samba - May 2017 - Problems with Samba 4.6.3 Authentication

Hi,

I have posted the following message to Squid-Users forum (
squid-users at lists.squid-cache.org).

"I have migrated of Samba 4.2.1 to Samba 4.6.3 as DC, but now my Squid
authentication doesn't work.

In samba 4.2.1 is working properly.

This is my authentication block:

auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b
DC=empresa,DC=com,DC=br -D CN=proxy,CN=Users,DC=empresa,DC=com,DC=br -w
password -h 192.168.10.4 -p 389 -s sub -v 3 -f "sAMAccountName=%s"
auth_param basic children 50
auth_param basic realm Access Monitored
auth_param basic credentialsttl 8 hours
auth_param basic casesensitive off

I'm using Squid 3.4.8

Can anybody help me ?"


*Answer of the Squid-Users forum: *

"

*If the only thing that changed was Samba its clearly an issue with that
end of the system.I suggest you compare those LDAP parameters with what the
new Samba version needs, and if there is no issue there please contact your
vendor or the Samba help channels*."



Thus, are there changes LDAP parameters in Samba 4.2.1 to 4.6.3 ?

Regards,

Márcio Bacci

On Mon, 22 May 2017 18:12:58 -0300
Marcio Demetrio Bacci via samba <samba at lists.samba.org> wrote:
> Hi,
> 
> I have posted the following message to Squid-Users forum (
> squid-users at lists.squid-cache.org).
> 
> "I have migrated of Samba 4.2.1 to Samba 4.6.3 as DC, but now my Squid
> authentication doesn't work.
> 
> In samba 4.2.1 is working properly.
> 
> This is my authentication block:
> 
> auth_param basic program /usr/lib/squid3/basic_ldap_auth -R -b
> DC=empresa,DC=com,DC=br -D CN=proxy,CN=Users,DC=empresa,DC=com,DC=br
> -w password -h 192.168.10.4 -p 389 -s sub -v 3 -f
"sAMAccountName=%s"
> auth_param basic children 50
> auth_param basic realm Access Monitored
> auth_param basic credentialsttl 8 hours
> auth_param basic casesensitive off
> 
> I'm using Squid 3.4.8
> 
> Can anybody help me ?"
> 
> 
> *Answer of the Squid-Users forum: *
> 
> "
> 
> *If the only thing that changed was Samba its clearly an issue with
> that end of the system.I suggest you compare those LDAP parameters
> with what the new Samba version needs, and if there is no issue there
> please contact your vendor or the Samba help channels*."
> 
> 
> 
> Thus, are there changes LDAP parameters in Samba 4.2.1 to 4.6.3 ?
> 
> Regards,
> 
> Márcio Bacci
Try using TLS '-Z' I think

Rowland

Not really a samba question but.. 

I suggest you switch to kerberos auth.
Thats this line: 
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s
HTTP/hostname.internal.dnsdomain.tld at REALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM

Or 
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=NTDOM
If you have problem with A/PTR record matching in your REALM and upn/spn. 


This is what works with samba +ldap + tls.
## SSL enabled ( URI format -H )
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 \
    -b "ou=Company,dc=internal,dc=dnsdomain,dc=tld" \
    -D ldapbindusers at internal.dnsdomain.tld \
    -W /etc/squid/private/ldap-bind \
    -f sAMAccountName=%s \
    -H ldaps://dc2.internal.dnsdomain.tld \
    -H ldaps://dc1.internal.dnsdomain.tld

A not ssl setup is a small change. 
    -h ldaps://dc2.internal.dnsdomain.tld \
    -h ldaps://dc1.internal.dnsdomain.tld

For ssl you need to configure : 
/etc/ldap/ldap.conf

Add your rootCA cert to  : TLS_CACERT      /etc/ssl/certs/ca-certificates.crt 
use : update-ca-certificates, unknow to you? Google for it this simplifies the
setup with certificates.

Add: 
TLS_REQCERT allow
If needed configure BASE and URI. 

These above are tested as for squid 3.4.8 ( debian jessie default ) 
Up to squid from debian sid recompiled for jessie up to 3.5.24. 

And for you convients, this is the smb.conf im using on my proxy. 
Jessie/samba 4.5.8 or 4.6.3 ( my own deb) but only winbind is installed for the
keytabs.

( config is setup with a winbind 4.6.3 and samba AD DC's , backend AD. ) 
[global]
    workgroup = NTDOM
    security = ads
    realm = REALM

    netbios name = PROXY1
    preferred master = no
    domain master = no
    host msdfs = no

    interfaces = 192.168.0.50 127.0.0.1
    bind interfaces only = yes
    dns proxy = yes

    ## map id's outside to domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999

    ## map ids from the domain  the range may not overlap !
    idmap config NTDOM: backend = ad
    idmap config NTDOM: schema_mode = rfc2307
    idmap config NTDOM: range = 10000-3999999
    idmap config NTDOM: unix_nss_info = yes

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    # renew the kerberos ticket
    winbind refresh tickets = yes
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users  = no
    winbind enum groups = no

    # enable offline logins
    winbind offline logon = yes

    # check depth of nested groups, ! slows down you samba, if to much groups
depth
    winbind expand groups = 4

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/samba_usermapping

    # disable usershares creating, when set empty no error log messages.
    usershare path 
    # Disable printing completely
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes


And no shares. 



Greetz, 

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Marcio Demetrio Bacci via samba
> Verzonden: maandag 22 mei 2017 23:13
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] Problems with Samba 4.6.3 Authentication
> 
> Hi,
> 
> I have posted the following message to Squid-Users forum ( 
> squid-users at lists.squid-cache.org).
> 
> "I have migrated of Samba 4.2.1 to Samba 4.6.3 as DC, but now 
> my Squid authentication doesn't work.
> 
> In samba 4.2.1 is working properly.
> 
> This is my authentication block:
> 
> auth_param basic program /usr/lib/squid3/basic_ldap_auth -R 
> -b DC=empresa,DC=com,DC=br -D 
> CN=proxy,CN=Users,DC=empresa,DC=com,DC=br -w password -h 
> 192.168.10.4 -p 389 -s sub -v 3 -f "sAMAccountName=%s"
> auth_param basic children 50
> auth_param basic realm Access Monitored
> auth_param basic credentialsttl 8 hours
> auth_param basic casesensitive off
> 
> I'm using Squid 3.4.8
> 
> Can anybody help me ?"
> 
> 
> *Answer of the Squid-Users forum: *
> 
> "
> 
> *If the only thing that changed was Samba its clearly an 
> issue with that end of the system.I suggest you compare those 
> LDAP parameters with what the new Samba version needs, and if 
> there is no issue there please contact your vendor or the 
> Samba help channels*."
> 
> 
> 
> Thus, are there changes LDAP parameters in Samba 4.2.1 to 4.6.3 ?
> 
> Regards,
> 
> Márcio Bacci
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

For got to mention.

If you dont have any certificates setup and not using tls. 
Set on the DC's. 

       ldap server require strong auth = allow_sasl_over_tls
Or 
       ldap server require strong auth = no

And you may need to enable NTLM v1 on the proxy also, but thats why i recommends
kerberos auth.
SO preffered imo, try to avoid any NTLM to improve your security. 
For NTLM v1 then you need to set on the proxy and DC
   ntlm auth = no
   lanman auth = no



Greetz, 

Louis
 
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> L.P.H. van Belle via samba
> Verzonden: dinsdag 23 mei 2017 8:40
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Problems with Samba 4.6.3 Authentication
> 
> Not really a samba question but.. 
> 
> I suggest you switch to kerberos auth.
> Thats this line: 
> auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
>     --kerberos /usr/lib/squid/negotiate_kerberos_auth -s 
> HTTP/hostname.internal.dnsdomain.tld at REALM \
>     --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego 
> --domain=NTDOM
> 
> Or
> auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
>     --kerberos /usr/lib/squid/negotiate_kerberos_auth -s 
> GSS_C_NO_NAME \
>     --ntlm /usr/bin/ntlm_auth 
> --helper-protocol=squid-2.5-ntlmssp --domain=NTDOM If you 
> have problem with A/PTR record matching in your REALM and upn/spn. 
> 
> 
> This is what works with samba +ldap + tls.
> ## SSL enabled ( URI format -H )
> auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 \
>     -b "ou=Company,dc=internal,dc=dnsdomain,dc=tld" \
>     -D ldapbindusers at internal.dnsdomain.tld \
>     -W /etc/squid/private/ldap-bind \
>     -f sAMAccountName=%s \
>     -H ldaps://dc2.internal.dnsdomain.tld \
>     -H ldaps://dc1.internal.dnsdomain.tld
> 
> A not ssl setup is a small change. 
>     -h ldaps://dc2.internal.dnsdomain.tld \
>     -h ldaps://dc1.internal.dnsdomain.tld
> 
> For ssl you need to configure : 
> /etc/ldap/ldap.conf
> 
> Add your rootCA cert to  : TLS_CACERT      
> /etc/ssl/certs/ca-certificates.crt 
> use : update-ca-certificates, unknow to you? Google for it 
> this simplifies the setup with certificates.
> 
> Add: 
> TLS_REQCERT allow
> If needed configure BASE and URI. 
> 
> These above are tested as for squid 3.4.8 ( debian jessie default ) 
> Up to squid from debian sid recompiled for jessie up to 3.5.24. 
> 
> And for you convients, this is the smb.conf im using on my proxy. 
> Jessie/samba 4.5.8 or 4.6.3 ( my own deb) but only winbind is 
> installed for the keytabs. 
> 
> ( config is setup with a winbind 4.6.3 and samba AD DC's , 
> backend AD. ) 
> [global]
>     workgroup = NTDOM
>     security = ads
>     realm = REALM
> 
>     netbios name = PROXY1
>     preferred master = no
>     domain master = no
>     host msdfs = no
> 
>     interfaces = 192.168.0.50 127.0.0.1
>     bind interfaces only = yes
>     dns proxy = yes
> 
>     ## map id's outside to domain to tdb files.
>     idmap config *:backend = tdb
>     idmap config *:range = 2000-9999
> 
>     ## map ids from the domain  the range may not overlap !
>     idmap config NTDOM: backend = ad
>     idmap config NTDOM: schema_mode = rfc2307
>     idmap config NTDOM: range = 10000-3999999
>     idmap config NTDOM: unix_nss_info = yes
> 
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
> 
>     # renew the kerberos ticket
>     winbind refresh tickets = yes
>     winbind trusted domains only = no
>     winbind use default domain = yes
>     winbind enum users  = no
>     winbind enum groups = no
> 
>     # enable offline logins
>     winbind offline logon = yes
> 
>     # check depth of nested groups, ! slows down you samba, 
> if to much groups depth
>     winbind expand groups = 4
> 
>     # user Administrator workaround, without it you are 
> unable to set privileges
>     username map = /etc/samba/samba_usermapping
> 
>     # disable usershares creating, when set empty no error 
> log messages.
>     usershare path > 
>     # Disable printing completely
>     load printers = no
>     printing = bsd
>     printcap name = /dev/null
>     disable spoolss = yes
> 
> 
> And no shares. 
> 
> 
> 
> Greetz, 
> 
> Louis
> 
> 
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> > Marcio Demetrio Bacci via samba
> > Verzonden: maandag 22 mei 2017 23:13
> > Aan: samba at lists.samba.org
> > Onderwerp: [Samba] Problems with Samba 4.6.3 Authentication
> > 
> > Hi,
> > 
> > I have posted the following message to Squid-Users forum ( 
> > squid-users at lists.squid-cache.org).
> > 
> > "I have migrated of Samba 4.2.1 to Samba 4.6.3 as DC, but now 
> > my Squid authentication doesn't work.
> > 
> > In samba 4.2.1 is working properly.
> > 
> > This is my authentication block:
> > 
> > auth_param basic program /usr/lib/squid3/basic_ldap_auth -R 
> > -b DC=empresa,DC=com,DC=br -D 
> > CN=proxy,CN=Users,DC=empresa,DC=com,DC=br -w password -h 
> > 192.168.10.4 -p 389 -s sub -v 3 -f "sAMAccountName=%s"
> > auth_param basic children 50
> > auth_param basic realm Access Monitored
> > auth_param basic credentialsttl 8 hours
> > auth_param basic casesensitive off
> > 
> > I'm using Squid 3.4.8
> > 
> > Can anybody help me ?"
> > 
> > 
> > *Answer of the Squid-Users forum: *
> > 
> > "
> > 
> > *If the only thing that changed was Samba its clearly an 
> > issue with that end of the system.I suggest you compare those 
> > LDAP parameters with what the new Samba version needs, and if 
> > there is no issue there please contact your vendor or the 
> > Samba help channels*."
> > 
> > 
> > 
> > Thus, are there changes LDAP parameters in Samba 4.2.1 to 4.6.3 ?
> > 
> > Regards,
> > 
> > Márcio Bacci
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> > 
> > 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

On Tue, 23 May 2017 08:50:57 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> For got to mention.
> 
> If you dont have any certificates setup and not using tls. 
> Set on the DC's. 
> 
>        ldap server require strong auth = allow_sasl_over_tls
> Or 
>        ldap server require strong auth = no
> 
> And you may need to enable NTLM v1 on the proxy also, but thats why i
> recommends kerberos auth. SO preffered imo, try to avoid any NTLM to
> improve your security. For NTLM v1 then you need to set on the proxy
> and DC ntlm auth = no
>    lanman auth = no
Obviously the first will not work if you don't have any certificates ;-)

Yes, kerberos is probably the way to go, the older way of doing things
has proved to be insecure and this is why I keep harping on about
upgrading from NT4-style domains to AD.

There has just been the wannacry crime and I wouldn't be surprised if
Microsoft used this as a reason to kill NTLM, on windows 10 at least. 

Rowland