--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 12. Integrating Additional Services</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.68.1"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="RefSection.html" title="Part III. Reference Section"><link rel="prev" href="kerberos.html" title="Chapter 11. Active Directory, Kerberos, and Security"><link rel="next" href="HA.html" title="Chapter 13. Performance, Reliability, and Availability"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 12. Integrating Additional Services</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="kerberos.html">Prev</a> </td><th width="60%" align="center">Part III. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="HA.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="DomApps"></a>Chapter 12. Integrating Additional Services</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="DomApps.html#id2584664">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="DomApps.html#id2584695">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="DomApps.html#id2584795">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="DomApps.html#id2584828">Technical Issues</a></span></dt><dt><span class="sect2"><a href="DomApps.html#id2584993">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="DomApps.html#id2585011">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a></span></dt><dt><span class="sect2"><a href="DomApps.html#id2586876">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="DomApps.html#id2586936">Questions and Answers</a></span></dt></dl></div><p>
+ <a class="indexterm" name="id2584615"></a>
+ <a class="indexterm" name="id2584621"></a>
+ <a class="indexterm" name="id2584628"></a>
+ <a class="indexterm" name="id2584635"></a>
+ <a class="indexterm" name="id2584642"></a>
+ You've come a long way now. You have pretty much mastered Samba-3 for
+ most uses it can be put to. Up until now, you have cast Samba-3 in the leading
+ role, and where authentication was required, you have used one or another of
+ Samba's many authentication backends (from flat text files with smbpasswd
+ to LDAP directory integration with ldapsam). Now you can design a
+ solution for a new Abmas business. This business is running Windows Server
+ 2003 and Active Directory, and these are to stay. It's time to master
+ implementing Samba and Samba-supported services in a domain controlled by
+ the latest Windows authentication technologies. Let's get started this is
+ leading edge.
+ </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2584664"></a>Introduction</h2></div></div></div><p>
+ Abmas has continued its miraculous growth; indeed, nothing seems to be able
+ to stop its diversification into multiple (and seemingly unrelated) fields.
+ Its latest acquisition is Abmas Snack Foods, a big player in the snack-food
+ business.
+ </p><p>
+ With this acquisition comes new challenges for you and your team. Abmas Snack
+ Foods is a well-developed business with a huge and heterogeneous network. It
+ already has Windows, NetWare, and Proprietary UNIX, but as yet no Samba or Linux.
+ The network is mature and well-established, and there is no question of its chosen
+ user authentication scheme being changed for now. You need to take a wise new
+ approach.
+ </p><p>
+ You have decided to set the ball rolling by introducing Samba-3 into the network
+ gradually, taking over key services and easing the way to a full migration and,
+ therefore, integration into Abmas's existing business later.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2584695"></a>Assignment Tasks</h3></div></div></div><p>
+ <a class="indexterm" name="id2584703"></a>
+ <a class="indexterm" name="id2584712"></a>
+ You've promised the skeptical Abmas Snack Foods management team
+ that you can show them how Samba can ease itself and other Open Source
+ technologies into their existing infrastructure and deliver sound business
+ advantages. Cost cutting is high on their agenda (a major promise of the
+ acquisition). You have chosen Web proxying and caching as your proving ground.
+ </p><p>
+ <a class="indexterm" name="id2584730"></a>
+ <a class="indexterm" name="id2584737"></a>
+ Abmas Snack Foods has several thousand users housed at its head office
+ and multiple regional offices, plants, and warehouses. A high proportion of
+ the business's work is done online, so Internet access for most of these
+ users is essential. All Internet access, including for all regional offices,
+ is funneled through the head office and is the job of the (now your) networking
+ team. The bandwidth requirements were horrific (comparable to a small ISP), and
+ the team soon discovered proxying and caching. In fact, they became one of
+ the earliest commercial users of Microsoft ISA.
+ </p><p>
+ <a class="indexterm" name="id2584757"></a>
+ <a class="indexterm" name="id2584764"></a>
+ <a class="indexterm" name="id2584771"></a>
+ The team is not happy with ISA. Because it never lived up to its marketing promises,
+ it underperformed and had reliability problems. You have pounced on the opportunity
+ to show what Open Source can do. The one thing they do like, however, is ISA's
+ integration with Active Directory. They like that their users, once logged on,
+ are automatically authenticated against the proxy. If your alternative to ISA
+ can operate completely seamlessly in their Active Directory domain, it will be
+ approved.
+ </p><p>
+ This is a hands-on exercise. You build software applications so
+ that you obtain the functionality Abmas needs.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2584795"></a>Dissection and Discussion</h2></div></div></div><p>
+ The key requirements in this business example are straightforward. You are not required
+ to do anything new, just to replicate an existing system, not lose any existing features,
+ and improve performance. The key points are:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ Internet access for most employees
+ </p></li><li><p>
+ Distributed system to accommodate load and geographical distribution of users
+ </p></li><li><p>
+ Seamless and transparent interoperability with the existing Active Directory domain
+ </p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2584828"></a>Technical Issues</h3></div></div></div><p>
+ <a class="indexterm" name="id2584836"></a>
+ <a class="indexterm" name="id2584843"></a>
+ <a class="indexterm" name="id2584850"></a>
+ <a class="indexterm" name="id2584857"></a>
+ <a class="indexterm" name="id2584864"></a>
+ <a class="indexterm" name="id2584870"></a>
+ <a class="indexterm" name="id2584877"></a>
+ <a class="indexterm" name="id2584884"></a>
+ <a class="indexterm" name="id2584891"></a>
+ <a class="indexterm" name="id2584898"></a>
+ <a class="indexterm" name="id2584905"></a>
+ <a class="indexterm" name="id2584912"></a>
+ <a class="indexterm" name="id2584921"></a><a class="indexterm" name="id2584927"></a>
+ Functionally, the user's Internet Explorer requests a browsing session with the
+ Squid proxy, for which it offers its AD authentication token. Squid hands off
+ the authentication request to the Samba-3 authentication helper application
+ called <span><strong class="command">ntlm_auth</strong></span>. This helper is a hook into winbind, the
+ Samba-3 NTLM authentication daemon. Winbind enables UNIX services to authenticate
+ against Microsoft Windows domains, including Active Directory domains. As Active
+ Directory authentication is a modified Kerberos authentication, winbind is assisted
+ in this by local Kerberos 5 libraries configured to check passwords with the Active
+ Directory server. Once the token has been checked, a browsing session is established.
+ This process is entirely transparent and seamless to the user.
+ </p><p>
+ Enabling this consists of:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ Preparing the necessary environment using preconfigured packages
+ </p></li><li><p>
+ Setting up raw Kerberos authentication against the Active Directory domain
+ </p></li><li><p>
+ Configuring, compiling, and then installing the supporting Samba-3 components
+ </p></li><li><p>
+ Tying it all together
+ </p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2584993"></a>Political Issues</h3></div></div></div><p>
+ You are a stranger in a strange land, and all eyes are upon you. Some would even like to see
+ you fail. For you to gain the trust of your newly acquired IT people, it is essential that your
+ solution does everything the old one did, but does it better in every way. Only then
+ will the entrenched positions consider taking up your new way of doing things on a
+ wider scale.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2585011"></a>Implementation</h2></div></div></div><p>
+ <a class="indexterm" name="id2585019"></a>
+ First, your system needs to be prepared and in a known good state to proceed. This consists
+ of making sure that everything the system depends on is present and that everything that could
+ interfere or conflict with the system is removed. You will be configuring the Squid and Samba-3
+ packages and updating them if necessary. If conflicting packages of these programs are installed,
+ they must be removed.
+ </p><p>
+ <a class="indexterm" name="id2585036"></a>
+ The following packages should be available on your Red Hat Linux system:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ <a class="indexterm" name="id2585051"></a>
+ <a class="indexterm" name="id2585058"></a>
+ krb5-libs
+ </p></li><li><p>
+ krb5-devel
+ </p></li><li><p>
+ krb5-workstation
+ </p></li><li><p>
+ krb5-server
+ </p></li><li><p>
+ pam_krb5
+ </p></li></ul></div><p>
+ <a class="indexterm" name="id2585088"></a>
+ In the case of SUSE Linux, these packages are called:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ heimdal-lib
+ </p></li><li><p>
+ heimdal-devel
+ </p></li><li><p>
+ <a class="indexterm" name="id2585112"></a>
+ heimdal
+ </p></li><li><p>
+ pam_krb5
+ </p></li></ul></div><p>
+ If the required packages are not present on your system, you must install
+ them from the vendor's installation media. Follow the administrative guide
+ for your Linux system to ensure that the packages are correctly updated.
+ </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ <a class="indexterm" name="id2585138"></a>
+ <a class="indexterm" name="id2585145"></a>
+ <a class="indexterm" name="id2585151"></a>
+ If the requirement is for interoperation with MS Windows Server 2003, it
+ will be necessary to ensure that you are using MIT Kerberos version 1.3.1
+ or later. Red Hat Linux 9 ships with MIT Kerberos 1.2.7 and thus requires
+ updating.
+ </p><p>
+ <a class="indexterm" name="id2585165"></a>
+ <a class="indexterm" name="id2585172"></a>
+ Heimdal 0.6 or later is required in the case of SUSE Linux. SUSE Enterprise
+ Linux Server 8 ships with Heimdal 0.4. SUSE 9 ships with the necessary version.
+ </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch10-one"></a>Removal of Pre-Existing Conflicting RPMs</h3></div></div></div><p>
+ <a class="indexterm" name="id2585195"></a>
+ If Samba and/or Squid RPMs are installed, they should be updated. You can
+ build both from source.
+ </p><p>
+ <a class="indexterm" name="id2585206"></a>
+ <a class="indexterm" name="id2585213"></a>
+ <a class="indexterm" name="id2585220"></a>
+ Locating the packages to be un-installed can be achieved by running:
+</p><pre class="screen">
+<code class="prompt">root# </code> rpm -qa | grep -i samba
+<code class="prompt">root# </code> rpm -qa | grep -i squid
+</pre><p>
+ The identified packages may be removed using:
+</p><pre class="screen">
+<code class="prompt">root# </code> rpm -e samba-common
+</pre><p>
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2585260"></a>Kerberos Configuration</h3></div></div></div><p>
+ <a class="indexterm" name="id2585268"></a>
+ <a class="indexterm" name="id2585275"></a>
+ <a class="indexterm" name="id2585284"></a>
+ <a class="indexterm" name="id2585290"></a>
+ The systems Kerberos installation must be configured to communicate with
+ your primary Active Directory server (ADS KDC).
+ </p><p>
+ Strictly speaking, MIT Kerberos version 1.3.4 currently gives the best results,
+ although the current default Red Hat MIT version 1.2.7 gives acceptable results
+ unless you are using Windows 2003 servers.
+ </p><p>
+ <a class="indexterm" name="id2585310"></a>
+ <a class="indexterm" name="id2585316"></a>
+ <a class="indexterm" name="id2585323"></a>
+ <a class="indexterm" name="id2585330"></a>
+ <a class="indexterm" name="id2585337"></a>
+ <a class="indexterm" name="id2585346"></a>
+ <a class="indexterm" name="id2585352"></a>
+ Officially, neither MIT (1.3.4) nor Heimdal (0.63) Kerberos needs an <code class="filename">/etc/krb5.conf</code>
+ file in order to work correctly. All ADS domains automatically create SRV records in the
+ DNS zone <code class="constant">Kerberos.REALM.NAME</code> for each KDC in the realm. Since both
+ MIT and Heimdal, KRB5 libraries default to checking for these records, so they
+ automatically find the KDCs. In addition, <code class="filename">krb5.conf</code> allows
+ specifying only a single KDC, even if there is more than one. Using the DNS lookup
+ allows the KRB5 libraries to use whichever KDCs are available.
+ </p><div class="procedure"><a name="id2585386"></a><p class="title"><b>Procedure 12.1. Kerberos Configuration Steps</b></p><ol type="1"><li><p>
+ <a class="indexterm" name="id2585398"></a>
+ If you find the need to manually configure the <code class="filename">krb5.conf</code>, you should edit it
+ to have the contents shown in <a href="DomApps.html#ch10-krb5conf" title="Example 12.1. Kerberos Configuration File: /etc/krb5.conf">???</a>. The final fully qualified path for this file
+ should be <code class="filename">/etc/krb5.conf</code>.
+ </p></li><li><p>
+ <a class="indexterm" name="id2585433"></a>
+ <a class="indexterm" name="id2585440"></a>
+ <a class="indexterm" name="id2585446"></a>
+ <a class="indexterm" name="id2585453"></a>
+ <a class="indexterm" name="id2585460"></a>
+ <a class="indexterm" name="id2585467"></a>
+ <a class="indexterm" name="id2585474"></a>
+ <a class="indexterm" name="id2585480"></a>
+ <a class="indexterm" name="id2585487"></a>
+ <a class="indexterm" name="id2585496"></a>
+ <a class="indexterm" name="id2585503"></a>
+ <a class="indexterm" name="id2585510"></a>
+ <a class="indexterm" name="id2585516"></a>
+ The following gotchas often catch people out. Kerberos is case sensitive. Your realm must
+ be in UPPERCASE, or you will get an error: “<span class="quote">Cannot find KDC for requested realm while getting
+ initial credentials</span>”. Kerberos is picky about time synchronization. The time
+ according to your participating servers must be within 5 minutes or you get an error:
+ “<span class="quote">kinit(v5): Clock skew too great while getting initial credentials</span>”.
+ Clock skew limits are, in fact, configurable in the Kerberos protocols (the default is
+ 5 minutes). A better solution is to implement NTP throughout your server network.
+ Kerberos needs to be able to do a reverse DNS lookup on the IP address of your KDC.
+ Also, the name that this reverse lookup maps to must either be the NetBIOS name of
+ the KDC (i.e., the hostname with no domain attached) or the
+ NetBIOS name followed by the realm. If all else fails, you can add a
+ <code class="filename">/etc/hosts</code> entry mapping the IP address of your KDC to its
+ NetBIOS name. If Kerberos cannot do this reverse lookup, you will get a local error
+ when you try to join the realm.
+ </p></li><li><p>
+ <a class="indexterm" name="id2585561"></a>
+ You are now ready to test your installation by issuing the command:
+</p><pre class="screen">
+<code class="prompt">root# </code> kinit [USERNAME@REALM]
+</pre><p>
+ You are asked for your password, which you should enter. The following
+ is a typical console sequence:
+</p><pre class="screen">
+<code class="prompt">root# </code> kinit ADMINISTRATOR@LONDON.ABMAS.BIZ
+Password for ADMINISTRATOR@LONDON.ABMAS.BIZ:
+</pre><p>
+ Make sure that your password is accepted by the Active Directory KDC.
+ </p></li></ol></div><div class="example"><a name="ch10-krb5conf"></a><p class="title"><b>Example 12.1. Kerberos Configuration File: <code class="filename">/etc/krb5.conf</code></b></p><pre class="screen">
+[libdefaults]
+ default_realm = LONDON.ABMAS.BIZ
+
+[realms]
+ LONDON.ABMAS.BIZ = {
+ kdc = w2k3s.london.abmas.biz
+ }
+</pre></div><p><a class="indexterm" name="id2585626"></a>
+ The command
+</p><pre class="screen">
+<code class="prompt">root# </code> klist -e
+</pre><p>
+ shows the Kerberos tickets cached by the system.
+ </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2585649"></a>Samba Configuration</h4></div></div></div><p>
+ <a class="indexterm" name="id2585656"></a>
+ Samba must be configured to correctly use Active Directory. Samba-3 must be used, since it
+ has the necessary components to interface with Active Directory.
+ </p><div class="procedure"><a name="id2585667"></a><p class="title"><b>Procedure 12.2. Securing Samba-3 With ADS Support Steps</b></p><ol type="1"><li><p>
+ <a class="indexterm" name="id2585679"></a>
+ <a class="indexterm" name="id2585686"></a>
+ <a class="indexterm" name="id2585693"></a>
+ <a class="indexterm" name="id2585700"></a>
+ <a class="indexterm" name="id2585706"></a>
+ Download the latest stable Samba-3 for Red Hat Linux from the official Samba Team
+ <a href="http://ftp.samba.org" target="_top">FTP site.</a> The official Samba Team
+ RPMs for Red Hat Fedora Linux contain the <span><strong class="command">ntlm_auth</strong></span> tool
+ needed, and are linked against MIT KRB5 version 1.3.1 and therefore are ready for use.
+ </p><p>
+ <a class="indexterm" name="id2585733"></a>
+ <a class="indexterm" name="id2585740"></a>
+ The necessary, validated RPM packages for SUSE Linux may be obtained from
+ the <a href="ftp://ftp.sernet.de/pub/samba" target="_top">SerNet</a> FTP site that
+ is located in Germany. All SerNet RPMs are validated, have the necessary
+ <span><strong class="command">ntlm_auth</strong></span> tool, and are statically linked
+ against suitably patched Heimdal 0.6 libraries.
+ </p></li><li><p>
+ Using your favorite editor, change the <code class="filename">/etc/samba/smb.conf</code>
+ file so it has contents similar to the example shown in <a href="DomApps.html#ch10-smbconf" title="Example 12.2. Samba Configuration File: /etc/samba/smb.conf">???</a>.
+ </p></li><li><p>
+ <a class="indexterm" name="id2585791"></a>
+ <a class="indexterm" name="id2585798"></a>
+ <a class="indexterm" name="id2585805"></a>i
+ <a class="indexterm" name="id2585816"></a>
+ <a class="indexterm" name="id2585823"></a>
+ Next you need to create a computer account in the Active Directory.
+ This sets up the trust relationship needed for other clients to
+ authenticate to the Samba server with an Active Directory Kerberos ticket.
+ This is done with the “<span class="quote">net ads join -U [Administrator%Password]</span>”
+ command, as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> net ads join -U administrator%vulcon
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id2585857"></a>
+ <a class="indexterm" name="id2585864"></a>
+ <a class="indexterm" name="id2585871"></a>
+ <a class="indexterm" name="id2585877"></a>
+ <a class="indexterm" name="id2585884"></a>
+ Your new Samba binaries must be started in the standard manner as is applicable
+ to the platform you are running on. Alternatively, start your Active Directory-enabled Samba with the following commands:
+</p><pre class="screen">
+<code class="prompt">root# </code> smbd -D
+<code class="prompt">root# </code> nmbd -D
+<code class="prompt">root# </code> winbindd -B
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id2585925"></a>
+ <a class="indexterm" name="id2585932"></a>
+ <a class="indexterm" name="id2585941"></a>
+ <a class="indexterm" name="id2585948"></a>
+ <a class="indexterm" name="id2585955"></a>
+ We now need to test that Samba is communicating with the Active
+ Directory domain; most specifically, we want to see whether winbind
+ is enumerating users and groups. Issue the following commands:
+</p><pre class="screen">
+<code class="prompt">root# </code> wbinfo -t
+checking the trust secret via RPC calls succeeded
+</pre><p>
+ This tests whether we are authenticating against Active Directory:
+</p><pre class="screen">
+<code class="prompt">root# </code> wbinfo -u
+LONDON+Administrator
+LONDON+Guest
+LONDON+SUPPORT_388945a0
+LONDON+krbtgt
+LONDON+jht
+LONDON+xjht
+</pre><p>
+ This enumerates all the users in your Active Directory tree:
+</p><pre class="screen">
+<code class="prompt">root# </code> wbinfo -g
+LONDON+Domain Computers
+LONDON+Domain Controllers
+LONDON+Schema Admins
+LONDON+Enterprise Admins
+LONDON+Domain Admins
+LONDON+Domain Users
+LONDON+Domain Guests
+LONDON+Group Policy Creator Owners
+LONDON+DnsUpdateProxy
+</pre><p>
+ This enumerates all the groups in your Active Directory tree.
+ </p></li><li><p>
+ <a class="indexterm" name="id2586019"></a>
+ <a class="indexterm" name="id2586026"></a>
+ Squid uses the <span><strong class="command">ntlm_auth</strong></span> helper build with Samba-3.
+ You may test <span><strong class="command">ntlm_auth</strong></span> with the command:
+</p><pre class="screen">
+<code class="prompt">root# </code> /usr/bin/ntlm_auth --username=jht
+password: XXXXXXXX
+</pre><p>
+ You are asked for your password, which you should enter. You are rewarded with:
+</p><pre class="screen">
+<code class="prompt">root# </code> NT_STATUS_OK: Success (0x0)
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id2586078"></a>
+ <a class="indexterm" name="id2586085"></a>
+ <a class="indexterm" name="id2586092"></a>
+ <a class="indexterm" name="id2586098"></a>
+ <a class="indexterm" name="id2586105"></a>
+ <a class="indexterm" name="id2586112"></a>
+ <a class="indexterm" name="id2586119"></a>
+ <a class="indexterm" name="id2586126"></a>
+ The <span><strong class="command">ntlm_auth</strong></span> helper, when run from a command line as the user
+ “<span class="quote">root</span>”, authenticates against your Active Directory domain (with
+ the aid of winbind). It manages this by reading from the winbind privileged pipe.
+ Squid is running with the permissions of user “<span class="quote">squid</span>” and group
+ “<span class="quote">squid</span>” and is not able to do this unless we make a vital change.
+ Squid cannot read from the winbind privilege pipe unless you change the
+ permissions of its directory. This is the single biggest cause of failure in the
+ whole process. Remember to issue the following command (for Red Hat Linux):
+</p><pre class="screen">
+<code class="prompt">root# </code> chgrp squid /var/cache/samba/winbindd_privileged
+<code class="prompt">root# </code> chmod 750 /var/cache/samba/winbindd_privileged
+</pre><p>
+ For SUSE Linux 9, execute the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> chgrp squid /var/lib/samba/winbindd_privileged
+<code class="prompt">root# </code> chmod 750 /var/lib/samba/winbindd_privileged
+</pre><p>
+ </p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2586201"></a>NSS Configuration</h4></div></div></div><p>
+ <a class="indexterm" name="id2586209"></a>
+ <a class="indexterm" name="id2586215"></a>
+ <a class="indexterm" name="id2586222"></a>
+ For Squid to benefit from Samba-3, NSS must be updated to allow winbind as a valid route to user authentication.
+ </p><p>
+ Edit your <code class="filename">/etc/nsswitch.conf</code> file so it has the parameters shown
+ in <a href="DomApps.html#ch10-etcnsscfg" title="Example 12.3. NSS Configuration File Extract File: /etc/nsswitch.conf">???</a>.
+ </p><div class="example"><a name="ch10-smbconf"></a><p class="title"><b>Example 12.2. Samba Configuration File: <code class="filename">/etc/samba/smb.conf</code></b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2586281"></a><em class="parameter"><code>workgroup = LONDON</code></em></td></tr><tr><td><a class="indexterm" name="id2586293"></a><em class="parameter"><code>netbios name = W2K3S</code></em></td></tr><tr><td><a class="indexterm" name="id2586306"></a><em class="parameter"><code>realm = LONDON.ABMAS.BIZ</code></em></td></tr><tr><td><a class="indexterm" name="id2586319"></a><em class="parameter"><code>security = ads</code></em></td></tr><tr><td><a class="indexterm" name="id2586332"></a><em class="parameter"><code>encrypt passwords = yes</code></em></td></tr><tr><td><a class="indexterm" name="id2586345"></a><em class="parameter"><code>password server = w2k3s.london.abmas.biz</code></em></td></tr><tr><td># separate domain and username with '/', like DOMAIN/username</td></tr><tr><td><a class="indexterm" name="id2586362"></a><em class="parameter"><code>winbind separator = /</code></em></td></tr><tr><td># use UIDs from 10000 to 20000 for domain users</td></tr><tr><td><a class="indexterm" name="id2586379"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td># use GIDs from 10000 to 20000 for domain groups</td></tr><tr><td><a class="indexterm" name="id2586396"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td># allow enumeration of winbind users and groups</td></tr><tr><td><a class="indexterm" name="id2586413"></a><em class="parameter"><code>winbind enum users = yes</code></em></td></tr><tr><td><a class="indexterm" name="id2586426"></a><em class="parameter"><code>winbind enum groups = yes</code></em></td></tr><tr><td><a class="indexterm" name="id2586439"></a><em class="parameter"><code>winbind user default domain = yes</code></em></td></tr></table></div><div class="example"><a name="ch10-etcnsscfg"></a><p class="title"><b>Example 12.3. NSS Configuration File Extract File: <code class="filename">/etc/nsswitch.conf</code></b></p><pre class="screen">
+passwd: files winbind
+shadow: files
+group: files winbind
+</pre></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2586479"></a>Squid Configuration</h4></div></div></div><p>
+ <a class="indexterm" name="id2586487"></a>
+ <a class="indexterm" name="id2586494"></a>
+ Squid must be configured correctly to interact with the Samba-3
+ components that handle Active Directory authentication.
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2586509"></a>Configuration</h3></div></div></div></div><div class="procedure"><a name="id2586514"></a><p class="title"><b>Procedure 12.3. Squid Configuration Steps</b></p><ol type="1"><li><p>
+ <a class="indexterm" name="id2586526"></a>
+ <a class="indexterm" name="id2586533"></a>
+ <a class="indexterm" name="id2586540"></a>
+ If your Linux distribution is SUSE Linux 9, the version of Squid
+ supplied is already enabled to use the winbind helper agent. You
+ can therefore omit the steps that would build the Squid binary
+ programs.
+ </p></li><li><p>
+ <a class="indexterm" name="id2586558"></a>
+ <a class="indexterm" name="id2586564"></a>
+ <a class="indexterm" name="id2586571"></a>
+ <a class="indexterm" name="id2586578"></a>
+ <a class="indexterm" name="id2586585"></a>
+ Squid, by default, runs as the user <code class="constant">nobody</code>. You need to
+ add a system user <code class="constant">squid</code> and a system group
+ <code class="constant">squid</code> if they are not set up already (if the default
+ Red Hat squid rpms were installed, they will be). Set up a
+ <code class="constant">squid</code> user in <code class="filename">/etc/passwd</code>
+ and a <code class="constant">squid</code> group in <code class="filename">/etc/group</code> if these aren't there already.
+ </p></li><li><p>
+ <a class="indexterm" name="id2586632"></a>
+ <a class="indexterm" name="id2586639"></a>
+ You now need to change the permissions on Squid's <code class="constant">var</code>
+ directory. Enter the following command:
+</p><pre class="screen">
+<code class="prompt">root# </code> chown -R squid /var/cache/squid
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id2586670"></a>
+ <a class="indexterm" name="id2586677"></a>
+ Squid must also have control over its logging. Enter the following commands:
+</p><pre class="screen">
+<code class="prompt">root# </code> chown -R chown squid:squid /var/log/squid
+<code class="prompt">root# </code> chmod 770 /var/log/squid
+</pre><p>
+ </p></li><li><p>
+ Finally, Squid must be able to write to its disk cache!
+ Enter the following commands:
+</p><pre class="screen">
+<code class="prompt">root# </code> chown -R chown squid:squid /var/cache/squid
+<code class="prompt">root# </code> chmod 770 /var/cache/squid
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id2586737"></a>
+ The <code class="filename">/etc/squid/squid.conf</code> file must be edited to include the lines from
+ <a href="DomApps.html#etcsquidcfg" title="Example 12.4. Squid Configuration File Extract /etc/squid.conf [ADMINISTRATIVE PARAMETERS Section]">???</a> and <a href="DomApps.html#etcsquid2" title="Example 12.5. Squid Configuration File extract File: /etc/squid.conf [AUTHENTICATION PARAMETERS Section]">???</a>.
+ </p></li><li><p>
+ <a class="indexterm" name="id2586771"></a>
+ You must create Squid's cache directories before it may be run. Enter the following command:
+</p><pre class="screen">
+<code class="prompt">root# </code> squid -z
+</pre><p>
+ </p></li><li><p>
+ Finally, start Squid and enjoy transparent Active Directory authentication.
+ Enter the following command:
+</p><pre class="screen">
+<code class="prompt">root# </code> squid
+</pre><p>
+ </p></li></ol></div><div class="example"><a name="etcsquidcfg"></a><p class="title"><b>Example 12.4. Squid Configuration File Extract <code class="filename">/etc/squid.conf</code> [ADMINISTRATIVE PARAMETERS Section]</b></p><pre class="screen">
+ cache_effective_user squid
+ cache_effective_group squid
+</pre></div><div class="example"><a name="etcsquid2"></a><p class="title"><b>Example 12.5. Squid Configuration File extract File: <code class="filename">/etc/squid.conf</code> [AUTHENTICATION PARAMETERS Section]</b></p><pre class="screen">
+ auth_param ntlm program /usr/bin/ntlm_auth \
+ --helper-protocol=squid-2.5-ntlmssp
+ auth_param ntlm children 5
+ auth_param ntlm max_challenge_reuses 0
+ auth_param ntlm max_challenge_lifetime 2 minutes
+ auth_param basic program /usr/bin/ntlm_auth \
+ --helper-protocol=squid-2.5-basic
+ auth_param basic children 5
+ auth_param basic realm Squid proxy-caching web server
+ auth_param basic credentialsttl 2 hours
+ acl AuthorizedUsers proxy_auth REQUIRED
+ http_access allow all AuthorizedUsers
+</pre></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2586876"></a>Key Points Learned</h3></div></div></div><p>
+ <a class="indexterm" name="id2586884"></a>
+ <a class="indexterm" name="id2586891"></a>
+ <a class="indexterm" name="id2586898"></a>
+ <a class="indexterm" name="id2586905"></a>
+ <a class="indexterm" name="id2586916"></a>
+ Microsoft Windows networking protocols permeate the spectrum of technologies that Microsoft
+ Windows clients use, even when accessing traditional services such as Web browsers. Depending
+ on whom you discuss this with, this is either good or bad. No matter how you might evaluate this,
+ the use of NTLMSSP as the authentication protocol for Web proxy access has some advantages over
+ the cookie-based authentication regime used by all competing browsers. It is Samba's implementation
+ of NTLMSSP that makes it attractive to implement the solution that has been demonstrated in this chapter.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2586936"></a>Questions and Answers</h2></div></div></div><p>
+ <a class="indexterm" name="id2586944"></a>
+ <a class="indexterm" name="id2586951"></a>
+ <a class="indexterm" name="id2586958"></a>
+ <a class="indexterm" name="id2586965"></a>
+ The development of the <span><strong class="command">ntlm_auth</strong></span> module was first discussed in many Open Source circles
+ in 2002. At the SambaXP conference in Goettingen, Germany, Mr. Francesco Chemolli demonstrated the use of
+ <span><strong class="command">ntlm_auth</strong></span> during one of the late developer meetings that took place. Since that time, the
+ adoption of <span><strong class="command">ntlm_auth</strong></span> has spread considerably.
+ </p><p>
+ The largest report from a site that uses Squid with <span><strong class="command">ntlm_auth</strong></span>-based authentication
+ support uses a dual processor server that has 2 GB of memory. It provides Web and FTP proxy services for 10,000
+ users. Approximately 2,000 of these users make heavy use of the proxy services. According to the source, who
+ wishes to remain anonymous, the sustained transaction load on this server hovers around 140 hits/sec. The following
+ comments were made with respect to questions regarding the performance of this installation:
+ </p><div class="blockquote"><blockquote class="blockquote"><p>
+ [In our] EXTREMELY optimized environment . . . [the] performance impact is almost [nothing]. The “<span class="quote">almost</span>”
+ part is due to the brain damage of the ntlm-over-http protocol definition. Suffice to say that its worst-case
+ scenario triples the number of hits needed to perform the same transactions versus basic or digest auth[entication].
+ </p></blockquote></div><p>
+ You would be well-advised to recognize that all cache-intensive proxying solutions demand a lot of memory.
+ Make certain that your Squid proxy server is equipped with sufficient memory to permit all proxy operations to run
+ out of memory without invoking the overheads involved in the use of memory that has to be swapped to disk.
+ </p><div class="qandaset"><dl><dt> <a href="DomApps.html#id2587042">
+ What does Samba have to do with Web proxy serving?
+ </a></dt><dt> <a href="DomApps.html#id2587216">
+ What other services does Samba provide?
+ </a></dt><dt> <a href="DomApps.html#id2587360">
+ Does use of Samba (ntlm_auth) improve the performance of Squid?
+ </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id2587042"></a><a name="id2587044"></a><b></b></td><td align="left" valign="top"><p>
+ What does Samba have to do with Web proxy serving?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id2587056"></a>
+ <a class="indexterm" name="id2587063"></a>
+ <a class="indexterm" name="id2587070"></a>
+ <a class="indexterm" name="id2587079"></a>
+ <a class="indexterm" name="id2587086"></a>
+ To provide transparent interoperability between Windows clients and the network services
+ that are used from them, Samba had to develop tools and facilities that deliver that feature. The benefit
+ of Open Source software is that it can readily be reused. The current <span><strong class="command">ntlm_auth</strong></span>
+ module is basically a wrapper around authentication code from the core of the Samba project.
+ </p><p>
+ <a class="indexterm" name="id2587108"></a>
+ <a class="indexterm" name="id2587115"></a>
+ <a class="indexterm" name="id2587125"></a>
+ <a class="indexterm" name="id2587134"></a>
+ <a class="indexterm" name="id2587142"></a>
+ <a class="indexterm" name="id2587149"></a>
+ <a class="indexterm" name="id2587156"></a>
+ <a class="indexterm" name="id2587163"></a>
+ <a class="indexterm" name="id2587170"></a>
+ The <span><strong class="command">ntlm_auth</strong></span> module supports basic plain-text authentication and NTLMSSP
+ protocols. This module makes it possible for Web and FTP proxy requests to be authenticated without
+ the user being interrupted via his or her Windows logon credentials. This facility is available with
+ MS Windows Explorer and is one of the key benefits claimed for Microsoft Internet Information Server.
+ There are a few open source initiatives to provide support for these protocols in the Apache Web server
+ also.
+ </p><p>
+ <a class="indexterm" name="id2587203"></a>
+ The short answer is that by adding a wrapper around key authentication components of Samba, other
+ projects (like Squid) can benefit from the labors expended in meeting user interoperability needs.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2587216"></a><a name="id2587218"></a><b></b></td><td align="left" valign="top"><p>
+ What other services does Samba provide?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ <a class="indexterm" name="id2587230"></a>
+ <a class="indexterm" name="id2587237"></a>
+ <a class="indexterm" name="id2587244"></a>
+ <a class="indexterm" name="id2587251"></a>
+ <a class="indexterm" name="id2587257"></a>
+ Samba-3 is a file and print server. The core components that provide this functionality are <span><strong class="command">smbd</strong></span>,
+ <span><strong class="command">nmbd</strong></span>, and the identity resolver daemon, <span><strong class="command">winbindd</strong></span>.
+ </p><p>
+ <a class="indexterm" name="id2587288"></a>
+ <a class="indexterm" name="id2587295"></a>
+ Samba-3 is an SMB/CIFS client. The core component that provides this is called <span><strong class="command">smbclient</strong></span>.
+ </p><p>
+ <a class="indexterm" name="id2587312"></a>
+ <a class="indexterm" name="id2587319"></a>
+ <a class="indexterm" name="id2587326"></a>
+ <a class="indexterm" name="id2587333"></a>
+ <a class="indexterm" name="id2587340"></a>
+ Samba-3 includes a number of helper tools, plug-in modules, utilities, and test and validation facilities.
+ Samba-3 includes glue modules that help provide interoperability between MS Windows clients and UNIX/Linux
+ servers and clients. It includes Winbind agents that make it possible to authenticate UNIX/Linux access attempts
+ as well as logins to an SMB/CIFS authentication server backend. Samba-3 includes name service switch (NSS) modules
+ to permit identity resolution via SMB/CIFS servers (Windows NT4/200x, Samba, and a host of other commercial
+ server products).
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2587360"></a><a name="id2587362"></a><b></b></td><td align="left" valign="top"><p>
+ Does use of Samba (<span><strong class="command">ntlm_auth</strong></span>) improve the performance of Squid?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ Not really. Samba's <span><strong class="command">ntlm_auth</strong></span> module handles only authentication. It requires that
+ Squid make an external call to <span><strong class="command">ntlm_auth</strong></span> and therefore actually incurs a
+ little more overhead. Compared with the benefit obtained, that overhead is well worth enduring. Since
+ Squid is a proxy server, and proxy servers tend to require lots of memory, it is good advice to provide
+ sufficient memory when using Squid. Just add a little more to accommodate <span><strong class="command">ntlm_auth</strong></span>.
+ </p></td></tr></tbody></table></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="kerberos.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="RefSection.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="HA.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 11. Active Directory, Kerberos, and Security </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 13. Performance, Reliability, and Availability</td></tr></table></div></body></html>
projects / samba / blobdiff