1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
|
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 12. Integrating Additional Services</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.73.2"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="RefSection.html" title="Part III. Reference Section"><link rel="prev" href="kerberos.html" title="Chapter 11. Active Directory, Kerberos, and Security"><link rel="next" href="HA.html" title="Chapter 13. Performance, Reliability, and Availability"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 12. Integrating Additional Services</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="kerberos.html">Prev</a> </td><th width="60%" align="center">Part III. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="HA.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="DomApps"></a>Chapter 12. Integrating Additional Services</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="DomApps.html#id399839">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="DomApps.html#id399862">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="DomApps.html#id399948">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="DomApps.html#id399977">Technical Issues</a></span></dt><dt><span class="sect2"><a href="DomApps.html#id400123">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="DomApps.html#id400137">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a></span></dt><dt><span class="sect2"><a href="DomApps.html#id401888">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="DomApps.html#id401943">Questions and Answers</a></span></dt></dl></div><p>
<a class="indexterm" name="id399795"></a>
<a class="indexterm" name="id399802"></a>
<a class="indexterm" name="id399809"></a>
<a class="indexterm" name="id399815"></a>
<a class="indexterm" name="id399822"></a>
You've come a long way now. You have pretty much mastered Samba-3 for
most uses it can be put to. Up until now, you have cast Samba-3 in the leading
role, and where authentication was required, you have used one or another of
Samba's many authentication backends (from flat text files with smbpasswd
to LDAP directory integration with ldapsam). Now you can design a
solution for a new Abmas business. This business is running Windows Server
2003 and Active Directory, and these are to stay. It's time to master
implementing Samba and Samba-supported services in a domain controlled by
the latest Windows authentication technologies. Let's get started this is
leading edge.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id399839"></a>Introduction</h2></div></div></div><p>
Abmas has continued its miraculous growth; indeed, nothing seems to be able
to stop its diversification into multiple (and seemingly unrelated) fields.
Its latest acquisition is Abmas Snack Foods, a big player in the snack-food
business.
</p><p>
With this acquisition comes new challenges for you and your team. Abmas Snack
Foods is a well-developed business with a huge and heterogeneous network. It
already has Windows, NetWare, and Proprietary UNIX, but as yet no Samba or Linux.
The network is mature and well-established, and there is no question of its chosen
user authentication scheme being changed for now. You need to take a wise new
approach.
</p><p>
You have decided to set the ball rolling by introducing Samba-3 into the network
gradually, taking over key services and easing the way to a full migration and,
therefore, integration into Abmas's existing business later.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id399862"></a>Assignment Tasks</h3></div></div></div><p>
<a class="indexterm" name="id399869"></a>
<a class="indexterm" name="id399878"></a>
You've promised the skeptical Abmas Snack Foods management team
that you can show them how Samba can ease itself and other Open Source
technologies into their existing infrastructure and deliver sound business
advantages. Cost cutting is high on their agenda (a major promise of the
acquisition). You have chosen Web proxying and caching as your proving ground.
</p><p>
<a class="indexterm" name="id399894"></a>
<a class="indexterm" name="id399900"></a>
Abmas Snack Foods has several thousand users housed at its head office
and multiple regional offices, plants, and warehouses. A high proportion of
the business's work is done online, so Internet access for most of these
users is essential. All Internet access, including for all regional offices,
is funneled through the head office and is the job of the (now your) networking
team. The bandwidth requirements were horrific (comparable to a small ISP), and
the team soon discovered proxying and caching. In fact, they became one of
the earliest commercial users of Microsoft ISA.
</p><p>
<a class="indexterm" name="id399916"></a>
<a class="indexterm" name="id399922"></a>
<a class="indexterm" name="id399929"></a>
The team is not happy with ISA. Because it never lived up to its marketing promises,
it underperformed and had reliability problems. You have pounced on the opportunity
to show what Open Source can do. The one thing they do like, however, is ISA's
integration with Active Directory. They like that their users, once logged on,
are automatically authenticated against the proxy. If your alternative to ISA
can operate completely seamlessly in their Active Directory domain, it will be
approved.
</p><p>
This is a hands-on exercise. You build software applications so
that you obtain the functionality Abmas needs.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id399948"></a>Dissection and Discussion</h2></div></div></div><p>
The key requirements in this business example are straightforward. You are not required
to do anything new, just to replicate an existing system, not lose any existing features,
and improve performance. The key points are:
</p><div class="itemizedlist"><ul type="disc"><li><p>
Internet access for most employees
</p></li><li><p>
Distributed system to accommodate load and geographical distribution of users
</p></li><li><p>
Seamless and transparent interoperability with the existing Active Directory domain
</p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id399977"></a>Technical Issues</h3></div></div></div><p>
<a class="indexterm" name="id399985"></a>
<a class="indexterm" name="id399992"></a>
<a class="indexterm" name="id399998"></a>
<a class="indexterm" name="id400005"></a>
<a class="indexterm" name="id400012"></a>
<a class="indexterm" name="id400019"></a>
<a class="indexterm" name="id400026"></a>
<a class="indexterm" name="id400032"></a>
<a class="indexterm" name="id400039"></a>
<a class="indexterm" name="id400046"></a>
<a class="indexterm" name="id400053"></a>
<a class="indexterm" name="id400060"></a>
<a class="indexterm" name="id400069"></a><a class="indexterm" name="id400075"></a>
Functionally, the user's Internet Explorer requests a browsing session with the
Squid proxy, for which it offers its AD authentication token. Squid hands off
the authentication request to the Samba-3 authentication helper application
called <code class="literal">ntlm_auth</code>. This helper is a hook into winbind, the
Samba-3 NTLM authentication daemon. Winbind enables UNIX services to authenticate
against Microsoft Windows domains, including Active Directory domains. As Active
Directory authentication is a modified Kerberos authentication, winbind is assisted
in this by local Kerberos 5 libraries configured to check passwords with the Active
Directory server. Once the token has been checked, a browsing session is established.
This process is entirely transparent and seamless to the user.
</p><p>
Enabling this consists of:
</p><div class="itemizedlist"><ul type="disc"><li><p>
Preparing the necessary environment using preconfigured packages
</p></li><li><p>
Setting up raw Kerberos authentication against the Active Directory domain
</p></li><li><p>
Configuring, compiling, and then installing the supporting Samba-3 components
</p></li><li><p>
Tying it all together
</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id400123"></a>Political Issues</h3></div></div></div><p>
You are a stranger in a strange land, and all eyes are upon you. Some would even like to see
you fail. For you to gain the trust of your newly acquired IT people, it is essential that your
solution does everything the old one did, but does it better in every way. Only then
will the entrenched positions consider taking up your new way of doing things on a
wider scale.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id400137"></a>Implementation</h2></div></div></div><p>
<a class="indexterm" name="id400145"></a>
First, your system needs to be prepared and in a known good state to proceed. This consists
of making sure that everything the system depends on is present and that everything that could
interfere or conflict with the system is removed. You will be configuring the Squid and Samba-3
packages and updating them if necessary. If conflicting packages of these programs are installed,
they must be removed.
</p><p>
<a class="indexterm" name="id400159"></a>
The following packages should be available on your Red Hat Linux system:
</p><div class="itemizedlist"><ul type="disc"><li><p>
<a class="indexterm" name="id400173"></a>
<a class="indexterm" name="id400179"></a>
krb5-libs
</p></li><li><p>
krb5-devel
</p></li><li><p>
krb5-workstation
</p></li><li><p>
krb5-server
</p></li><li><p>
pam_krb5
</p></li></ul></div><p>
<a class="indexterm" name="id400209"></a>
In the case of SUSE Linux, these packages are called:
</p><div class="itemizedlist"><ul type="disc"><li><p>
heimdal-lib
</p></li><li><p>
heimdal-devel
</p></li><li><p>
<a class="indexterm" name="id400232"></a>
heimdal
</p></li><li><p>
pam_krb5
</p></li></ul></div><p>
If the required packages are not present on your system, you must install
them from the vendor's installation media. Follow the administrative guide
for your Linux system to ensure that the packages are correctly updated.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
<a class="indexterm" name="id400255"></a>
<a class="indexterm" name="id400262"></a>
<a class="indexterm" name="id400269"></a>
If the requirement is for interoperation with MS Windows Server 2003, it
will be necessary to ensure that you are using MIT Kerberos version 1.3.1
or later. Red Hat Linux 9 ships with MIT Kerberos 1.2.7 and thus requires
updating.
</p><p>
<a class="indexterm" name="id400280"></a>
<a class="indexterm" name="id400287"></a>
Heimdal 0.6 or later is required in the case of SUSE Linux. SUSE Enterprise
Linux Server 8 ships with Heimdal 0.4. SUSE 9 ships with the necessary version.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch10-one"></a>Removal of Pre-Existing Conflicting RPMs</h3></div></div></div><p>
<a class="indexterm" name="id400308"></a>
If Samba and/or Squid RPMs are installed, they should be updated. You can
build both from source.
</p><p>
<a class="indexterm" name="id400319"></a>
<a class="indexterm" name="id400325"></a>
<a class="indexterm" name="id400332"></a>
Locating the packages to be un-installed can be achieved by running:
</p><pre class="screen">
<code class="prompt">root# </code> rpm -qa | grep -i samba
<code class="prompt">root# </code> rpm -qa | grep -i squid
</pre><p>
The identified packages may be removed using:
</p><pre class="screen">
<code class="prompt">root# </code> rpm -e samba-common
</pre><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id400370"></a>Kerberos Configuration</h3></div></div></div><p>
<a class="indexterm" name="id400378"></a>
<a class="indexterm" name="id400385"></a>
<a class="indexterm" name="id400394"></a>
<a class="indexterm" name="id400401"></a>
The systems Kerberos installation must be configured to communicate with
your primary Active Directory server (ADS KDC).
</p><p>
Strictly speaking, MIT Kerberos version 1.3.4 currently gives the best results,
although the current default Red Hat MIT version 1.2.7 gives acceptable results
unless you are using Windows 2003 servers.
</p><p>
<a class="indexterm" name="id400417"></a>
<a class="indexterm" name="id400423"></a>
<a class="indexterm" name="id400430"></a>
<a class="indexterm" name="id400437"></a>
<a class="indexterm" name="id400444"></a>
<a class="indexterm" name="id400453"></a>
<a class="indexterm" name="id400459"></a>
Officially, neither MIT (1.3.4) nor Heimdal (0.63) Kerberos needs an <code class="filename">/etc/krb5.conf</code>
file in order to work correctly. All ADS domains automatically create SRV records in the
DNS zone <code class="constant">Kerberos.REALM.NAME</code> for each KDC in the realm. Since both
MIT and Heimdal, KRB5 libraries default to checking for these records, so they
automatically find the KDCs. In addition, <code class="filename">krb5.conf</code> allows
specifying only a single KDC, even if there is more than one. Using the DNS lookup
allows the KRB5 libraries to use whichever KDCs are available.
</p><div class="procedure"><a name="id400489"></a><p class="title"><b>Procedure 12.1. Kerberos Configuration Steps</b></p><ol type="1"><li><p>
<a class="indexterm" name="id400500"></a>
If you find the need to manually configure the <code class="filename">krb5.conf</code>, you should edit it
to have the contents shown in <a class="link" href="DomApps.html#ch10-krb5conf" title="Example 12.1. Kerberos Configuration File: /etc/krb5.conf">“Kerberos Configuration File: /etc/krb5.conf”</a>. The final fully qualified path for this file
should be <code class="filename">/etc/krb5.conf</code>.
</p></li><li><p>
<a class="indexterm" name="id400533"></a>
<a class="indexterm" name="id400540"></a>
<a class="indexterm" name="id400546"></a>
<a class="indexterm" name="id400553"></a>
<a class="indexterm" name="id400560"></a>
<a class="indexterm" name="id400567"></a>
<a class="indexterm" name="id400573"></a>
<a class="indexterm" name="id400580"></a>
<a class="indexterm" name="id400587"></a>
<a class="indexterm" name="id400596"></a>
<a class="indexterm" name="id400602"></a>
<a class="indexterm" name="id400609"></a>
<a class="indexterm" name="id400616"></a>
The following gotchas often catch people out. Kerberos is case sensitive. Your realm must
be in UPPERCASE, or you will get an error: “<span class="quote">Cannot find KDC for requested realm while getting
initial credentials</span>”. Kerberos is picky about time synchronization. The time
according to your participating servers must be within 5 minutes or you get an error:
“<span class="quote">kinit(v5): Clock skew too great while getting initial credentials</span>”.
Clock skew limits are, in fact, configurable in the Kerberos protocols (the default is
5 minutes). A better solution is to implement NTP throughout your server network.
Kerberos needs to be able to do a reverse DNS lookup on the IP address of your KDC.
Also, the name that this reverse lookup maps to must either be the NetBIOS name of
the KDC (i.e., the hostname with no domain attached) or the
NetBIOS name followed by the realm. If all else fails, you can add a
<code class="filename">/etc/hosts</code> entry mapping the IP address of your KDC to its
NetBIOS name. If Kerberos cannot do this reverse lookup, you will get a local error
when you try to join the realm.
</p></li><li><p>
<a class="indexterm" name="id400651"></a>
You are now ready to test your installation by issuing the command:
</p><pre class="screen">
<code class="prompt">root# </code> kinit [USERNAME@REALM]
</pre><p>
You are asked for your password, which you should enter. The following
is a typical console sequence:
</p><pre class="screen">
<code class="prompt">root# </code> kinit ADMINISTRATOR@LONDON.ABMAS.BIZ
Password for ADMINISTRATOR@LONDON.ABMAS.BIZ:
</pre><p>
Make sure that your password is accepted by the Active Directory KDC.
</p></li></ol></div><div class="example"><a name="ch10-krb5conf"></a><p class="title"><b>Example 12.1. Kerberos Configuration File: <code class="filename">/etc/krb5.conf</code></b></p><div class="example-contents"><pre class="screen">
[libdefaults]
default_realm = LONDON.ABMAS.BIZ
[realms]
LONDON.ABMAS.BIZ = {
kdc = w2k3s.london.abmas.biz
}
</pre></div></div><br class="example-break"><p><a class="indexterm" name="id400711"></a>
The command
</p><pre class="screen">
<code class="prompt">root# </code> klist -e
</pre><p>
shows the Kerberos tickets cached by the system.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id400733"></a>Samba Configuration</h4></div></div></div><p>
<a class="indexterm" name="id400741"></a>
Samba must be configured to correctly use Active Directory. Samba-3 must be used, since it
has the necessary components to interface with Active Directory.
</p><div class="procedure"><a name="id400750"></a><p class="title"><b>Procedure 12.2. Securing Samba-3 With ADS Support Steps</b></p><ol type="1"><li><p>
<a class="indexterm" name="id400762"></a>
<a class="indexterm" name="id400768"></a>
<a class="indexterm" name="id400775"></a>
<a class="indexterm" name="id400782"></a>
<a class="indexterm" name="id400789"></a>
Download the latest stable Samba-3 for Red Hat Linux from the official Samba Team
<a class="ulink" href="http://ftp.samba.org" target="_top">FTP site.</a> The official Samba Team
RPMs for Red Hat Fedora Linux contain the <code class="literal">ntlm_auth</code> tool
needed, and are linked against MIT KRB5 version 1.3.1 and therefore are ready for use.
</p><p>
<a class="indexterm" name="id400813"></a>
<a class="indexterm" name="id400820"></a>
The necessary, validated RPM packages for SUSE Linux may be obtained from
the <a class="ulink" href="ftp://ftp.sernet.de/pub/samba" target="_top">SerNet</a> FTP site that
is located in Germany. All SerNet RPMs are validated, have the necessary
<code class="literal">ntlm_auth</code> tool, and are statically linked
against suitably patched Heimdal 0.6 libraries.
</p></li><li><p>
Using your favorite editor, change the <code class="filename">/etc/samba/smb.conf</code>
file so it has contents similar to the example shown in <a class="link" href="DomApps.html#ch10-smbconf" title="Example 12.2. Samba Configuration File: /etc/samba/smb.conf">“Samba Configuration File: /etc/samba/smb.conf”</a>.
</p></li><li><p>
<a class="indexterm" name="id400867"></a>
<a class="indexterm" name="id400874"></a>
<a class="indexterm" name="id400880"></a>i
<a class="indexterm" name="id400892"></a>
<a class="indexterm" name="id400899"></a>
Next you need to create a computer account in the Active Directory.
This sets up the trust relationship needed for other clients to
authenticate to the Samba server with an Active Directory Kerberos ticket.
This is done with the “<span class="quote">net ads join -U [Administrator%Password]</span>”
command, as follows:
</p><pre class="screen">
<code class="prompt">root# </code> net ads join -U administrator%vulcon
</pre><p>
</p></li><li><p>
<a class="indexterm" name="id400930"></a>
<a class="indexterm" name="id400937"></a>
<a class="indexterm" name="id400943"></a>
<a class="indexterm" name="id400950"></a>
<a class="indexterm" name="id400957"></a>
Your new Samba binaries must be started in the standard manner as is applicable
to the platform you are running on. Alternatively, start your Active Directory-enabled Samba with the following commands:
</p><pre class="screen">
<code class="prompt">root# </code> smbd -D
<code class="prompt">root# </code> nmbd -D
<code class="prompt">root# </code> winbindd -B
</pre><p>
</p></li><li><p>
<a class="indexterm" name="id400996"></a>
<a class="indexterm" name="id401002"></a>
<a class="indexterm" name="id401012"></a>
<a class="indexterm" name="id401018"></a>
<a class="indexterm" name="id401025"></a>
We now need to test that Samba is communicating with the Active
Directory domain; most specifically, we want to see whether winbind
is enumerating users and groups. Issue the following commands:
</p><pre class="screen">
<code class="prompt">root# </code> wbinfo -t
checking the trust secret via RPC calls succeeded
</pre><p>
This tests whether we are authenticating against Active Directory:
</p><pre class="screen">
<code class="prompt">root# </code> wbinfo -u
LONDON+Administrator
LONDON+Guest
LONDON+SUPPORT_388945a0
LONDON+krbtgt
LONDON+jht
LONDON+xjht
</pre><p>
This enumerates all the users in your Active Directory tree:
</p><pre class="screen">
<code class="prompt">root# </code> wbinfo -g
LONDON+Domain Computers
LONDON+Domain Controllers
LONDON+Schema Admins
LONDON+Enterprise Admins
LONDON+Domain Admins
LONDON+Domain Users
LONDON+Domain Guests
LONDON+Group Policy Creator Owners
LONDON+DnsUpdateProxy
</pre><p>
This enumerates all the groups in your Active Directory tree.
</p></li><li><p>
<a class="indexterm" name="id401082"></a>
<a class="indexterm" name="id401089"></a>
Squid uses the <code class="literal">ntlm_auth</code> helper build with Samba-3.
You may test <code class="literal">ntlm_auth</code> with the command:
</p><pre class="screen">
<code class="prompt">root# </code> /usr/bin/ntlm_auth --username=jht
password: XXXXXXXX
</pre><p>
You are asked for your password, which you should enter. You are rewarded with:
</p><pre class="screen">
<code class="prompt">root# </code> NT_STATUS_OK: Success (0x0)
</pre><p>
</p></li><li><p>
<a class="indexterm" name="id401139"></a>
<a class="indexterm" name="id401146"></a>
<a class="indexterm" name="id401153"></a>
<a class="indexterm" name="id401159"></a>
<a class="indexterm" name="id401166"></a>
<a class="indexterm" name="id401173"></a>
<a class="indexterm" name="id401180"></a>
<a class="indexterm" name="id401187"></a>
The <code class="literal">ntlm_auth</code> helper, when run from a command line as the user
“<span class="quote">root</span>”, authenticates against your Active Directory domain (with
the aid of winbind). It manages this by reading from the winbind privileged pipe.
Squid is running with the permissions of user “<span class="quote">squid</span>” and group
“<span class="quote">squid</span>” and is not able to do this unless we make a vital change.
Squid cannot read from the winbind privilege pipe unless you change the
permissions of its directory. This is the single biggest cause of failure in the
whole process. Remember to issue the following command (for Red Hat Linux):
</p><pre class="screen">
<code class="prompt">root# </code> chgrp squid /var/cache/samba/winbindd_privileged
<code class="prompt">root# </code> chmod 750 /var/cache/samba/winbindd_privileged
</pre><p>
For SUSE Linux 9, execute the following:
</p><pre class="screen">
<code class="prompt">root# </code> chgrp squid /var/lib/samba/winbindd_privileged
<code class="prompt">root# </code> chmod 750 /var/lib/samba/winbindd_privileged
</pre><p>
</p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id401255"></a>NSS Configuration</h4></div></div></div><p>
<a class="indexterm" name="id401262"></a>
<a class="indexterm" name="id401269"></a>
<a class="indexterm" name="id401276"></a>
For Squid to benefit from Samba-3, NSS must be updated to allow winbind as a valid route to user authentication.
</p><p>
Edit your <code class="filename">/etc/nsswitch.conf</code> file so it has the parameters shown
in <a class="link" href="DomApps.html#ch10-etcnsscfg" title="Example 12.3. NSS Configuration File Extract File: /etc/nsswitch.conf">“NSS Configuration File Extract File: /etc/nsswitch.conf”</a>.
</p><div class="example"><a name="ch10-smbconf"></a><p class="title"><b>Example 12.2. Samba Configuration File: <code class="filename">/etc/samba/smb.conf</code></b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id401332"></a><em class="parameter"><code>workgroup = LONDON</code></em></td></tr><tr><td><a class="indexterm" name="id401344"></a><em class="parameter"><code>netbios name = W2K3S</code></em></td></tr><tr><td><a class="indexterm" name="id401355"></a><em class="parameter"><code>realm = LONDON.ABMAS.BIZ</code></em></td></tr><tr><td><a class="indexterm" name="id401367"></a><em class="parameter"><code>security = ads</code></em></td></tr><tr><td><a class="indexterm" name="id401378"></a><em class="parameter"><code>encrypt passwords = yes</code></em></td></tr><tr><td><a class="indexterm" name="id401390"></a><em class="parameter"><code>password server = w2k3s.london.abmas.biz</code></em></td></tr><tr><td># separate domain and username with '/', like DOMAIN/username</td></tr><tr><td><a class="indexterm" name="id401405"></a><em class="parameter"><code>winbind separator = /</code></em></td></tr><tr><td># use UIDs from 10000 to 20000 for domain users</td></tr><tr><td><a class="indexterm" name="id401420"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td># use GIDs from 10000 to 20000 for domain groups</td></tr><tr><td><a class="indexterm" name="id401436"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td># allow enumeration of winbind users and groups</td></tr><tr><td><a class="indexterm" name="id401451"></a><em class="parameter"><code>winbind enum users = yes</code></em></td></tr><tr><td><a class="indexterm" name="id401462"></a><em class="parameter"><code>winbind enum groups = yes</code></em></td></tr><tr><td><a class="indexterm" name="id401474"></a><em class="parameter"><code>winbind user default domain = yes</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch10-etcnsscfg"></a><p class="title"><b>Example 12.3. NSS Configuration File Extract File: <code class="filename">/etc/nsswitch.conf</code></b></p><div class="example-contents"><pre class="screen">
passwd: files winbind
shadow: files
group: files winbind
</pre></div></div><br class="example-break"></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id401512"></a>Squid Configuration</h4></div></div></div><p>
<a class="indexterm" name="id401520"></a>
<a class="indexterm" name="id401526"></a>
Squid must be configured correctly to interact with the Samba-3
components that handle Active Directory authentication.
</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id401540"></a>Configuration</h3></div></div></div></div><div class="procedure"><a name="id401546"></a><p class="title"><b>Procedure 12.3. Squid Configuration Steps</b></p><ol type="1"><li><p>
<a class="indexterm" name="id401557"></a>
<a class="indexterm" name="id401564"></a>
<a class="indexterm" name="id401572"></a>
If your Linux distribution is SUSE Linux 9, the version of Squid
supplied is already enabled to use the winbind helper agent. You
can therefore omit the steps that would build the Squid binary
programs.
</p></li><li><p>
<a class="indexterm" name="id401587"></a>
<a class="indexterm" name="id401594"></a>
<a class="indexterm" name="id401600"></a>
<a class="indexterm" name="id401607"></a>
<a class="indexterm" name="id401614"></a>
Squid, by default, runs as the user <code class="constant">nobody</code>. You need to
add a system user <code class="constant">squid</code> and a system group
<code class="constant">squid</code> if they are not set up already (if the default
Red Hat squid rpms were installed, they will be). Set up a
<code class="constant">squid</code> user in <code class="filename">/etc/passwd</code>
and a <code class="constant">squid</code> group in <code class="filename">/etc/group</code> if these aren't there already.
</p></li><li><p>
<a class="indexterm" name="id401659"></a>
<a class="indexterm" name="id401666"></a>
You now need to change the permissions on Squid's <code class="constant">var</code>
directory. Enter the following command:
</p><pre class="screen">
<code class="prompt">root# </code> chown -R squid /var/cache/squid
</pre><p>
</p></li><li><p>
<a class="indexterm" name="id401696"></a>
<a class="indexterm" name="id401702"></a>
Squid must also have control over its logging. Enter the following commands:
</p><pre class="screen">
<code class="prompt">root# </code> chown -R chown squid:squid /var/log/squid
<code class="prompt">root# </code> chmod 770 /var/log/squid
</pre><p>
</p></li><li><p>
Finally, Squid must be able to write to its disk cache!
Enter the following commands:
</p><pre class="screen">
<code class="prompt">root# </code> chown -R chown squid:squid /var/cache/squid
<code class="prompt">root# </code> chmod 770 /var/cache/squid
</pre><p>
</p></li><li><p>
<a class="indexterm" name="id401760"></a>
The <code class="filename">/etc/squid/squid.conf</code> file must be edited to include the lines from
<a class="link" href="DomApps.html#etcsquidcfg" title="Example 12.4. Squid Configuration File Extract /etc/squid.conf [ADMINISTRATIVE PARAMETERS Section]">“Squid Configuration File Extract /etc/squid.conf [ADMINISTRATIVE PARAMETERS Section]”</a> and <a class="link" href="DomApps.html#etcsquid2" title="Example 12.5. Squid Configuration File extract File: /etc/squid.conf [AUTHENTICATION PARAMETERS Section]">“Squid Configuration File extract File: /etc/squid.conf [AUTHENTICATION PARAMETERS Section]”</a>.
</p></li><li><p>
<a class="indexterm" name="id401793"></a>
You must create Squid's cache directories before it may be run. Enter the following command:
</p><pre class="screen">
<code class="prompt">root# </code> squid -z
</pre><p>
</p></li><li><p>
Finally, start Squid and enjoy transparent Active Directory authentication.
Enter the following command:
</p><pre class="screen">
<code class="prompt">root# </code> squid
</pre><p>
</p></li></ol></div><div class="example"><a name="etcsquidcfg"></a><p class="title"><b>Example 12.4. Squid Configuration File Extract <code class="filename">/etc/squid.conf</code> [ADMINISTRATIVE PARAMETERS Section]</b></p><div class="example-contents"><pre class="screen">
cache_effective_user squid
cache_effective_group squid
</pre></div></div><br class="example-break"><div class="example"><a name="etcsquid2"></a><p class="title"><b>Example 12.5. Squid Configuration File extract File: <code class="filename">/etc/squid.conf</code> [AUTHENTICATION PARAMETERS Section]</b></p><div class="example-contents"><pre class="screen">
auth_param ntlm program /usr/bin/ntlm_auth \
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/bin/ntlm_auth \
--helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers
</pre></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id401888"></a>Key Points Learned</h3></div></div></div><p>
<a class="indexterm" name="id401896"></a>
<a class="indexterm" name="id401902"></a>
<a class="indexterm" name="id401909"></a>
<a class="indexterm" name="id401916"></a>
<a class="indexterm" name="id401928"></a>
Microsoft Windows networking protocols permeate the spectrum of technologies that Microsoft
Windows clients use, even when accessing traditional services such as Web browsers. Depending
on whom you discuss this with, this is either good or bad. No matter how you might evaluate this,
the use of NTLMSSP as the authentication protocol for Web proxy access has some advantages over
the cookie-based authentication regime used by all competing browsers. It is Samba's implementation
of NTLMSSP that makes it attractive to implement the solution that has been demonstrated in this chapter.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id401943"></a>Questions and Answers</h2></div></div></div><p>
<a class="indexterm" name="id401950"></a>
<a class="indexterm" name="id401957"></a>
<a class="indexterm" name="id401964"></a>
<a class="indexterm" name="id401971"></a>
The development of the <code class="literal">ntlm_auth</code> module was first discussed in many Open Source circles
in 2002. At the SambaXP conference in Goettingen, Germany, Mr. Francesco Chemolli demonstrated the use of
<code class="literal">ntlm_auth</code> during one of the late developer meetings that took place. Since that time, the
adoption of <code class="literal">ntlm_auth</code> has spread considerably.
</p><p>
The largest report from a site that uses Squid with <code class="literal">ntlm_auth</code>-based authentication
support uses a dual processor server that has 2 GB of memory. It provides Web and FTP proxy services for 10,000
users. Approximately 2,000 of these users make heavy use of the proxy services. According to the source, who
wishes to remain anonymous, the sustained transaction load on this server hovers around 140 hits/sec. The following
comments were made with respect to questions regarding the performance of this installation:
</p><div class="blockquote"><blockquote class="blockquote"><p>
[In our] EXTREMELY optimized environment . . . [the] performance impact is almost [nothing]. The “<span class="quote">almost</span>”
part is due to the brain damage of the ntlm-over-http protocol definition. Suffice to say that its worst-case
scenario triples the number of hits needed to perform the same transactions versus basic or digest auth[entication].
</p></blockquote></div><p>
You would be well-advised to recognize that all cache-intensive proxying solutions demand a lot of memory.
Make certain that your Squid proxy server is equipped with sufficient memory to permit all proxy operations to run
out of memory without invoking the overheads involved in the use of memory that has to be swapped to disk.
</p><div class="qandaset"><dl><dt> <a href="DomApps.html#id402036">
What does Samba have to do with Web proxy serving?
</a></dt><dt> <a href="DomApps.html#id402192">
What other services does Samba provide?
</a></dt><dt> <a href="DomApps.html#id402327">
Does use of Samba (ntlm_auth) improve the performance of Squid?
</a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id402036"></a><a name="id402038"></a></td><td align="left" valign="top"><p>
What does Samba have to do with Web proxy serving?
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
<a class="indexterm" name="id402050"></a>
<a class="indexterm" name="id402057"></a>
<a class="indexterm" name="id402063"></a>
<a class="indexterm" name="id402073"></a>
<a class="indexterm" name="id402079"></a>
To provide transparent interoperability between Windows clients and the network services
that are used from them, Samba had to develop tools and facilities that deliver that feature. The benefit
of Open Source software is that it can readily be reused. The current <code class="literal">ntlm_auth</code>
module is basically a wrapper around authentication code from the core of the Samba project.
</p><p>
<a class="indexterm" name="id402098"></a>
<a class="indexterm" name="id402105"></a>
<a class="indexterm" name="id402114"></a>
<a class="indexterm" name="id402123"></a>
<a class="indexterm" name="id402132"></a>
<a class="indexterm" name="id402139"></a>
<a class="indexterm" name="id402146"></a>
<a class="indexterm" name="id402153"></a>
<a class="indexterm" name="id402160"></a>
The <code class="literal">ntlm_auth</code> module supports basic plain-text authentication and NTLMSSP
protocols. This module makes it possible for Web and FTP proxy requests to be authenticated without
the user being interrupted via his or her Windows logon credentials. This facility is available with
MS Windows Explorer and is one of the key benefits claimed for Microsoft Internet Information Server.
There are a few open source initiatives to provide support for these protocols in the Apache Web server
also.
</p><p>
<a class="indexterm" name="id402180"></a>
The short answer is that by adding a wrapper around key authentication components of Samba, other
projects (like Squid) can benefit from the labors expended in meeting user interoperability needs.
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id402192"></a><a name="id402194"></a></td><td align="left" valign="top"><p>
What other services does Samba provide?
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
<a class="indexterm" name="id402205"></a>
<a class="indexterm" name="id402212"></a>
<a class="indexterm" name="id402219"></a>
<a class="indexterm" name="id402225"></a>
<a class="indexterm" name="id402232"></a>
Samba-3 is a file and print server. The core components that provide this functionality are <code class="literal">smbd</code>,
<code class="literal">nmbd</code>, and the identity resolver daemon, <code class="literal">winbindd</code>.
</p><p>
<a class="indexterm" name="id402261"></a>
<a class="indexterm" name="id402268"></a>
Samba-3 is an SMB/CIFS client. The core component that provides this is called <code class="literal">smbclient</code>.
</p><p>
<a class="indexterm" name="id402285"></a>
<a class="indexterm" name="id402292"></a>
<a class="indexterm" name="id402298"></a>
<a class="indexterm" name="id402305"></a>
<a class="indexterm" name="id402312"></a>
Samba-3 includes a number of helper tools, plug-in modules, utilities, and test and validation facilities.
Samba-3 includes glue modules that help provide interoperability between MS Windows clients and UNIX/Linux
servers and clients. It includes Winbind agents that make it possible to authenticate UNIX/Linux access attempts
as well as logins to an SMB/CIFS authentication server backend. Samba-3 includes name service switch (NSS) modules
to permit identity resolution via SMB/CIFS servers (Windows NT4/200x, Samba, and a host of other commercial
server products).
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id402327"></a><a name="id402329"></a></td><td align="left" valign="top"><p>
Does use of Samba (<code class="literal">ntlm_auth</code>) improve the performance of Squid?
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
Not really. Samba's <code class="literal">ntlm_auth</code> module handles only authentication. It requires that
Squid make an external call to <code class="literal">ntlm_auth</code> and therefore actually incurs a
little more overhead. Compared with the benefit obtained, that overhead is well worth enduring. Since
Squid is a proxy server, and proxy servers tend to require lots of memory, it is good advice to provide
sufficient memory when using Squid. Just add a little more to accommodate <code class="literal">ntlm_auth</code>.
</p></td></tr></tbody></table></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="kerberos.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="RefSection.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="HA.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 11. Active Directory, Kerberos, and Security </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 13. Performance, Reliability, and Availability</td></tr></table></div></body></html>
|
