1<?xml version="1.0" encoding="iso-8859-1"?> 2<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc"> 3 4<chapter id="DomApps"> 5<title>Integrating Additional Services</title> 6 7 <para> 8 <indexterm><primary>authentication</primary></indexterm> 9 <indexterm><primary>backends</primary></indexterm> 10 <indexterm><primary>smbpasswd</primary></indexterm> 11 <indexterm><primary>ldapsam</primary></indexterm> 12 <indexterm><primary>Active Directory</primary></indexterm> 13 You've come a long way now. You have pretty much mastered Samba-3 for 14 most uses it can be put to. Up until now, you have cast Samba-3 in the leading 15 role, and where authentication was required, you have used one or another of 16 Samba's many authentication backends (from flat text files with smbpasswd 17 to LDAP directory integration with ldapsam). Now you can design a 18 solution for a new Abmas business. This business is running Windows Server 19 2003 and Active Directory, and these are to stay. It's time to master 20 implementing Samba and Samba-supported services in a domain controlled by 21 the latest Windows authentication technologies. Let's get started &smbmdash; this is 22 leading edge. 23 </para> 24 25<sect1> 26 <title>Introduction</title> 27 28 <para> 29 Abmas has continued its miraculous growth; indeed, nothing seems to be able 30 to stop its diversification into multiple (and seemingly unrelated) fields. 31 Its latest acquisition is Abmas Snack Foods, a big player in the snack-food 32 business. 33 </para> 34 35 <para> 36 With this acquisition comes new challenges for you and your team. Abmas Snack 37 Foods is a well-developed business with a huge and heterogeneous network. It 38 already has Windows, NetWare, and Proprietary UNIX, but as yet no Samba or Linux. 39 The network is mature and well-established, and there is no question of its chosen 40 user authentication scheme being changed for now. You need to take a wise new 41 approach. 42 </para> 43 44 <para> 45 You have decided to set the ball rolling by introducing Samba-3 into the network 46 gradually, taking over key services and easing the way to a full migration and, 47 therefore, integration into Abmas's existing business later. 48 </para> 49 50 <sect2> 51 <title>Assignment Tasks</title> 52 53 <para> 54 <indexterm><primary>web</primary><secondary>proxying</secondary></indexterm> 55 <indexterm><primary>web</primary><secondary>caching</secondary></indexterm> 56 You've promised the skeptical Abmas Snack Foods management team 57 that you can show them how Samba can ease itself and other Open Source 58 technologies into their existing infrastructure and deliver sound business 59 advantages. Cost cutting is high on their agenda (a major promise of the 60 acquisition). You have chosen Web proxying and caching as your proving ground. 61 </para> 62 63 <para> 64 <indexterm><primary>bandwidth</primary></indexterm> 65 <indexterm><primary>Microsoft ISA</primary></indexterm> 66 Abmas Snack Foods has several thousand users housed at its head office 67 and multiple regional offices, plants, and warehouses. A high proportion of 68 the business's work is done online, so Internet access for most of these 69 users is essential. All Internet access, including for all regional offices, 70 is funneled through the head office and is the job of the (now your) networking 71 team. The bandwidth requirements were horrific (comparable to a small ISP), and 72 the team soon discovered proxying and caching. In fact, they became one of 73 the earliest commercial users of Microsoft ISA. 74 </para> 75 76 <para> 77 <indexterm><primary>Active Directory</primary></indexterm> 78 <indexterm><primary>authenticated</primary></indexterm> 79 <indexterm><primary>proxy</primary></indexterm> 80 The team is not happy with ISA. Because it never lived up to its marketing promises, 81 it underperformed and had reliability problems. You have pounced on the opportunity 82 to show what Open Source can do. The one thing they do like, however, is ISA's 83 integration with Active Directory. They like that their users, once logged on, 84 are automatically authenticated against the proxy. If your alternative to ISA 85 can operate completely seamlessly in their Active Directory domain, it will be 86 approved. 87 </para> 88 89 <para> 90 This is a hands-on exercise. You build software applications so 91 that you obtain the functionality Abmas needs. 92 </para> 93 94 </sect2> 95</sect1> 96 97<sect1> 98<title>Dissection and Discussion</title> 99 100 <para> 101 The key requirements in this business example are straightforward. You are not required 102 to do anything new, just to replicate an existing system, not lose any existing features, 103 and improve performance. The key points are: 104 </para> 105 106 <itemizedlist> 107 <listitem><para> 108 Internet access for most employees 109 </para></listitem> 110 <listitem><para> 111 Distributed system to accommodate load and geographical distribution of users 112 </para></listitem> 113 <listitem><para> 114 Seamless and transparent interoperability with the existing Active Directory domain 115 </para></listitem> 116 </itemizedlist> 117 118 119 <sect2> 120 <title>Technical Issues</title> 121 122 <para> 123 <indexterm><primary>browsing</primary></indexterm> 124 <indexterm><primary>Squid proxy</primary></indexterm> 125 <indexterm><primary>proxy</primary></indexterm> 126 <indexterm><primary>authentication</primary></indexterm> 127 <indexterm><primary>Internet Explorer</primary></indexterm> 128 <indexterm><primary>winbind</primary></indexterm> 129 <indexterm><primary>NTLM</primary></indexterm> 130 <indexterm><primary>NTLM authentication daemon</primary></indexterm> 131 <indexterm><primary>authentication</primary></indexterm> 132 <indexterm><primary>daemon</primary></indexterm> 133 <indexterm><primary>Active Directory</primary></indexterm> 134 <indexterm><primary>domain</primary><secondary>Active Directory</secondary></indexterm> 135 <indexterm><primary>Kerberos</primary></indexterm><indexterm><primary>token</primary></indexterm> 136 Functionally, the user's Internet Explorer requests a browsing session with the 137 Squid proxy, for which it offers its AD authentication token. Squid hands off 138 the authentication request to the Samba-3 authentication helper application 139 called <command>ntlm_auth</command>. This helper is a hook into winbind, the 140 Samba-3 NTLM authentication daemon. Winbind enables UNIX services to authenticate 141 against Microsoft Windows domains, including Active Directory domains. As Active 142 Directory authentication is a modified Kerberos authentication, winbind is assisted 143 in this by local Kerberos 5 libraries configured to check passwords with the Active 144 Directory server. Once the token has been checked, a browsing session is established. 145 This process is entirely transparent and seamless to the user. 146 </para> 147 148 <para> 149 Enabling this consists of: 150 </para> 151 152 <itemizedlist> 153 <listitem><para> 154 Preparing the necessary environment using preconfigured packages 155 </para></listitem> 156 157 <listitem><para> 158 Setting up raw Kerberos authentication against the Active Directory domain 159 </para></listitem> 160 161 <listitem><para> 162 Configuring, compiling, and then installing the supporting Samba-3 components 163 </para></listitem> 164 165 <listitem><para> 166 Tying it all together 167 </para></listitem> 168 </itemizedlist> 169 170 </sect2> 171 172 173 <sect2> 174 <title>Political Issues</title> 175 176 <para> 177 You are a stranger in a strange land, and all eyes are upon you. Some would even like to see 178 you fail. For you to gain the trust of your newly acquired IT people, it is essential that your 179 solution does everything the old one did, but does it better in every way. Only then 180 will the entrenched positions consider taking up your new way of doing things on a 181 wider scale. 182 </para> 183 184 </sect2> 185 186</sect1> 187 188<sect1> 189 <title>Implementation</title> 190 191 <para> 192 <indexterm><primary>Squid</primary></indexterm> 193 First, your system needs to be prepared and in a known good state to proceed. This consists 194 of making sure that everything the system depends on is present and that everything that could 195 interfere or conflict with the system is removed. You will be configuring the Squid and Samba-3 196 packages and updating them if necessary. If conflicting packages of these programs are installed, 197 they must be removed. 198 </para> 199 200 <para> 201 <indexterm><primary>Red Hat Linux</primary></indexterm> 202 The following packages should be available on your Red Hat Linux system: 203 </para> 204 205 <itemizedlist> 206 <listitem><para> 207 <indexterm><primary>krb5</primary></indexterm> 208 <indexterm><primary>Kerberos</primary></indexterm> 209 krb5-libs 210 </para></listitem> 211 212 <listitem><para> 213 krb5-devel 214 </para></listitem> 215 216 <listitem><para> 217 krb5-workstation 218 </para></listitem> 219 220 <listitem><para> 221 krb5-server 222 </para></listitem> 223 224 <listitem><para> 225 pam_krb5 226 </para></listitem> 227 </itemizedlist> 228 229 <para> 230 <indexterm><primary>SUSE Linux</primary></indexterm> 231 In the case of SUSE Linux, these packages are called: 232 </para> 233 234 <itemizedlist> 235 <listitem><para> 236 heimdal-lib 237 </para></listitem> 238 239 <listitem><para> 240 heimdal-devel 241 </para></listitem> 242 243 <listitem><para> 244 <indexterm><primary>Heimdal</primary></indexterm> 245 heimdal 246 </para></listitem> 247 248 <listitem><para> 249 pam_krb5 250 </para></listitem> 251 </itemizedlist> 252 253 <para> 254 If the required packages are not present on your system, you must install 255 them from the vendor's installation media. Follow the administrative guide 256 for your Linux system to ensure that the packages are correctly updated. 257 </para> 258 259 <note><para> 260 <indexterm><primary>MS Windows Server 2003</primary></indexterm> 261 <indexterm><primary>Kerberos</primary></indexterm> 262 <indexterm><primary>MIT</primary></indexterm> 263 If the requirement is for interoperation with MS Windows Server 2003, it 264 will be necessary to ensure that you are using MIT Kerberos version 1.3.1 265 or later. Red Hat Linux 9 ships with MIT Kerberos 1.2.7 and thus requires 266 updating. 267 </para> 268 269 <para> 270 <indexterm><primary>Heimdal</primary></indexterm> 271 <indexterm><primary>SUSE Enterprise Linux Server</primary></indexterm> 272 Heimdal 0.6 or later is required in the case of SUSE Linux. SUSE Enterprise 273 Linux Server 8 ships with Heimdal 0.4. SUSE 9 ships with the necessary version. 274 </para></note> 275 276 <sect2 id="ch10-one"> 277 <title>Removal of Pre-Existing Conflicting RPMs</title> 278 279 <para> 280 <indexterm><primary>Squid</primary></indexterm> 281 If Samba and/or Squid RPMs are installed, they should be updated. You can 282 build both from source. 283 </para> 284 285 <para> 286 <indexterm><primary>rpm</primary></indexterm> 287 <indexterm><primary>samba</primary></indexterm> 288 <indexterm><primary>squid</primary></indexterm> 289 Locating the packages to be un-installed can be achieved by running: 290<screen> 291&rootprompt; rpm -qa | grep -i samba 292&rootprompt; rpm -qa | grep -i squid 293</screen> 294 The identified packages may be removed using: 295<screen> 296&rootprompt; rpm -e samba-common 297</screen> 298 </para> 299 300 <sect2> 301 <title>Kerberos Configuration</title> 302 303 <para> 304 <indexterm><primary>Kerberos</primary></indexterm> 305 <indexterm><primary>Active Directory</primary><secondary>server</secondary></indexterm> 306 <indexterm><primary>ADS</primary></indexterm> 307 <indexterm><primary>KDC</primary></indexterm> 308 The systems Kerberos installation must be configured to communicate with 309 your primary Active Directory server (ADS KDC). 310 </para> 311 312 <para> 313 Strictly speaking, MIT Kerberos version 1.3.4 currently gives the best results, 314 although the current default Red Hat MIT version 1.2.7 gives acceptable results 315 unless you are using Windows 2003 servers. 316 </para> 317 318 <para> 319 <indexterm><primary>MIT</primary></indexterm> 320 <indexterm><primary>Heimdal</primary></indexterm> 321 <indexterm><primary>Kerberos</primary></indexterm> 322 <indexterm><primary>/etc/krb5.conf</primary></indexterm> 323 <indexterm><primary>DNS</primary><secondary>SRV records</secondary></indexterm> 324 <indexterm><primary>KDC</primary></indexterm> 325 <indexterm><primary>DNS</primary><secondary>lookup</secondary></indexterm> 326 Officially, neither MIT (1.3.4) nor Heimdal (0.63) Kerberos needs an <filename>/etc/krb5.conf</filename> 327 file in order to work correctly. All ADS domains automatically create SRV records in the 328 DNS zone <constant>Kerberos.REALM.NAME</constant> for each KDC in the realm. Since both 329 MIT and Heimdal, KRB5 libraries default to checking for these records, so they 330 automatically find the KDCs. In addition, <filename>krb5.conf</filename> allows 331 specifying only a single KDC, even if there is more than one. Using the DNS lookup 332 allows the KRB5 libraries to use whichever KDCs are available. 333 </para> 334 335 <procedure> 336 <title>Kerberos Configuration Steps</title> 337 338 <step><para> 339 <indexterm><primary>krb5.conf</primary></indexterm> 340 If you find the need to manually configure the <filename>krb5.conf</filename>, you should edit it 341 to have the contents shown in <link linkend="ch10-krb5conf"/>. The final fully qualified path for this file 342 should be <filename>/etc/krb5.conf</filename>. 343 </para></step> 344 345 <step><para> 346 <indexterm><primary>Kerberos</primary></indexterm> 347 <indexterm><primary>realm</primary></indexterm> 348 <indexterm><primary>case-sensitive</primary></indexterm> 349 <indexterm><primary>KDC</primary></indexterm> 350 <indexterm><primary>synchronization</primary></indexterm> 351 <indexterm><primary>initial credentials</primary></indexterm> 352 <indexterm><primary>Clock skew</primary></indexterm> 353 <indexterm><primary>NTP</primary></indexterm> 354 <indexterm><primary>DNS</primary><secondary>lookup</secondary></indexterm> 355 <indexterm><primary>reverse DNS</primary></indexterm> 356 <indexterm><primary>NetBIOS name </primary></indexterm> 357 <indexterm><primary>/etc/hosts</primary></indexterm> 358 <indexterm><primary>mapping</primary></indexterm> 359 The following gotchas often catch people out. Kerberos is case sensitive. Your realm must 360 be in UPPERCASE, or you will get an error: <quote>Cannot find KDC for requested realm while getting 361 initial credentials</quote>. Kerberos is picky about time synchronization. The time 362 according to your participating servers must be within 5 minutes or you get an error: 363 <quote>kinit(v5): Clock skew too great while getting initial credentials</quote>. 364 Clock skew limits are, in fact, configurable in the Kerberos protocols (the default is 365 5 minutes). A better solution is to implement NTP throughout your server network. 366 Kerberos needs to be able to do a reverse DNS lookup on the IP address of your KDC. 367 Also, the name that this reverse lookup maps to must either be the NetBIOS name of 368 the KDC (i.e., the hostname with no domain attached) or the 369 NetBIOS name followed by the realm. If all else fails, you can add a 370 <filename>/etc/hosts</filename> entry mapping the IP address of your KDC to its 371 NetBIOS name. If Kerberos cannot do this reverse lookup, you will get a local error 372 when you try to join the realm. 373 </para></step> 374 375 <step><para> 376 <indexterm><primary>kinit</primary></indexterm> 377 You are now ready to test your installation by issuing the command: 378<screen> 379&rootprompt; kinit [USERNAME@REALM] 380</screen> 381 You are asked for your password, which you should enter. The following 382 is a typical console sequence: 383<screen> 384&rootprompt; kinit ADMINISTRATOR@LONDON.ABMAS.BIZ 385Password for ADMINISTRATOR@LONDON.ABMAS.BIZ: 386</screen> 387 Make sure that your password is accepted by the Active Directory KDC. 388 </para></step> 389 </procedure> 390 391<example id="ch10-krb5conf"> 392<title>Kerberos Configuration &smbmdash; File: <filename>/etc/krb5.conf</filename></title> 393<screen> 394[libdefaults] 395 default_realm = LONDON.ABMAS.BIZ 396 397[realms] 398 LONDON.ABMAS.BIZ = { 399 kdc = w2k3s.london.abmas.biz 400 } 401</screen> 402</example> 403 404 <para><indexterm> 405 <primary>klist</primary> 406 </indexterm> 407 The command 408<screen> 409&rootprompt; klist -e 410</screen> 411 shows the Kerberos tickets cached by the system. 412 </para> 413 414 <sect3> 415 <title>Samba Configuration</title> 416 417 <para> 418 <indexterm><primary>Active Directory</primary></indexterm> 419 Samba must be configured to correctly use Active Directory. Samba-3 must be used, since it 420 has the necessary components to interface with Active Directory. 421 </para> 422 423 <procedure> 424 <title>Securing Samba-3 With ADS Support Steps</title> 425 426 <step><para> 427 <indexterm><primary>Red Hat Linux</primary></indexterm> 428 <indexterm><primary>Samba Tea</primary></indexterm> 429 <indexterm><primary>Red Hat Fedora Linux</primary></indexterm> 430 <indexterm><primary>MIT KRB5</primary></indexterm> 431 <indexterm><primary>ntlm_auth</primary></indexterm> 432 Download the latest stable Samba-3 for Red Hat Linux from the official Samba Team 433 <ulink url="http://ftp.samba.org">FTP site.</ulink> The official Samba Team 434 RPMs for Red Hat Fedora Linux contain the <command>ntlm_auth</command> tool 435 needed, and are linked against MIT KRB5 version 1.3.1 and therefore are ready for use. 436 </para> 437 438 <para> 439 <indexterm><primary>SerNet</primary></indexterm> 440 <indexterm><primary>RPMs</primary></indexterm> 441 The necessary, validated RPM packages for SUSE Linux may be obtained from 442 the <ulink url="ftp://ftp.sernet.de/pub/samba">SerNet</ulink> FTP site that 443 is located in Germany. All SerNet RPMs are validated, have the necessary 444 <command>ntlm_auth</command> tool, and are statically linked 445 against suitably patched Heimdal 0.6 libraries. 446 </para></step> 447 448 <step><para> 449 Using your favorite editor, change the <filename>/etc/samba/smb.conf</filename> 450 file so it has contents similar to the example shown in <link linkend="ch10-smbconf"/>. 451 </para></step> 452 453 <step><para> 454 <indexterm><primary>computer account</primary></indexterm> 455 <indexterm><primary>Active Directory</primary></indexterm> 456 <indexterm><primary>net</primary><secondary>ads</secondary><tertiary>join</tertiary></indexterm>i 457 <indexterm><primary>Kerberos ticket</primary></indexterm> 458 <indexterm><primary>ticket</primary></indexterm> 459 Next you need to create a computer account in the Active Directory. 460 This sets up the trust relationship needed for other clients to 461 authenticate to the Samba server with an Active Directory Kerberos ticket. 462 This is done with the <quote>net ads join -U [Administrator%Password]</quote> 463 command, as follows: 464<screen> 465&rootprompt; net ads join -U administrator%vulcon 466</screen> 467 </para></step> 468 469 <step><para> 470 <indexterm><primary>smbd</primary></indexterm> 471 <indexterm><primary>nmbd</primary></indexterm> 472 <indexterm><primary>winbindd</primary></indexterm> 473 <indexterm><primary>Active Directory</primary></indexterm> 474 <indexterm><primary>Samba</primary></indexterm> 475 Your new Samba binaries must be started in the standard manner as is applicable 476 to the platform you are running on. Alternatively, start your Active Directory-enabled Samba with the following commands: 477<screen> 478&rootprompt; smbd -D 479&rootprompt; nmbd -D 480&rootprompt; winbindd -D 481</screen> 482 </para></step> 483 484 <step><para> 485 <indexterm><primary>winbind</primary></indexterm> 486 <indexterm><primary>Active Directory</primary><secondary>domain</secondary></indexterm> 487 <indexterm><primary>wbinfo</primary></indexterm> 488 <indexterm><primary>enumerating</primary></indexterm> 489 <indexterm><primary>Active Directory</primary><secondary>tree</secondary></indexterm> 490 We now need to test that Samba is communicating with the Active 491 Directory domain; most specifically, we want to see whether winbind 492 is enumerating users and groups. Issue the following commands: 493<screen> 494&rootprompt; wbinfo -t 495checking the trust secret via RPC calls succeeded 496</screen> 497 This tests whether we are authenticating against Active Directory: 498<screen> 499&rootprompt; wbinfo -u 500LONDON+Administrator 501LONDON+Guest 502LONDON+SUPPORT_388945a0 503LONDON+krbtgt 504LONDON+jht 505LONDON+xjht 506</screen> 507 This enumerates all the users in your Active Directory tree: 508<screen> 509&rootprompt; wbinfo -g 510LONDON+Domain Computers 511LONDON+Domain Controllers 512LONDON+Schema Admins 513LONDON+Enterprise Admins 514LONDON+Domain Admins 515LONDON+Domain Users 516LONDON+Domain Guests 517LONDON+Group Policy Creator Owners 518LONDON+DnsUpdateProxy 519</screen> 520 This enumerates all the groups in your Active Directory tree. 521 </para></step> 522 523 <step><para> 524 <indexterm><primary>Squid</primary></indexterm> 525 <indexterm><primary>ntlm_auth</primary></indexterm> 526 Squid uses the <command>ntlm_auth</command> helper build with Samba-3. 527 You may test <command>ntlm_auth</command> with the command: 528<screen> 529&rootprompt; /usr/bin/ntlm_auth --username=jht 530password: XXXXXXXX 531</screen> 532 You are asked for your password, which you should enter. You are rewarded with: 533<screen> 534&rootprompt; NT_STATUS_OK: Success (0x0) 535</screen> 536 </para></step> 537 538 <step><para> 539 <indexterm><primary>ntlm_auth</primary></indexterm> 540 <indexterm><primary>authenticate</primary></indexterm> 541 <indexterm><primary>winbind</primary></indexterm> 542 <indexterm><primary>privileged pipe</primary></indexterm> 543 <indexterm><primary>squid</primary></indexterm> 544 <indexterm><primary>chgrp</primary></indexterm> 545 <indexterm><primary>chmod</primary></indexterm> 546 <indexterm><primary>failure</primary></indexterm> 547 The <command>ntlm_auth</command> helper, when run from a command line as the user 548 <quote>root</quote>, authenticates against your Active Directory domain (with 549 the aid of winbind). It manages this by reading from the winbind privileged pipe. 550 Squid is running with the permissions of user <quote>squid</quote> and group 551 <quote>squid</quote> and is not able to do this unless we make a vital change. 552 Squid cannot read from the winbind privilege pipe unless you change the 553 permissions of its directory. This is the single biggest cause of failure in the 554 whole process. Remember to issue the following command (for Red Hat Linux): 555<screen> 556&rootprompt; chgrp squid /var/cache/samba/winbindd_privileged 557&rootprompt; chmod 750 /var/cache/samba/winbindd_privileged 558</screen> 559 For SUSE Linux 9, execute the following: 560<screen> 561&rootprompt; chgrp squid /var/lib/samba/winbindd_privileged 562&rootprompt; chmod 750 /var/lib/samba/winbindd_privileged 563</screen> 564 </para></step> 565 566 </procedure> 567 </sect3> 568 569 <sect3> 570 <title>NSS Configuration</title> 571 572 <para> 573 <indexterm><primary>NSS</primary></indexterm> 574 <indexterm><primary>winbind</primary></indexterm> 575 <indexterm><primary>authentication</primary></indexterm> 576 For Squid to benefit from Samba-3, NSS must be updated to allow winbind as a valid route to user authentication. 577 </para> 578 579 <para> 580 Edit your <filename>/etc/nsswitch.conf</filename> file so it has the parameters shown 581 in <link linkend="ch10-etcnsscfg"/>. 582 </para> 583 584<example id="ch10-smbconf"> 585<title>Samba Configuration &smbmdash; File: <filename>/etc/samba/smb.conf</filename></title> 586<smbconfblock> 587<smbconfsection name="[global]"/> 588<smbconfoption name="workgroup">LONDON</smbconfoption> 589<smbconfoption name="netbios name">W2K3S</smbconfoption> 590<smbconfoption name="realm">LONDON.ABMAS.BIZ</smbconfoption> 591<smbconfoption name="security">ads</smbconfoption> 592<smbconfoption name="encrypt passwords">yes</smbconfoption> 593<smbconfoption name="password server">w2k3s.london.abmas.biz</smbconfoption> 594 595<smbconfcomment>separate domain and username with '/', like DOMAIN/username</smbconfcomment> 596<smbconfoption name="winbind separator">/</smbconfoption> 597 598<smbconfcomment>use UIDs from 10000 to 20000 for domain users</smbconfcomment> 599<smbconfoption name="idmap uid">10000-20000</smbconfoption> 600<smbconfcomment>use GIDs from 10000 to 20000 for domain groups</smbconfcomment> 601<smbconfoption name="idmap gid">10000-20000</smbconfoption> 602 603<smbconfcomment>allow enumeration of winbind users and groups</smbconfcomment> 604<smbconfoption name="winbind enum users">yes</smbconfoption> 605<smbconfoption name="winbind enum groups">yes</smbconfoption> 606<smbconfoption name="winbind user default domain">yes</smbconfoption> 607</smbconfblock> 608</example> 609 610<example id="ch10-etcnsscfg"> 611<title>NSS Configuration File Extract &smbmdash; File: <filename>/etc/nsswitch.conf</filename></title> 612<screen> 613passwd: files winbind 614shadow: files 615group: files winbind 616</screen> 617</example> 618 619 </sect3> 620 621 <sect3> 622 <title>Squid Configuration</title> 623 624 <para> 625 <indexterm><primary>Squid</primary></indexterm> 626 <indexterm><primary>Active Directory</primary><secondary>authentication</secondary></indexterm> 627 Squid must be configured correctly to interact with the Samba-3 628 components that handle Active Directory authentication. 629 </para> 630 631 </sect3> 632 633 </sect2> 634 635 <sect2> 636 <title>Configuration</title></sect2> 637 638 <procedure> 639 <title>Squid Configuration Steps</title> 640 641 <step><para> 642 <indexterm><primary>SUSE Linux</primary></indexterm> 643 <indexterm><primary>Squid</primary> </indexterm> 644 <indexterm><primary>helper agent</primary></indexterm> 645 If your Linux distribution is SUSE Linux 9, the version of Squid 646 supplied is already enabled to use the winbind helper agent. You 647 can therefore omit the steps that would build the Squid binary 648 programs. 649 </para></step> 650 651 <step><para> 652 <indexterm><primary>nobody</primary></indexterm> 653 <indexterm><primary>squid</primary></indexterm> 654 <indexterm><primary>rpms</primary></indexterm> 655 <indexterm><primary>/etc/passwd</primary></indexterm> 656 <indexterm><primary>/etc/group</primary></indexterm> 657 Squid, by default, runs as the user <constant>nobody</constant>. You need to 658 add a system user <constant>squid</constant> and a system group 659 <constant>squid</constant> if they are not set up already (if the default 660 Red Hat squid rpms were installed, they will be). Set up a 661 <constant>squid</constant> user in <filename>/etc/passwd</filename> 662 and a <constant>squid</constant> group in <filename>/etc/group</filename> if these aren't there already. 663 </para></step> 664 665 <step><para> 666 <indexterm><primary>permissions</primary></indexterm> 667 <indexterm><primary>chown</primary></indexterm> 668 You now need to change the permissions on Squid's <constant>var</constant> 669 directory. Enter the following command: 670<screen> 671&rootprompt; chown -R squid /var/cache/squid 672</screen> 673 </para></step> 674 675 <step><para> 676 <indexterm><primary>logging</primary></indexterm> 677 <indexterm><primary>Squid</primary></indexterm> 678 Squid must also have control over its logging. Enter the following commands: 679<screen> 680&rootprompt; chown -R chown squid:squid /var/log/squid 681&rootprompt; chmod 770 /var/log/squid 682</screen> 683 </para></step> 684 685 <step><para> 686 Finally, Squid must be able to write to its disk cache! 687 Enter the following commands: 688<screen> 689&rootprompt; chown -R chown squid:squid /var/cache/squid 690&rootprompt; chmod 770 /var/cache/squid 691</screen> 692 </para></step> 693 694 <step><para> 695 <indexterm><primary>/etc/squid/squid.conf</primary></indexterm> 696 The <filename>/etc/squid/squid.conf</filename> file must be edited to include the lines from 697 <link linkend="etcsquidcfg"/> and <link linkend="etcsquid2"/>. 698 </para></step> 699 700 <step><para> 701 <indexterm><primary>cache directories</primary></indexterm> 702 You must create Squid's cache directories before it may be run. Enter the following command: 703<screen> 704&rootprompt; squid -z 705</screen> 706 </para></step> 707 708 <step><para> 709 Finally, start Squid and enjoy transparent Active Directory authentication. 710 Enter the following command: 711<screen> 712&rootprompt; squid 713</screen> 714 </para></step> 715 </procedure> 716 717<example id="etcsquidcfg"> 718<title>Squid Configuration File Extract &smbmdash; <filename>/etc/squid.conf</filename> [ADMINISTRATIVE PARAMETERS Section]</title> 719<screen> 720 cache_effective_user squid 721 cache_effective_group squid 722</screen> 723</example> 724 725<example id="etcsquid2"> 726<title>Squid Configuration File extract &smbmdash; File: <filename>/etc/squid.conf</filename> [AUTHENTICATION PARAMETERS Section]</title> 727<screen> 728 auth_param ntlm program /usr/bin/ntlm_auth \ 729 --helper-protocol=squid-2.5-ntlmssp 730 auth_param ntlm children 5 731 auth_param ntlm max_challenge_reuses 0 732 auth_param ntlm max_challenge_lifetime 2 minutes 733 auth_param basic program /usr/bin/ntlm_auth \ 734 --helper-protocol=squid-2.5-basic 735 auth_param basic children 5 736 auth_param basic realm Squid proxy-caching web server 737 auth_param basic credentialsttl 2 hours 738 acl AuthorizedUsers proxy_auth REQUIRED 739 http_access allow all AuthorizedUsers 740</screen> 741</example> 742 743 </sect2> 744 745 <sect2> 746 <title>Key Points Learned</title> 747 748 <para> 749 <indexterm><primary>Web browsers</primary></indexterm> 750 <indexterm><primary>services</primary></indexterm> 751 <indexterm><primary>authentication protocols</primary></indexterm> 752 <indexterm><primary>Web</primary><secondary>proxy</secondary><tertiary>access</tertiary></indexterm> 753 <indexterm><primary>NTLMSSP</primary></indexterm> 754 Microsoft Windows networking protocols permeate the spectrum of technologies that Microsoft 755 Windows clients use, even when accessing traditional services such as Web browsers. Depending 756 on whom you discuss this with, this is either good or bad. No matter how you might evaluate this, 757 the use of NTLMSSP as the authentication protocol for Web proxy access has some advantages over 758 the cookie-based authentication regime used by all competing browsers. It is Samba's implementation 759 of NTLMSSP that makes it attractive to implement the solution that has been demonstrated in this chapter. 760 </para> 761 762 </sect2> 763 764</sect1> 765 766<sect1> 767 <title>Questions and Answers</title> 768 769 <para> 770 <indexterm><primary>ntlm_auth</primary></indexterm> 771 <indexterm><primary>SambaXP conference</primary></indexterm> 772 <indexterm><primary>Goettingen</primary></indexterm> 773 <indexterm><primary>Italian</primary></indexterm> 774 The development of the <command>ntlm_auth</command> module was first discussed in many Open Source circles 775 in 2002. At the SambaXP conference in Goettingen, Germany, Mr. Francesco Chemolli demonstrated the use of 776 <command>ntlm_auth</command> during one of the late developer meetings that took place. Since that time, the 777 adoption of <command>ntlm_auth</command> has spread considerably. 778 </para> 779 780 <para> 781 The largest report from a site that uses Squid with <command>ntlm_auth</command>-based authentication 782 support uses a dual processor server that has 2 GB of memory. It provides Web and FTP proxy services for 10,000 783 users. Approximately 2,000 of these users make heavy use of the proxy services. According to the source, who 784 wishes to remain anonymous, the sustained transaction load on this server hovers around 140 hits/sec. The following 785 comments were made with respect to questions regarding the performance of this installation: 786 </para> 787 788 <blockquote><para> 789 [In our] EXTREMELY optimized environment . . . [the] performance impact is almost [nothing]. The <quote>almost</quote> 790 part is due to the brain damage of the ntlm-over-http protocol definition. Suffice to say that its worst-case 791 scenario triples the number of hits needed to perform the same transactions versus basic or digest auth[entication]. 792 </para></blockquote> 793 794 <para> 795 You would be well-advised to recognize that all cache-intensive proxying solutions demand a lot of memory. 796 Make certain that your Squid proxy server is equipped with sufficient memory to permit all proxy operations to run 797 out of memory without invoking the overheads involved in the use of memory that has to be swapped to disk. 798 </para> 799 800 <qandaset defaultlabel="chap10bqa" type="number"> 801 <qandaentry> 802 <question> 803 804 <para> 805 What does Samba have to do with Web proxy serving? 806 </para> 807 808 </question> 809 <answer> 810 811 <para> 812 <indexterm><secondary>transparent inter-operability</secondary></indexterm> 813 <indexterm><primary>Windows clients</primary></indexterm> 814 <indexterm><primary>network</primary><secondary>services</secondary></indexterm> 815 <indexterm><primary>authentication</primary></indexterm> 816 <indexterm><primary>wrapper</primary></indexterm> 817 To provide transparent interoperability between Windows clients and the network services 818 that are used from them, Samba had to develop tools and facilities that deliver that feature. The benefit 819 of Open Source software is that it can readily be reused. The current <command>ntlm_auth</command> 820 module is basically a wrapper around authentication code from the core of the Samba project. 821 </para> 822 823 <para> 824 <indexterm><primary>plain-text</primary></indexterm> 825 <indexterm><primary>authentication</primary><secondary>plain-text</secondary></indexterm> 826 <indexterm><primary>Web</primary><secondary>proxy</secondary></indexterm> 827 <indexterm><primary>FTP</primary><secondary>proxy</secondary></indexterm> 828 <indexterm><primary>NTLMSSP</primary></indexterm> 829 <indexterm><primary>logon credentials</primary></indexterm> 830 <indexterm><primary>Windows explorer</primary></indexterm> 831 <indexterm><primary>Internet Information Server</primary></indexterm> 832 <indexterm><primary>Apache Web server</primary></indexterm> 833 The <command>ntlm_auth</command> module supports basic plain-text authentication and NTLMSSP 834 protocols. This module makes it possible for Web and FTP proxy requests to be authenticated without 835 the user being interrupted via his or her Windows logon credentials. This facility is available with 836 MS Windows Explorer and is one of the key benefits claimed for Microsoft Internet Information Server. 837 There are a few open source initiatives to provide support for these protocols in the Apache Web server 838 also. 839 </para> 840 841 <para> 842 <indexterm><primary>wrapper</primary></indexterm> 843 The short answer is that by adding a wrapper around key authentication components of Samba, other 844 projects (like Squid) can benefit from the labors expended in meeting user interoperability needs. 845 </para> 846 847 </answer> 848 </qandaentry> 849 850 <qandaentry> 851 <question> 852 853 <para> 854 What other services does Samba provide? 855 </para> 856 857 </question> 858 <answer> 859 860 <para> 861 <indexterm><primary>winbindd</primary></indexterm> 862 <indexterm><primary>Identity resolver</primary></indexterm> 863 <indexterm><primary>daemon</primary></indexterm> 864 <indexterm><primary>smbd</primary></indexterm> 865 <indexterm><primary>file and print server</primary></indexterm> 866 Samba-3 is a file and print server. The core components that provide this functionality are <command>smbd</command>, 867 <command>nmbd</command>, and the identity resolver daemon, <command>winbindd</command>. 868 </para> 869 870 <para> 871 <indexterm><primary>SMB/CIFS</primary></indexterm> 872 <indexterm><primary>smbclient</primary></indexterm> 873 Samba-3 is an SMB/CIFS client. The core component that provides this is called <command>smbclient</command>. 874 </para> 875 876 <para> 877 <indexterm><primary>modules</primary></indexterm> 878 <indexterm><primary>utilities</primary></indexterm> 879 <indexterm><primary>validation</primary></indexterm> 880 <indexterm><primary>inter-operability</primary></indexterm> 881 <indexterm><primary>authentication</primary></indexterm> 882 Samba-3 includes a number of helper tools, plug-in modules, utilities, and test and validation facilities. 883 Samba-3 includes glue modules that help provide interoperability between MS Windows clients and UNIX/Linux 884 servers and clients. It includes Winbind agents that make it possible to authenticate UNIX/Linux access attempts 885 as well as logins to an SMB/CIFS authentication server backend. Samba-3 includes name service switch (NSS) modules 886 to permit identity resolution via SMB/CIFS servers (Windows NT4/200x, Samba, and a host of other commercial 887 server products). 888 </para> 889 890 </answer> 891 </qandaentry> 892 893 <qandaentry> 894 <question> 895 896 <para> 897 Does use of Samba (<command>ntlm_auth</command>) improve the performance of Squid? 898 </para> 899 900 </question> 901 <answer> 902 903 <para> 904 Not really. Samba's <command>ntlm_auth</command> module handles only authentication. It requires that 905 Squid make an external call to <command>ntlm_auth</command> and therefore actually incurs a 906 little more overhead. Compared with the benefit obtained, that overhead is well worth enduring. Since 907 Squid is a proxy server, and proxy servers tend to require lots of memory, it is good advice to provide 908 sufficient memory when using Squid. Just add a little more to accommodate <command>ntlm_auth</command>. 909 </para> 910 911 </answer> 912 </qandaentry> 913 </qandaset> 914 915</sect1> 916 917</chapter> 918 919