On 19/10/15 16:46, mathias dufresne wrote:
> AD from Samba or Microsoft is mainly a database for storing users (and
> associated stuff). It also comes with stuff (protocols) to connect and
> retrieve information.
>
> How the client uses this information is, as always, a choice of that
> specific client.
>
> Your AD client is your Squid/Squidguard(ian) server. Its job as AD client
> is to get some user information from AD to build system users. I insist on
> the fact that system users are forged. Purely.
>
> What is responsible for that forging process? What you declared in
> /etc/nsswitch.conf.
> Generally it is winbind, sssd or nslcd.
>
> Each one of these tools comes with its own set of options, tweaks and
> configuration files to define how to forge users from the local system's
> point of view.
>
> Each one except for Winbind, which forges users as it decides to, no matter
> the desires of the local system admin. At least this is how I understood
> winbind behaviour (which has no configuration file as far as I know).

Well, apart from idmap.ldb on a DC and the idmap_config lines in smb.conf on a domain member, there are no configuration files. :-D

> Perhaps you are using winbind, in that case winbind is responsible for adding
> the domain and backslashes when forging your users.
>
> I don't know nslcd at all but some on that mailing list are using it. So I
> expect it does its job too.
>
> I tried SSSD for the company I'm working for these days and it comes with a lot
> of configuration options. I expect it can force addition of the AD domain to
> the username but it is not the default behaviour.
>
> On some DC where it uses winbind to forge users:

No, sorry, I cannot understand what you mean by forge, in English this word is used for creating your own banknotes or a thing used by a blacksmith.

> wbinfo -i mathias.dufresne
> AD.DGFIP\mathias.dufresne:*:1000:100:Mathias Dufresne:/home/AD.DGFIP/mathias.dufresne:/bin/false
>
> I use wbinfo to show you how my user is built and not the "getent" command
> because my PAM is not configured on these DCs.
>
> On some file server connected to that very same domain, this server is
> using SSSD rather than winbind:
> getent passwd mathias.dufresne
> mathias.dufresne:*:10002103:10002103:Mathias Dufresne gecos field:/home/mathias.dufresne:/bin/bash
>
> Here we can see that when using SSSD the domain part which was forced by winbind
> is not present.
>
> UIDs are not the same because I changed my UID/GID and on the DC the wbinfo
> command does not reflect that change. SSSD does.

If you add a uidNumber to a user in AD, then it should show on a DC, even if you are not using winbind.

> Home directory: once more, winbind forges its own home directory while SSSD
> is using what I configured in AD in the homeDirectory attribute.
>
> Gecos: SSSD uses the "gecos" field from AD. Winbind decided to use display
> name. With SSSD you can decide to use display name if you want, but only
> if you want.
>
> Etc, etc, etc...
>
> Perhaps I'm totally wrong and you are not using Winbind, in that case you
> should simply have a look into your tool configuration.
> If I'm right, you'll have to change this tool to replace it by something
> configurable.
>
> Best regards,
>
> mathias

Best plan, tell us how you have set up Samba.

Rowland

> 2015-10-19 16:35 GMT+02:00 Andre Freire <andre.freire at hotfixtecnologia.com.br>:
>
>> Hi,
>>
>> I have a Samba 4 Domain Member that I use as a Proxy Server. I use
>> Squid with NTLM Authentication and it works perfectly. My problem is Squidguard
>> with NTLM Authentication. If I use Samba 4.2.X in my Samba 4 Domain
>> Controller I see in the Squid LOG only the user name, but if I use Samba 4.1.x
>> or 4.3.0 in my Domain Controller I see in the Squid LOG domain\\user name and
>> Squidguard Authentication does not work.
>>
>> How can I use Samba 4.3 in my DC and have only the user name appear in the
>> Squid LOG, without the domain?
>>
>> Summing up: If I have a DC with Windows 2k8 or 2k12 or a DC with Samba
>> 4.2.x, the Squid LOG shows only the username and NTLM Authentication of
>> Squid and Squidguard work perfectly, but if I have a DC with Samba 4.1.x or
>> 4.3.0 the Squid LOG shows "domain\\user name" and NTLM Authentication of
>> Squid works but Squidguard doesn't work.
>>
>> Regards,
>> André Freire
>> Managing Partner
>> E-mail: andre.freire at hotfixtecnologia.com.br
>> skype: andrefreire.hf
>> Tel: (71)9381-7372
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
My smb.conf file in the Domain member is:

[global]

netbios name = FW01
workgroup = HOTFIX
security = ADS
realm = HOTFIX.INTRA

idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config HOTFIX:backend = ad
idmap config HOTFIX:schema_mode = rfc2307
idmap config HOTFIX:range = 10000-99999

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes

My /etc/nsswitch is:

passwd: compat winbind
group: compat winbind

If I use Samba 4.2.X or a Windows DC and any version of Samba 4 in the Domain Member, the NTLM authentication of Squid\Squidguard works perfectly, but if I use Samba 4.1.X or Samba 4.3.0, NTLM Authentication works in Squid but doesn't work in Squidguard.

André Freire
Managing Partner
E-mail: andre.freire at hotfixtecnologia.com.br
skype: andrefreire.hf
Tel: (71)9381-7372

2015-10-19 13:08 GMT-03:00 Rowland Penny <rowlandpenny241155 at gmail.com>:

> Best plan, tell us how you have set up Samba.
>
> Rowland
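The symptom André describes, Squid logging "DOMAIN\user" instead of "user" so that the Squidguard helper no longer matches the name, can be confirmed from the proxy's own access.log before any winbind setting is changed. The script below is an added example, not code from this thread or from the Samba or Squid projects. It parses native-format Squid access.log lines, splits the authenticated-user column into a domain part and a bare account name, and counts how often each form appears. It also recognises the user@REALM form that Kerberos (negotiate) authentication produces, which goes beyond the NTLM case discussed here. The log lines, addresses, user names and the HOTFIX domain values used as sample input are constructed for the example.

```python
"""Report whether a Squid access.log carries domain-qualified user names.

Added example, not code from the thread. Native Squid access.log layout is
space separated:
  time elapsed remotehost code/status bytes method URL user hierarchy/peer type
so the authenticated user is the 8th column (index 7).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

USER_FIELD = 7  # zero-based index of the auth-user column in native format

# Domain prefix with one or more backslashes: winbind hands back DOMAIN\user,
# and Squid may escape the separator so the log shows DOMAIN\\user.
_DOMAIN_PREFIX = re.compile(r"^(?P<domain>[^\\@]+)\\+(?P<user>[^\\]+)$")
# Kerberos/UPN form user@REALM (generalisation beyond the NTLM case in the thread).
_UPN_SUFFIX = re.compile(r"^(?P<user>[^@\\]+)@(?P<domain>[^@]+)$")

# Constructed sample log lines (documentation IP range, made-up users).
SAMPLE_LOG = r"""
1445275000.123     45 10.0.0.12 TCP_MISS/200 1523 GET http://example.org/ HOTFIX\andre.freire HIER_DIRECT/192.0.2.10 text/html
1445275001.456     12 10.0.0.13 TCP_MISS/200 842 GET http://example.org/a.css andre.freire HIER_DIRECT/192.0.2.10 text/css
1445275002.789      3 10.0.0.14 TCP_DENIED/407 3200 GET http://example.org/ - HIER_NONE/- text/html
1445275003.000     20 10.0.0.12 TCP_MISS/200 910 GET http://example.org/b.js HOTFIX\\joao.silva HIER_DIRECT/192.0.2.10 application/javascript
1445275004.000     20 10.0.0.15 TCP_MISS/200 910 GET http://example.org/c.js maria.souza@HOTFIX.INTRA HIER_DIRECT/192.0.2.10 application/javascript
"""


@dataclass(frozen=True)
class LogUser:
    raw: str                 # the column exactly as logged
    user: str                # bare account name ("" for anonymous entries)
    domain: Optional[str]    # domain or realm part, None when the name was bare
    form: str                # "bare", "domain-prefixed", "upn" or "anonymous"


def parse_user(raw: str) -> LogUser:
    """Split the access.log user column into bare name and domain part."""
    if raw == "-":
        return LogUser(raw, "", None, "anonymous")
    m = _DOMAIN_PREFIX.match(raw)
    if m:
        return LogUser(raw, m["user"], m["domain"], "domain-prefixed")
    m = _UPN_SUFFIX.match(raw)
    if m:
        return LogUser(raw, m["user"], m["domain"], "upn")
    return LogUser(raw, raw, None, "bare")


def user_field(line: str) -> Optional[str]:
    """Return the auth-user column of a native-format line, or None if malformed."""
    fields = line.split()
    if len(fields) <= USER_FIELD:
        return None
    return fields[USER_FIELD]


def summarise(lines: Iterable[str]) -> Dict[str, object]:
    """Count the forms user names take, so the domain-prefix symptom can be confirmed."""
    forms = Counter()
    domains = Counter()
    malformed = 0
    for line in lines:
        if not line.strip():
            continue
        raw = user_field(line)
        if raw is None:
            malformed += 1
            continue
        parsed = parse_user(raw)
        forms[parsed.form] += 1
        if parsed.domain:
            domains[parsed.domain] += 1
    return {"forms": dict(forms), "domains": dict(domains), "malformed": malformed}


if __name__ == "__main__":
    # Run stand-alone against the constructed sample; replace SAMPLE_LOG with
    # open("/var/log/squid3/access.log") on a real proxy.
    report = summarise(SAMPLE_LOG.splitlines())
    print(report)
    if report["forms"].get("domain-prefixed"):
        print("domain-prefixed names present: check 'winbind use default domain'")
```

If the report shows any "domain-prefixed" entries while your smb.conf already has `winbind use default domain = yes`, the prefix is being introduced before winbind, which is the situation the thread goes on to discuss.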
Hi,

NTLM, yes, sometimes it works, sometimes it does not. I run about the same.

I run squid 3.4.8 on a Debian Wheezy and a Debian Jessie.
Jessie: samba 4.1.17 with squid 3.4.8, all Debian packages.
Wheezy: sernet samba 4.2.4, squid 3.4.8 (rebuilt from Jessie)

I use c-icap and no squidguard (in my old setup I did), but this setup is not ready yet.
It's in production, but I'm testing now also with squidguard and c-icap-squidclamav and its management tool squidguardmgr
http://squidguardmgr.darold.net/install.html
so the final setup will have squidguard also. But I'm still not sure, I did read somewhere about some problems with auth.

Read below, and maybe you see something I don't have or you do have.
These lines were tested and do work on samba 4.1 and samba 4.2, not tested on samba 4.3.
But I don't see why they would not work for you, my smb.conf is about the same as yours.

This is what I have. So if you can post your squid auth setup for NTLM also, I'll test it for you on my samba 4.1.17 and my samba setup; only winbind is used.
My DC and members give the same output with wbinfo, id, getent.

#########################################################################################################
## Authorisations, things to think of.
##
## 1) Pure Kerberos. Passthrough auth for windows users with windows DOMAIN JOINED pc's.
##    Fallback to Ldap for NON WINDOWS NON DOMAIN JOINED Devices.
##    NO NTLM. AKA, a windows pc NOT JOINED in the domain will always end up in a user popup for auth,
##    which will always fail because of NTLM TYPE 1 and TYPE 2 authorisations.
## 2) NEGOTIATE AUTH, which will do all of the above, but also authenticates Windows PC's not domain joined.
##    Which is handy for getting windows updates, etc.
#########################################################################################################

#1## negotiate kerberos and ntlm authentication ( negotiate wrapper test, debian supplied )
#auth_param negotiate program /usr/lib/squid3/negotiate_wrapper_auth -d \
# --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp \
# --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME # --domain=NTDOMAIN

#0## pure negotiate kerberos ( tested, works )
#auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -s HTTP/proxy2.internal.domain.tld at INTERNAL.DOMAIN.TLD
#auth_param negotiate children 10
#auth_param negotiate keep_alive off

### from http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
#1## negotiate kerberos and ntlm authentication with negotiate_wrapper from source
auth_param negotiate program /usr/local/bin/negotiate_wrapper -d \
 --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=gss-spnego --domain=NTDOMAIN \
 --kerberos /usr/lib/squid3/negotiate_kerberos_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 10
auth_param negotiate keep_alive off

#2## pure ntlm authentication
## Not well tested yet. ( the negotiate_wrapper_auth is used for NTLM for now )
#auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=gss-spnego --domain=NTDOMAIN
#auth_param ntlm children 10
#auth_param ntlm keep_alive off

#3## provide basic authentication via ldap for clients not authenticated via kerberos/ntlm
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R \
 -b "ou=Organisation,dc=internal,dc=domain,dc=tld" \
 -D ldap-bind at internal.domain.tld -W /etc/squid3/private/ldap-bind \
 -f (|(userPrincipalName=%s)(sAMAccountName=%s)) \
 -h dc1.internal.domain.tld \
 -h dc2.internal.domain.tld

## This is not tested yet.
### ldap group authorisation
#external_acl_type memberof %LOGIN /usr/lib/squid3/squid_ldap_group -R -K -S \
# -b "dc=internal,dc=domain,dc=tld" \
# -D ldap-bind at internal.domain.tld -W /etc/squid3/private/ldap-bind \
# -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=%g,ou=Security Groups,ou=Organisation,dc=internal,dc=domain,dc=tld))" \
# -h dc1.internal.domain.tld \
# -h dc2.internal.domain.tld

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Andre Freire
> Sent: Monday, 19 October 2015 22:07
> To: Rowland Penny
> CC: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4 + Squidguardian
>
> My smb.conf file in the Domain member is:
>
> [global]
>
> netbios name = FW01
> workgroup = HOTFIX
> security = ADS
> realm = HOTFIX.INTRA
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config HOTFIX:backend = ad
> idmap config HOTFIX:schema_mode = rfc2307
> idmap config HOTFIX:range = 10000-99999
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = Yes
>
> My /etc/nsswitch is:
>
> passwd: compat winbind
> group: compat winbind
>
> If I use Samba 4.2.X or a Windows DC and any version of Samba 4 in the Domain
> Member, the NTLM authentication of Squid\Squidguard works perfectly, but if I use
> Samba 4.1.X or Samba 4.3.0, NTLM Authentication works in Squid but doesn't
> work in Squidguard.
>
> André Freire
> Managing Partner
> E-mail: andre.freire at hotfixtecnologia.com.br
> skype: andrefreire.hf
> Tel: (71)9381-7372
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
2015-10-19 18:08 GMT+02:00 Rowland Penny <rowlandpenny241155 at gmail.com>:

> On 19/10/15 16:46, mathias dufresne wrote:
>
>> Each one except for Winbind, which forges users as it decides to, no matter
>> the desires of the local system admin. At least this is how I understood
>> winbind behaviour (which has no configuration file as far as I know).
>
> Well, apart from idmap.ldb on a DC and the idmap_config lines in smb.conf
> on a domain member, there are no configuration files. :-D

idmap.ldb -> TDB database version 6, little-endian hash size 10000 bytes
idmap_config lines in smb.conf -> how would you set them to configure Winbind to not add the domain to the user? To use gidNumber rather than 100, which seems to reflect "primaryGroupID: 513"? To set up the home directory to unixHomeDirectory or to homeDirectory rather than /home/<short domain name>/sAMAccountName? Is it possible to use CN or userPrincipalName rather than sAMAccountName when building the system user?

So it is not configurable.

>> On some DC where it uses winbind to forge users:
>
> No, sorry, I cannot understand what you mean by forge, in English this
> word is used for creating your own banknotes or a thing used by a
> blacksmith.

In fact a blacksmith forges items using blacksmith tools. He creates these items. These items can be something other than his own tools. In fact if a blacksmith was only able to craft his own tools and nothing else for other people, this kind of job would have quickly disappeared...

Anyway you get the point, forging, crafting, building, assembling elements to obtain something else, they are the same concept.

>> UIDs are not the same because I changed my UID/GID and on the DC the wbinfo
>> command does not reflect that change. SSSD does.
>
> If you add a uidNumber to a user in AD, then it should show on a DC,
> even if you are not using winbind.

Here you should have meant "if you are using winbind", which is true for UID and wrong for GID, which is not reflecting the gidNumber configured in AD.

Should I speak again about home dir? Shell? Gecos? Login attribute?...
SSSD grants the sysadmin the possibility to choose all that, forging users as the sysadmin wants to (which is most generally what his bosses asked of him). Winbind can't.

And here the question is "how can the user have a username using <username> syntax rather than <domainname>\<username>". Is it possible to remove the domain part from the username when using winbind? With the idmap_config lines perhaps? :p

>> Perhaps I'm totally wrong and you are not using Winbind, in that case you
>> should simply have a look into your tool configuration.
>> If I'm right, you'll have to change this tool to replace it by something
>> configurable.
>>
>> Best regards,
>>
>> mathias
>
> Best plan, tell us how you have set up Samba.

And more: how the system is configured to retrieve users from AD! AD seems well configured: it works. The question is about how to obtain system users according to what this user needs and not according to what winbind thinks is the right way.

> Rowland
On 20/10/15 09:05, mathias dufresne wrote:
> 2015-10-19 18:08 GMT+02:00 Rowland Penny <rowlandpenny241155 at gmail.com
> <mailto:rowlandpenny241155 at gmail.com>>:
>
>     On 19/10/15 16:46, mathias dufresne wrote:
>
>         Each one except for Winbind, which forges users as it decides to,
>         no matter the desires of the local system admin. At least this is
>         how I understood winbind behaviour (which has no configuration
>         file as far as I know).
>
>     Well, apart from idmap.ldb on a DC and the idmap_config lines in
>     smb.conf on a domain member, there are no configuration files. :-D
>
> idmap.ldb -> TDB database version 6, little-endian hash size 10000 bytes
> idmap_config lines in smb.conf -> how would you set them to configure
> Winbind to not add the domain to the user?

Well, I will give you this one, on a DC you cannot, but on a domain member you can:

winbind use default domain = yes

However, it is not recommended to use the DC as a fileserver.

> To use gidNumber rather than 100, which seems to reflect
> "primaryGroupID: 513"?

Give the users unique uidNumbers and Domain Users a gidNumber.

> To set up the home directory to unixHomeDirectory or to homeDirectory
> rather than /home/<short domain name>/sAMAccountName?

template homedir = /home/%U

> Is it possible to use CN or userPrincipalName rather than sAMAccountName
> when building the system user?

No, you have lost me again, what do you mean by 'building the system user'?

> So it is not configurable.

Yes it is, fully on a domain member, partially on a DC.

>     No, sorry, I cannot understand what you mean by forge, in English
>     this word is used for creating your own banknotes or a thing used
>     by a blacksmith.
>
> In fact a blacksmith forges items using blacksmith tools. He creates
> these items. These items can be something other than his own tools. In
> fact if a blacksmith was only able to craft his own tools and nothing
> else for other people, this kind of job would have quickly disappeared...

So what you meant was 'create a user', please don't try to get creative with the English language, just say what you mean. As for forge and a blacksmith, the word can mean the place a blacksmith works, or the 'action' of the blacksmith doing something, i.e. a blacksmith forges horseshoes (technical note: no, this is actually done by a farrier) (further note: blacksmiths have virtually disappeared).

Have we played enough with *my* language yet?

> Anyway you get the point, forging, crafting, building, assembling
> elements to obtain something else, they are the same concept.

Same basic concept, but they all mean totally different things.

>     If you add a uidNumber to a user in AD, then it should show
>     on a DC, even if you are not using winbind.
>
> Here you should have meant "if you are using winbind", which is true
> for UID and wrong for GID, which is not reflecting the gidNumber configured
> in AD.

Ah, that is because you think that giving a user a gidNumber, this becomes the user's main GID, it doesn't. The user's primary gid number is obtained from what is set in the aptly named 'PrimaryGidNumber' attribute, AD obtains this and then uses whatever gidNumber that group's object contains.

> Should I speak again about home dir? Shell? Gecos? Login attribute?...

No, because I have already dealt with that.

> SSSD grants the sysadmin the possibility to choose all that, forging users as
> the sysadmin wants to (which is most generally what his bosses asked of
> him). Winbind can't.
> And here the question is "how can the user have a username using
> <username> syntax rather than <domainname>\<username>". Is it possible
> to remove the domain part from the username when using winbind? With the
> idmap_config lines perhaps? :p

Anything that sssd can do, winbind can do, but, as I have admitted, only fully on a domain member.

> And more: how the system is configured to retrieve users from AD! AD seems
> well configured: it works. The question is about how to obtain system
> users according to what this user needs and not according to what
> winbind thinks is the right way.

As I said, winbind will do what sssd does, in fact winbind is that good, the later versions of sssd implement a lot of the winbind code.

Rowland
> Well, I will give you this one, on a DC you cannot, but on a domain member
> you can: winbind use default domain = yes
> However, it is not recommended to use the DC as a fileserver

wbinfo -u returns only the username on my DCs. Just add this to the DC and it
works fine, yes yes, it's for a member server, but it works fine for me on my
DCs also, and as a result getent, id and wbinfo do return the same info on
all my servers. I believe it's safe to use it like this.

Sidenote: IF you assign all users/groups a UID/GID. If not all are assigned,
the groups on the DC get a 3xxxxxx GID or no users are shown.

    # Use home directory and shell information from AD
    winbind nss info = rfc2307
    winbind use default domain = yes
    template shell = /bin/bash
    template homedir = /home/users/%U

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> Sent: Tuesday 20 October 2015 11:10
> To: samba
> Subject: Re: [Samba] Samba 4 + Squidguardian
>
> On 20/10/15 09:05, mathias dufresne wrote:
> >
> > 2015-10-19 18:08 GMT+02:00 Rowland Penny <rowlandpenny241155 at gmail.com
> > <mailto:rowlandpenny241155 at gmail.com>>:
> >
> >     On 19/10/15 16:46, mathias dufresne wrote:
> [...]
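Rowland's reply and Louis's smb.conf snippet above describe in words how winbind on a domain member assembles the passwd entry: the DOMAIN\ prefix disappears with winbind use default domain = yes, the primary GID is the gidNumber of the group selected by the user's primaryGroupID (not the gidNumber on the user object), and home directory and shell come from unixHomeDirectory and loginShell only with winbind nss info = rfc2307, otherwise from the template settings. The Python script below is an added example, not code from Samba or from anyone in this thread; it models that mapping for the idmap backend = ad / schema_mode = rfc2307 case and diffs the result against a getent passwd line, so a member server that is still running the stock settings shows up field by field. The directory records, the getent output, the domain SID, the NetBIOS name and all ID numbers are constructed to mirror the thread; the fallback to the templates when an RFC2307 attribute is absent is an assumption and is marked as such in the code.

```python
"""Model of how winbind on a Samba domain member (idmap backend = ad, schema_mode =
rfc2307) builds a passwd(5) line from AD, plus a diff against a real getent line.
Added example for the thread above, not Samba code or any poster's code; every
record, ID, the domain SID and the NetBIOS name below are constructed."""
from dataclasses import dataclass

DOMAIN_NETBIOS = "AD"                                      # constructed
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed

# Constructed LDIF-style export.  The user's own gidNumber (10002103) deliberately
# differs from the gidNumber of Domain Users (10000513) to show which one is used.
AD_EXPORT = """\
sAMAccountName: mathias.dufresne
displayName: Mathias Dufresne
primaryGroupID: 513
uidNumber: 10002103
gidNumber: 10002103
unixHomeDirectory: /home/mathias.dufresne
loginShell: /bin/bash

objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
gidNumber: 10000513
"""

class MappingError(Exception):
    """winbind would not hand this user to NSS at all."""

@dataclass(frozen=True)
class SmbConf:
    """The smb.conf settings discussed in the thread, with Samba's defaults."""
    use_default_domain: bool = False        # winbind use default domain
    nss_info_rfc2307: bool = False          # winbind nss info = rfc2307
    template_homedir: str = "/home/%D/%U"   # template homedir
    template_shell: str = "/bin/false"      # template shell
    separator: str = "\\"                   # winbind separator

def parse_ldif(text):
    """Minimal LDIF reader: one {attribute: [values]} dict per record."""
    records = []
    for chunk in text.strip().split("\n\n"):
        rec = {}
        for attr, _, value in (ln.partition(": ") for ln in chunk.splitlines()):
            rec.setdefault(attr, []).append(value)
        records.append(rec)
    return records

def expand_template(template, sam):
    """%U is the user name and %D the NetBIOS domain, as in smb.conf(5)."""
    return template.replace("%U", sam).replace("%D", DOMAIN_NETBIOS)

def build_passwd_entry(user, groups, conf):
    """Return the passwd line winbind would produce for this user."""
    sam = user["sAMAccountName"][0]
    # 'winbind use default domain = yes' drops DOMAIN\ for the joined domain only.
    name = sam if conf.use_default_domain else f"{DOMAIN_NETBIOS}{conf.separator}{sam}"
    if "uidNumber" not in user:
        raise MappingError(f"{sam} has no uidNumber; idmap_ad cannot map it")
    uid = int(user["uidNumber"][0])
    # Primary GID: primaryGroupID is a RID; winbind forms DOMAIN_SID-RID and takes
    # THAT group's gidNumber.  The gidNumber on the user object is not consulted.
    group_sid = f"{DOMAIN_SID}-{user['primaryGroupID'][0]}"
    group = next((g for g in groups if g.get("objectSid") == [group_sid]), None)
    if group is None or "gidNumber" not in group:
        raise MappingError(f"primary group {group_sid} has no gidNumber; "
                           f"{sam} will not appear in getent passwd")
    gid = int(group["gidNumber"][0])
    # Home and shell: RFC2307 attributes only with 'winbind nss info = rfc2307';
    # otherwise, and (assumption) when the attribute is absent, the templates.
    home = (user["unixHomeDirectory"][0] if conf.nss_info_rfc2307 and
            "unixHomeDirectory" in user else expand_template(conf.template_homedir, sam))
    shell = (user["loginShell"][0] if conf.nss_info_rfc2307 and
             "loginShell" in user else conf.template_shell)
    gecos = user.get("displayName", [sam])[0]   # winbind fills gecos from displayName
    return f"{name}:*:{uid}:{gid}:{gecos}:{home}:{shell}"

def mapping_problem(user, groups, conf):
    """None if winbind would map the user, else the reason it would not."""
    try:
        build_passwd_entry(user, groups, conf)
    except MappingError as err:
        return str(err)
    return None

def diff_passwd(expected, actual):
    """(field, expected, actual) for every passwd field that disagrees."""
    fields = ("name", "password", "uid", "gid", "gecos", "home", "shell")
    return [t for t in zip(fields, expected.split(":"), actual.split(":")) if t[1] != t[2]]

def demo():
    records = parse_ldif(AD_EXPORT)
    user = next(r for r in records if "primaryGroupID" in r)
    groups = [r for r in records if "objectSid" in r]
    stock = SmbConf()
    louis = SmbConf(use_default_domain=True, nss_info_rfc2307=True,
                    template_shell="/bin/bash", template_homedir="/home/users/%U")
    # Constructed 'getent passwd mathias.dufresne' from a member still running the
    # stock settings although the admin intended Louis's.
    observed = ("AD\\mathias.dufresne:*:10002103:10000513:Mathias Dufresne:"
                "/home/AD/mathias.dufresne:/bin/false")
    no_gid = [{k: v for k, v in g.items() if k != "gidNumber"} for g in groups]
    return {
        "stock": build_passwd_entry(user, groups, stock),
        "louis": build_passwd_entry(user, groups, louis),
        "drift": diff_passwd(build_passwd_entry(user, groups, louis), observed),
        "no_group_gid": mapping_problem(user, no_gid, stock),   # Louis's failure mode
    }

if __name__ == "__main__":
    print(*demo().items(), sep="\n")
```

Running the script prints the entry the stock settings give, the entry Louis's four lines give, the three fields (name, home, shell) that differ between them, and the reason winbind stops publishing the user when Domain Users has no gidNumber, which is the "no users shown" case Louis mentions. The model reflects the default behaviour the thread discusses; newer Samba (4.6 onward) also accepts idmap config DOMAIN : unix_primary_group = yes in idmap_ad, which switches the primary group to the user's own gidNumber.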