Suporte - KONTROL
2018-Apr-05 20:01 UTC
[Samba] Question: Samba and YP-Yellow Pages relation.
Hi Rowland,

First of all, thanks much for the message. Appreciate it!

Here are more details...

The users do not log into the pfSense. Samba is being used to authenticate users with the proxy (squid) in a pfSense environment (FreeBSD). The pfSense box is added to the AD domain as a "Member" only, so that the proxy can authenticate against the AD via NTLM/Kerberos.

Here is part of my script to add/leave the domain and also to create a keytab file to use against Kerberos:

    #joining a Domain
    net ads join createupn=HTTP/hostname001.corp@DOMAIN.CORP -k
    echo
    #adding SPN HTTP
    echo "Adding the SPN HTTP"
    net ads keytab add HTTP
    echo
    #Generating keytab file
    net ads keytab create -k

After that the pfSense box is part of the domain and I have a keytab file to use for Kerberos authentication. That's how I add the box to a domain.

Now the problem is that it only works when I use that "special" Samba 4.4.16 version. I would like to use the LATEST Samba version available for security reasons.

Thanks once again!
Fabricio.

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Thursday, April 5, 2018 4:39 PM
To: samba at lists.samba.org
Cc: Suporte - KONTROL <suporte at kontrolsecurity.com.br>
Subject: Re: [Samba] Question: Samba and YP-Yellow Pages relation.

On Thu, 5 Apr 2018 15:39:45 -0300
Suporte - KONTROL via samba <samba at lists.samba.org> wrote:

> Hello Everyone,
> I am pretty new on this SAMBA list, so greetings!
> I have a technical question about the relation of SAMBA and YP (Yellow Pages / NIS).
>
> I've been learning how to make my firewall/proxy solution (based on FreeBSD/pfSense) have a trust relationship with the Microsoft AD/domain so I can have single sign-on with NTLM/Kerberos integration. pfSense has YP (Yellow Pages) disabled by default, which makes Samba fail according to the pfSense technical forum people.
> Recently, I found a supposed "patched" version of Samba 4.4.16 that doesn't require YP enabled. Not sure how people did that, or if that is something normal for version 4.4.16 of Samba (probably not). The point is that Samba 4.4.16 works perfectly.
> If I try to do the same with other newer versions, I get error messages like this:
>
>     /usr/local/lib/samba4/libsmbconf.so.0: Undefined symbol "yp_match"
>
> The question is: can I also patch the latest Samba version the same way? What are the side effects in the end, and what exactly should I change in the source code before compiling it? (if possible) Maybe enabling YP again would be better?
> I really want to replace version 4.4.16 with the latest one available for obvious reasons (too old, insecure at this point).
>
> Thanks in advance!
>
> Cordially,
> Fabricio.

Hi, around here we call YP NIS ;-)

I am having trouble trying to understand what you are trying to achieve. Do your users need to log into the pfSense machine?

I think you need to explain in a bit more depth how your firewall/proxy works, starting with how you want to run Samba: is it as a DC, a Unix domain member or a standalone server?

Rowland

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On Thu, 5 Apr 2018 17:01:22 -0300
"Suporte - KONTROL" <suporte at kontrolsecurity.com.br> wrote:

> Hi Rowland,
> First of all, thanks much for the message. Appreciate it!
>
> Here are more details...
> The users do not log into the pfSense. Samba is being used to authenticate users with the proxy (squid) in a pfSense environment (FreeBSD). The pfSense box is added to the AD domain as a "Member" only, so that the proxy can authenticate against the AD via NTLM/Kerberos.
>
> Here is part of my script to add/leave the domain and also to create a keytab file to use against Kerberos.
>
>     #joining a Domain
>     net ads join createupn=HTTP/hostname001.corp@DOMAIN.CORP -k
>     echo
>     #adding SPN HTTP
>     echo "Adding the SPN HTTP"
>     net ads keytab add HTTP
>     echo
>     #Generating keytab file
>     net ads keytab create -k

You can get the keytab created during the join by adding:

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

to smb.conf before the join. Not sure about the UPN though, never tried it.

It sounds like you are running Samba as a Unix domain member. Any chance of seeing the (sanitized) smb.conf?

Also, what is the AD DC?

Not sure why you want to disable YP; squid is known to work with the default Samba.

Rowland
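The join-and-keytab procedure from Fabricio's script, combined with Rowland's suggestion of letting the join itself populate the keytab, as an added example written for this page (it is not code from the thread or from the Samba project). It assumes a host named proxy01 in the realm KONTROL.CORP, a keytab at /etc/krb5.keytab and a join account called Administrator; none of those come from the thread. The point it adds is the verification step: before pointing squid's negotiate helper at the keytab, confirm the HTTP/ principal is actually in it and that only one key version is present.

```shell
#!/bin/sh
# Editor's example, not a script from the thread. Joins a FreeBSD/pfSense box
# to AD as a Unix domain member the way the thread does (net ads join with
# createupn, then net ads keytab add HTTP), but relies on
# 'kerberos method = secrets and keytab' so the join writes the keytab, and
# verifies the result instead of assuming it.
# Assumed, not from the thread: host proxy01, realm KONTROL.CORP,
# keytab /etc/krb5.keytab, join account Administrator.

REALM="${REALM:-KONTROL.CORP}"
HOST="${HOST:-proxy01}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
JOIN_USER="${JOIN_USER:-Administrator}"

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# [global] lines to add to smb.conf BEFORE the join so 'net ads join' writes
# the machine keys into the keytab itself (no separate 'net ads keytab create').
smb_conf_keytab_fragment() {
    printf '%s\n' \
        "dedicated keytab file = $KEYTAB" \
        "kerberos method = secrets and keytab"
}

# Read a 'klist -k' listing on stdin; succeed only if it contains
# HTTP/<host>[.<domain>]@<REALM>. Both MIT and Heimdal print one
# "<kvno> [<enctype>] <principal>" line per key.
keytab_has_http_spn() {
    grep -E -i -q "HTTP/$1(\.[^@ ]*)?@$2([[:space:]]|$)"
}

# Number of distinct kvnos for the HTTP principal in a 'klist -k' listing on
# stdin. More than one normally means a stale key from an earlier join is
# still in the keytab; several enctypes sharing one kvno is normal.
http_spn_kvno_count() {
    grep -E -i "HTTP/$1" | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

join_domain() {
    # 1. Ticket for the joining account (prompts for the password).
    kinit "${JOIN_USER}@${REALM}"
    # 2. Join as a member; createupn sets the machine account's UPN to the
    #    HTTP service principal the proxy's negotiate helper will use.
    net ads join "createupn=HTTP/${HOST}.$(lower "$REALM")@${REALM}" -k
    # 3. Register the HTTP SPN on the machine account and add its key locally.
    net ads keytab add HTTP
    # 4. Verify: join is valid, keytab has the HTTP key, winbind trusts the DC.
    net ads testjoin
    KRB5_KTNAME="$KEYTAB" klist -k | keytab_has_http_spn "$HOST" "$REALM" \
        || { echo "HTTP/$HOST@$REALM missing from $KEYTAB" >&2; return 1; }
    wbinfo -t
}

# The live join only runs when asked for; sourcing or running the file with no
# argument just defines the functions so the checks can be used on their own.
case "${1:-}" in
    join) join_domain ;;
esac
```

Run it as `sh join.sh join` on the box after adding the two smb.conf lines; `KRB5_KTNAME="$KEYTAB" klist -k | keytab_has_http_spn proxy01 KONTROL.CORP` can be rerun on its own whenever the keytab is regenerated.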
Suporte - KONTROL
2018-Apr-05 21:57 UTC
[Samba] Question: Samba and YP-Yellow Pages relation.
Hi Rowland,

Actually I don't want to disable the Yellow Pages; that's a situation I already have in the pfSense, because YP was disabled by the pfSense developers.

So my doubt is: is there a way to make Samba (latest version) work without YP enabled? What about what people did with that Samba version 4.4.16 I mentioned? Not sure how they did that. The only thing I know is that it is working fine even without YP.

The Microsoft environment is mixed. I have Win2008R2 / Win2012 R2 and Win2016. It is working today with all of them. No problems.

Here is the smb4.conf file:

#################################
[global]
workgroup = KONTROL
map to guest = never
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = no
client NTLMv2 auth = yes
client lanman auth = no
client plaintext auth = no
use spnego = yes
client use spnego = yes
min protocol = LANMAN2
idmap gid = 10000-20000
idmap uid = 10000-20000
realm = KONTROL.CORP
security = ads
template homedir = /home/%D/%U
template shell = /bin/bash
winbind offline logon = yes
winbind refresh tickets = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind use default domain = yes
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
log level = 3 passdb:5 winbind:3
usershare allow guests = no
printcap name = /dev/null
load printers = no
printing = bsd
local master = no
kerberos method = secrets and keytab
winbind refresh tickets = yes

[homes]
comment = Home Directories
valid users = %s, %D%W%S
browseable = no
read only = no
inherit acls = yes
#################################

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Thursday, April 5, 2018 6:03 PM
To: Suporte - KONTROL <suporte at kontrolsecurity.com.br>
Cc: samba at lists.samba.org
Subject: Re: [Samba] Question: Samba and YP-Yellow Pages relation.

On Thu, 5 Apr 2018 17:01:22 -0300
"Suporte - KONTROL" <suporte at kontrolsecurity.com.br> wrote:

> Hi Rowland,
> First of all, thanks much for the message. Appreciate it!
>
> Here are more details...
> The users do not log into the pfSense. Samba is being used to authenticate users with the proxy (squid) in a pfSense environment (FreeBSD). The pfSense box is added to the AD domain as a "Member" only, so that the proxy can authenticate against the AD via NTLM/Kerberos.
>
> Here is part of my script to add/leave the domain and also to create a keytab file to use against Kerberos.
>
>     #joining a Domain
>     net ads join createupn=HTTP/hostname001.corp@DOMAIN.CORP -k
>     echo
>     #adding SPN HTTP
>     echo "Adding the SPN HTTP"
>     net ads keytab add HTTP
>     echo
>     #Generating keytab file
>     net ads keytab create -k

You can get the keytab created during the join by adding:

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

to smb.conf before the join. Not sure about the UPN though, never tried it.

It sounds like you are running Samba as a Unix domain member. Any chance of seeing the (sanitized) smb.conf?

Also, what is the AD DC?

Not sure why you want to disable YP; squid is known to work with the default Samba.

Rowland
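An added check written for this page, not code from the thread or from Samba: a small audit of the [global] section of an smb.conf like the one posted above. The posted file sets `min protocol = LANMAN2` (a synonym for `server min protocol`), which lets the box's own smbd, which also exports a [homes] share, negotiate pre-SMB2 dialects; a domain member that only needs winbind for squid does not need that. The audit flags it and confirms the client-side auth settings and `kerberos method` the join relies on. The sample config inside the block is an abbreviated copy of the posted one, constructed for the test; the parser and finding texts are the editor's.

```shell
#!/bin/sh
# Editor's example, not from the thread: audit the [global] section of an
# smb.conf for the settings that matter on a domain-member proxy box.
# Sample config below is an abbreviated copy of the posted file, constructed
# for the test; run the functions against your real file instead.

# Print the value of KEY ($2) from the [global] section of FILE ($1); key is
# compared case-insensitively, surrounding whitespace trimmed. Prints nothing
# when the key is unset. Keys in other sections ([homes]) are ignored.
smb_global_value() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*\[/ { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        insec && /=/ {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == want) { print v; exit }
        }' "$1"
}

# Print one finding per line; prints nothing for a config that passes.
audit_smb_conf() {
    file="$1"
    # 'min protocol' is a synonym for 'server min protocol'; the explicit
    # name wins if both are present.
    minp="$(smb_global_value "$file" "server min protocol")"
    [ -n "$minp" ] || minp="$(smb_global_value "$file" "min protocol")"
    case "$(printf '%s' "$minp" | tr '[:lower:]' '[:upper:]')" in
        SMB2*|SMB3*) ;;
        *) echo "server min protocol = ${minp:-<unset>}: set 'server min protocol = SMB2_02' so LANMAN/NT1 dialects are refused" ;;
    esac
    # Client-side settings a Kerberos/NTLM domain member should keep.
    for kv in 'client lanman auth=no' 'client plaintext auth=no' \
              'client ntlmv2 auth=yes' 'kerberos method=secrets and keytab'; do
        key="${kv%%=*}"; want="${kv#*=}"
        got="$(smb_global_value "$file" "$key" | tr '[:upper:]' '[:lower:]')"
        [ "$got" = "$want" ] || echo "$key = ${got:-<unset>}: expected '$want'"
    done
}

# Number of findings, for gating a deploy script on the audit.
audit_finding_count() {
    audit_smb_conf "$1" | wc -l | tr -d ' '
}

# Abbreviated copy of the posted smb4.conf (constructed sample for the test).
sample_smb_conf() {
    cat <<'EOF'
[global]
workgroup = KONTROL
client NTLMv2 auth = yes
client lanman auth = no
client plaintext auth = no
min protocol = LANMAN2
realm = KONTROL.CORP
security = ads
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
kerberos method = secrets and keytab

[homes]
comment = Home Directories
browseable = no
EOF
}
```

Usage: `sample_smb_conf > /tmp/smb4.conf; audit_smb_conf /tmp/smb4.conf` prints the single `server min protocol` finding; replacing that line with `server min protocol = SMB2_02` makes the audit silent. The parser stops at the first match for a key, so a duplicated parameter (the posted file repeats `winbind refresh tickets`) is reported from its first occurrence only.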