Context Navigation

← Previous Revision
Next Revision →
Blame
Revision Log

source: vendor/3.5.0/docs/htmldocs/Samba3-ByExample/DomApps.html

Visit:

Last change on this file was 414, checked in by Herwig Bauernfeind, 15 years ago
Samba 3.5.0: Initial import
File size: 41.2 KB

Line
1	<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 12. Integrating Additional Services</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="Samba-3 by Example"><link rel="up" href="RefSection.html" title="Part III. Reference Section"><link rel="prev" href="kerberos.html" title="Chapter 11. Active Directory, Kerberos, and Security"><link rel="next" href="HA.html" title="Chapter 13. Performance, Reliability, and Availability"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 12. Integrating Additional Services</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="kerberos.html">Prev</a> </td><th width="60%" align="center">Part III. Reference Section</th><td width="20%" align="right"> <a accesskey="n" href="HA.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="DomApps"></a>Chapter 12. Integrating Additional Services</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="DomApps.html#id2616020">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="DomApps.html#id2616051">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="DomApps.html#id2616160">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="DomApps.html#id2616193">Technical Issues</a></span></dt><dt><span class="sect2"><a href="DomApps.html#id2616349">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="DomApps.html#id2616373">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="DomApps.html#ch10-one">Removal of Pre-Existing Conflicting RPMs</a></span></dt><dt><span class="sect2"><a href="DomApps.html#id2618225">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="DomApps.html#id2618286">Questions and Answers</a></span></dt></dl></div><p>
2	<a class="indexterm" name="id2615971"></a>
3	<a class="indexterm" name="id2615977"></a>
4	<a class="indexterm" name="id2615984"></a>
5	<a class="indexterm" name="id2615991"></a>
6	<a class="indexterm" name="id2615998"></a>
7	You've come a long way now. You have pretty much mastered Samba-3 for
8	most uses it can be put to. Up until now, you have cast Samba-3 in the leading
9	role, and where authentication was required, you have used one or another of
10	Samba's many authentication backends (from flat text files with smbpasswd
11	to LDAP directory integration with ldapsam). Now you can design a
12	solution for a new Abmas business. This business is running Windows Server
13	2003 and Active Directory, and these are to stay. It's time to master
14	implementing Samba and Samba-supported services in a domain controlled by
15	the latest Windows authentication technologies. Let's get started this is
16	leading edge.
17	</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2616020"></a>Introduction</h2></div></div></div><p>
18	Abmas has continued its miraculous growth; indeed, nothing seems to be able
19	to stop its diversification into multiple (and seemingly unrelated) fields.
20	Its latest acquisition is Abmas Snack Foods, a big player in the snack-food
21	business.
22	</p><p>
23	With this acquisition comes new challenges for you and your team. Abmas Snack
24	Foods is a well-developed business with a huge and heterogeneous network. It
25	already has Windows, NetWare, and Proprietary UNIX, but as yet no Samba or Linux.
26	The network is mature and well-established, and there is no question of its chosen
27	user authentication scheme being changed for now. You need to take a wise new
28	approach.
29	</p><p>
30	You have decided to set the ball rolling by introducing Samba-3 into the network
31	gradually, taking over key services and easing the way to a full migration and,
32	therefore, integration into Abmas's existing business later.
33	</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2616051"></a>Assignment Tasks</h3></div></div></div><p>
34	<a class="indexterm" name="id2616059"></a>
35	<a class="indexterm" name="id2616068"></a>
36	You've promised the skeptical Abmas Snack Foods management team
37	that you can show them how Samba can ease itself and other Open Source
38	technologies into their existing infrastructure and deliver sound business
39	advantages. Cost cutting is high on their agenda (a major promise of the
40	acquisition). You have chosen Web proxying and caching as your proving ground.
41	</p><p>
42	<a class="indexterm" name="id2616086"></a>
43	<a class="indexterm" name="id2616093"></a>
44	Abmas Snack Foods has several thousand users housed at its head office
45	and multiple regional offices, plants, and warehouses. A high proportion of
46	the business's work is done online, so Internet access for most of these
47	users is essential. All Internet access, including for all regional offices,
48	is funneled through the head office and is the job of the (now your) networking
49	team. The bandwidth requirements were horrific (comparable to a small ISP), and
50	the team soon discovered proxying and caching. In fact, they became one of
51	the earliest commercial users of Microsoft ISA.
52	</p><p>
53	<a class="indexterm" name="id2616114"></a>
54	<a class="indexterm" name="id2616121"></a>
55	<a class="indexterm" name="id2616128"></a>
56	The team is not happy with ISA. Because it never lived up to its marketing promises,
57	it underperformed and had reliability problems. You have pounced on the opportunity
58	to show what Open Source can do. The one thing they do like, however, is ISA's
59	integration with Active Directory. They like that their users, once logged on,
60	are automatically authenticated against the proxy. If your alternative to ISA
61	can operate completely seamlessly in their Active Directory domain, it will be
62	approved.
63	</p><p>
64	This is a hands-on exercise. You build software applications so
65	that you obtain the functionality Abmas needs.
66	</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2616160"></a>Dissection and Discussion</h2></div></div></div><p>
67	The key requirements in this business example are straightforward. You are not required
68	to do anything new, just to replicate an existing system, not lose any existing features,
69	and improve performance. The key points are:
70	</p><div class="itemizedlist"><ul type="disc"><li><p>
71	Internet access for most employees
72	</p></li><li><p>
73	Distributed system to accommodate load and geographical distribution of users
74	</p></li><li><p>
75	Seamless and transparent interoperability with the existing Active Directory domain
76	</p></li></ul></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2616193"></a>Technical Issues</h3></div></div></div><p>
77	<a class="indexterm" name="id2616201"></a>
78	<a class="indexterm" name="id2616208"></a>
79	<a class="indexterm" name="id2616215"></a>
80	<a class="indexterm" name="id2616221"></a>
81	<a class="indexterm" name="id2616228"></a>
82	<a class="indexterm" name="id2616235"></a>
83	<a class="indexterm" name="id2616242"></a>
84	<a class="indexterm" name="id2616249"></a>
85	<a class="indexterm" name="id2616256"></a>
86	<a class="indexterm" name="id2616263"></a>
87	<a class="indexterm" name="id2616270"></a>
88	<a class="indexterm" name="id2616277"></a>
89	<a class="indexterm" name="id2616286"></a><a class="indexterm" name="id2616292"></a>
90	Functionally, the user's Internet Explorer requests a browsing session with the
91	Squid proxy, for which it offers its AD authentication token. Squid hands off
92	the authentication request to the Samba-3 authentication helper application
93	called <code class="literal">ntlm_auth</code>. This helper is a hook into winbind, the
94	Samba-3 NTLM authentication daemon. Winbind enables UNIX services to authenticate
95	against Microsoft Windows domains, including Active Directory domains. As Active
96	Directory authentication is a modified Kerberos authentication, winbind is assisted
97	in this by local Kerberos 5 libraries configured to check passwords with the Active
98	Directory server. Once the token has been checked, a browsing session is established.
99	This process is entirely transparent and seamless to the user.
100	</p><p>
101	Enabling this consists of:
102	</p><div class="itemizedlist"><ul type="disc"><li><p>
103	Preparing the necessary environment using preconfigured packages
104	</p></li><li><p>
105	Setting up raw Kerberos authentication against the Active Directory domain
106	</p></li><li><p>
107	Configuring, compiling, and then installing the supporting Samba-3 components
108	</p></li><li><p>
109	Tying it all together
110	</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2616349"></a>Political Issues</h3></div></div></div><p>
111	You are a stranger in a strange land, and all eyes are upon you. Some would even like to see
112	you fail. For you to gain the trust of your newly acquired IT people, it is essential that your
113	solution does everything the old one did, but does it better in every way. Only then
114	will the entrenched positions consider taking up your new way of doing things on a
115	wider scale.
116	</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2616373"></a>Implementation</h2></div></div></div><p>
117	<a class="indexterm" name="id2616381"></a>
118	First, your system needs to be prepared and in a known good state to proceed. This consists
119	of making sure that everything the system depends on is present and that everything that could
120	interfere or conflict with the system is removed. You will be configuring the Squid and Samba-3
121	packages and updating them if necessary. If conflicting packages of these programs are installed,
122	they must be removed.
123	</p><p>
124	<a class="indexterm" name="id2616398"></a>
125	The following packages should be available on your Red Hat Linux system:
126	</p><div class="itemizedlist"><ul type="disc"><li><p>
127	<a class="indexterm" name="id2616413"></a>
128	<a class="indexterm" name="id2616420"></a>
129	krb5-libs
130	</p></li><li><p>
131	krb5-devel
132	</p></li><li><p>
133	krb5-workstation
134	</p></li><li><p>
135	krb5-server
136	</p></li><li><p>
137	pam_krb5
138	</p></li></ul></div><p>
139	<a class="indexterm" name="id2616450"></a>
140	In the case of SUSE Linux, these packages are called:
141	</p><div class="itemizedlist"><ul type="disc"><li><p>
142	heimdal-lib
143	</p></li><li><p>
144	heimdal-devel
145	</p></li><li><p>
146	<a class="indexterm" name="id2616475"></a>
147	heimdal
148	</p></li><li><p>
149	pam_krb5
150	</p></li></ul></div><p>
151	If the required packages are not present on your system, you must install
152	them from the vendor's installation media. Follow the administrative guide
153	for your Linux system to ensure that the packages are correctly updated.
154	</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
155	<a class="indexterm" name="id2616500"></a>
156	<a class="indexterm" name="id2616507"></a>
157	<a class="indexterm" name="id2616514"></a>
158	If the requirement is for interoperation with MS Windows Server 2003, it
159	will be necessary to ensure that you are using MIT Kerberos version 1.3.1
160	or later. Red Hat Linux 9 ships with MIT Kerberos 1.2.7 and thus requires
161	updating.
162	</p><p>
163	<a class="indexterm" name="id2616528"></a>
164	<a class="indexterm" name="id2616534"></a>
165	Heimdal 0.6 or later is required in the case of SUSE Linux. SUSE Enterprise
166	Linux Server 8 ships with Heimdal 0.4. SUSE 9 ships with the necessary version.
167	</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="ch10-one"></a>Removal of Pre-Existing Conflicting RPMs</h3></div></div></div><p>
168	<a class="indexterm" name="id2616557"></a>
169	If Samba and/or Squid RPMs are installed, they should be updated. You can
170	build both from source.
171	</p><p>
172	<a class="indexterm" name="id2616569"></a>
173	<a class="indexterm" name="id2616576"></a>
174	<a class="indexterm" name="id2616582"></a>
175	Locating the packages to be un-installed can be achieved by running:
176	</p><pre class="screen">
177	<code class="prompt">root# </code> rpm -qa \| grep -i samba
178	<code class="prompt">root# </code> rpm -qa \| grep -i squid
179	</pre><p>
180	The identified packages may be removed using:
181	</p><pre class="screen">
182	<code class="prompt">root# </code> rpm -e samba-common
183	</pre><p>
184	</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2616622"></a>Kerberos Configuration</h3></div></div></div><p>
185	<a class="indexterm" name="id2616630"></a>
186	<a class="indexterm" name="id2616637"></a>
187	<a class="indexterm" name="id2616647"></a>
188	<a class="indexterm" name="id2616653"></a>
189	The systems Kerberos installation must be configured to communicate with
190	your primary Active Directory server (ADS KDC).
191	</p><p>
192	Strictly speaking, MIT Kerberos version 1.3.4 currently gives the best results,
193	although the current default Red Hat MIT version 1.2.7 gives acceptable results
194	unless you are using Windows 2003 servers.
195	</p><p>
196	<a class="indexterm" name="id2616672"></a>
197	<a class="indexterm" name="id2616679"></a>
198	<a class="indexterm" name="id2616686"></a>
199	<a class="indexterm" name="id2616692"></a>
200	<a class="indexterm" name="id2616699"></a>
201	<a class="indexterm" name="id2616708"></a>
202	<a class="indexterm" name="id2616715"></a>
203	Officially, neither MIT (1.3.4) nor Heimdal (0.63) Kerberos needs an <code class="filename">/etc/krb5.conf</code>
204	file in order to work correctly. All ADS domains automatically create SRV records in the
205	DNS zone <code class="constant">Kerberos.REALM.NAME</code> for each KDC in the realm. Since both
206	MIT and Heimdal, KRB5 libraries default to checking for these records, so they
207	automatically find the KDCs. In addition, <code class="filename">krb5.conf</code> allows
208	specifying only a single KDC, even if there is more than one. Using the DNS lookup
209	allows the KRB5 libraries to use whichever KDCs are available.
210	</p><div class="procedure"><a name="id2616749"></a><p class="title"><b>Procedure 12.1. Kerberos Configuration Steps</b></p><ol type="1"><li><p>
211	<a class="indexterm" name="id2616760"></a>
212	If you find the need to manually configure the <code class="filename">krb5.conf</code>, you should edit it
213	to have the contents shown in <a class="link" href="DomApps.html#ch10-krb5conf" title="Example 12.1. Kerberos Configuration File: /etc/krb5.conf">“Kerberos Configuration File: /etc/krb5.conf”</a>. The final fully qualified path for this file
214	should be <code class="filename">/etc/krb5.conf</code>.
215	</p></li><li><p>
216	<a class="indexterm" name="id2616795"></a>
217	<a class="indexterm" name="id2616802"></a>
218	<a class="indexterm" name="id2616809"></a>
219	<a class="indexterm" name="id2616816"></a>
220	<a class="indexterm" name="id2616822"></a>
221	<a class="indexterm" name="id2616829"></a>
222	<a class="indexterm" name="id2616836"></a>
223	<a class="indexterm" name="id2616843"></a>
224	<a class="indexterm" name="id2616850"></a>
225	<a class="indexterm" name="id2616859"></a>
226	<a class="indexterm" name="id2616866"></a>
227	<a class="indexterm" name="id2616873"></a>
228	<a class="indexterm" name="id2616880"></a>
229	The following gotchas often catch people out. Kerberos is case sensitive. Your realm must
230	be in UPPERCASE, or you will get an error: “<span class="quote">Cannot find KDC for requested realm while getting
231	initial credentials</span>”. Kerberos is picky about time synchronization. The time
232	according to your participating servers must be within 5 minutes or you get an error:
233	“<span class="quote">kinit(v5): Clock skew too great while getting initial credentials</span>”.
234	Clock skew limits are, in fact, configurable in the Kerberos protocols (the default is
235	5 minutes). A better solution is to implement NTP throughout your server network.
236	Kerberos needs to be able to do a reverse DNS lookup on the IP address of your KDC.
237	Also, the name that this reverse lookup maps to must either be the NetBIOS name of
238	the KDC (i.e., the hostname with no domain attached) or the
239	NetBIOS name followed by the realm. If all else fails, you can add a
240	<code class="filename">/etc/hosts</code> entry mapping the IP address of your KDC to its
241	NetBIOS name. If Kerberos cannot do this reverse lookup, you will get a local error
242	when you try to join the realm.
243	</p></li><li><p>
244	<a class="indexterm" name="id2616924"></a>
245	You are now ready to test your installation by issuing the command:
246	</p><pre class="screen">
247	<code class="prompt">root# </code> kinit [USERNAME@REALM]
248	</pre><p>
249	You are asked for your password, which you should enter. The following
250	is a typical console sequence:
251	</p><pre class="screen">
252	<code class="prompt">root# </code> kinit ADMINISTRATOR@LONDON.ABMAS.BIZ
253	Password for ADMINISTRATOR@LONDON.ABMAS.BIZ:
254	</pre><p>
255	Make sure that your password is accepted by the Active Directory KDC.
256	</p></li></ol></div><div class="example"><a name="ch10-krb5conf"></a><p class="title"><b>Example 12.1. Kerberos Configuration File: <code class="filename">/etc/krb5.conf</code></b></p><div class="example-contents"><pre class="screen">
257	[libdefaults]
258	default_realm = LONDON.ABMAS.BIZ
259
260	[realms]
261	LONDON.ABMAS.BIZ = {
262	kdc = w2k3s.london.abmas.biz
263	}
264	</pre></div></div><br class="example-break"><p><a class="indexterm" name="id2616989"></a>
265	The command
266	</p><pre class="screen">
267	<code class="prompt">root# </code> klist -e
268	</pre><p>
269	shows the Kerberos tickets cached by the system.
270	</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2617012"></a>Samba Configuration</h4></div></div></div><p>
271	<a class="indexterm" name="id2617020"></a>
272	Samba must be configured to correctly use Active Directory. Samba-3 must be used, since it
273	has the necessary components to interface with Active Directory.
274	</p><div class="procedure"><a name="id2617030"></a><p class="title"><b>Procedure 12.2. Securing Samba-3 With ADS Support Steps</b></p><ol type="1"><li><p>
275	<a class="indexterm" name="id2617042"></a>
276	<a class="indexterm" name="id2617049"></a>
277	<a class="indexterm" name="id2617056"></a>
278	<a class="indexterm" name="id2617063"></a>
279	<a class="indexterm" name="id2617070"></a>
280	Download the latest stable Samba-3 for Red Hat Linux from the official Samba Team
281	<a class="ulink" href="http://ftp.samba.org" target="_top">FTP site.</a> The official Samba Team
282	RPMs for Red Hat Fedora Linux contain the <code class="literal">ntlm_auth</code> tool
283	needed, and are linked against MIT KRB5 version 1.3.1 and therefore are ready for use.
284	</p><p>
285	<a class="indexterm" name="id2617096"></a>
286	<a class="indexterm" name="id2617103"></a>
287	The necessary, validated RPM packages for SUSE Linux may be obtained from
288	the <a class="ulink" href="ftp://ftp.sernet.de/pub/samba" target="_top">SerNet</a> FTP site that
289	is located in Germany. All SerNet RPMs are validated, have the necessary
290	<code class="literal">ntlm_auth</code> tool, and are statically linked
291	against suitably patched Heimdal 0.6 libraries.
292	</p></li><li><p>
293	Using your favorite editor, change the <code class="filename">/etc/samba/smb.conf</code>
294	file so it has contents similar to the example shown in <a class="link" href="DomApps.html#ch10-smbconf" title="Example 12.2. Samba Configuration File: /etc/samba/smb.conf">“Samba Configuration File: /etc/samba/smb.conf”</a>.
295	</p></li><li><p>
296	<a class="indexterm" name="id2617154"></a>
297	<a class="indexterm" name="id2617161"></a>
298	<a class="indexterm" name="id2617168"></a>i
299	<a class="indexterm" name="id2617179"></a>
300	<a class="indexterm" name="id2617186"></a>
301	Next you need to create a computer account in the Active Directory.
302	This sets up the trust relationship needed for other clients to
303	authenticate to the Samba server with an Active Directory Kerberos ticket.
304	This is done with the “<span class="quote">net ads join -U [Administrator%Password]</span>”
305	command, as follows:
306	</p><pre class="screen">
307	<code class="prompt">root# </code> net ads join -U administrator%vulcon
308	</pre><p>
309	</p></li><li><p>
310	<a class="indexterm" name="id2617220"></a>
311	<a class="indexterm" name="id2617227"></a>
312	<a class="indexterm" name="id2617234"></a>
313	<a class="indexterm" name="id2617240"></a>
314	<a class="indexterm" name="id2617247"></a>
315	Your new Samba binaries must be started in the standard manner as is applicable
316	to the platform you are running on. Alternatively, start your Active Directory-enabled Samba with the following commands:
317	</p><pre class="screen">
318	<code class="prompt">root# </code> smbd -D
319	<code class="prompt">root# </code> nmbd -D
320	<code class="prompt">root# </code> winbindd -D
321	</pre><p>
322	</p></li><li><p>
323	<a class="indexterm" name="id2617288"></a>
324	<a class="indexterm" name="id2617295"></a>
325	<a class="indexterm" name="id2617304"></a>
326	<a class="indexterm" name="id2617311"></a>
327	<a class="indexterm" name="id2617318"></a>
328	We now need to test that Samba is communicating with the Active
329	Directory domain; most specifically, we want to see whether winbind
330	is enumerating users and groups. Issue the following commands:
331	</p><pre class="screen">
332	<code class="prompt">root# </code> wbinfo -t
333	checking the trust secret via RPC calls succeeded
334	</pre><p>
335	This tests whether we are authenticating against Active Directory:
336	</p><pre class="screen">
337	<code class="prompt">root# </code> wbinfo -u
338	LONDON+Administrator
339	LONDON+Guest
340	LONDON+SUPPORT_388945a0
341	LONDON+krbtgt
342	LONDON+jht
343	LONDON+xjht
344	</pre><p>
345	This enumerates all the users in your Active Directory tree:
346	</p><pre class="screen">
347	<code class="prompt">root# </code> wbinfo -g
348	LONDON+Domain Computers
349	LONDON+Domain Controllers
350	LONDON+Schema Admins
351	LONDON+Enterprise Admins
352	LONDON+Domain Admins
353	LONDON+Domain Users
354	LONDON+Domain Guests
355	LONDON+Group Policy Creator Owners
356	LONDON+DnsUpdateProxy
357	</pre><p>
358	This enumerates all the groups in your Active Directory tree.
359	</p></li><li><p>
360	<a class="indexterm" name="id2617382"></a>
361	<a class="indexterm" name="id2617389"></a>
362	Squid uses the <code class="literal">ntlm_auth</code> helper build with Samba-3.
363	You may test <code class="literal">ntlm_auth</code> with the command:
364	</p><pre class="screen">
365	<code class="prompt">root# </code> /usr/bin/ntlm_auth --username=jht
366	password: XXXXXXXX
367	</pre><p>
368	You are asked for your password, which you should enter. You are rewarded with:
369	</p><pre class="screen">
370	<code class="prompt">root# </code> NT_STATUS_OK: Success (0x0)
371	</pre><p>
372	</p></li><li><p>
373	<a class="indexterm" name="id2617441"></a>
374	<a class="indexterm" name="id2617448"></a>
375	<a class="indexterm" name="id2617455"></a>
376	<a class="indexterm" name="id2617462"></a>
377	<a class="indexterm" name="id2617468"></a>
378	<a class="indexterm" name="id2617475"></a>
379	<a class="indexterm" name="id2617482"></a>
380	<a class="indexterm" name="id2617489"></a>
381	The <code class="literal">ntlm_auth</code> helper, when run from a command line as the user
382	“<span class="quote">root</span>”, authenticates against your Active Directory domain (with
383	the aid of winbind). It manages this by reading from the winbind privileged pipe.
384	Squid is running with the permissions of user “<span class="quote">squid</span>” and group
385	“<span class="quote">squid</span>” and is not able to do this unless we make a vital change.
386	Squid cannot read from the winbind privilege pipe unless you change the
387	permissions of its directory. This is the single biggest cause of failure in the
388	whole process. Remember to issue the following command (for Red Hat Linux):
389	</p><pre class="screen">
390	<code class="prompt">root# </code> chgrp squid /var/cache/samba/winbindd_privileged
391	<code class="prompt">root# </code> chmod 750 /var/cache/samba/winbindd_privileged
392	</pre><p>
393	For SUSE Linux 9, execute the following:
394	</p><pre class="screen">
395	<code class="prompt">root# </code> chgrp squid /var/lib/samba/winbindd_privileged
396	<code class="prompt">root# </code> chmod 750 /var/lib/samba/winbindd_privileged
397	</pre><p>
398	</p></li></ol></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2617564"></a>NSS Configuration</h4></div></div></div><p>
399	<a class="indexterm" name="id2617572"></a>
400	<a class="indexterm" name="id2617578"></a>
401	<a class="indexterm" name="id2617585"></a>
402	For Squid to benefit from Samba-3, NSS must be updated to allow winbind as a valid route to user authentication.
403	</p><p>
404	Edit your <code class="filename">/etc/nsswitch.conf</code> file so it has the parameters shown
405	in <a class="link" href="DomApps.html#ch10-etcnsscfg" title="Example 12.3. NSS Configuration File Extract File: /etc/nsswitch.conf">“NSS Configuration File Extract File: /etc/nsswitch.conf”</a>.
406	</p><div class="example"><a name="ch10-smbconf"></a><p class="title"><b>Example 12.2. Samba Configuration File: <code class="filename">/etc/samba/smb.conf</code></b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2617643"></a><em class="parameter"><code>workgroup = LONDON</code></em></td></tr><tr><td><a class="indexterm" name="id2617655"></a><em class="parameter"><code>netbios name = W2K3S</code></em></td></tr><tr><td><a class="indexterm" name="id2617667"></a><em class="parameter"><code>realm = LONDON.ABMAS.BIZ</code></em></td></tr><tr><td><a class="indexterm" name="id2617679"></a><em class="parameter"><code>security = ads</code></em></td></tr><tr><td><a class="indexterm" name="id2617690"></a><em class="parameter"><code>encrypt passwords = yes</code></em></td></tr><tr><td><a class="indexterm" name="id2617702"></a><em class="parameter"><code>password server = w2k3s.london.abmas.biz</code></em></td></tr><tr><td># separate domain and username with '/', like DOMAIN/username</td></tr><tr><td><a class="indexterm" name="id2617719"></a><em class="parameter"><code>winbind separator = /</code></em></td></tr><tr><td># use UIDs from 10000 to 20000 for domain users</td></tr><tr><td><a class="indexterm" name="id2617735"></a><em class="parameter"><code>idmap uid = 10000-20000</code></em></td></tr><tr><td># use GIDs from 10000 to 20000 for domain groups</td></tr><tr><td><a class="indexterm" name="id2617750"></a><em class="parameter"><code>idmap gid = 10000-20000</code></em></td></tr><tr><td># allow enumeration of winbind users and groups</td></tr><tr><td><a class="indexterm" name="id2617766"></a><em class="parameter"><code>winbind enum users = yes</code></em></td></tr><tr><td><a class="indexterm" name="id2617778"></a><em class="parameter"><code>winbind enum groups = yes</code></em></td></tr><tr><td><a class="indexterm" name="id2617790"></a><em class="parameter"><code>winbind user default domain = yes</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch10-etcnsscfg"></a><p class="title"><b>Example 12.3. NSS Configuration File Extract File: <code class="filename">/etc/nsswitch.conf</code></b></p><div class="example-contents"><pre class="screen">
407	passwd: files winbind
408	shadow: files
409	group: files winbind
410	</pre></div></div><br class="example-break"></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2617829"></a>Squid Configuration</h4></div></div></div><p>
411	<a class="indexterm" name="id2617837"></a>
412	<a class="indexterm" name="id2617844"></a>
413	Squid must be configured correctly to interact with the Samba-3
414	components that handle Active Directory authentication.
415	</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2617859"></a>Configuration</h3></div></div></div></div><div class="procedure"><a name="id2617864"></a><p class="title"><b>Procedure 12.3. Squid Configuration Steps</b></p><ol type="1"><li><p>
416	<a class="indexterm" name="id2617876"></a>
417	<a class="indexterm" name="id2617882"></a>
418	<a class="indexterm" name="id2617890"></a>
419	If your Linux distribution is SUSE Linux 9, the version of Squid
420	supplied is already enabled to use the winbind helper agent. You
421	can therefore omit the steps that would build the Squid binary
422	programs.
423	</p></li><li><p>
424	<a class="indexterm" name="id2617908"></a>
425	<a class="indexterm" name="id2617914"></a>
426	<a class="indexterm" name="id2617921"></a>
427	<a class="indexterm" name="id2617928"></a>
428	<a class="indexterm" name="id2617935"></a>
429	Squid, by default, runs as the user <code class="constant">nobody</code>. You need to
430	add a system user <code class="constant">squid</code> and a system group
431	<code class="constant">squid</code> if they are not set up already (if the default
432	Red Hat squid rpms were installed, they will be). Set up a
433	<code class="constant">squid</code> user in <code class="filename">/etc/passwd</code>
434	and a <code class="constant">squid</code> group in <code class="filename">/etc/group</code> if these aren't there already.
435	</p></li><li><p>
436	<a class="indexterm" name="id2617982"></a>
437	<a class="indexterm" name="id2617989"></a>
438	You now need to change the permissions on Squid's <code class="constant">var</code>
439	directory. Enter the following command:
440	</p><pre class="screen">
441	<code class="prompt">root# </code> chown -R squid /var/cache/squid
442	</pre><p>
443	</p></li><li><p>
444	<a class="indexterm" name="id2618020"></a>
445	<a class="indexterm" name="id2618027"></a>
446	Squid must also have control over its logging. Enter the following commands:
447	</p><pre class="screen">
448	<code class="prompt">root# </code> chown -R chown squid:squid /var/log/squid
449	<code class="prompt">root# </code> chmod 770 /var/log/squid
450	</pre><p>
451	</p></li><li><p>
452	Finally, Squid must be able to write to its disk cache!
453	Enter the following commands:
454	</p><pre class="screen">
455	<code class="prompt">root# </code> chown -R chown squid:squid /var/cache/squid
456	<code class="prompt">root# </code> chmod 770 /var/cache/squid
457	</pre><p>
458	</p></li><li><p>
459	<a class="indexterm" name="id2618087"></a>
460	The <code class="filename">/etc/squid/squid.conf</code> file must be edited to include the lines from
461	<a class="link" href="DomApps.html#etcsquidcfg" title="Example 12.4. Squid Configuration File Extract /etc/squid.conf [ADMINISTRATIVE PARAMETERS Section]">“Squid Configuration File Extract /etc/squid.conf [ADMINISTRATIVE PARAMETERS Section]”</a> and <a class="link" href="DomApps.html#etcsquid2" title="Example 12.5. Squid Configuration File extract File: /etc/squid.conf [AUTHENTICATION PARAMETERS Section]">“Squid Configuration File extract File: /etc/squid.conf [AUTHENTICATION PARAMETERS Section]”</a>.
462	</p></li><li><p>
463	<a class="indexterm" name="id2618121"></a>
464	You must create Squid's cache directories before it may be run. Enter the following command:
465	</p><pre class="screen">
466	<code class="prompt">root# </code> squid -z
467	</pre><p>
468	</p></li><li><p>
469	Finally, start Squid and enjoy transparent Active Directory authentication.
470	Enter the following command:
471	</p><pre class="screen">
472	<code class="prompt">root# </code> squid
473	</pre><p>
474	</p></li></ol></div><div class="example"><a name="etcsquidcfg"></a><p class="title"><b>Example 12.4. Squid Configuration File Extract <code class="filename">/etc/squid.conf</code> [ADMINISTRATIVE PARAMETERS Section]</b></p><div class="example-contents"><pre class="screen">
475	cache_effective_user squid
476	cache_effective_group squid
477	</pre></div></div><br class="example-break"><div class="example"><a name="etcsquid2"></a><p class="title"><b>Example 12.5. Squid Configuration File extract File: <code class="filename">/etc/squid.conf</code> [AUTHENTICATION PARAMETERS Section]</b></p><div class="example-contents"><pre class="screen">
478	auth_param ntlm program /usr/bin/ntlm_auth \
479	--helper-protocol=squid-2.5-ntlmssp
480	auth_param ntlm children 5
481	auth_param ntlm max_challenge_reuses 0
482	auth_param ntlm max_challenge_lifetime 2 minutes
483	auth_param basic program /usr/bin/ntlm_auth \
484	--helper-protocol=squid-2.5-basic
485	auth_param basic children 5
486	auth_param basic realm Squid proxy-caching web server
487	auth_param basic credentialsttl 2 hours
488	acl AuthorizedUsers proxy_auth REQUIRED
489	http_access allow all AuthorizedUsers
490	</pre></div></div><br class="example-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2618225"></a>Key Points Learned</h3></div></div></div><p>
491	<a class="indexterm" name="id2618233"></a>
492	<a class="indexterm" name="id2618240"></a>
493	<a class="indexterm" name="id2618247"></a>
494	<a class="indexterm" name="id2618254"></a>
495	<a class="indexterm" name="id2618266"></a>
496	Microsoft Windows networking protocols permeate the spectrum of technologies that Microsoft
497	Windows clients use, even when accessing traditional services such as Web browsers. Depending
498	on whom you discuss this with, this is either good or bad. No matter how you might evaluate this,
499	the use of NTLMSSP as the authentication protocol for Web proxy access has some advantages over
500	the cookie-based authentication regime used by all competing browsers. It is Samba's implementation
501	of NTLMSSP that makes it attractive to implement the solution that has been demonstrated in this chapter.
502	</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2618286"></a>Questions and Answers</h2></div></div></div><p>
503	<a class="indexterm" name="id2618294"></a>
504	<a class="indexterm" name="id2618301"></a>
505	<a class="indexterm" name="id2618308"></a>
506	<a class="indexterm" name="id2618314"></a>
507	The development of the <code class="literal">ntlm_auth</code> module was first discussed in many Open Source circles
508	in 2002. At the SambaXP conference in Goettingen, Germany, Mr. Francesco Chemolli demonstrated the use of
509	<code class="literal">ntlm_auth</code> during one of the late developer meetings that took place. Since that time, the
510	adoption of <code class="literal">ntlm_auth</code> has spread considerably.
511	</p><p>
512	The largest report from a site that uses Squid with <code class="literal">ntlm_auth</code>-based authentication
513	support uses a dual processor server that has 2 GB of memory. It provides Web and FTP proxy services for 10,000
514	users. Approximately 2,000 of these users make heavy use of the proxy services. According to the source, who
515	wishes to remain anonymous, the sustained transaction load on this server hovers around 140 hits/sec. The following
516	comments were made with respect to questions regarding the performance of this installation:
517	</p><div class="blockquote"><blockquote class="blockquote"><p>
518	[In our] EXTREMELY optimized environment . . . [the] performance impact is almost [nothing]. The “<span class="quote">almost</span>”
519	part is due to the brain damage of the ntlm-over-http protocol definition. Suffice to say that its worst-case
520	scenario triples the number of hits needed to perform the same transactions versus basic or digest auth[entication].
521	</p></blockquote></div><p>
522	You would be well-advised to recognize that all cache-intensive proxying solutions demand a lot of memory.
523	Make certain that your Squid proxy server is equipped with sufficient memory to permit all proxy operations to run
524	out of memory without invoking the overheads involved in the use of memory that has to be swapped to disk.
525	</p><div class="qandaset"><dl><dt> <a href="DomApps.html#id2618392">
526	What does Samba have to do with Web proxy serving?
527	</a></dt><dt> <a href="DomApps.html#id2618558">
528	What other services does Samba provide?
529	</a></dt><dt> <a href="DomApps.html#id2618701">
530	Does use of Samba (ntlm_auth) improve the performance of Squid?
531	</a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id2618392"></a><a name="id2618394"></a></td><td align="left" valign="top"><p>
532	What does Samba have to do with Web proxy serving?
533	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
534	<a class="indexterm" name="id2618406"></a>
535	<a class="indexterm" name="id2618413"></a>
536	<a class="indexterm" name="id2618420"></a>
537	<a class="indexterm" name="id2618429"></a>
538	<a class="indexterm" name="id2618436"></a>
539	To provide transparent interoperability between Windows clients and the network services
540	that are used from them, Samba had to develop tools and facilities that deliver that feature. The benefit
541	of Open Source software is that it can readily be reused. The current <code class="literal">ntlm_auth</code>
542	module is basically a wrapper around authentication code from the core of the Samba project.
543	</p><p>
544	<a class="indexterm" name="id2618458"></a>
545	<a class="indexterm" name="id2618465"></a>
546	<a class="indexterm" name="id2618474"></a>
547	<a class="indexterm" name="id2618483"></a>
548	<a class="indexterm" name="id2618492"></a>
549	<a class="indexterm" name="id2618499"></a>
550	<a class="indexterm" name="id2618506"></a>
551	<a class="indexterm" name="id2618513"></a>
552	<a class="indexterm" name="id2618520"></a>
553	The <code class="literal">ntlm_auth</code> module supports basic plain-text authentication and NTLMSSP
554	protocols. This module makes it possible for Web and FTP proxy requests to be authenticated without
555	the user being interrupted via his or her Windows logon credentials. This facility is available with
556	MS Windows Explorer and is one of the key benefits claimed for Microsoft Internet Information Server.
557	There are a few open source initiatives to provide support for these protocols in the Apache Web server
558	also.
559	</p><p>
560	<a class="indexterm" name="id2618544"></a>
561	The short answer is that by adding a wrapper around key authentication components of Samba, other
562	projects (like Squid) can benefit from the labors expended in meeting user interoperability needs.
563	</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2618558"></a><a name="id2618560"></a></td><td align="left" valign="top"><p>
564	What other services does Samba provide?
565	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
566	<a class="indexterm" name="id2618572"></a>
567	<a class="indexterm" name="id2618579"></a>
568	<a class="indexterm" name="id2618586"></a>
569	<a class="indexterm" name="id2618592"></a>
570	<a class="indexterm" name="id2618599"></a>
571	Samba-3 is a file and print server. The core components that provide this functionality are <code class="literal">smbd</code>,
572	<code class="literal">nmbd</code>, and the identity resolver daemon, <code class="literal">winbindd</code>.
573	</p><p>
574	<a class="indexterm" name="id2618630"></a>
575	<a class="indexterm" name="id2618636"></a>
576	Samba-3 is an SMB/CIFS client. The core component that provides this is called <code class="literal">smbclient</code>.
577	</p><p>
578	<a class="indexterm" name="id2618654"></a>
579	<a class="indexterm" name="id2618661"></a>
580	<a class="indexterm" name="id2618668"></a>
581	<a class="indexterm" name="id2618674"></a>
582	<a class="indexterm" name="id2618681"></a>
583	Samba-3 includes a number of helper tools, plug-in modules, utilities, and test and validation facilities.
584	Samba-3 includes glue modules that help provide interoperability between MS Windows clients and UNIX/Linux
585	servers and clients. It includes Winbind agents that make it possible to authenticate UNIX/Linux access attempts
586	as well as logins to an SMB/CIFS authentication server backend. Samba-3 includes name service switch (NSS) modules
587	to permit identity resolution via SMB/CIFS servers (Windows NT4/200x, Samba, and a host of other commercial
588	server products).
589	</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2618701"></a><a name="id2618703"></a></td><td align="left" valign="top"><p>
590	Does use of Samba (<code class="literal">ntlm_auth</code>) improve the performance of Squid?
591	</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
592	Not really. Samba's <code class="literal">ntlm_auth</code> module handles only authentication. It requires that
593	Squid make an external call to <code class="literal">ntlm_auth</code> and therefore actually incurs a
594	little more overhead. Compared with the benefit obtained, that overhead is well worth enduring. Since
595	Squid is a proxy server, and proxy servers tend to require lots of memory, it is good advice to provide
596	sufficient memory when using Squid. Just add a little more to accommodate <code class="literal">ntlm_auth</code>.
597	</p></td></tr></tbody></table></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="kerberos.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="RefSection.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="HA.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 11. Active Directory, Kerberos, and Security </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 13. Performance, Reliability, and Availability</td></tr></table></div></body></html>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: