Context Navigation

source: branches/samba-3.2.x/docs-xml/Samba3-ByExample/SBE-DomainAppsSupport.xml

Visit:

Last change on this file was 232, checked in by Herwig Bauernfeind, 16 years ago
Update 3.2 branch to 3.2.8
File size: 36.3 KB

Line
1	<?xml version="1.0" encoding="iso-8859-1"?>
2	<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
3
4	<chapter id="DomApps">
5	<title>Integrating Additional Services</title>
6
7	<para>
8	<indexterm><primary>authentication</primary></indexterm>
9	<indexterm><primary>backends</primary></indexterm>
10	<indexterm><primary>smbpasswd</primary></indexterm>
11	<indexterm><primary>ldapsam</primary></indexterm>
12	<indexterm><primary>Active Directory</primary></indexterm>
13	You've come a long way now. You have pretty much mastered Samba-3 for
14	most uses it can be put to. Up until now, you have cast Samba-3 in the leading
15	role, and where authentication was required, you have used one or another of
16	Samba's many authentication backends (from flat text files with smbpasswd
17	to LDAP directory integration with ldapsam). Now you can design a
18	solution for a new Abmas business. This business is running Windows Server
19	2003 and Active Directory, and these are to stay. It's time to master
20	implementing Samba and Samba-supported services in a domain controlled by
21	the latest Windows authentication technologies. Let's get started &smbmdash; this is
22	leading edge.
23	</para>
24
25	<sect1>
26	<title>Introduction</title>
27
28	<para>
29	Abmas has continued its miraculous growth; indeed, nothing seems to be able
30	to stop its diversification into multiple (and seemingly unrelated) fields.
31	Its latest acquisition is Abmas Snack Foods, a big player in the snack-food
32	business.
33	</para>
34
35	<para>
36	With this acquisition comes new challenges for you and your team. Abmas Snack
37	Foods is a well-developed business with a huge and heterogeneous network. It
38	already has Windows, NetWare, and Proprietary UNIX, but as yet no Samba or Linux.
39	The network is mature and well-established, and there is no question of its chosen
40	user authentication scheme being changed for now. You need to take a wise new
41	approach.
42	</para>
43
44	<para>
45	You have decided to set the ball rolling by introducing Samba-3 into the network
46	gradually, taking over key services and easing the way to a full migration and,
47	therefore, integration into Abmas's existing business later.
48	</para>
49
50	<sect2>
51	<title>Assignment Tasks</title>
52
53	<para>
54	<indexterm><primary>web</primary><secondary>proxying</secondary></indexterm>
55	<indexterm><primary>web</primary><secondary>caching</secondary></indexterm>
56	You've promised the skeptical Abmas Snack Foods management team
57	that you can show them how Samba can ease itself and other Open Source
58	technologies into their existing infrastructure and deliver sound business
59	advantages. Cost cutting is high on their agenda (a major promise of the
60	acquisition). You have chosen Web proxying and caching as your proving ground.
61	</para>
62
63	<para>
64	<indexterm><primary>bandwidth</primary></indexterm>
65	<indexterm><primary>Microsoft ISA</primary></indexterm>
66	Abmas Snack Foods has several thousand users housed at its head office
67	and multiple regional offices, plants, and warehouses. A high proportion of
68	the business's work is done online, so Internet access for most of these
69	users is essential. All Internet access, including for all regional offices,
70	is funneled through the head office and is the job of the (now your) networking
71	team. The bandwidth requirements were horrific (comparable to a small ISP), and
72	the team soon discovered proxying and caching. In fact, they became one of
73	the earliest commercial users of Microsoft ISA.
74	</para>
75
76	<para>
77	<indexterm><primary>Active Directory</primary></indexterm>
78	<indexterm><primary>authenticated</primary></indexterm>
79	<indexterm><primary>proxy</primary></indexterm>
80	The team is not happy with ISA. Because it never lived up to its marketing promises,
81	it underperformed and had reliability problems. You have pounced on the opportunity
82	to show what Open Source can do. The one thing they do like, however, is ISA's
83	integration with Active Directory. They like that their users, once logged on,
84	are automatically authenticated against the proxy. If your alternative to ISA
85	can operate completely seamlessly in their Active Directory domain, it will be
86	approved.
87	</para>
88
89	<para>
90	This is a hands-on exercise. You build software applications so
91	that you obtain the functionality Abmas needs.
92	</para>
93
94	</sect2>
95	</sect1>
96
97	<sect1>
98	<title>Dissection and Discussion</title>
99
100	<para>
101	The key requirements in this business example are straightforward. You are not required
102	to do anything new, just to replicate an existing system, not lose any existing features,
103	and improve performance. The key points are:
104	</para>
105
106	<itemizedlist>
107	<listitem><para>
108	Internet access for most employees
109	</para></listitem>
110	<listitem><para>
111	Distributed system to accommodate load and geographical distribution of users
112	</para></listitem>
113	<listitem><para>
114	Seamless and transparent interoperability with the existing Active Directory domain
115	</para></listitem>
116	</itemizedlist>
117
118
119	<sect2>
120	<title>Technical Issues</title>
121
122	<para>
123	<indexterm><primary>browsing</primary></indexterm>
124	<indexterm><primary>Squid proxy</primary></indexterm>
125	<indexterm><primary>proxy</primary></indexterm>
126	<indexterm><primary>authentication</primary></indexterm>
127	<indexterm><primary>Internet Explorer</primary></indexterm>
128	<indexterm><primary>winbind</primary></indexterm>
129	<indexterm><primary>NTLM</primary></indexterm>
130	<indexterm><primary>NTLM authentication daemon</primary></indexterm>
131	<indexterm><primary>authentication</primary></indexterm>
132	<indexterm><primary>daemon</primary></indexterm>
133	<indexterm><primary>Active Directory</primary></indexterm>
134	<indexterm><primary>domain</primary><secondary>Active Directory</secondary></indexterm>
135	<indexterm><primary>Kerberos</primary></indexterm><indexterm><primary>token</primary></indexterm>
136	Functionally, the user's Internet Explorer requests a browsing session with the
137	Squid proxy, for which it offers its AD authentication token. Squid hands off
138	the authentication request to the Samba-3 authentication helper application
139	called <command>ntlm_auth</command>. This helper is a hook into winbind, the
140	Samba-3 NTLM authentication daemon. Winbind enables UNIX services to authenticate
141	against Microsoft Windows domains, including Active Directory domains. As Active
142	Directory authentication is a modified Kerberos authentication, winbind is assisted
143	in this by local Kerberos 5 libraries configured to check passwords with the Active
144	Directory server. Once the token has been checked, a browsing session is established.
145	This process is entirely transparent and seamless to the user.
146	</para>
147
148	<para>
149	Enabling this consists of:
150	</para>
151
152	<itemizedlist>
153	<listitem><para>
154	Preparing the necessary environment using preconfigured packages
155	</para></listitem>
156
157	<listitem><para>
158	Setting up raw Kerberos authentication against the Active Directory domain
159	</para></listitem>
160
161	<listitem><para>
162	Configuring, compiling, and then installing the supporting Samba-3 components
163	</para></listitem>
164
165	<listitem><para>
166	Tying it all together
167	</para></listitem>
168	</itemizedlist>
169
170	</sect2>
171
172
173	<sect2>
174	<title>Political Issues</title>
175
176	<para>
177	You are a stranger in a strange land, and all eyes are upon you. Some would even like to see
178	you fail. For you to gain the trust of your newly acquired IT people, it is essential that your
179	solution does everything the old one did, but does it better in every way. Only then
180	will the entrenched positions consider taking up your new way of doing things on a
181	wider scale.
182	</para>
183
184	</sect2>
185
186	</sect1>
187
188	<sect1>
189	<title>Implementation</title>
190
191	<para>
192	<indexterm><primary>Squid</primary></indexterm>
193	First, your system needs to be prepared and in a known good state to proceed. This consists
194	of making sure that everything the system depends on is present and that everything that could
195	interfere or conflict with the system is removed. You will be configuring the Squid and Samba-3
196	packages and updating them if necessary. If conflicting packages of these programs are installed,
197	they must be removed.
198	</para>
199
200	<para>
201	<indexterm><primary>Red Hat Linux</primary></indexterm>
202	The following packages should be available on your Red Hat Linux system:
203	</para>
204
205	<itemizedlist>
206	<listitem><para>
207	<indexterm><primary>krb5</primary></indexterm>
208	<indexterm><primary>Kerberos</primary></indexterm>
209	krb5-libs
210	</para></listitem>
211
212	<listitem><para>
213	krb5-devel
214	</para></listitem>
215
216	<listitem><para>
217	krb5-workstation
218	</para></listitem>
219
220	<listitem><para>
221	krb5-server
222	</para></listitem>
223
224	<listitem><para>
225	pam_krb5
226	</para></listitem>
227	</itemizedlist>
228
229	<para>
230	<indexterm><primary>SUSE Linux</primary></indexterm>
231	In the case of SUSE Linux, these packages are called:
232	</para>
233
234	<itemizedlist>
235	<listitem><para>
236	heimdal-lib
237	</para></listitem>
238
239	<listitem><para>
240	heimdal-devel
241	</para></listitem>
242
243	<listitem><para>
244	<indexterm><primary>Heimdal</primary></indexterm>
245	heimdal
246	</para></listitem>
247
248	<listitem><para>
249	pam_krb5
250	</para></listitem>
251	</itemizedlist>
252
253	<para>
254	If the required packages are not present on your system, you must install
255	them from the vendor's installation media. Follow the administrative guide
256	for your Linux system to ensure that the packages are correctly updated.
257	</para>
258
259	<note><para>
260	<indexterm><primary>MS Windows Server 2003</primary></indexterm>
261	<indexterm><primary>Kerberos</primary></indexterm>
262	<indexterm><primary>MIT</primary></indexterm>
263	If the requirement is for interoperation with MS Windows Server 2003, it
264	will be necessary to ensure that you are using MIT Kerberos version 1.3.1
265	or later. Red Hat Linux 9 ships with MIT Kerberos 1.2.7 and thus requires
266	updating.
267	</para>
268
269	<para>
270	<indexterm><primary>Heimdal</primary></indexterm>
271	<indexterm><primary>SUSE Enterprise Linux Server</primary></indexterm>
272	Heimdal 0.6 or later is required in the case of SUSE Linux. SUSE Enterprise
273	Linux Server 8 ships with Heimdal 0.4. SUSE 9 ships with the necessary version.
274	</para></note>
275
276	<sect2 id="ch10-one">
277	<title>Removal of Pre-Existing Conflicting RPMs</title>
278
279	<para>
280	<indexterm><primary>Squid</primary></indexterm>
281	If Samba and/or Squid RPMs are installed, they should be updated. You can
282	build both from source.
283	</para>
284
285	<para>
286	<indexterm><primary>rpm</primary></indexterm>
287	<indexterm><primary>samba</primary></indexterm>
288	<indexterm><primary>squid</primary></indexterm>
289	Locating the packages to be un-installed can be achieved by running:
290	<screen>
291	&rootprompt; rpm -qa \| grep -i samba
292	&rootprompt; rpm -qa \| grep -i squid
293	</screen>
294	The identified packages may be removed using:
295	<screen>
296	&rootprompt; rpm -e samba-common
297	</screen>
298	</para>
299
300	<sect2>
301	<title>Kerberos Configuration</title>
302
303	<para>
304	<indexterm><primary>Kerberos</primary></indexterm>
305	<indexterm><primary>Active Directory</primary><secondary>server</secondary></indexterm>
306	<indexterm><primary>ADS</primary></indexterm>
307	<indexterm><primary>KDC</primary></indexterm>
308	The systems Kerberos installation must be configured to communicate with
309	your primary Active Directory server (ADS KDC).
310	</para>
311
312	<para>
313	Strictly speaking, MIT Kerberos version 1.3.4 currently gives the best results,
314	although the current default Red Hat MIT version 1.2.7 gives acceptable results
315	unless you are using Windows 2003 servers.
316	</para>
317
318	<para>
319	<indexterm><primary>MIT</primary></indexterm>
320	<indexterm><primary>Heimdal</primary></indexterm>
321	<indexterm><primary>Kerberos</primary></indexterm>
322	<indexterm><primary>/etc/krb5.conf</primary></indexterm>
323	<indexterm><primary>DNS</primary><secondary>SRV records</secondary></indexterm>
324	<indexterm><primary>KDC</primary></indexterm>
325	<indexterm><primary>DNS</primary><secondary>lookup</secondary></indexterm>
326	Officially, neither MIT (1.3.4) nor Heimdal (0.63) Kerberos needs an <filename>/etc/krb5.conf</filename>
327	file in order to work correctly. All ADS domains automatically create SRV records in the
328	DNS zone <constant>Kerberos.REALM.NAME</constant> for each KDC in the realm. Since both
329	MIT and Heimdal, KRB5 libraries default to checking for these records, so they
330	automatically find the KDCs. In addition, <filename>krb5.conf</filename> allows
331	specifying only a single KDC, even if there is more than one. Using the DNS lookup
332	allows the KRB5 libraries to use whichever KDCs are available.
333	</para>
334
335	<procedure>
336	<title>Kerberos Configuration Steps</title>
337
338	<step><para>
339	<indexterm><primary>krb5.conf</primary></indexterm>
340	If you find the need to manually configure the <filename>krb5.conf</filename>, you should edit it
341	to have the contents shown in <link linkend="ch10-krb5conf"/>. The final fully qualified path for this file
342	should be <filename>/etc/krb5.conf</filename>.
343	</para></step>
344
345	<step><para>
346	<indexterm><primary>Kerberos</primary></indexterm>
347	<indexterm><primary>realm</primary></indexterm>
348	<indexterm><primary>case-sensitive</primary></indexterm>
349	<indexterm><primary>KDC</primary></indexterm>
350	<indexterm><primary>synchronization</primary></indexterm>
351	<indexterm><primary>initial credentials</primary></indexterm>
352	<indexterm><primary>Clock skew</primary></indexterm>
353	<indexterm><primary>NTP</primary></indexterm>
354	<indexterm><primary>DNS</primary><secondary>lookup</secondary></indexterm>
355	<indexterm><primary>reverse DNS</primary></indexterm>
356	<indexterm><primary>NetBIOS name </primary></indexterm>
357	<indexterm><primary>/etc/hosts</primary></indexterm>
358	<indexterm><primary>mapping</primary></indexterm>
359	The following gotchas often catch people out. Kerberos is case sensitive. Your realm must
360	be in UPPERCASE, or you will get an error: <quote>Cannot find KDC for requested realm while getting
361	initial credentials</quote>. Kerberos is picky about time synchronization. The time
362	according to your participating servers must be within 5 minutes or you get an error:
363	<quote>kinit(v5): Clock skew too great while getting initial credentials</quote>.
364	Clock skew limits are, in fact, configurable in the Kerberos protocols (the default is
365	5 minutes). A better solution is to implement NTP throughout your server network.
366	Kerberos needs to be able to do a reverse DNS lookup on the IP address of your KDC.
367	Also, the name that this reverse lookup maps to must either be the NetBIOS name of
368	the KDC (i.e., the hostname with no domain attached) or the
369	NetBIOS name followed by the realm. If all else fails, you can add a
370	<filename>/etc/hosts</filename> entry mapping the IP address of your KDC to its
371	NetBIOS name. If Kerberos cannot do this reverse lookup, you will get a local error
372	when you try to join the realm.
373	</para></step>
374
375	<step><para>
376	<indexterm><primary>kinit</primary></indexterm>
377	You are now ready to test your installation by issuing the command:
378	<screen>
379	&rootprompt; kinit [USERNAME@REALM]
380	</screen>
381	You are asked for your password, which you should enter. The following
382	is a typical console sequence:
383	<screen>
384	&rootprompt; kinit ADMINISTRATOR@LONDON.ABMAS.BIZ
385	Password for ADMINISTRATOR@LONDON.ABMAS.BIZ:
386	</screen>
387	Make sure that your password is accepted by the Active Directory KDC.
388	</para></step>
389	</procedure>
390
391	<example id="ch10-krb5conf">
392	<title>Kerberos Configuration &smbmdash; File: <filename>/etc/krb5.conf</filename></title>
393	<screen>
394	[libdefaults]
395	default_realm = LONDON.ABMAS.BIZ
396
397	[realms]
398	LONDON.ABMAS.BIZ = {
399	kdc = w2k3s.london.abmas.biz
400	}
401	</screen>
402	</example>
403
404	<para><indexterm>
405	<primary>klist</primary>
406	</indexterm>
407	The command
408	<screen>
409	&rootprompt; klist -e
410	</screen>
411	shows the Kerberos tickets cached by the system.
412	</para>
413
414	<sect3>
415	<title>Samba Configuration</title>
416
417	<para>
418	<indexterm><primary>Active Directory</primary></indexterm>
419	Samba must be configured to correctly use Active Directory. Samba-3 must be used, since it
420	has the necessary components to interface with Active Directory.
421	</para>
422
423	<procedure>
424	<title>Securing Samba-3 With ADS Support Steps</title>
425
426	<step><para>
427	<indexterm><primary>Red Hat Linux</primary></indexterm>
428	<indexterm><primary>Samba Tea</primary></indexterm>
429	<indexterm><primary>Red Hat Fedora Linux</primary></indexterm>
430	<indexterm><primary>MIT KRB5</primary></indexterm>
431	<indexterm><primary>ntlm_auth</primary></indexterm>
432	Download the latest stable Samba-3 for Red Hat Linux from the official Samba Team
433	<ulink url="http://ftp.samba.org">FTP site.</ulink> The official Samba Team
434	RPMs for Red Hat Fedora Linux contain the <command>ntlm_auth</command> tool
435	needed, and are linked against MIT KRB5 version 1.3.1 and therefore are ready for use.
436	</para>
437
438	<para>
439	<indexterm><primary>SerNet</primary></indexterm>
440	<indexterm><primary>RPMs</primary></indexterm>
441	The necessary, validated RPM packages for SUSE Linux may be obtained from
442	the <ulink url="ftp://ftp.sernet.de/pub/samba">SerNet</ulink> FTP site that
443	is located in Germany. All SerNet RPMs are validated, have the necessary
444	<command>ntlm_auth</command> tool, and are statically linked
445	against suitably patched Heimdal 0.6 libraries.
446	</para></step>
447
448	<step><para>
449	Using your favorite editor, change the <filename>/etc/samba/smb.conf</filename>
450	file so it has contents similar to the example shown in <link linkend="ch10-smbconf"/>.
451	</para></step>
452
453	<step><para>
454	<indexterm><primary>computer account</primary></indexterm>
455	<indexterm><primary>Active Directory</primary></indexterm>
456	<indexterm><primary>net</primary><secondary>ads</secondary><tertiary>join</tertiary></indexterm>i
457	<indexterm><primary>Kerberos ticket</primary></indexterm>
458	<indexterm><primary>ticket</primary></indexterm>
459	Next you need to create a computer account in the Active Directory.
460	This sets up the trust relationship needed for other clients to
461	authenticate to the Samba server with an Active Directory Kerberos ticket.
462	This is done with the <quote>net ads join -U [Administrator%Password]</quote>
463	command, as follows:
464	<screen>
465	&rootprompt; net ads join -U administrator%vulcon
466	</screen>
467	</para></step>
468
469	<step><para>
470	<indexterm><primary>smbd</primary></indexterm>
471	<indexterm><primary>nmbd</primary></indexterm>
472	<indexterm><primary>winbindd</primary></indexterm>
473	<indexterm><primary>Active Directory</primary></indexterm>
474	<indexterm><primary>Samba</primary></indexterm>
475	Your new Samba binaries must be started in the standard manner as is applicable
476	to the platform you are running on. Alternatively, start your Active Directory-enabled Samba with the following commands:
477	<screen>
478	&rootprompt; smbd -D
479	&rootprompt; nmbd -D
480	&rootprompt; winbindd -D
481	</screen>
482	</para></step>
483
484	<step><para>
485	<indexterm><primary>winbind</primary></indexterm>
486	<indexterm><primary>Active Directory</primary><secondary>domain</secondary></indexterm>
487	<indexterm><primary>wbinfo</primary></indexterm>
488	<indexterm><primary>enumerating</primary></indexterm>
489	<indexterm><primary>Active Directory</primary><secondary>tree</secondary></indexterm>
490	We now need to test that Samba is communicating with the Active
491	Directory domain; most specifically, we want to see whether winbind
492	is enumerating users and groups. Issue the following commands:
493	<screen>
494	&rootprompt; wbinfo -t
495	checking the trust secret via RPC calls succeeded
496	</screen>
497	This tests whether we are authenticating against Active Directory:
498	<screen>
499	&rootprompt; wbinfo -u
500	LONDON+Administrator
501	LONDON+Guest
502	LONDON+SUPPORT_388945a0
503	LONDON+krbtgt
504	LONDON+jht
505	LONDON+xjht
506	</screen>
507	This enumerates all the users in your Active Directory tree:
508	<screen>
509	&rootprompt; wbinfo -g
510	LONDON+Domain Computers
511	LONDON+Domain Controllers
512	LONDON+Schema Admins
513	LONDON+Enterprise Admins
514	LONDON+Domain Admins
515	LONDON+Domain Users
516	LONDON+Domain Guests
517	LONDON+Group Policy Creator Owners
518	LONDON+DnsUpdateProxy
519	</screen>
520	This enumerates all the groups in your Active Directory tree.
521	</para></step>
522
523	<step><para>
524	<indexterm><primary>Squid</primary></indexterm>
525	<indexterm><primary>ntlm_auth</primary></indexterm>
526	Squid uses the <command>ntlm_auth</command> helper build with Samba-3.
527	You may test <command>ntlm_auth</command> with the command:
528	<screen>
529	&rootprompt; /usr/bin/ntlm_auth --username=jht
530	password: XXXXXXXX
531	</screen>
532	You are asked for your password, which you should enter. You are rewarded with:
533	<screen>
534	&rootprompt; NT_STATUS_OK: Success (0x0)
535	</screen>
536	</para></step>
537
538	<step><para>
539	<indexterm><primary>ntlm_auth</primary></indexterm>
540	<indexterm><primary>authenticate</primary></indexterm>
541	<indexterm><primary>winbind</primary></indexterm>
542	<indexterm><primary>privileged pipe</primary></indexterm>
543	<indexterm><primary>squid</primary></indexterm>
544	<indexterm><primary>chgrp</primary></indexterm>
545	<indexterm><primary>chmod</primary></indexterm>
546	<indexterm><primary>failure</primary></indexterm>
547	The <command>ntlm_auth</command> helper, when run from a command line as the user
548	<quote>root</quote>, authenticates against your Active Directory domain (with
549	the aid of winbind). It manages this by reading from the winbind privileged pipe.
550	Squid is running with the permissions of user <quote>squid</quote> and group
551	<quote>squid</quote> and is not able to do this unless we make a vital change.
552	Squid cannot read from the winbind privilege pipe unless you change the
553	permissions of its directory. This is the single biggest cause of failure in the
554	whole process. Remember to issue the following command (for Red Hat Linux):
555	<screen>
556	&rootprompt; chgrp squid /var/cache/samba/winbindd_privileged
557	&rootprompt; chmod 750 /var/cache/samba/winbindd_privileged
558	</screen>
559	For SUSE Linux 9, execute the following:
560	<screen>
561	&rootprompt; chgrp squid /var/lib/samba/winbindd_privileged
562	&rootprompt; chmod 750 /var/lib/samba/winbindd_privileged
563	</screen>
564	</para></step>
565
566	</procedure>
567	</sect3>
568
569	<sect3>
570	<title>NSS Configuration</title>
571
572	<para>
573	<indexterm><primary>NSS</primary></indexterm>
574	<indexterm><primary>winbind</primary></indexterm>
575	<indexterm><primary>authentication</primary></indexterm>
576	For Squid to benefit from Samba-3, NSS must be updated to allow winbind as a valid route to user authentication.
577	</para>
578
579	<para>
580	Edit your <filename>/etc/nsswitch.conf</filename> file so it has the parameters shown
581	in <link linkend="ch10-etcnsscfg"/>.
582	</para>
583
584	<example id="ch10-smbconf">
585	<title>Samba Configuration &smbmdash; File: <filename>/etc/samba/smb.conf</filename></title>
586	<smbconfblock>
587	<smbconfsection name="[global]"/>
588	<smbconfoption name="workgroup">LONDON</smbconfoption>
589	<smbconfoption name="netbios name">W2K3S</smbconfoption>
590	<smbconfoption name="realm">LONDON.ABMAS.BIZ</smbconfoption>
591	<smbconfoption name="security">ads</smbconfoption>
592	<smbconfoption name="encrypt passwords">yes</smbconfoption>
593	<smbconfoption name="password server">w2k3s.london.abmas.biz</smbconfoption>
594
595	<smbconfcomment>separate domain and username with '/', like DOMAIN/username</smbconfcomment>
596	<smbconfoption name="winbind separator">/</smbconfoption>
597
598	<smbconfcomment>use UIDs from 10000 to 20000 for domain users</smbconfcomment>
599	<smbconfoption name="idmap uid">10000-20000</smbconfoption>
600	<smbconfcomment>use GIDs from 10000 to 20000 for domain groups</smbconfcomment>
601	<smbconfoption name="idmap gid">10000-20000</smbconfoption>
602
603	<smbconfcomment>allow enumeration of winbind users and groups</smbconfcomment>
604	<smbconfoption name="winbind enum users">yes</smbconfoption>
605	<smbconfoption name="winbind enum groups">yes</smbconfoption>
606	<smbconfoption name="winbind user default domain">yes</smbconfoption>
607	</smbconfblock>
608	</example>
609
610	<example id="ch10-etcnsscfg">
611	<title>NSS Configuration File Extract &smbmdash; File: <filename>/etc/nsswitch.conf</filename></title>
612	<screen>
613	passwd: files winbind
614	shadow: files
615	group: files winbind
616	</screen>
617	</example>
618
619	</sect3>
620
621	<sect3>
622	<title>Squid Configuration</title>
623
624	<para>
625	<indexterm><primary>Squid</primary></indexterm>
626	<indexterm><primary>Active Directory</primary><secondary>authentication</secondary></indexterm>
627	Squid must be configured correctly to interact with the Samba-3
628	components that handle Active Directory authentication.
629	</para>
630
631	</sect3>
632
633	</sect2>
634
635	<sect2>
636	<title>Configuration</title></sect2>
637
638	<procedure>
639	<title>Squid Configuration Steps</title>
640
641	<step><para>
642	<indexterm><primary>SUSE Linux</primary></indexterm>
643	<indexterm><primary>Squid</primary> </indexterm>
644	<indexterm><primary>helper agent</primary></indexterm>
645	If your Linux distribution is SUSE Linux 9, the version of Squid
646	supplied is already enabled to use the winbind helper agent. You
647	can therefore omit the steps that would build the Squid binary
648	programs.
649	</para></step>
650
651	<step><para>
652	<indexterm><primary>nobody</primary></indexterm>
653	<indexterm><primary>squid</primary></indexterm>
654	<indexterm><primary>rpms</primary></indexterm>
655	<indexterm><primary>/etc/passwd</primary></indexterm>
656	<indexterm><primary>/etc/group</primary></indexterm>
657	Squid, by default, runs as the user <constant>nobody</constant>. You need to
658	add a system user <constant>squid</constant> and a system group
659	<constant>squid</constant> if they are not set up already (if the default
660	Red Hat squid rpms were installed, they will be). Set up a
661	<constant>squid</constant> user in <filename>/etc/passwd</filename>
662	and a <constant>squid</constant> group in <filename>/etc/group</filename> if these aren't there already.
663	</para></step>
664
665	<step><para>
666	<indexterm><primary>permissions</primary></indexterm>
667	<indexterm><primary>chown</primary></indexterm>
668	You now need to change the permissions on Squid's <constant>var</constant>
669	directory. Enter the following command:
670	<screen>
671	&rootprompt; chown -R squid /var/cache/squid
672	</screen>
673	</para></step>
674
675	<step><para>
676	<indexterm><primary>logging</primary></indexterm>
677	<indexterm><primary>Squid</primary></indexterm>
678	Squid must also have control over its logging. Enter the following commands:
679	<screen>
680	&rootprompt; chown -R chown squid:squid /var/log/squid
681	&rootprompt; chmod 770 /var/log/squid
682	</screen>
683	</para></step>
684
685	<step><para>
686	Finally, Squid must be able to write to its disk cache!
687	Enter the following commands:
688	<screen>
689	&rootprompt; chown -R chown squid:squid /var/cache/squid
690	&rootprompt; chmod 770 /var/cache/squid
691	</screen>
692	</para></step>
693
694	<step><para>
695	<indexterm><primary>/etc/squid/squid.conf</primary></indexterm>
696	The <filename>/etc/squid/squid.conf</filename> file must be edited to include the lines from
697	<link linkend="etcsquidcfg"/> and <link linkend="etcsquid2"/>.
698	</para></step>
699
700	<step><para>
701	<indexterm><primary>cache directories</primary></indexterm>
702	You must create Squid's cache directories before it may be run. Enter the following command:
703	<screen>
704	&rootprompt; squid -z
705	</screen>
706	</para></step>
707
708	<step><para>
709	Finally, start Squid and enjoy transparent Active Directory authentication.
710	Enter the following command:
711	<screen>
712	&rootprompt; squid
713	</screen>
714	</para></step>
715	</procedure>
716
717	<example id="etcsquidcfg">
718	<title>Squid Configuration File Extract &smbmdash; <filename>/etc/squid.conf</filename> [ADMINISTRATIVE PARAMETERS Section]</title>
719	<screen>
720	cache_effective_user squid
721	cache_effective_group squid
722	</screen>
723	</example>
724
725	<example id="etcsquid2">
726	<title>Squid Configuration File extract &smbmdash; File: <filename>/etc/squid.conf</filename> [AUTHENTICATION PARAMETERS Section]</title>
727	<screen>
728	auth_param ntlm program /usr/bin/ntlm_auth \
729	--helper-protocol=squid-2.5-ntlmssp
730	auth_param ntlm children 5
731	auth_param ntlm max_challenge_reuses 0
732	auth_param ntlm max_challenge_lifetime 2 minutes
733	auth_param basic program /usr/bin/ntlm_auth \
734	--helper-protocol=squid-2.5-basic
735	auth_param basic children 5
736	auth_param basic realm Squid proxy-caching web server
737	auth_param basic credentialsttl 2 hours
738	acl AuthorizedUsers proxy_auth REQUIRED
739	http_access allow all AuthorizedUsers
740	</screen>
741	</example>
742
743	</sect2>
744
745	<sect2>
746	<title>Key Points Learned</title>
747
748	<para>
749	<indexterm><primary>Web browsers</primary></indexterm>
750	<indexterm><primary>services</primary></indexterm>
751	<indexterm><primary>authentication protocols</primary></indexterm>
752	<indexterm><primary>Web</primary><secondary>proxy</secondary><tertiary>access</tertiary></indexterm>
753	<indexterm><primary>NTLMSSP</primary></indexterm>
754	Microsoft Windows networking protocols permeate the spectrum of technologies that Microsoft
755	Windows clients use, even when accessing traditional services such as Web browsers. Depending
756	on whom you discuss this with, this is either good or bad. No matter how you might evaluate this,
757	the use of NTLMSSP as the authentication protocol for Web proxy access has some advantages over
758	the cookie-based authentication regime used by all competing browsers. It is Samba's implementation
759	of NTLMSSP that makes it attractive to implement the solution that has been demonstrated in this chapter.
760	</para>
761
762	</sect2>
763
764	</sect1>
765
766	<sect1>
767	<title>Questions and Answers</title>
768
769	<para>
770	<indexterm><primary>ntlm_auth</primary></indexterm>
771	<indexterm><primary>SambaXP conference</primary></indexterm>
772	<indexterm><primary>Goettingen</primary></indexterm>
773	<indexterm><primary>Italian</primary></indexterm>
774	The development of the <command>ntlm_auth</command> module was first discussed in many Open Source circles
775	in 2002. At the SambaXP conference in Goettingen, Germany, Mr. Francesco Chemolli demonstrated the use of
776	<command>ntlm_auth</command> during one of the late developer meetings that took place. Since that time, the
777	adoption of <command>ntlm_auth</command> has spread considerably.
778	</para>
779
780	<para>
781	The largest report from a site that uses Squid with <command>ntlm_auth</command>-based authentication
782	support uses a dual processor server that has 2 GB of memory. It provides Web and FTP proxy services for 10,000
783	users. Approximately 2,000 of these users make heavy use of the proxy services. According to the source, who
784	wishes to remain anonymous, the sustained transaction load on this server hovers around 140 hits/sec. The following
785	comments were made with respect to questions regarding the performance of this installation:
786	</para>
787
788	<blockquote><para>
789	[In our] EXTREMELY optimized environment . . . [the] performance impact is almost [nothing]. The <quote>almost</quote>
790	part is due to the brain damage of the ntlm-over-http protocol definition. Suffice to say that its worst-case
791	scenario triples the number of hits needed to perform the same transactions versus basic or digest auth[entication].
792	</para></blockquote>
793
794	<para>
795	You would be well-advised to recognize that all cache-intensive proxying solutions demand a lot of memory.
796	Make certain that your Squid proxy server is equipped with sufficient memory to permit all proxy operations to run
797	out of memory without invoking the overheads involved in the use of memory that has to be swapped to disk.
798	</para>
799
800	<qandaset defaultlabel="chap10bqa" type="number">
801	<qandaentry>
802	<question>
803
804	<para>
805	What does Samba have to do with Web proxy serving?
806	</para>
807
808	</question>
809	<answer>
810
811	<para>
812	<indexterm><secondary>transparent inter-operability</secondary></indexterm>
813	<indexterm><primary>Windows clients</primary></indexterm>
814	<indexterm><primary>network</primary><secondary>services</secondary></indexterm>
815	<indexterm><primary>authentication</primary></indexterm>
816	<indexterm><primary>wrapper</primary></indexterm>
817	To provide transparent interoperability between Windows clients and the network services
818	that are used from them, Samba had to develop tools and facilities that deliver that feature. The benefit
819	of Open Source software is that it can readily be reused. The current <command>ntlm_auth</command>
820	module is basically a wrapper around authentication code from the core of the Samba project.
821	</para>
822
823	<para>
824	<indexterm><primary>plain-text</primary></indexterm>
825	<indexterm><primary>authentication</primary><secondary>plain-text</secondary></indexterm>
826	<indexterm><primary>Web</primary><secondary>proxy</secondary></indexterm>
827	<indexterm><primary>FTP</primary><secondary>proxy</secondary></indexterm>
828	<indexterm><primary>NTLMSSP</primary></indexterm>
829	<indexterm><primary>logon credentials</primary></indexterm>
830	<indexterm><primary>Windows explorer</primary></indexterm>
831	<indexterm><primary>Internet Information Server</primary></indexterm>
832	<indexterm><primary>Apache Web server</primary></indexterm>
833	The <command>ntlm_auth</command> module supports basic plain-text authentication and NTLMSSP
834	protocols. This module makes it possible for Web and FTP proxy requests to be authenticated without
835	the user being interrupted via his or her Windows logon credentials. This facility is available with
836	MS Windows Explorer and is one of the key benefits claimed for Microsoft Internet Information Server.
837	There are a few open source initiatives to provide support for these protocols in the Apache Web server
838	also.
839	</para>
840
841	<para>
842	<indexterm><primary>wrapper</primary></indexterm>
843	The short answer is that by adding a wrapper around key authentication components of Samba, other
844	projects (like Squid) can benefit from the labors expended in meeting user interoperability needs.
845	</para>
846
847	</answer>
848	</qandaentry>
849
850	<qandaentry>
851	<question>
852
853	<para>
854	What other services does Samba provide?
855	</para>
856
857	</question>
858	<answer>
859
860	<para>
861	<indexterm><primary>winbindd</primary></indexterm>
862	<indexterm><primary>Identity resolver</primary></indexterm>
863	<indexterm><primary>daemon</primary></indexterm>
864	<indexterm><primary>smbd</primary></indexterm>
865	<indexterm><primary>file and print server</primary></indexterm>
866	Samba-3 is a file and print server. The core components that provide this functionality are <command>smbd</command>,
867	<command>nmbd</command>, and the identity resolver daemon, <command>winbindd</command>.
868	</para>
869
870	<para>
871	<indexterm><primary>SMB/CIFS</primary></indexterm>
872	<indexterm><primary>smbclient</primary></indexterm>
873	Samba-3 is an SMB/CIFS client. The core component that provides this is called <command>smbclient</command>.
874	</para>
875
876	<para>
877	<indexterm><primary>modules</primary></indexterm>
878	<indexterm><primary>utilities</primary></indexterm>
879	<indexterm><primary>validation</primary></indexterm>
880	<indexterm><primary>inter-operability</primary></indexterm>
881	<indexterm><primary>authentication</primary></indexterm>
882	Samba-3 includes a number of helper tools, plug-in modules, utilities, and test and validation facilities.
883	Samba-3 includes glue modules that help provide interoperability between MS Windows clients and UNIX/Linux
884	servers and clients. It includes Winbind agents that make it possible to authenticate UNIX/Linux access attempts
885	as well as logins to an SMB/CIFS authentication server backend. Samba-3 includes name service switch (NSS) modules
886	to permit identity resolution via SMB/CIFS servers (Windows NT4/200x, Samba, and a host of other commercial
887	server products).
888	</para>
889
890	</answer>
891	</qandaentry>
892
893	<qandaentry>
894	<question>
895
896	<para>
897	Does use of Samba (<command>ntlm_auth</command>) improve the performance of Squid?
898	</para>
899
900	</question>
901	<answer>
902
903	<para>
904	Not really. Samba's <command>ntlm_auth</command> module handles only authentication. It requires that
905	Squid make an external call to <command>ntlm_auth</command> and therefore actually incurs a
906	little more overhead. Compared with the benefit obtained, that overhead is well worth enduring. Since
907	Squid is a proxy server, and proxy servers tend to require lots of memory, it is good advice to provide
908	sufficient memory when using Squid. Just add a little more to accommodate <command>ntlm_auth</command>.
909	</para>
910
911	</answer>
912	</qandaentry>
913	</qandaset>
914
915	</sect1>
916
917	</chapter>
918

Note: See TracBrowser for help on using the repository browser.

Download in other formats: