Marcio Demetrio Bacci
2017-May-22 21:12 UTC
[Samba] Problems with Samba 4.6.3 Authentication
Hi,

I have posted the following message to the Squid-Users forum (squid-users at lists.squid-cache.org).

"I have migrated from Samba 4.2.1 to Samba 4.6.3 as DC, but now my Squid authentication doesn't work.

In Samba 4.2.1 it was working properly.

This is my authentication block:

    auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b DC=empresa,DC=com,DC=br -D CN=proxy,CN=Users,DC=empresa,DC=com,DC=br -w password -h 192.168.10.4 -p 389 -s sub -v 3 -f "sAMAccountName=%s"
    auth_param basic children 50
    auth_param basic realm Access Monitored
    auth_param basic credentialsttl 8 hours
    auth_param basic casesensitive off

I'm using Squid 3.4.8.

Can anybody help me?"

Answer of the Squid-Users forum:

"If the only thing that changed was Samba it's clearly an issue with that end of the system. I suggest you compare those LDAP parameters with what the new Samba version needs, and if there is no issue there please contact your vendor or the Samba help channels."

Thus, were there changes in LDAP parameters from Samba 4.2.1 to 4.6.3?

Regards,

Márcio Bacci
On Mon, 22 May 2017 18:12:58 -0300 Marcio Demetrio Bacci via samba <samba at lists.samba.org> wrote:

> Thus, were there changes in LDAP parameters from Samba 4.2.1 to 4.6.3?

Try using TLS '-Z', I think.

Rowland
Not really a samba question but..

I suggest you switch to Kerberos auth. That's this line:

    auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
        --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/hostname.internal.dnsdomain.tld at REALM \
        --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM

Or

    auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
        --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME \
        --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=NTDOM

if you have problems with A/PTR record matching in your REALM and upn/spn.

This is what works with samba + ldap + tls.

    ## SSL enabled ( URI format -H )
    auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 \
        -b "ou=Company,dc=internal,dc=dnsdomain,dc=tld" \
        -D ldapbindusers at internal.dnsdomain.tld \
        -W /etc/squid/private/ldap-bind \
        -f sAMAccountName=%s \
        -H ldaps://dc2.internal.dnsdomain.tld \
        -H ldaps://dc1.internal.dnsdomain.tld

A non-SSL setup is a small change:

        -h ldaps://dc2.internal.dnsdomain.tld \
        -h ldaps://dc1.internal.dnsdomain.tld

For SSL you need to configure /etc/ldap/ldap.conf.

Add your rootCA cert to:

    TLS_CACERT /etc/ssl/certs/ca-certificates.crt

Use update-ca-certificates; unknown to you? Google for it, this simplifies the setup with certificates.

Add:

    TLS_REQCERT allow

If needed configure BASE and URI.

These above are tested with squid 3.4.8 (debian jessie default) up to squid from debian sid recompiled for jessie, up to 3.5.24.

And for your convenience, this is the smb.conf I'm using on my proxy. Jessie/samba 4.5.8 or 4.6.3 (my own deb), but only winbind is installed for the keytabs.

(config is set up with a winbind 4.6.3 and samba AD DCs, backend AD.)

    [global]
    workgroup = NTDOM
    security = ads
    realm = REALM

    netbios name = PROXY1
    preferred master = no
    domain master = no
    host msdfs = no

    interfaces = 192.168.0.50 127.0.0.1
    bind interfaces only = yes
    dns proxy = yes

    ## map ids outside the domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999

    ## map ids from the domain; the ranges may not overlap!
    idmap config NTDOM: backend = ad
    idmap config NTDOM: schema_mode = rfc2307
    idmap config NTDOM: range = 10000-3999999
    idmap config NTDOM: unix_nss_info = yes

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    # renew the kerberos ticket
    winbind refresh tickets = yes
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = no
    winbind enum groups = no

    # enable offline logins
    winbind offline logon = yes

    # check depth of nested groups; slows down your samba if the group depth is too large
    winbind expand groups = 4

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/samba_usermapping

    # disable usershare creating; when set empty, no error log messages.
    usershare path =

    # Disable printing completely
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

And no shares.

Greetz,

Louis
Forgot to mention.

If you don't have any certificates set up and are not using TLS, set on the DCs:

    ldap server require strong auth = allow_sasl_over_tls

Or

    ldap server require strong auth = no

And you may need to enable NTLM v1 on the proxy also, but that's why I recommend Kerberos auth. So, preferred IMO, try to avoid any NTLM to improve your security.

For NTLM v1 then you need to set on the proxy and DC:

    ntlm auth = no
    lanman auth = no

Greetz,

Louis
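The replies above come down to two points about the basic_ldap_auth line from the first message: the bind is a simple bind over plaintext LDAP, which a Samba AD DC refuses when "ldap server require strong auth" is left at its default of yes (a setting 4.2.1 did not have), and the bind password sits inline in squid.conf with -w. The following linter, an added example that is not code from this thread, from Squid or from Samba, parses such a line and reports both problems, plus a few related ones (no -D, a filter without %s, -Z without -v 3, which the helper requires). The two sample lines are constructed from the configurations posted in the thread; in the second the bind account carries a literal '@', which the list archive rendered as ' at '. The option list is the set of basic_ldap_auth options used in the thread plus -u (user attribute); any other dash option is treated as a switch.

```python
"""Lint a Squid 'auth_param basic program ... basic_ldap_auth' line for the
weaknesses discussed in the thread.  Added example, not thread/Squid/Samba code."""
import shlex

# basic_ldap_auth options that take a value: the ones used in the thread plus -u
# (user attribute).  Anything else starting with '-' (e.g. -R, -Z) is a switch.
VALUE_FLAGS = {"-b", "-D", "-w", "-W", "-h", "-H", "-p", "-s", "-v", "-f", "-u"}


def parse_helper_args(config_text):
    """Split an 'auth_param basic program' line into (helper_path, flags).

    flags maps each option to a list of its values (True for switches), so
    repeated options such as several -H servers are all kept.  Backslash-newline
    continuations, as used in squid.conf, are joined before tokenising.
    """
    tokens = shlex.split(config_text.replace("\\\n", " "), comments=True)
    if tokens[:3] != ["auth_param", "basic", "program"]:
        raise ValueError("not an 'auth_param basic program' line")
    helper, args = tokens[3], tokens[4:]
    flags = {}
    i = 0
    while i < len(args):
        opt = args[i]
        if not opt.startswith("-"):
            raise ValueError("unexpected positional argument %r" % opt)
        if opt in VALUE_FLAGS:
            if i + 1 >= len(args):
                raise ValueError("%s requires a value" % opt)
            flags.setdefault(opt, []).append(args[i + 1])
            i += 2
        else:
            flags.setdefault(opt, []).append(True)
            i += 1
    return helper, flags


def lint(config_text):
    """Return a list of findings; an empty list means the line passes."""
    _helper, flags = parse_helper_args(config_text)
    findings = []
    servers = flags.get("-h", []) + flags.get("-H", [])
    if not servers:
        findings.append("no LDAP server given (-h or -H)")
    uses_ldaps = any(s.lower().startswith("ldaps://") for s in servers)
    if not uses_ldaps and "-Z" not in flags:
        findings.append(
            "plaintext simple bind: neither -Z (StartTLS) nor an ldaps:// server; "
            "a Samba AD DC with 'ldap server require strong auth = yes' rejects this")
    if "-Z" in flags and flags.get("-v", [""])[-1] != "3":
        findings.append("-Z needs LDAP protocol version 3: add -v 3")
    if "-w" in flags:
        findings.append(
            "bind password is inline (-w); keep it in a file readable only by the "
            "squid user and pass -W <file>")
    if "-D" not in flags:
        findings.append("no bind DN (-D): AD normally does not let an anonymous bind search users")
    for filt in flags.get("-f", []):
        if "%s" not in filt:
            findings.append("filter %r has no %%s placeholder, so the login name is not used" % filt)
    return findings


def with_starttls(config_text):
    """Apply the '-Z' suggestion: perform the simple bind under StartTLS."""
    return config_text.rstrip() + " -Z"


# Constructed sample lines.  PLAINTEXT_BIND is the configuration from the first
# message; LDAPS_BIND is the ldaps:// configuration from the reply, with the bind
# account written as user@realm (the archive rendered '@' as ' at ').
PLAINTEXT_BIND = (
    'auth_param basic program /usr/lib/squid3/basic_ldap_auth -R '
    '-b DC=empresa,DC=com,DC=br -D CN=proxy,CN=Users,DC=empresa,DC=com,DC=br '
    '-w password -h 192.168.10.4 -p 389 -s sub -v 3 -f "sAMAccountName=%s"'
)
LDAPS_BIND = """auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 \\
    -b "ou=Company,dc=internal,dc=dnsdomain,dc=tld" \\
    -D ldapbindusers@internal.dnsdomain.tld \\
    -W /etc/squid/private/ldap-bind \\
    -f sAMAccountName=%s \\
    -H ldaps://dc2.internal.dnsdomain.tld \\
    -H ldaps://dc1.internal.dnsdomain.tld"""

if __name__ == "__main__":
    for name, line in (("thread config", PLAINTEXT_BIND),
                       ("thread config + -Z", with_starttls(PLAINTEXT_BIND)),
                       ("ldaps config", LDAPS_BIND)):
        print(name, "->", lint(line) or ["ok"])
```

Run against the first message's line it reports the plaintext bind and the inline password; adding -Z (Rowland's suggestion) clears the first finding but not the second, and the ldaps:// line with -W from the reply passes clean. The checks only look at the helper's arguments; they cannot tell whether the DC's certificate chain is actually trusted, which is what the ldap.conf TLS_CACERT step in the reply is for.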
On Tue, 23 May 2017 08:50:57 +0200 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> If you don't have any certificates set up and are not using TLS, set on the DCs:
>
>     ldap server require strong auth = allow_sasl_over_tls
>
> Or
>
>     ldap server require strong auth = no
>
> And you may need to enable NTLM v1 on the proxy also, but that's why I recommend Kerberos auth. So, preferred IMO, try to avoid any NTLM to improve your security.

Obviously the first will not work if you don't have any certificates ;-)

Yes, Kerberos is probably the way to go. The older way of doing things has proved to be insecure, and this is why I keep harping on about upgrading from NT4-style domains to AD. There has just been the wannacry crime and I wouldn't be surprised if Microsoft used this as a reason to kill NTLM, on Windows 10 at least.

Rowland