Suporte - KONTROL
2018-Apr-05 21:57 UTC
[Samba] Question: Samba and YP-Yellow Pages relation.
Hi Rowland,

Actually I don't want to disable the Yellow Pages, that's a situation I already have in the pFsense, cause YP was disabled by the pfsense developers.

So my doubt is: Is there a way to make samba (latest version) work without the YP enabled? What about what people made with that samba version 4.4.16 I mentioned? Not sure how they did that. The only thing I know is that it is working fine even without the YP.

The Microsoft environment is mixed. I have Win2008R2 / Win2012 R2 and Win2016. It is working today with all of them. No problems.

Here is the smb4.conf file:

#################################
[global]
workgroup = KONTROL
map to guest = never
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = no
client NTLMv2 auth = yes
client lanman auth = no
client plaintext auth = no
use spnego = yes
client use spnego = yes
min protocol = LANMAN2
idmap gid = 10000-20000
idmap uid = 10000-20000
realm = KONTROL.CORP
security = ads
template homedir = /home/%D/%U
template shell = /bin/bash
winbind offline logon = yes
winbind refresh tickets = yes
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
winbind use default domain = yes
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
log level = 3 passdb:5 winbind:3
usershare allow guests = no
printcap name = /dev/null
load printers = no
printing = bsd
local master = no
kerberos method = secrets and keytab
winbind refresh tickets = yes

[homes]
comment = Home Directories
valid users = %s, %D%W%S
browseable = no
read only = no
inherit acls = yes
#################################

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Thursday, April 5, 2018 6:03 PM
To: Suporte - KONTROL <suporte at kontrolsecurity.com.br>
Cc: samba at lists.samba.org
Subject: Re: [Samba] Question: Samba and YP-Yellow Pages relation.
On Thu, 5 Apr 2018 17:01:22 -0300 "Suporte - KONTROL" <suporte at kontrolsecurity.com.br> wrote:

> Hi Rowland,
> First of all, thanks much for the message. Appreciate it!
>
> Here more details...
> The users do not log into the pfSense. The Samba is being used to authenticate users with the proxy (squid) in a pfsense environment (Freebsd). The PfSense box is added to the AD Domain as a "Member" only, so that way the proxy can authenticate against the AD via NTLM/Kerberos.
>
> Here is part of my script to add/leave Domain and also to create a keytab file to use against Kerberos.
>
> #joining a Domain
> net ads join createupn=HTTP/hostname001.corp at DOMAIN.CORP -k
> echo
> #adding SPN HTTP
> echo "Adding the SPN HTTP"
> net ads keytab add HTTP
> echo
> #Generating keytab file
> net ads keytab create -k

You can get the keytab created during the join by adding:

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

to smb.conf before the join, not sure about the UPN though, never tried it.

It sounds like you are running Samba as a Unix domain member, any chance of seeing the (sanitized) smb.conf ?

Also what is the AD DC ?

Not sure why you want to disable YP, squid is known to work with the default Samba.

Rowland

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On Thu, 5 Apr 2018 18:57:03 -0300 "Suporte - KONTROL" <suporte at kontrolsecurity.com.br> wrote:

> Hi Rowland,
> Actually I don't want to disable the Yellow Pages, that's a situation I already have in the pFsense, cause YP was disabled by the pfsense developers.

Yellow pages is the old name for NIS and unless it is installed it isn't used by Linux and I suspect the same goes for freebsd.

> So my doubt is: Is there a way to make samba (latest version) work without the YP enabled? What about what people made with that samba version 4.4.16 I mentioned? Not sure how they did that. The only thing I know is that it is working fine even without the YP.

I would love to know what they did, perhaps the relevant code has been accepted into Samba.

> The Microsoft environment is mixed. I have Win2008R2 / Win2012 R2 and Win2016. It is working today with all of them.

Here is the good part: unless you extend Windows by installing 'IDMU', it has no knowledge of NIS, and you cannot install 'IDMU' on Win2016.

> No problems, Here is the smb4.conf file:

and here is my version for 4.7.6, basically yours with default lines removed and the deprecated 'idmap uid & gid' lines replaced with their modern counterparts:

[global]
workgroup = SAMDOM
security = ads
realm = SAMDOM.EXAMPLE.COM

## map ids outside of domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain the ranges may not overlap !
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 10000-999999

template shell = /bin/bash
winbind offline logon = yes
winbind refresh tickets = yes
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes

log level = 3 passdb:5 winbind:3
printcap name = /dev/null
load printers = no
printing = bsd
local master = no
kerberos method = secrets and keytab
winbind refresh tickets = yes

[homes]
comment = Home Directories
valid users = %s, %D%W%S
browseable = no
read only = no
inherit acls = yes

With that smb.conf, I joined it to my domain with:

net ads join createupn=HTTP/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM -k
Using short domain name -- SAMDOM
Joined 'TESTCLIENT1' to dns domain 'samdom.example.com'

and if I examine the keytab created, I find this:

ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 host/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
   2    2 host/TESTCLIENT1 at SAMDOM.EXAMPLE.COM
   3    2 host/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
   4    2 host/TESTCLIENT1 at SAMDOM.EXAMPLE.COM
   5    2 host/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
   6    2 host/TESTCLIENT1 at SAMDOM.EXAMPLE.COM
   7    2 host/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
   8    2 host/TESTCLIENT1 at SAMDOM.EXAMPLE.COM
   9    2 host/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
  10    2 host/TESTCLIENT1 at SAMDOM.EXAMPLE.COM
  11    2 TESTCLIENT1$@SAMDOM.EXAMPLE.COM
  12    2 TESTCLIENT1$@SAMDOM.EXAMPLE.COM
  13    2 TESTCLIENT1$@SAMDOM.EXAMPLE.COM
  14    2 TESTCLIENT1$@SAMDOM.EXAMPLE.COM
  15    2 TESTCLIENT1$@SAMDOM.EXAMPLE.COM
  16    2 HTTP/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
  17    2 HTTP/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
  18    2 HTTP/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
  19    2 HTTP/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM
  20    2 HTTP/testclient1.samdom.example.com at SAMDOM.EXAMPLE.COM

So the required UPN is there, so all I can suggest is, give it a try.

I do not use Squid, but I know a man that does ;-)

So over to you Louis.

Rowland
Suporte - KONTROL
2018-Apr-06 13:57 UTC
[Samba] Question: Samba and YP-Yellow Pages relation.
Hi Rowland,

That looks GREAT!
I will give it a try for sure and let you know.

I am trying to talk to the guys who "modified/patched" the Samba 44 to get details. If I get it, I will send it to you.

Many Thanks!!!

Fabricio.

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Friday, April 6, 2018 5:15 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Question: Samba and YP-Yellow Pages relation.
L.P.H. van Belle
2018-Apr-06 14:47 UTC
[Samba] Question: Samba and YP-Yellow Pages relation.
Hai,

Someone called me called?? I did a quick read here in this thread..

The upn part is done, so you're almost there.
You need to make sure your DNS is working as it should.
To check on the proxy with dig a hostname.FQDN.
dig -x ip_the_server
Test this for the DC hostnames/ips also.

If that is all ok, you can try these settings in squid:

# For squid ( works for me as of squid 3.2 up to 3.5 )
# negotiate kerberos and ntlm authentication + ldap fallback.
# Debugging. -d in the kerberos line, --diagnostics in ntlm)
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
  --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/your.server.hostname.in.fqdn at YOUR_REALM \
  --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM
# adjust this to your needs, you might want to lower the children and startups.
auth_param negotiate children 10 startup=2 idle=2
auth_param negotiate keep_alive on

# My advice, put everything on ssl, so don't use this one, but handy to have/know.
# ! Do note the -h and -H parameters.
# ! The user : SeparatedUser4bind2Ldap at internal.domain.tld
# ! : set disable pre kerberos auth and password does not expire, and can not change it.
# ! : set as trusted and can not be delegated.
# Non-SSL
#auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 \
# -b "ou=Company,dc=internal,dc=domain,dc=tld" \
# -D SeparatedUser4bind2Ldap at internal.domain.tld \
# -W /etc/squid/private/your_userPassword_in_Here \
# -f (sAMAccountName=%s) \
# -h dc2.internal.domain.tld \
# -h dc1.internal.domain.tld

# SSL enabled ( URI format -H )
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 \
  -b "ou=Company,dc=internal,dc=domain,dc=tld" \
  -D SeparatedUser4bind2Ldap at internal.domain.tld \
  -W /etc/squid/private/your_userPassword_in_Here \
  -f sAMAccountName=%s \
  -H ldaps://dc2.internal.domain.tld \
  -H ldaps://dc1.internal.domain.tld
auth_param basic children 5 startup=1 idle=1
auth_param basic realm Internet Proxy Autorisation
auth_param basic credentialsttl 9 hours

In smb.conf set these to no after you have tested.
> winbind enum users = no
> winbind enum groups = no

Good luck. If you have questions just mail me or the list.

Ps. Back Monday, and if you're lucky, I'll respond in the weekend.

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Suporte - KONTROL via samba
> Sent: Friday, 6 April 2018 15:58
> To: samba at lists.samba.org
> Subject: Re: [Samba] Question: Samba and YP-Yellow Pages relation.
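A check added here for this thread (not code from any of the posts, nor from Samba or Squid): given smb.conf text, it flags the deprecated idmap uid/gid parameters that Rowland's 4.7.6 version replaces, verifies that the idmap config ranges do not overlap, and reports winbind enum users/groups = yes, which Louis says to set to no once testing is done. The sample configs are constructed from the lines quoted in the thread; the parser handles only what this check needs.

```python
import re

# Constructed sample (not a file from the thread): the idmap/winbind lines of the posted smb4.conf.
OLD_CONF = """[global]
    idmap gid = 10000-20000
    idmap uid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
"""
# Constructed sample: the modern form from the 4.7.6 smb.conf in the thread.
NEW_CONF = """[global]
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    ## map ids from the domain; the ranges may not overlap!
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
    winbind enum users = no
    winbind enum groups = no
"""
# Constructed variant with the domain range pushed into the '*' range.
OVERLAP_CONF = NEW_CONF.replace("10000-999999", "9000-999999")

def parse_smb_conf(text):
    """{section: {key: value}}; keys lower-cased with spaces around ':' dropped."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":              # blank or comment line
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif current and "=" in line:
            key, value = line.split("=", 1)
            key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
            sections[current][key] = value.strip()
    return sections

def lint(text):
    """Return findings about the idmap and winbind enumeration settings."""
    g = parse_smb_conf(text).get("global", {})
    findings = ["deprecated '%s': use 'idmap config <DOMAIN> : range'" % dep
                for dep in ("idmap uid", "idmap gid") if dep in g]
    ranges = []                                       # (domain, low, high)
    for key, value in g.items():
        m = re.match(r"^idmap config (.+):range$", key)
        if m:
            lo, hi = (int(x) for x in value.split("-"))
            ranges.append((m.group(1), lo, hi))
    for i, (da, la, ha) in enumerate(ranges):         # pairwise overlap check
        for db, lb, hb in ranges[i + 1:]:
            if la <= hb and lb <= ha:
                findings.append("idmap ranges overlap: %s %d-%d and %s %d-%d" % (da, la, ha, db, lb, hb))
    for key in ("winbind enum users", "winbind enum groups"):
        if g.get(key, "no").lower() == "yes":
            findings.append("'%s = yes': fine for testing, set to no afterwards" % key)
    return findings
```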