Kontrol-Suporte
2019-Apr-18 21:33 UTC
[Samba] samba 4.10 + SQUID 4.6 (FreeBSD) Fresh install - Error ownership folder
Hello everyone, Just made a brand new installation of the Samba 4.10 for FreeBSD (got it from FreeNAS project) and it worked very well but I am facing some issues while working with it + Squid 4.6 Here is the thing. I could Join the machine to my Domain with absolutely no problems. I also created the Kerberos keytab, etc. For some reason, the Squid Helpers are showing an error message, like the one below. Although, NTLM helper is working fine and authenticating with no errors, Kerberos helper is not working at all and it fails crashing the Squid as it Terminated abnormally. **start error log** Initialising global parameters Processing section "[global]" Initialising global parameters Processing section "[global]" Initialising global parameters directory_create_or_exist_strict: invalid ownership on directory /var/run/samba4/msg.lock Processing section "[global]" cmdline_messaging_context: Unable to initialize messaging context. lp_load_ex: refreshing parameters **end of error log** I tried several different ownerships with no success, also I compared with old versions. Same thing. The Kerberos helper fails with the following Error log: **start error log** 2019/04/18 18:25:05 kid1| WARNING: negotiateauthenticator #Hlpr1 exited 2019/04/18 18:25:05 kid1| FATAL: The negotiateauthenticator helpers are crashing too rapidly, need help! 2019/04/18 18:25:05 kid1| Squid Cache (Version 4.6): Terminated abnormally. CPU Usage: 0.105 seconds = 0.053 user + 0.053 sys Maximum Resident Size: 122672 KB Page faults with physical i/o: 0 ** end error log** Here is my smb4.conf file, just in case I am using any deprecated/Invalid configuration. **smb4.conf** ######################### [global] workgroup = DOMAIN realm = DOMAIN.CORP client NTLMv2 auth = yes client lanman auth = no client plaintext auth = no idmap config DOMAIN : backend = rid idmap config DOMAIN : range = 10000-20000 map to guest = never security = ads template shell = /bin/bash winbind offline logon = yes winbind refresh tickets = yes winbind nested groups = yes winbind use default domain = yes encrypt passwords = yes log level = 3 passdb:5 winbind:3 usershare allow guests = no printcap name = /dev/null load printers = no printing = bsd local master = no kerberos method = secrets and keytab winbind refresh tickets = yes [homes] comment = Home Directories valid users = %s, %D%W%S browseable = no read only = no inherit acls = yes ############################## **Here the krb5.conf** ############################ [libdefaults] default_realm = DOMAIN.CORP dns_lookup_kdc = yes dns_lookup_realm = yes ticket_lifetime = 24h default_keytab_name = /etc/krb5.keytab forwardable = yes default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 DOMAIN.CORP = { kdc = kontroldc01.domain.corp admin_server = kontroldc01.domain.corp default_domain = domain.corp } .domain.corp = DOMAIN.CORP domain.corp = DOMAIN.CORP [logging] kdc = FILE:/var/log/kdc.log admin_server = FILE:/var/log/kadmin.log default = FILE:/var/log/krb5lib.log #################### I know it seems something wrong with SQUID, not SAMBA 4.10, but I am just wondering if I committed any mistake during the configuration process. Any help will be very welcome and appreciated! Thanks! Fabricio.
Rowland Penny
2019-Apr-19 07:44 UTC
[Samba] samba 4.10 + SQUID 4.6 (FreeBSD) Fresh install - Error ownership folder
On Thu, 18 Apr 2019 18:33:03 -0300 Kontrol-Suporte via samba <samba at lists.samba.org> wrote:> Hello everyone, > > Just made a brand new installation of the Samba 4.10 for FreeBSD (got > it from FreeNAS project) and it worked very well but I am facing some > issues while working with it + Squid 4.6 > > Here is the thing. I could Join the machine to my Domain with > absolutely no problems. I also created the Kerberos keytab, etc. > > For some reason, the Squid Helpers are showing an error message, like > the one below. > > Although, NTLM helper is working fine and authenticating with no > errors, Kerberos helper is not working at all and it fails crashing > the Squid as it Terminated abnormally. > > > > Here is my smb4.conf file, just in case I am using any > deprecated/Invalid configuration.Not so much deprecated or invalid, but un-needed/missing ? Remove the defaults: [global] workgroup = DOMAIN realm = DOMAIN.CORP security = ads idmap config DOMAIN : backend = rid idmap config DOMAIN : range = 10000-20000 template shell = /bin/bash winbind offline logon = yes winbind refresh tickets = yes winbind use default domain = yes log level = 3 passdb:5 winbind:3 printcap name = /dev/null load printers = no printing = bsd local master = no kerberos method = secrets and keytab [homes] comment = Home Directories valid users = %s, %D%W%S browseable = no read only = no inherit acls = yes The missing: idmap config * : backend = tdb idmap config * : range = 3999-7999> > > I know it seems something wrong with SQUID, not SAMBA 4.10, but I am > just wondering if I committed any mistake during the configuration > process.The probably missing (part 2): ntlm auth = mschapv2-and-ntlmv2-only Not sure what Samba version you used last, but NTLMv1 is now turned off by default. Rowland
Suporte - KONTROL
2019-Apr-20 21:56 UTC
[Samba] samba 4.10 + SQUID 4.6 (FreeBSD) Fresh install - Error ownership folder
Hi Rowland Appreciate the message and the tips. I updated my smb file, although the Kerberos error still showing up. Thanks Anyway. Fabricio. -----Original Message----- From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba Sent: Friday, April 19, 2019 4:45 AM To: samba at lists.samba.org Subject: Re: [Samba] samba 4.10 + SQUID 4.6 (FreeBSD) Fresh install - Error ownership folder On Thu, 18 Apr 2019 18:33:03 -0300 Kontrol-Suporte via samba <samba at lists.samba.org> wrote:> Hello everyone, > > Just made a brand new installation of the Samba 4.10 for FreeBSD (got > it from FreeNAS project) and it worked very well but I am facing some > issues while working with it + Squid 4.6 > > Here is the thing. I could Join the machine to my Domain with > absolutely no problems. I also created the Kerberos keytab, etc. > > For some reason, the Squid Helpers are showing an error message, like > the one below. > > Although, NTLM helper is working fine and authenticating with no > errors, Kerberos helper is not working at all and it fails crashing > the Squid as it Terminated abnormally. > > > > Here is my smb4.conf file, just in case I am using any > deprecated/Invalid configuration.Not so much deprecated or invalid, but un-needed/missing ? Remove the defaults: [global] workgroup = DOMAIN realm = DOMAIN.CORP security = ads idmap config DOMAIN : backend = rid idmap config DOMAIN : range = 10000-20000 template shell = /bin/bash winbind offline logon = yes winbind refresh tickets = yes winbind use default domain = yes log level = 3 passdb:5 winbind:3 printcap name = /dev/null load printers = no printing = bsd local master = no kerberos method = secrets and keytab [homes] comment = Home Directories valid users = %s, %D%W%S browseable = no read only = no inherit acls = yes The missing: idmap config * : backend = tdb idmap config * : range = 3999-7999> > > I know it seems something wrong with SQUID, not SAMBA 4.10, but I am > just wondering if I committed any mistake during the configuration > process.The probably missing (part 2): ntlm auth = mschapv2-and-ntlmv2-only Not sure what Samba version you used last, but NTLMv1 is now turned off by default. Rowland -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
L.P.H. van Belle
2019-Apr-23 08:04 UTC
[Samba] samba 4.10 + SQUID 4.6 (FreeBSD) Fresh install - Error ownership folder
In addition. Everything Rowland noticed it correct and i notieced, you probley missing the HTTP/spn. Because squid 4.6 with samba and kerberos works great here. Read this.. https://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos Now, in addition, the krb5.conf shown there. Is not needed, keep your default. If you need to adjust it, then is probley. [libdefaults] default_realm = ADDCDOM.REALM.TLD ; for Windows 2008 with AES ; this is optional, but if you have problems, set it, it wont hurt. default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 The keytab part, Dont use msktutil. Just setup a member with winbind installed only and join the domain. Then when this server is domain joined run this : kinit administrator export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab net ads keytab CREATE net ads keytab ADD HTTP unset KRB5_KTNAME chmod proxy:proxy /etc/squid/HTTP.keytab ! Change users/group here if needed, i dont know freebsd.. And ( by example ) in debian 8/9/10. /etc/default/squid Add in the beginning the part, or put it in your init script. KRB5_KTNAME=/etc/squid/HTTP.keytab export KRB5_KTNAME And for smb.conf i use for references. [global] workgroup = ADDCDOM security = ads realm = ADDCDOM.REALM.TLD netbios name = PROXY1 preferred master = no domain master = no host msdfs = no # explicit set, because i use a caching and forwarding dns on the proxy. interfaces = 192.168.0.11 127.0.0.1 bind interfaces only = yes dns proxy = yes server signing = mandatory ntlm auth = no #Add and Update TLS Key tls enabled = yes # i have my own certs configured, using the default works also. tls keyfile = /etc/ssl/local/private/xxxxx.key.pem tls certfile = /etc/ssl/local/certs/xxxxxx.cert.pem tls cafile = /etc/ssl/certs/xxxxx-ca.pem ## map id's outside to domain to tdb files. idmap config *:backend = tdb idmap config *:range = 2000-9999 ## map ids from the domain the range may not overlap ! idmap config ADDCDOM: backend = ad idmap config ADDCDOM: schema_mode = rfc2307 idmap config ADDCDOM: range = 10000-3999999 # if you need to login also with ssh you need a uid. idmap config ADDCDOM: unix_nss_info = yes # Keytab and method. dedicated keytab file = /etc/krb5.keytab kerberos method = secrets and keytab # renew the kerberos ticket, is a must have. winbind refresh tickets = yes # Use home directory and shell information from AD # winbind nss info = rfc2307 overrulled by unix_nss_info (PER DOMAIN) option # show domain prefix # set to no, dont use the default domain, output shows: DOMAIN\user # set to yes, use the default domain, output shows: user winbind use default domain = yes # show users with : getent passwd username winbind enum users = no winbind enum groups = no # enable offline logins winbind offline logon = yes # user Administrator workaround, without it you are unable to set privileges username map = /etc/samba/samba_usermapping # disable usershares creating, when set empty no error log messages. usershare path # Disable printing completely load printers = no printing = bsd printcap name = /dev/null disable spoolss = yes Then use one of these to setup squid and its helpers. # If you have a correct DNS, A and PTR for every server. auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \ --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy1.rotterdam.bazuin.nl at ADDCDOM.REALM.TLD \ --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=ADDCDOM ## or same, check the -s ! This setup does not require A+PTR #auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \ # --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME \ # --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=BAZRTD # optinal, add the ldap (basic) fallback also, then you have 3. # kerberos => NTLM => Basic. This should help you going, more questions, just ask. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Suporte - KONTROL via samba > Verzonden: zaterdag 20 april 2019 23:57 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] samba 4.10 + SQUID 4.6 (FreeBSD) Fresh > install - Error ownership folder > Urgentie: Hoog > > Hi Rowland > > Appreciate the message and the tips. > I updated my smb file, although the Kerberos error still showing up. > > Thanks Anyway. > > Fabricio. > > -----Original Message----- > From: samba <samba-bounces at lists.samba.org> On Behalf Of > Rowland Penny via samba > Sent: Friday, April 19, 2019 4:45 AM > To: samba at lists.samba.org > Subject: Re: [Samba] samba 4.10 + SQUID 4.6 (FreeBSD) Fresh > install - Error ownership folder > > On Thu, 18 Apr 2019 18:33:03 -0300 > Kontrol-Suporte via samba <samba at lists.samba.org> wrote: > > > Hello everyone, > > > > Just made a brand new installation of the Samba 4.10 for > FreeBSD (got > > it from FreeNAS project) and it worked very well but I am > facing some > > issues while working with it + Squid 4.6 > > > > Here is the thing. I could Join the machine to my Domain with > > absolutely no problems. I also created the Kerberos keytab, etc. > > > > For some reason, the Squid Helpers are showing an error > message, like > > the one below. > > > > Although, NTLM helper is working fine and authenticating with no > > errors, Kerberos helper is not working at all and it fails crashing > > the Squid as it Terminated abnormally. > > > > > > > > Here is my smb4.conf file, just in case I am using any > > deprecated/Invalid configuration. > > Not so much deprecated or invalid, but un-needed/missing ? > > Remove the defaults: > > [global] > workgroup = DOMAIN > realm = DOMAIN.CORP > security = ads > > idmap config DOMAIN : backend = rid > idmap config DOMAIN : range = 10000-20000 > > template shell = /bin/bash > winbind offline logon = yes > winbind refresh tickets = yes > winbind use default domain = yes > log level = 3 passdb:5 winbind:3 > printcap name = /dev/null > load printers = no > printing = bsd > local master = no > kerberos method = secrets and keytab > > [homes] > comment = Home Directories > valid users = %s, %D%W%S > browseable = no > read only = no > inherit acls = yes > > The missing: > > idmap config * : backend = tdb > idmap config * : range = 3999-7999 > > > > > > > I know it seems something wrong with SQUID, not SAMBA 4.10, > but I am > > just wondering if I committed any mistake during the configuration > > process. > > The probably missing (part 2): > > ntlm auth = mschapv2-and-ntlmv2-only > > Not sure what Samba version you used last, but NTLMv1 is now > turned off by default. > > Rowland > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > >
Apparently Analagous Threads
- samba4+squid3+ntlm
- Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
- Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab
- Problem with keytab: "Client not found in Kerberos database"
- Failed to find cifs/fs-share@dom.corp (kvno 109) in keytab