<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter&nbsp;12.&nbsp;Integrating Additional Services</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.66.1"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="index.html" title="Samba-3 by Example"><link rel="prev" href="kerberos.html" title="Chapter&nbsp;11.&nbsp;Active Directory, Kerberos, and Security"><link rel="next" href="HA.html" title="Chapter&nbsp;13.&nbsp;Performance, Reliability, and Availability"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter&nbsp;12.&nbsp;Integrating Additional Services</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="kerberos.html">Prev</a>&nbsp;</td><th width="60%" align="center">&nbsp;</th><td width="20%" align="right">&nbsp;<a accesskey="n" href="HA.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="DomApps"></a>Chapter&nbsp;12.&nbsp;Integrating Additional Services</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="DomApps.html#id2590894">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="DomApps.html#id2590932">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="DomApps.html#id2591043">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="DomApps.html#id2591076">Technical Issues</a></span></dt><dt><span class="sect2"><a href="DomApps.html#id2591249">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="DomApps.html#id2591267">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="DomApps.html#ch10-one">Removal of Pre-existing Conflicting RPMs</a></span></dt><dt><span class="sect2"><a 
href="DomApps.html#id2593269">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="DomApps.html#id2593336">Questions and Answers</a></span></dt></dl></div><p><a class="indexterm" name="id2590838"></a><a class="indexterm" name="id2590846"></a><a class="indexterm" name="id2590854"></a><a class="indexterm" name="id2590862"></a><a class="indexterm" name="id2590870"></a>
	You've come a long way now. You have pretty much mastered Samba-3 for 
	most uses it can be put to. Up until now, you have cast Samba-3 in the leading 
	role, and where authentication was required, you have used one or another of 
	Samba's many authentication backends (from flat text files with smbpasswd 
	to LDAP directory integration with ldapsam). Now you can design a 
	solution for a new Abmas business. This business is running Windows Server 
	2003 and Active Directory, and these are to stay. It's time to master 
	implementing Samba and Samba-supported services in a domain controlled by 
	the latest Windows authentication technologies. Let's get started; this is 
	leading edge.
	</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2590894"></a>Introduction</h2></div></div></div><p>
	Abmas has continued its miraculous growth; indeed, nothing seems to be able 
	to stop its diversification into multiple (and seemingly unrelated) fields. 
	Its latest acquisition is Abmas Snack Foods, a big player in the snack-food 
	business.
	</p><p>
	With this acquisition come new challenges for you and your team. Abmas Snack 
	Foods is a well-developed business with a huge and heterogeneous network. They 
	already have Windows, NetWare, and proprietary UNIX, but as yet no Samba or Linux. 
	The network is mature and well established, and there is no question of their chosen 
	user authentication scheme being changed for now. You need to take a wise new 
	approach.
	</p><p>
	You have decided to set the ball rolling by introducing Samba-3 into the network 
	gradually, taking over key services and easing the way to a full migration and, 
	therefore, integration into Abmas's existing business later.
	</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2590932"></a>Assignment Tasks</h3></div></div></div><p><a class="indexterm" name="id2590939"></a><a class="indexterm" name="id2590950"></a>
		You've promised the skeptical Abmas Snack Foods management team 
		that you can show them how Samba can ease itself and other Open Source 
		technologies into their existing infrastructure and deliver sound business 
		advantages. Cost cutting is high on their agenda (a major promise of the 
		acquisition). You have chosen Web proxying and caching as your proving ground.
		</p><p><a class="indexterm" name="id2590971"></a><a class="indexterm" name="id2590979"></a>
		Abmas Snack Foods has several thousand users housed at their Head Office 
		and multiple regional offices, plants, and warehouses. A high proportion of 
		the business's work is done online, so Internet access for most of these 
		users is essential. All Internet access, including that of all their regional offices, 
		is funneled through the head office and is the job of the (now your) networking 
		team. The bandwidth requirements were horrific (comparable to a small ISP), and 
		the team soon discovered proxying and caching. In fact, they became one of 
		the earliest commercial users of Microsoft ISA.
		</p><p><a class="indexterm" name="id2591001"></a><a class="indexterm" name="id2591009"></a><a class="indexterm" name="id2591017"></a>
		The team is not happy with ISA. It never lived up to its marketing promises: 
		it under-performed and had reliability problems. You have pounced on the opportunity 
		to show what Open Source can do. The one thing they do like, however, is ISA's 
		integration with Active Directory. They like that their users, once logged on, 
		are automatically authenticated against the proxy. If your alternative to ISA 
		can operate completely seamlessly in their Active Directory Domain, it will be
		approved.
		</p><p>
		This is a hands-on exercise. You build software applications so
		that you obtain the functionality Abmas needs.
		</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2591043"></a>Dissection and Discussion</h2></div></div></div><p>
	The key requirements in this business example are straightforward. You are not required 
	to do anything new, just to replicate an existing system, not lose any existing features, 
	and improve performance. The key points are:
	</p><div class="itemizedlist"><ul type="disc"><li><p>
		Internet access for most employees
		</p></li><li><p>
		Distributed system to accommodate load and geographical distribution of users
		</p></li><li><p>
		Seamless and transparent interoperability with the existing Active Directory domain
		</p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2591076"></a>Technical Issues</h3></div></div></div><p><a class="indexterm" name="id2591083"></a><a class="indexterm" name="id2591091"></a><a class="indexterm" name="id2591098"></a><a class="indexterm" name="id2591106"></a><a class="indexterm" name="id2591114"></a><a class="indexterm" name="id2591122"></a><a class="indexterm" name="id2591130"></a><a class="indexterm" name="id2591138"></a><a class="indexterm" name="id2591146"></a><a class="indexterm" name="id2591154"></a><a class="indexterm" name="id2591162"></a><a class="indexterm" name="id2591170"></a><a class="indexterm" name="id2591182"></a><a class="indexterm" name="id2591189"></a>
		Functionally, the user's Internet Explorer requests a browsing session with the 
		Squid proxy, for which it offers its AD authentication token. Squid hands off 
		the authentication request to the Samba-3 authentication helper application
		called <span><b class="command">ntlm_auth</b></span>. This helper is a hook into winbind, the 
		Samba-3 NTLM authentication daemon. Winbind enables UNIX services to authenticate 
		against Microsoft Windows Domains, including Active Directory domains. As Active 
		Directory authentication is a modified Kerberos authentication, winbind is assisted 
		in this by local Kerberos 5 libraries configured to check passwords with the Active 
		Directory server. Once the token has been checked, a browsing session is established. 
		This process is entirely transparent and seamless to the user.
		</p><p>
		Enabling this consists of:
		</p><div class="itemizedlist"><ul type="disc"><li><p>
			Preparing the necessary environment using preconfigured packages
			</p></li><li><p>
			Setting up raw Kerberos authentication against the Active Directory domain
			</p></li><li><p>
			Configuring, compiling, and then installing the supporting Samba-3 components
			</p></li><li><p>
			Tying it all together
			</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2591249"></a>Political Issues</h3></div></div></div><p>
		You are a stranger in a strange land and all eyes are upon you. Some would even like to see 
		you fail. For you to gain the trust of your newly acquired IT people, it is essential that your 
		solution does everything the old one did, but does it better in every way. Only then 
		will the entrenched positions consider taking up your new way of doing things on a 
		wider scale.
		</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2591267"></a>Implementation</h2></div></div></div><p><a class="indexterm" name="id2591273"></a>
	First, your system needs to be prepared and in a known good state to proceed. This consists 
	of making sure that everything the system depends on is present and that everything that could 
	interfere or conflict with the system is removed. You will be configuring the Squid and Samba-3 
	packages and updating them if necessary. If conflicting packages of these programs are installed, 
	they must be removed.
	</p><p><a class="indexterm" name="id2591292"></a>
	The following packages should be available on your Red Hat Linux system:
	</p><div class="itemizedlist"><ul type="disc"><li><p><a class="indexterm" name="id2591307"></a><a class="indexterm" name="id2591315"></a>
		krb5-libs
		</p></li><li><p>
		krb5-devel
		</p></li><li><p>
		krb5-workstation
		</p></li><li><p>
		krb5-server
		</p></li><li><p>
		pam_krb5
		</p></li></ul></div><p><a class="indexterm" name="id2591347"></a>
	In the case of SUSE Linux, these packages are called:
	</p><div class="itemizedlist"><ul type="disc"><li><p>
		heimdal-lib
		</p></li><li><p>
		heimdal-devel
		</p></li><li><p><a class="indexterm" name="id2591372"></a>
		heimdal
		</p></li><li><p>
		pam_krb5
		</p></li></ul></div><p>
	If the required packages are not present on your system, you must install
	them from the vendor's installation media. Follow the administrative guide
	for your Linux system to ensure that the packages are correctly updated.
	</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p><a class="indexterm" name="id2591398"></a><a class="indexterm" name="id2591407"></a><a class="indexterm" name="id2591414"></a>
	If the requirement is for interoperation with MS Windows Server 2003, it
	will be necessary to ensure that you are using MIT Kerberos version 1.3.1
	or later. Red Hat Linux 9 ships with MIT Kerberos 1.2.7 and thus requires
	updating.
	</p><p><a class="indexterm" name="id2591429"></a><a class="indexterm" name="id2591437"></a>
	Heimdal 0.6 or later is required in the case of SUSE Linux. SUSE Enterprise
	Linux Server 8 ships with Heimdal 0.4. SUSE 9 ships with the necessary version.
	</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch10-one"></a>Removal of Pre-existing Conflicting RPMs</h3></div></div></div><p><a class="indexterm" name="id2591461"></a>
	If Samba and/or Squid RPMs are installed, they should be updated. You can 
	build both from source.
	</p><p><a class="indexterm" name="id2591474"></a><a class="indexterm" name="id2591482"></a><a class="indexterm" name="id2591489"></a>
	Locating the packages to be uninstalled can be achieved by running:
</p><pre class="screen">
<tt class="prompt">root# </tt> rpm -qa | grep -i samba
<tt class="prompt">root# </tt> rpm -qa | grep -i squid
</pre><p>
	The identified packages may be removed using:
</p><pre class="screen">
<tt class="prompt">root# </tt> rpm -e samba-common
</pre><p>
	</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2591532"></a>Kerberos Configuration</h3></div></div></div><p><a class="indexterm" name="id2591539"></a><a class="indexterm" name="id2591546"></a><a class="indexterm" name="id2591558"></a><a class="indexterm" name="id2591566"></a>
	The system's Kerberos installation must be configured to communicate with 
	your primary Active Directory server (ADS KDC).
	</p><p>
	Strictly speaking, MIT Kerberos version 1.3.1 currently gives the best results, 
	although the current default Red Hat MIT version 1.2.7 gives acceptable results 
	unless you are using Windows 2003 servers.
	</p><p><a class="indexterm" name="id2591586"></a><a class="indexterm" name="id2591593"></a><a class="indexterm" name="id2591601"></a><a class="indexterm" name="id2591609"></a><a class="indexterm" name="id2591617"></a><a class="indexterm" name="id2591628"></a><a class="indexterm" name="id2591636"></a>
	Officially, neither MIT (1.3.1) nor Heimdal (0.6) Kerberos needs an <tt class="filename">/etc/krb5.conf</tt> 
	file in order to work correctly. All ADS domains automatically create SRV records in the 
	DNS zone <tt class="constant">Kerberos.REALM.NAME</tt> for each KDC in the realm. Both the 
	MIT and Heimdal KRB5 libraries default to checking for these records, so they 
	automatically find the KDCs. In addition, <tt class="filename">krb5.conf</tt> only allows 
	specifying a single KDC, even if there is more than one. Using the DNS lookup 
	allows the KRB5 libraries to use whichever KDCs are available.
	</p><div class="procedure"><ol type="1"><li><p><a class="indexterm" name="id2591680"></a>
		If you find the need to manually configure the <tt class="filename">krb5.conf</tt>, you should edit it
		to have the contents shown in <a href="DomApps.html#ch10-krb5conf" title="Example&nbsp;12.1.&nbsp;Kerberos Configuration  File: /etc/krb5.conf">Example&nbsp;12.1</a>. The final fully qualified path for this file 
		should be <tt class="filename">/etc/krb5.conf</tt>.
		</p></li><li><p><a class="indexterm" name="id2591716"></a><a class="indexterm" name="id2591724"></a><a class="indexterm" name="id2591732"></a><a class="indexterm" name="id2591740"></a><a class="indexterm" name="id2591747"></a><a class="indexterm" name="id2591755"></a><a class="indexterm" name="id2591763"></a><a class="indexterm" name="id2591771"></a><a class="indexterm" name="id2591779"></a><a class="indexterm" name="id2591790"></a><a class="indexterm" name="id2591798"></a><a class="indexterm" name="id2591806"></a><a class="indexterm" name="id2591813"></a>
		The following gotchas often catch people out. Kerberos is case sensitive. Your realm must
		be in UPPERCASE, or you will get an error: &#8220;<span class="quote"><span class="emphasis"><em>Cannot find KDC for requested realm while getting
		initial credentials</em></span></span>&#8221;.  Kerberos is picky about time synchronization. The time
		according to your participating servers must be within 5 minutes or you get an error
		&#8220;<span class="quote"><span class="emphasis"><em>kinit(v5): Clock skew too great while getting initial credentials</em></span></span>&#8221;.
		Clock skew limits are, in fact, configurable in the Kerberos protocols (the default is
		5 minutes). A better solution is to implement NTP throughout your server network.
		Kerberos needs to be able to do a reverse DNS lookup on the IP address of your KDC.
		Also, the name that this reverse lookup maps to must either be the NetBIOS name of
		the KDC (i.e., the hostname with no domain attached), or it can alternately be the
		NetBIOS name followed by the realm. If all else fails, you can add a
		<tt class="filename">/etc/hosts</tt> entry mapping the IP address of your KDC to its
		NetBIOS name. If Kerberos cannot do this reverse lookup, you will get a local error
		when you try to join the realm.
		</p></li><li><p><a class="indexterm" name="id2591861"></a>
		You are now ready to test your installation by issuing the command:
</p><pre class="screen">
<tt class="prompt">root# </tt> kinit [USERNAME@REALM]
</pre><p> 
		You are asked for your password, which you should enter. The following
		is a typical console sequence:
</p><pre class="screen">
<tt class="prompt">root# </tt> kinit ADMINISTRATOR@LONDON.ABMAS.BIZ
Password for ADMINISTRATOR@LONDON.ABMAS.BIZ: 
</pre><p>
		Make sure that your password is accepted by the Active Directory KDC.
		</p></li></ol></div><div class="example"><a name="ch10-krb5conf"></a><p class="title"><b>Example&nbsp;12.1.&nbsp;Kerberos Configuration  File: <tt class="filename">/etc/krb5.conf</tt></b></p><pre class="screen">
[libdefaults]
	default_realm = LONDON.ABMAS.BIZ

[realms] 
	LONDON.ABMAS.BIZ = {
	kdc = w2k3s.london.abmas.biz
	}
</pre></div><p><a class="indexterm" name="id2591928"></a>
	The command:
</p><pre class="screen">
<tt class="prompt">root# </tt> klist -e 
</pre><p>
	shows the Kerberos tickets cached by the system.
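	</p><p>
	The three gotchas from the procedure above (realm case, clock skew, and the reverse-lookup
	name of the KDC) can be checked before running <span><b class="command">kinit</b></span>. The
	following script is an added example, not part of the original chapter; its function names are
	illustrative, the sample file reproduces Example&nbsp;12.1, and the epoch times and lookup
	names in the demo are constructed values.
	</p>

```shell
#!/bin/sh
# Added example (not from the original chapter): offline checks for the three
# Kerberos gotchas described above. All inputs are passed in as arguments.

# Constructed sample: the contents of Example 12.1.
sample_krb5_conf() {
    cat <<'EOF'
[libdefaults]
    default_realm = LONDON.ABMAS.BIZ

[realms]
    LONDON.ABMAS.BIZ = {
    kdc = w2k3s.london.abmas.biz
    }
EOF
}

# Print default_realm from the [libdefaults] section of a krb5.conf file.
krb5_default_realm() {
    awk '
        /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            sub(/[ \t\r]+$/, "")
            print
            exit
        }
    ' "$1"
}

# True if the realm is non-empty and contains no lowercase letters.
realm_is_upper() {
    [ -n "$1" ] && [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# skew_ok LOCAL_EPOCH KDC_EPOCH [MAX_SECONDS]; the default limit is 5 minutes.
skew_ok() {
    s_max=${3:-300}
    s_diff=$(( $1 - $2 ))
    if [ "$s_diff" -lt 0 ]; then s_diff=$(( 0 - s_diff )); fi
    [ "$s_diff" -le "$s_max" ]
}

# rdns_name_ok PTR_NAME NETBIOS_NAME REALM
# The reverse-lookup name must be the NetBIOS name alone, or the NetBIOS name
# followed by the realm. The comparison ignores case and a trailing dot
# (assumption: DNS names are compared case-insensitively).
rdns_name_ok() {
    r_ptr=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//')
    r_nb=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    r_realm=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
    [ "$r_ptr" = "$r_nb" ] || [ "$r_ptr" = "$r_nb.$r_realm" ]
}

# preflight CONF LOCAL_EPOCH KDC_EPOCH PTR_NAME NETBIOS_NAME
# Prints one PASS/FAIL line per check; the exit status is the failure count.
preflight() {
    p_fails=0
    p_realm=$(krb5_default_realm "$1")
    if realm_is_upper "$p_realm"; then
        echo "PASS realm '$p_realm' is uppercase"
    else
        echo "FAIL realm '$p_realm' is empty or not UPPERCASE"
        p_fails=$((p_fails + 1))
    fi
    if skew_ok "$2" "$3"; then
        echo "PASS clock skew is within 5 minutes"
    else
        echo "FAIL clock skew exceeds 5 minutes"
        p_fails=$((p_fails + 1))
    fi
    if rdns_name_ok "$4" "$5" "$p_realm"; then
        echo "PASS reverse lookup name '$4' matches the KDC"
    else
        echo "FAIL reverse lookup name '$4' is neither '$5' nor '$5.$p_realm'"
        p_fails=$((p_fails + 1))
    fi
    return "$p_fails"
}

# Demo on constructed values. On a live system the epochs would come from
# `date +%s` on each host and the PTR name from a reverse DNS query.
demo_conf=$(mktemp)
sample_krb5_conf > "$demo_conf"
preflight "$demo_conf" 1700000000 1700000120 w2k3s.london.abmas.biz W2K3S
rm -f "$demo_conf"
```

	<p>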
	</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2591952"></a>Samba Configuration</h4></div></div></div><p><a class="indexterm" name="id2591958"></a>
	Samba must be configured to correctly use Active Directory. Samba-3 must be used, as 
	this has the necessary components to interface with Active Directory.
	</p><div class="procedure"><ol type="1"><li><p><a class="indexterm" name="id2591978"></a><a class="indexterm" name="id2591986"></a><a class="indexterm" name="id2591994"></a><a class="indexterm" name="id2592002"></a><a class="indexterm" name="id2592010"></a>
		Download the latest stable Samba-3 for Red Hat Linux from the official Samba Team
		<a href="http://ftp.samba.org" target="_top">FTP site.</a> The official Samba Team
		RPMs for Red Hat Fedora Linux contain the <span><b class="command">ntlm_auth</b></span> tool
		needed, and are linked against MIT KRB5 version 1.3.1 and, therefore, are ready for use.
		</p><p><a class="indexterm" name="id2592037"></a><a class="indexterm" name="id2592045"></a>
		The necessary, validated RPM packages for SUSE Linux may be obtained from
		the <a href="ftp://ftp.sernet.de/pub/samba" target="_top">SerNet</a> FTP site that
		is located in Germany. All SerNet RPMs are validated, have the necessary
		<span><b class="command">ntlm_auth</b></span> tool, and are statically linked 
		against suitably patched Heimdal 0.6 libraries.
		</p></li><li><p>
		Using your favorite editor, change the <tt class="filename">/etc/samba/smb.conf</tt>
		file so it has contents similar to the example shown in <a href="DomApps.html#ch10-smbconf" title="Example&nbsp;12.2.&nbsp;Samba Configuration  File: /etc/samba/smb.conf">Example&nbsp;12.2</a>.
		</p></li><li><p><a class="indexterm" name="id2592098"></a><a class="indexterm" name="id2592105"></a><a class="indexterm" name="id2592113"></a><a class="indexterm" name="id2592127"></a><a class="indexterm" name="id2592135"></a>
		Next you need to create a computer account in the Active Directory. 
		This sets up the trust relationship needed for other clients to 
		authenticate to the Samba server with an Active Directory Kerberos ticket. 
		This is done with the &#8220;<span class="quote"><span class="emphasis"><em>net ads join -U [Administrator%Password]</em></span></span>&#8221;
		command, as follows:
</p><pre class="screen">
<tt class="prompt">root# </tt> net ads join -U administrator%vulcon
</pre><p>
		If the <tt class="constant">%Password</tt> part is omitted, the command prompts for the
		password, which keeps it out of the shell history and the process list.
		</p></li><li><p><a class="indexterm" name="id2592172"></a><a class="indexterm" name="id2592180"></a><a class="indexterm" name="id2592187"></a><a class="indexterm" name="id2592195"></a><a class="indexterm" name="id2592203"></a>
		Your new Samba binaries must be started in the standard manner as is applicable
		to the platform you are running on. Alternatively, start your Active Directory 
		enabled Samba with the following commands:
</p><pre class="screen">
<tt class="prompt">root# </tt> smbd -D
<tt class="prompt">root# </tt> nmbd -D
<tt class="prompt">root# </tt> winbindd -B
</pre><p>
		</p></li><li><p><a class="indexterm" name="id2592245"></a><a class="indexterm" name="id2592253"></a><a class="indexterm" name="id2592264"></a><a class="indexterm" name="id2592272"></a><a class="indexterm" name="id2592280"></a>
		We now need to test that Samba is communicating with the Active 
		Directory domain; most specifically, we want to see whether winbind 
		is enumerating users and groups. Issue the following commands. The first
		tests whether we are authenticating against Active Directory:
</p><pre class="screen">
<tt class="prompt">root# </tt> wbinfo -t
checking the trust secret via RPC calls succeeded
</pre><p>
		This enumerates all the users in your Active Directory tree:
</p><pre class="screen">
<tt class="prompt">root# </tt> wbinfo -u
LONDON+Administrator
LONDON+Guest
LONDON+SUPPORT_388945a0
LONDON+krbtgt
LONDON+jht
LONDON+xjht
</pre><p>
		This enumerates all the groups in your Active Directory tree:
</p><pre class="screen">
<tt class="prompt">root# </tt> wbinfo -g
LONDON+Domain Computers
LONDON+Domain Controllers
LONDON+Schema Admins
LONDON+Enterprise Admins
LONDON+Domain Admins
LONDON+Domain Users
LONDON+Domain Guests
LONDON+Group Policy Creator Owners
LONDON+DnsUpdateProxy
</pre><p>
		</p></li><li><p><a class="indexterm" name="id2592346"></a><a class="indexterm" name="id2592354"></a>
		Squid uses the <span><b class="command">ntlm_auth</b></span> helper built with Samba-3.
		You may test <span><b class="command">ntlm_auth</b></span> with the command:
</p><pre class="screen">
<tt class="prompt">root# </tt> /usr/bin/ntlm_auth --username=jht
password: XXXXXXXX
</pre><p>
		You are asked for your password, which you should enter. You are rewarded with:
</p><pre class="screen">
NT_STATUS_OK: Success (0x0)
</pre><p>
		</p></li><li><p><a class="indexterm" name="id2592408"></a><a class="indexterm" name="id2592415"></a><a class="indexterm" name="id2592423"></a><a class="indexterm" name="id2592431"></a><a class="indexterm" name="id2592439"></a><a class="indexterm" name="id2592447"></a><a class="indexterm" name="id2592455"></a><a class="indexterm" name="id2592463"></a>
		The <span><b class="command">ntlm_auth</b></span> helper, when run from a command line as the user 
		&#8220;<span class="quote"><span class="emphasis"><em>root</em></span></span>&#8221;, authenticates against your Active Directory domain (with 
		the aid of winbind). It manages this by reading from the winbind privileged pipe. 
		Squid is running with the permissions of user &#8220;<span class="quote"><span class="emphasis"><em>squid</em></span></span>&#8221; and group 
		&#8220;<span class="quote"><span class="emphasis"><em>squid</em></span></span>&#8221; and is not able to do this unless we make a vital change. 
		Squid cannot read from the winbind privileged pipe unless you change the 
		permissions of its directory. This is the single biggest cause of failure in the 
		whole process. Remember to issue the following command (for Red Hat Linux):
</p><pre class="screen">
<tt class="prompt">root# </tt> chgrp squid /var/cache/samba/winbindd_privileged
<tt class="prompt">root# </tt> chmod 750 /var/cache/samba/winbindd_privileged
</pre><p>
		For SUSE Linux 9, execute the following:
</p><pre class="screen">
<tt class="prompt">root# </tt> chgrp squid /var/lib/samba/winbindd_privileged
<tt class="prompt">root# </tt> chmod 750 /var/lib/samba/winbindd_privileged
</pre><p>
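		</p><p>
		Because a wrong group or mode on this directory is the most common failure, it is worth
		verifying the result of the two commands rather than loosening the permissions further.
		The following script is an added example, not part of the original chapter or of Samba;
		the function name is illustrative and the expected owner <tt class="constant">root</tt>
		is an assumption.
		</p>

```shell
#!/bin/sh
# Added example (not from the original chapter): verify that the
# winbindd_privileged directory is reachable by Squid's group and nobody else.

# check_priv_dir DIR OWNER GROUP
# Prints one line per finding. Returns 0 only if DIR is a real directory owned
# by OWNER with group GROUP and mode exactly rwxr-x--- (750).
check_priv_dir() {
    c_dir=$1 c_owner=$2 c_group=$3 c_rc=0

    if [ -L "$c_dir" ]; then
        echo "FAIL: $c_dir is a symbolic link"
        return 1
    fi
    if [ ! -d "$c_dir" ]; then
        echo "FAIL: $c_dir is not a directory"
        return 1
    fi

    # POSIX `ls -ld` fields: mode, link count, owner, group, ...
    c_line=$(ls -ld -- "$c_dir")
    c_perms=$(printf '%s\n' "$c_line" | awk '{ print substr($1, 2, 9) }')
    c_have_owner=$(printf '%s\n' "$c_line" | awk '{ print $3 }')
    c_have_group=$(printf '%s\n' "$c_line" | awk '{ print $4 }')

    # Any bit set for "other" exposes the privileged pipe to every local user.
    case $c_perms in
        ??????---) ;;
        *) echo "FAIL: $c_dir grants access to other users ($c_perms)"
           c_rc=1 ;;
    esac

    # The group needs r-x to reach the pipe and must not be able to write.
    if [ "$c_perms" != "rwxr-x---" ]; then
        echo "FAIL: mode is $c_perms, expected rwxr-x--- (750)"
        c_rc=1
    fi
    if [ "$c_have_group" != "$c_group" ]; then
        echo "FAIL: group is $c_have_group, expected $c_group"
        c_rc=1
    fi
    if [ "$c_have_owner" != "$c_owner" ]; then
        echo "FAIL: owner is $c_have_owner, expected $c_owner"
        c_rc=1
    fi

    if [ "$c_rc" -eq 0 ]; then
        echo "OK: $c_dir is $c_perms $c_have_owner:$c_have_group"
    fi
    return "$c_rc"
}

# Check whichever of the two locations named in this chapter exists.
# The expected owner "root" is an assumption; the group is Squid's group.
for d in /var/cache/samba/winbindd_privileged \
         /var/lib/samba/winbindd_privileged; do
    if [ -e "$d" ]; then
        check_priv_dir "$d" root squid
    fi
done
```

		<p>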
		</p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2592543"></a>NSS Configuration</h4></div></div></div><p><a class="indexterm" name="id2592550"></a><a class="indexterm" name="id2592558"></a><a class="indexterm" name="id2592566"></a>
	For Squid to benefit from Samba-3, NSS must be updated to allow winbind as a valid route to user authentication.
	</p><div class="procedure"><ul><li><p>
		Edit your <tt class="filename">/etc/nsswitch.conf</tt> file so it has the parameters shown
		in <a href="DomApps.html#ch10-etcnsscfg" title="Example&nbsp;12.3.&nbsp;NSS Configuration File Extract  File: /etc/nsswitch.conf">Example&nbsp;12.3</a>.
		</p></li></ul></div><div class="example"><a name="ch10-smbconf"></a><p class="title"><b>Example&nbsp;12.2.&nbsp;Samba Configuration  File: /etc/samba/smb.conf</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><a class="indexterm" name="id2592625"></a><i class="parameter"><tt>workgroup = LONDON</tt></i></td></tr><tr><td><a class="indexterm" name="id2592640"></a><i class="parameter"><tt>netbios name = W2K3S</tt></i></td></tr><tr><td><a class="indexterm" name="id2592655"></a><i class="parameter"><tt>realm = LONDON.ABMAS.BIZ</tt></i></td></tr><tr><td><a class="indexterm" name="id2592671"></a><i class="parameter"><tt>security = ads</tt></i></td></tr><tr><td><a class="indexterm" name="id2592686"></a><i class="parameter"><tt>encrypt passwords = yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2592702"></a><i class="parameter"><tt>password server = w2k3s.london.abmas.biz</tt></i></td></tr><tr><td># separate domain and username with '/', like DOMAIN/username</td></tr><tr><td><a class="indexterm" name="id2592725"></a><i class="parameter"><tt>winbind separator = /</tt></i></td></tr><tr><td># use UIDs from 10000 to 20000 for domain users</td></tr><tr><td><a class="indexterm" name="id2592747"></a><i class="parameter"><tt>idmap uid = 10000-20000</tt></i></td></tr><tr><td><a class="indexterm" name="id2592763"></a><i class="parameter"><tt>idmap gid = 10000-20000</tt></i></td></tr><tr><td># allow enumeration of winbind users and groups</td></tr><tr><td><a class="indexterm" name="id2592786"></a><i class="parameter"><tt>winbind enum users = yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2592801"></a><i class="parameter"><tt>winbind enum groups = yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2592816"></a><i class="parameter"><tt>winbind user default domain = yes</tt></i></td></tr></table></div><div class="example"><a name="ch10-etcnsscfg"></a><p class="title"><b>Example&nbsp;12.3.&nbsp;NSS Configuration File Extract  File: <tt class="filename">/etc/nsswitch.conf</tt></b></p><pre class="screen">
passwd: files winbind
shadow: files
group: files winbind
</pre></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2592858"></a>Squid Configuration</h4></div></div></div><p><a class="indexterm" name="id2592865"></a><a class="indexterm" name="id2592873"></a>
	Squid must be configured correctly to interact with the Samba-3 
	components that handle Active Directory authentication.
	</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2592891"></a>Configuration</h3></div></div></div></div><div class="procedure"><ol type="1"><li><p><a class="indexterm" name="id2592904"></a><a class="indexterm" name="id2592911"></a><a class="indexterm" name="id2592919"></a>
		If your Linux distribution is SUSE Linux 9, the version of Squid 
		supplied is already enabled to use the winbind helper agent. You
		can, therefore, omit the steps that would build the Squid binary
		programs.
		</p></li><li><p><a class="indexterm" name="id2592938"></a><a class="indexterm" name="id2592945"></a><a class="indexterm" name="id2592953"></a><a class="indexterm" name="id2592961"></a><a class="indexterm" name="id2592969"></a>
		Squid, by default, runs as the user <tt class="constant">nobody</tt>. You need to 
		add a system user <tt class="constant">squid</tt> and a system group 
		<tt class="constant">squid</tt> if they are not set up already (if the default 
		Red Hat squid RPMs were installed, they will be).  Set up a 
		<tt class="constant">squid</tt> user in <tt class="filename">/etc/passwd</tt> 
		and a <tt class="constant">squid</tt> group in <tt class="filename">/etc/group</tt> if these aren't there already.
		</p></li><li><p><a class="indexterm" name="id2593018"></a><a class="indexterm" name="id2593026"></a>
		You now need to change the permissions on Squid's <tt class="constant">var</tt>
		directory.  Enter the following command:
</p><pre class="screen">
<tt class="prompt">root# </tt> chown -R squid /var/cache/squid
</pre><p>
		</p></li><li><p><a class="indexterm" name="id2593058"></a><a class="indexterm" name="id2593065"></a>
		Squid must also have control over its logging. Enter the following commands:
</p><pre class="screen">
<tt class="prompt">root# </tt> chown -R squid:squid /var/log/squid
<tt class="prompt">root# </tt> chmod 770 /var/log/squid
</pre><p>
		</p></li><li><p>
		Finally, Squid must be able to write to its disk cache!
		Enter the following commands:
</p><pre class="screen">
<tt class="prompt">root# </tt> chown -R squid:squid /var/cache/squid
<tt class="prompt">root# </tt> chmod 770 /var/cache/squid
</pre><p>
		</p></li><li><p><a class="indexterm" name="id2593126"></a>
		The <tt class="filename">/etc/squid/squid.conf</tt> file must be edited to include the lines from 
		<a href="DomApps.html#etcsquidcfg" title="Example&nbsp;12.4.&nbsp;Squid Configuration File Extract  /etc/squid.conf [ADMINISTRATIVE PARAMETERS Section]">Example&nbsp;12.4</a> and <a href="DomApps.html#etcsquid2" title="Example&nbsp;12.5.&nbsp;Squid Configuration File extract  File: /etc/squid.conf [AUTHENTICATION PARAMETERS Section]">Example&nbsp;12.5</a>.
		</p></li><li><p><a class="indexterm" name="id2593162"></a>
		You must create Squid's cache directories before it may be run.  Enter the following command: 
</p><pre class="screen">
<tt class="prompt">root# </tt> squid -z
</pre><p>
		</p></li><li><p>
		Finally, start Squid and enjoy transparent Active Directory authentication.
		Enter the following command:
</p><pre class="screen">
<tt class="prompt">root# </tt> squid
</pre><p>
		</p></li></ol></div><div class="example"><a name="etcsquidcfg"></a><p class="title"><b>Example&nbsp;12.4.&nbsp;Squid Configuration File Extract  <tt class="filename">/etc/squid.conf</tt> [ADMINISTRATIVE PARAMETERS Section]</b></p><pre class="screen">
	cache_effective_user squid
	cache_effective_group squid
</pre></div><div class="example"><a name="etcsquid2"></a><p class="title"><b>Example&nbsp;12.5.&nbsp;Squid Configuration File extract  File: <tt class="filename">/etc/squid.conf</tt> [AUTHENTICATION PARAMETERS Section]</b></p><pre class="screen">
	auth_param ntlm program /usr/bin/ntlm_auth \
                                --helper-protocol=squid-2.5-ntlmssp
	auth_param ntlm children 5
	auth_param ntlm max_challenge_reuses 0
	auth_param ntlm max_challenge_lifetime 2 minutes
	auth_param basic program /usr/bin/ntlm_auth \
                                --helper-protocol=squid-2.5-basic
	auth_param basic children 5
	auth_param basic realm Squid proxy-caching web server
	auth_param basic credentialsttl 2 hours
	acl AuthorizedUsers proxy_auth REQUIRED
	http_access allow all AuthorizedUsers
</pre></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2593269"></a>Key Points Learned</h3></div></div></div><p><a class="indexterm" name="id2593276"></a><a class="indexterm" name="id2593284"></a><a class="indexterm" name="id2593292"></a><a class="indexterm" name="id2593300"></a><a class="indexterm" name="id2593314"></a>
		Microsoft Windows networking protocols permeate the spectrum of technologies that Microsoft
		Windows clients use, even when accessing traditional services such as Web browsing. Depending
		on whom you discuss this with, this is either good or bad. However you evaluate it,
		the use of NTLMSSP as the authentication protocol for Web proxy access has some advantages over
		the cookie-based authentication regime used by all competing browsers. It is Samba's implementation
		of NTLMSSP that makes it attractive to implement the solution that has been demonstrated in this chapter.
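
The check below is an added example, not part of the original chapter: it audits the squid.conf lines from Examples 12.4 and 12.5 for the property this setup depends on, namely that every http_access allow rule names a proxy_auth ACL. The function name audit_squid_auth, the finding labels and the weakened sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original chapter. audit_squid_auth, the finding
# labels and the "weak" variant are assumptions made for illustration.

# Read a squid.conf (file argument or stdin); print one finding per line.
audit_squid_auth() {
    awk '
    # Join lines ending in a backslash, as the extract is wrapped on the page.
    /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0 " "; next }
    { $0 = buf $0; buf = "" }
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    $1 == "auth_param" && $3 == "program" { helper[$2] = $4 }
    $1 == "acl" && $3 == "proxy_auth"     { authacl[$2] = 1; nacl++ }
    $1 == "http_access" && $2 == "allow" {
        ok = 0                               # does any ACL on this rule require a login?
        for (i = 3; i <= NF; i++) if ($i in authacl) ok = 1
        if (!ok) print "WARN unauthenticated allow: " $0
    }
    END {
        if (!nacl) print "WARN no proxy_auth acl defined"
        if (!("ntlm" in helper)) print "WARN no ntlm helper configured"
        # HTTP Basic carries the password base64-encoded, not encrypted.
        if ("basic" in helper) print "NOTE basic scheme offered: " helper["basic"]
    }' "$@"
}

# Constructed sample 1: the core lines of Examples 12.4 and 12.5.
page_conf() {
    cat <<'EOF'
cache_effective_user squid
auth_param ntlm program /usr/bin/ntlm_auth \
        --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic program /usr/bin/ntlm_auth \
        --helper-protocol=squid-2.5-basic
auth_param basic children 5
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers
EOF
}

# Constructed sample 2: the same lines with the ACL name dropped from the rule.
weak_conf() { page_conf | sed 's/^\(http_access allow all\) .*/\1/'; }

page_conf | audit_squid_auth     # only the NOTE about the basic scheme
weak_conf | audit_squid_auth     # adds the unauthenticated-allow warning
```

To audit the installed file before starting Squid, pass its path: audit_squid_auth /etc/squid/squid.conf.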
		</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2593336"></a>Questions and Answers</h2></div></div></div><p><a class="indexterm" name="id2593343"></a><a class="indexterm" name="id2593351"></a><a class="indexterm" name="id2593359"></a><a class="indexterm" name="id2593367"></a>
	The development of the <span><b class="command">ntlm_auth</b></span> module was first discussed in many Open Source circles
	in 2002. At the SambaXP conference in Goettingen, Germany, Mr. Francesco Chemolli demonstrated the use of
	<span><b class="command">ntlm_auth</b></span> during one of the late developer meetings that took place. Since that time, the
	adoption of <span><b class="command">ntlm_auth</b></span> has spread considerably.
	</p><p>
	The largest site reported to use Squid with <span><b class="command">ntlm_auth</b></span>-based authentication
	support runs a dual-processor server that has 2 GBytes of memory. It provides Web and FTP proxy services for 10,000
	users. Approximately 2,000 of these users make heavy use of the proxy services. According to the source, who
	wishes to remain anonymous, the sustained transaction load on this server hovers around 140 hits/sec. The following
	comments were made with respect to questions regarding the performance of this installation:
	</p><div class="blockquote"><blockquote class="blockquote"><p>
	[In our] EXTREMELY optimized environment ... [the] performance impact is almost [nothing]. The &#8220;<span class="quote"><span class="emphasis"><em>almost</em></span></span>&#8221;
	part is due to the brain damage of the ntlm-over-http protocol definition. Suffice to say that its worst-case
	scenario triples the number of hits needed to perform the same transactions versus basic or digest auth[entication].
	</p></blockquote></div><p>
	You would be well advised to recognize that all cache-intensive proxying solutions demand a lot of memory.
	Make certain that your Squid proxy server is equipped with sufficient memory to permit all proxy operations to run
	from memory, without incurring the overhead of memory that has to be swapped to disk.
	</p><div class="qandaset"><dl><dt> <a href="DomApps.html#id2593448">
		What does Samba have to do with Web proxy serving?
		</a></dt><dt> <a href="DomApps.html#id2593634">
		What other services does Samba provide?
		</a></dt><dt> <a href="DomApps.html#id2593790">
		Does use of Samba (ntlm_auth) improve the performance of Squid?
		</a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id2593448"></a><a name="id2593450"></a><b></b></td><td align="left" valign="top"><p>
		What does Samba have to do with Web proxy serving?
		</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2593461"></a><a class="indexterm" name="id2593469"></a><a class="indexterm" name="id2593477"></a><a class="indexterm" name="id2593489"></a><a class="indexterm" name="id2593497"></a>
		To provide transparent interoperability between Windows clients and the network services
		that are used from them, Samba has had to develop the tools and facilities that deliver it. The benefit
		of Open Source software is that it can readily be reused. The current <span><b class="command">ntlm_auth</b></span>
		module is basically a wrapper around authentication code from the core of the Samba project.
		</p><p><a class="indexterm" name="id2593520"></a><a class="indexterm" name="id2593528"></a><a class="indexterm" name="id2593539"></a><a class="indexterm" name="id2593550"></a><a class="indexterm" name="id2593561"></a><a class="indexterm" name="id2593569"></a><a class="indexterm" name="id2593577"></a><a class="indexterm" name="id2593585"></a><a class="indexterm" name="id2593593"></a>
		The <span><b class="command">ntlm_auth</b></span> module supports basic plain-text authentication and NTLMSSP
		protocols. This module makes it possible for Web and FTP proxy requests to be authenticated via the
		user's Windows logon credentials, without the user being interrupted. This facility is available with
		MS Windows explorer and is one of the key benefits claimed for Microsoft Internet Information Server.
		There are also a few open source initiatives to provide support for these protocols in the Apache Web
		server.
		</p><p><a class="indexterm" name="id2593619"></a>
		The short answer is that by adding a wrapper around key authentication components of Samba, other
		projects (like Squid) can benefit from the labors expended in meeting user interoperability needs.
		</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2593634"></a><a name="id2593637"></a><b></b></td><td align="left" valign="top"><p>
		What other services does Samba provide?
		</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2593647"></a><a class="indexterm" name="id2593655"></a><a class="indexterm" name="id2593663"></a><a class="indexterm" name="id2593671"></a><a class="indexterm" name="id2593679"></a>
		Samba-3 is a file and print server. The core components that provide this functionality are <span><b class="command">smbd</b></span>,
		<span><b class="command">nmbd</b></span>, and the Identity resolver daemon, <span><b class="command">winbindd</b></span>.
		</p><p><a class="indexterm" name="id2593710"></a><a class="indexterm" name="id2593718"></a>
		Samba-3 is an SMB/CIFS client. The core component that provides this is called <span><b class="command">smbclient</b></span>.
		</p><p><a class="indexterm" name="id2593737"></a><a class="indexterm" name="id2593745"></a><a class="indexterm" name="id2593752"></a><a class="indexterm" name="id2593760"></a><a class="indexterm" name="id2593768"></a>
		Samba-3 includes a number of helper tools, plug-in modules, utilities, and test/validation facilities.
		Samba-3 includes glue modules that help provide interoperability between MS Windows clients and UNIX/Linux
		servers and clients. It includes Winbind agents that make it possible to authenticate UNIX/Linux access attempts
		as well as logins to an SMB/CIFS authentication server backend. Samba-3 includes name service switcher modules
		to permit Identity resolution via SMB/CIFS servers (Windows NT4/200x, Samba, and a host of other commercial
		server products).
		</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2593790"></a><a name="id2593792"></a><b></b></td><td align="left" valign="top"><p>
		Does use of Samba (<span><b class="command">ntlm_auth</b></span>) improve the performance of Squid?
		</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
		Not really. Samba's <span><b class="command">ntlm_auth</b></span> module handles only authentication. It requires that
		Squid make an external call to <span><b class="command">ntlm_auth</b></span> and, therefore, actually incurs a
		little more overhead. Compared with the benefit obtained, that overhead is well worth enduring. Since
		Squid is a proxy server, and proxy servers tend to require lots of memory, it is good advice to provide
		sufficient memory when using Squid. Just add a little more to accommodate <span><b class="command">ntlm_auth</b></span>.
		</p></td></tr></tbody></table></div></div></div></body></html>