING: negotiateauthenticator #Hlpr1 exited
2019/04/18 18:25:05 kid1| FATAL: The negotiateauthenticator helpers are
crashing too rapidly, need help!
2019/04/18 18:25:05 kid1| Squid Cache (Version 4.6): Terminated abnormally.
CPU Usage: 0.105 seconds = 0.053 user + 0.053 sys
Maximum Resident Size: 122672 KB
Page faults with physical i/o: 0
** end error log**
Here is my smb4.conf file, just in case I am using any deprecated/invalid
configuration.
**smb4.conf**
#########################
[global]
workgroup = DOMAIN
realm = DOMAIN.CORP
client NTLMv2 auth = yes
client lanman auth = no
client plaintext auth = no
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000-20000
map to guest = never
security = ads
template shell = /bin/bash
winbind offline logon = yes
winbind refresh tickets = yes
winbind nested groups = yes
winbind use default domain = yes
encrypt passwords = yes
log level = 3 passdb:5 winbind:3
usershare allow guests = no
printcap name = /dev/null
load printers = no
printing = bsd
local master = no
kerberos method = secrets and keytab
winbind refresh tickets = yes
[homes]
comment = Home Directories
valid users = %s, %D%W%S
browseable = no
read only = no
inherit acls = yes
##############################
**Here the krb5.conf**
############################
[libdefaults]
default_realm = DOMAIN.CORP
dns_lookup_kdc = yes
dns_lookup_realm = yes
ticket_lifetime = 24h
default_keytab_name = /etc/krb5.keytab
forwardable = yes
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
[realms]
DOMAIN.CORP = {
kdc = kontroldc01.domain.corp
admin_server = kontroldc01.domain.corp
default_domain = domain.corp
}
[domain_realm]
.domain.corp = DOMAIN.CORP
domain.corp = DOMAIN.CORP
[logging]
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
####################
I know it seems like something wrong with Squid, not Samba 4.10, but I am just
wondering if I committed any mistake during the configuration process.
Any help will be very welcome and appreciated!
Thanks!
Fabricio.
Rowland Penny
2019-Apr-19 07:44 UTC
[Samba] samba 4.10 + SQUID 4.6 (FreeBSD) Fresh install - Error ownership folder
On Thu, 18 Apr 2019 18:33:03 -0300 Kontrol-Suporte via samba <samba at lists.samba.org> wrote:

> Here is my smb4.conf file, just in case I am using any
> deprecated/Invalid configuration.

Not so much deprecated or invalid, but un-needed/missing ?

Remove the defaults:

[global]
workgroup = DOMAIN
realm = DOMAIN.CORP
security = ads

idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000-20000

template shell = /bin/bash
winbind offline logon = yes
winbind refresh tickets = yes
winbind use default domain = yes
log level = 3 passdb:5 winbind:3
printcap name = /dev/null
load printers = no
printing = bsd
local master = no
kerberos method = secrets and keytab

[homes]
comment = Home Directories
valid users = %s, %D%W%S
browseable = no
read only = no
inherit acls = yes

The missing:

idmap config * : backend = tdb
idmap config * : range = 3999-7999

> I know it seems something wrong with SQUID, not SAMBA 4.10, but I am
> just wondering if I committed any mistake during the configuration
> process.

The probably missing (part 2):

ntlm auth = mschapv2-and-ntlmv2-only

Not sure what Samba version you used last, but NTLMv1 is now turned off by default.

Rowland
Suporte - KONTROL
2019-Apr-20 21:56 UTC
[Samba] samba 4.10 + SQUID 4.6 (FreeBSD) Fresh install - Error ownership folder
Hi Rowland,

Appreciate the message and the tips.
I updated my smb file, although the Kerberos error is still showing up.

Thanks anyway.

Fabricio.
L.P.H. van Belle
2019-Apr-23 08:04 UTC
[Samba] samba 4.10 + SQUID 4.6 (FreeBSD) Fresh install - Error ownership folder
In addition.
Everything Rowland noticed is correct, and I noticed you are probably missing the
HTTP/ SPN.
Because Squid 4.6 with Samba and Kerberos works great here.
Read this:
https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos
Now, in addition: the krb5.conf shown there is not needed; keep your default.
If you need to adjust it, then it is probably:
[libdefaults]
default_realm = ADDCDOM.REALM.TLD
; for Windows 2008 with AES
; this is optional, but if you have problems, set it, it wont hurt.
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
The keytab part: don't use msktutil.
Just set up a member with winbind installed only and join the domain.
Then, when this server is domain joined, run this:
# get a ticket for an account allowed to write the machine's SPNs/keytab
kinit administrator
# write the new keytab to a file Squid's helper will read, not /etc/krb5.keytab
export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab
net ads keytab CREATE
# add the HTTP/<fqdn> service principal the negotiate helper needs
net ads keytab ADD HTTP
unset KRB5_KTNAME
# chown (not chmod) sets owner and group; the keytab holds key material,
# so make it readable by the helper user only
chown proxy:proxy /etc/squid/HTTP.keytab
chmod 600 /etc/squid/HTTP.keytab
! Change user/group here if needed; I don't know FreeBSD.
And (for example) in Debian 8/9/10, in
/etc/default/squid
add at the beginning, or put it in your init script:
KRB5_KTNAME=/etc/squid/HTTP.keytab
export KRB5_KTNAME
And for smb.conf I use, for reference:
[global]
workgroup = ADDCDOM
security = ads
realm = ADDCDOM.REALM.TLD
netbios name = PROXY1
preferred master = no
domain master = no
host msdfs = no
# explicit set, because i use a caching and forwarding dns on the proxy.
interfaces = 192.168.0.11 127.0.0.1
bind interfaces only = yes
dns proxy = yes
server signing = mandatory
ntlm auth = no
#Add and Update TLS Key
tls enabled = yes
# i have my own certs configured, using the default works also.
tls keyfile = /etc/ssl/local/private/xxxxx.key.pem
tls certfile = /etc/ssl/local/certs/xxxxxx.cert.pem
tls cafile = /etc/ssl/certs/xxxxx-ca.pem
## map id's outside to domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain the range may not overlap !
idmap config ADDCDOM: backend = ad
idmap config ADDCDOM: schema_mode = rfc2307
idmap config ADDCDOM: range = 10000-3999999
# if you need to login also with ssh you need a uid.
idmap config ADDCDOM: unix_nss_info = yes
# Keytab and method.
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
# renew the kerberos ticket, is a must have.
winbind refresh tickets = yes
# Use home directory and shell information from AD
# winbind nss info = rfc2307 overruled by the unix_nss_info (PER DOMAIN) option
# show domain prefix
# set to no, dont use the default domain, output shows: DOMAIN\user
# set to yes, use the default domain, output shows: user
winbind use default domain = yes
# show users with : getent passwd username
winbind enum users = no
winbind enum groups = no
# enable offline logins
winbind offline logon = yes
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/samba_usermapping
# disable usershare creation; when set empty, no error log messages.
usershare path
# Disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
Then use one of these to set up Squid and its helpers.
# If you have correct DNS, A and PTR for every server.
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
--kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy1.rotterdam.bazuin.nl@ADDCDOM.REALM.TLD \
--ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=ADDCDOM
## or the same, check the -s ! This setup does not require A+PTR
#auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
# --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME \
# --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD
# optional, add the ldap (basic) fallback also, then you have 3.
# kerberos => NTLM => Basic.
This should help you going, more questions, just ask.
Greetz,
Louis
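The thread leaves three things for the reader to verify by hand: the `invalid ownership on directory /var/run/samba4/msg.lock` error from the first post (Samba's `directory_create_or_exist_strict` refuses a directory not owned by the uid calling it, which is the Squid helper user, not root), Louis's point that the `HTTP/` SPN is probably missing from the keytab and that the keytab must be owned by the helper user, and the `des-cbc-crc`/`des-cbc-md5`/`rc4-hmac` entries in the posted krb5.conf enctype lists (single DES is disabled by default in MIT and Heimdal and refused by Active Directory since 2008 R2, and RC4 is deprecated; listing them only enables a downgrade). The following preflight script is an added example, not code from the thread or from the Samba or Squid projects. The default paths, the helper user name `squid`, the realm `DOMAIN.CORP` and the sample `klist -k` listing in the usage are assumptions for illustration; adjust them to your install.

```sh
#!/bin/sh
# squid_krb_preflight.sh: sanity checks for a winbind + Squid negotiate setup.
# Added example; defaults below are assumptions, pass your own values.
#
#   sh squid_krb_preflight.sh [helper_user] [keytab] [REALM]

# Owner of a path as printed by ls (field 3); works on FreeBSD and Linux.
dir_owner() {
    ls -ld "$1" 2>/dev/null | awk '{print $3}'
}

# 0 when $1 is owned by user $2. directory_create_or_exist_strict() makes the
# same comparison against the caller's uid, so a mismatch here is exactly the
# "invalid ownership on directory" error the helper logged.
dir_owned_by() {
    [ "$(dir_owner "$1")" = "$2" ]
}

# 0 when the "other" permission bits of $1 are ---, i.e. the keytab's key
# material is not world-readable (chmod 600 after chown to the helper user).
not_world_readable() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c8-10)" = "---" ]
}

# 0 when a keytab listing ($1, the text printed by `klist -k <keytab>` on
# MIT or Heimdal) contains the service principal HTTP/<fqdn>@<REALM>.
keytab_has_http_spn() {
    printf '%s\n' "$1" | grep -Fq "HTTP/$2@$3"
}

# Prints krb5.conf enctype lines ($1 is the file's text) that still list
# single DES or RC4; returns 0 when any are found, 1 when the lists are clean.
weak_enctypes() {
    printf '%s\n' "$1" \
        | grep -E '^[[:space:]]*(default_tgs_enctypes|default_tkt_enctypes|permitted_enctypes)' \
        | grep -E 'des-cbc|rc4-hmac|arcfour'
}

main() {
    helper_user="${1:-squid}"
    keytab="${2:-/etc/squid/HTTP.keytab}"
    realm="${3:-DOMAIN.CORP}"
    fqdn="$(hostname -f 2>/dev/null || hostname)"
    rc=0

    # Samba's lock/run directories the helper touches when it starts up.
    for d in /var/run/samba4/msg.lock /var/run/samba4; do
        [ -d "$d" ] || continue
        if dir_owned_by "$d" "$helper_user"; then
            echo "ok:   $d is owned by $helper_user"
        else
            echo "WARN: $d is owned by $(dir_owner "$d"); helper runs as $helper_user"
            rc=1
        fi
    done

    if [ -r "$keytab" ]; then
        dir_owned_by "$keytab" "$helper_user" || { echo "WARN: $keytab not owned by $helper_user"; rc=1; }
        not_world_readable "$keytab" || { echo "WARN: $keytab is world-readable"; rc=1; }
        listing="$(klist -k "$keytab" 2>/dev/null)"
        if keytab_has_http_spn "$listing" "$fqdn" "$realm"; then
            echo "ok:   $keytab contains HTTP/$fqdn@$realm"
        else
            echo "WARN: no HTTP/$fqdn@$realm in $keytab (net ads keytab ADD HTTP)"
            rc=1
        fi
    else
        echo "WARN: keytab $keytab missing or unreadable"
        rc=1
    fi

    if [ -r /etc/krb5.conf ]; then
        weak="$(weak_enctypes "$(cat /etc/krb5.conf)")" && {
            echo "WARN: weak enctypes in /etc/krb5.conf:"
            printf '%s\n' "$weak"
            rc=1
        }
    fi
    return "$rc"
}

# Only run the live checks when invoked as a script, so the functions can be
# sourced and exercised against captured output without touching the system.
case "${0##*/}" in squid_krb_preflight.sh) main "$@" ;; esac
```

The pure functions take captured text rather than running `klist` themselves, so the same checks can be run against a listing pasted from a mailing-list post or from a host you cannot log in to. A non-zero exit from `main` means at least one of the conditions this thread turned on (directory ownership, keytab ownership and mode, missing `HTTP/` SPN, weak enctypes) is present.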