samba - Nov 2011 - Enhancing NTLM Authentication to Remote Site Active Directory server

Hi,

We use NLTM Authentication with Squid is some setups.On those setup,
local machine joins active directory and squid ntlm_auth helper
authenticate through local samba service. Users transparently
authenticate through NTLM authentication handshake on HTTP without
entering any password in their browser.

However, in some cases, branch offices has no local active directory
server. Branch office is connected to the headquarters through a IPSEC
vpn. I can make branch office samba to join to the headquarter active
directory domain and set NTLM authentication on Squid up correctly.

This setup has a weakness inherited from high latency, packet loss
ofsome other things that I dont know about samba. 3-4 times in a
dayusers get prompted with user name password authentication popup
ontheir browser. Sometimes this recovered naturally in a few
minutes.However, it requires rejoining to the domain in come cases.
(wbinfo -tgives error and wbinfo -l can not list users).

I have made some tunings in samba:
? getwd cache = yes
? winbind cache time = 3000
? ldap connection timeout = 10
? ldap timeout = 120

Which other tunings can I do on samba and squid? I need your experiences.

Best Regards,


squid.conf:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 20
auth_param ntlm keep_alive off

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 20
auth_param basic realm Squid AD Auth
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off



/etc/samba/smb.conf:

[global]
  netbios name = SQUID
  realm = MY.DOM
  workgroup = my.dom
  security = ads
  encrypt passwords = yes
  password server = 172.16.5.10
  log level = 3
  log file = /var/log/samba.log
  ldap ssl = no
  idmap uid = 10000-20000
  idmap gid = 10000-20000

  winbind separator = /
  winbind enum users = yes
  winbind enum groups = yes
  winbind use default domain = yes

  domain master = no
  local master = no
  preferred master = no

  template shell = /sbin/nologin

  getwd cache = yes
  winbind cache time = 3000
  ldap connection timeout = 10
  ldap timeout = 120



/etc/krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MY.DOM
 default_tkt_enctypes = rc4-hmac des-cbc-crc
 default_tgs_enctypes = rc4-hmac des-cbc-crc
# dns_lookup_realm = false
# dns_lookup_kdc = false

 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 MY.DOM = {
 kdc = 172.16.5.10
 admin_server = 172.16.5.10
 default_domain = MY.DOM
 }

[domain_realm]
 .ronesans.hol = MY.DOM
 ronesans.hol = MY.DOM

On Tue, 2011-11-01 at 11:56 +0200, Oguz Yilmaz wrote:
> Hi,
> 
> We use NLTM Authentication with Squid is some setups.On those setup,
> local machine joins active directory and squid ntlm_auth helper
> authenticate through local samba service. Users transparently
> authenticate through NTLM authentication handshake on HTTP without
> entering any password in their browser.
> 
> However, in some cases, branch offices has no local active directory
> server. Branch office is connected to the headquarters through a IPSEC
> vpn. I can make branch office samba to join to the headquarter active
> directory domain and set NTLM authentication on Squid up correctly.
> 
> This setup has a weakness inherited from high latency, packet loss
> ofsome other things that I dont know about samba. 3-4 times in a
> dayusers get prompted with user name password authentication popup
> ontheir browser. Sometimes this recovered naturally in a few
> minutes.However, it requires rejoining to the domain in come cases.
> (wbinfo -tgives error and wbinfo -l can not list users).
> 
> I have made some tunings in samba:
>   getwd cache = yes
>   winbind cache time = 3000
>   ldap connection timeout = 10
>   ldap timeout = 120
> 
> Which other tunings can I do on samba and squid? I need your experiences.
None of these things can help, as we cannot cache authentication
details.  The only way to speed things up is to run a Read Only DC, and
allow the local users to have their passwords cached on that DC.  

That can be done with Samba4 or Windows 2008.

Technically, only other option would be to use kerberos to the proxy, as
that will not have the same latency.  (However, the support in Samba for
this mode is poor at the moment). 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org