scripting: Make samba.provision.descriptor.get_wellknown_sds() return ldb.Dn objects
[Samba.git] / docs-xml / Samba3-ByExample / SBE-DomainAppsSupport.xml
blobc9ccd433d7b1a4e7789472c673062ae598065b6c
1 <?xml version="1.0" encoding="iso-8859-1"?>
2 <!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
4 <chapter id="DomApps">
5 <title>Integrating Additional Services</title>
7         <para>
8         <indexterm><primary>authentication</primary></indexterm>
9         <indexterm><primary>backends</primary></indexterm>
10         <indexterm><primary>smbpasswd</primary></indexterm>
11         <indexterm><primary>ldapsam</primary></indexterm>
12         <indexterm><primary>Active Directory</primary></indexterm>
13         You've come a long way now. You have pretty much mastered Samba-3 for 
14         most uses it can be put to. Up until now, you have cast Samba-3 in the leading 
15         role, and where authentication was required, you have used one or another of 
16         Samba's many authentication backends (from flat text files with smbpasswd 
17         to LDAP directory integration with ldapsam). Now you can design a 
18         solution for a new Abmas business. This business is running Windows Server 
19         2003 and Active Directory, and these are to stay. It's time to master 
20         implementing Samba and Samba-supported services in a domain controlled by 
21         the latest Windows authentication technologies. Let's get started &smbmdash; this is 
22         leading edge.
23         </para>
25 <sect1>
26         <title>Introduction</title>
28         <para>
29         Abmas has continued its miraculous growth; indeed, nothing seems to be able 
30         to stop its diversification into multiple (and seemingly unrelated) fields. 
31         Its latest acquisition is Abmas Snack Foods, a big player in the snack-food 
32         business.
33         </para>
35         <para>
36         With this acquisition comes new challenges for you and your team. Abmas Snack 
37         Foods is a well-developed business with a huge and heterogeneous network. It 
38         already has Windows, NetWare, and Proprietary UNIX, but as yet no Samba or Linux. 
39         The network is mature and well-established, and there is no question of its chosen 
40         user authentication scheme being changed for now. You need to take a wise new 
41         approach.
42         </para>
44         <para>
45         You have decided to set the ball rolling by introducing Samba-3 into the network 
46         gradually, taking over key services and easing the way to a full migration and, 
47         therefore, integration into Abmas's existing business later.
48         </para>
50         <sect2>
51         <title>Assignment Tasks</title>
53                 <para>
54                 <indexterm><primary>web</primary><secondary>proxying</secondary></indexterm>
55                 <indexterm><primary>web</primary><secondary>caching</secondary></indexterm>
56                 You've promised the skeptical Abmas Snack Foods management team 
57                 that you can show them how Samba can ease itself and other Open Source 
58                 technologies into their existing infrastructure and deliver sound business 
59                 advantages. Cost cutting is high on their agenda (a major promise of the 
60                 acquisition). You have chosen Web proxying and caching as your proving ground.
61                 </para>
63                 <para>
64                 <indexterm><primary>bandwidth</primary></indexterm>
65                 <indexterm><primary>Microsoft ISA</primary></indexterm>
66                 Abmas Snack Foods has several thousand users housed at its head office 
67                 and multiple regional offices, plants, and warehouses. A high proportion of 
68                 the business's work is done online, so Internet access for most of these 
69                 users is essential. All Internet access, including for all regional offices, 
70                 is funneled through the head office and is the job of the (now your) networking 
71                 team. The bandwidth requirements were horrific (comparable to a small ISP), and 
72                 the team soon discovered proxying and caching. In fact, they became one of 
73                 the earliest commercial users of Microsoft ISA.
74                 </para>
76                 <para>
77                 <indexterm><primary>Active Directory</primary></indexterm>
78                 <indexterm><primary>authenticated</primary></indexterm>
79                 <indexterm><primary>proxy</primary></indexterm>
80                 The team is not happy with ISA. Because it never lived up to its marketing promises, 
81                 it underperformed and had reliability problems. You have pounced on the opportunity 
82                 to show what Open Source can do. The one thing they do like, however, is ISA's 
83                 integration with Active Directory. They like that their users, once logged on, 
84                 are automatically authenticated against the proxy. If your alternative to ISA 
85                 can operate completely seamlessly in their Active Directory domain, it will be
86                 approved.
87                 </para>
89                 <para>
90                 This is a hands-on exercise. You build software applications so
91                 that you obtain the functionality Abmas needs.
92                 </para>
94         </sect2>
95 </sect1>
97 <sect1>
98 <title>Dissection and Discussion</title>
100         <para>
101         The key requirements in this business example are straightforward. You are not required 
102         to do anything new, just to replicate an existing system, not lose any existing features, 
103         and improve performance. The key points are:
104         </para>
106         <itemizedlist>
107                 <listitem><para>
108                 Internet access for most employees
109                 </para></listitem>
110                 <listitem><para>
111                 Distributed system to accommodate load and geographical distribution of users
112                 </para></listitem>
113                 <listitem><para>
114                 Seamless and transparent interoperability with the existing Active Directory domain
115                 </para></listitem>
116         </itemizedlist>
119         <sect2>
120                 <title>Technical Issues</title>
122                 <para>
123                 <indexterm><primary>browsing</primary></indexterm>
124                 <indexterm><primary>Squid proxy</primary></indexterm>
125                 <indexterm><primary>proxy</primary></indexterm>
126                 <indexterm><primary>authentication</primary></indexterm>
127                 <indexterm><primary>Internet Explorer</primary></indexterm>
128                 <indexterm><primary>winbind</primary></indexterm>
129                 <indexterm><primary>NTLM</primary></indexterm>
130                 <indexterm><primary>NTLM authentication daemon</primary></indexterm>
131                 <indexterm><primary>authentication</primary></indexterm>
132                 <indexterm><primary>daemon</primary></indexterm>
133                 <indexterm><primary>Active Directory</primary></indexterm>
134                 <indexterm><primary>domain</primary><secondary>Active Directory</secondary></indexterm>
135                 <indexterm><primary>Kerberos</primary></indexterm><indexterm><primary>token</primary></indexterm>
136                 Functionally, the user's Internet Explorer requests a browsing session with the 
137                 Squid proxy, for which it offers its AD authentication token. Squid hands off 
138                 the authentication request to the Samba-3 authentication helper application
139                 called <command>ntlm_auth</command>. This helper is a hook into winbind, the 
140                 Samba-3 NTLM authentication daemon. Winbind enables UNIX services to authenticate 
141                 against Microsoft Windows domains, including Active Directory domains. As Active 
142                 Directory authentication is a modified Kerberos authentication, winbind is assisted 
143                 in this by local Kerberos 5 libraries configured to check passwords with the Active 
144                 Directory server. Once the token has been checked, a browsing session is established. 
145                 This process is entirely transparent and seamless to the user.
146                 </para>
148                 <para>
149                 Enabling this consists of:
150                 </para>
152                 <itemizedlist>
153                         <listitem><para>
154                         Preparing the necessary environment using preconfigured packages
155                         </para></listitem>
157                         <listitem><para>
158                         Setting up raw Kerberos authentication against the Active Directory domain
159                         </para></listitem>
161                         <listitem><para>
162                         Configuring, compiling, and then installing the supporting Samba-3 components
163                         </para></listitem>
165                         <listitem><para>
166                         Tying it all together
167                         </para></listitem>
168                 </itemizedlist>
170         </sect2>
173         <sect2>
174                 <title>Political Issues</title>
176                 <para>
177                 You are a stranger in a strange land, and all eyes are upon you. Some would even like to see 
178                 you fail. For you to gain the trust of your newly acquired IT people, it is essential that your 
179                 solution does everything the old one did, but does it better in every way. Only then 
180                 will the entrenched positions consider taking up your new way of doing things on a 
181                 wider scale.
182                 </para>
184         </sect2>
186 </sect1>
188 <sect1>
189         <title>Implementation</title>
191         <para>
192         <indexterm><primary>Squid</primary></indexterm>
193         First, your system needs to be prepared and in a known good state to proceed. This consists 
194         of making sure that everything the system depends on is present and that everything that could 
195         interfere or conflict with the system is removed. You will be configuring the Squid and Samba-3 
196         packages and updating them if necessary. If conflicting packages of these programs are installed, 
197         they must be removed.
198         </para>
200         <para>
201         <indexterm><primary>Red Hat Linux</primary></indexterm>
202         The following packages should be available on your Red Hat Linux system:
203         </para>
205         <itemizedlist>
206                 <listitem><para>
207                 <indexterm><primary>krb5</primary></indexterm>
208                 <indexterm><primary>Kerberos</primary></indexterm>
209                 krb5-libs
210                 </para></listitem>
212                 <listitem><para>
213                 krb5-devel
214                 </para></listitem>
216                 <listitem><para>
217                 krb5-workstation
218                 </para></listitem>
220                 <listitem><para>
221                 krb5-server
222                 </para></listitem>
224                 <listitem><para>
225                 pam_krb5
226                 </para></listitem>
227         </itemizedlist>
229         <para>
230         <indexterm><primary>SUSE Linux</primary></indexterm>
231         In the case of SUSE Linux, these packages are called:
232         </para>
234         <itemizedlist>
235                 <listitem><para>
236                 heimdal-lib
237                 </para></listitem>
239                 <listitem><para>
240                 heimdal-devel
241                 </para></listitem>
243                 <listitem><para>
244                 <indexterm><primary>Heimdal</primary></indexterm>
245                 heimdal
246                 </para></listitem>
248                 <listitem><para>
249                 pam_krb5
250                 </para></listitem>
251         </itemizedlist>
253         <para>
254         If the required packages are not present on your system, you must install
255         them from the vendor's installation media. Follow the administrative guide
256         for your Linux system to ensure that the packages are correctly updated.
257         </para>
259         <note><para>
260         <indexterm><primary>MS Windows Server 2003</primary></indexterm>
261         <indexterm><primary>Kerberos</primary></indexterm>
262         <indexterm><primary>MIT</primary></indexterm>
263         If the requirement is for interoperation with MS Windows Server 2003, it
264         will be necessary to ensure that you are using MIT Kerberos version 1.3.1
265         or later. Red Hat Linux 9 ships with MIT Kerberos 1.2.7 and thus requires
266         updating.
267         </para>
269         <para>
270         <indexterm><primary>Heimdal</primary></indexterm>
271         <indexterm><primary>SUSE Enterprise Linux Server</primary></indexterm>
272         Heimdal 0.6 or later is required in the case of SUSE Linux. SUSE Enterprise
273         Linux Server 8 ships with Heimdal 0.4. SUSE 9 ships with the necessary version.
274         </para></note>
276         <sect2 id="ch10-one">
277         <title>Removal of Pre-Existing Conflicting RPMs</title>
279         <para>
280         <indexterm><primary>Squid</primary></indexterm>
281         If Samba and/or Squid RPMs are installed, they should be updated. You can 
282         build both from source.
283         </para>
285         <para>
286         <indexterm><primary>rpm</primary></indexterm>
287         <indexterm><primary>samba</primary></indexterm>
288         <indexterm><primary>squid</primary></indexterm>
289         Locating the packages to be un-installed can be achieved by running:
290 <screen>
291 &rootprompt; rpm -qa | grep -i samba
292 &rootprompt; rpm -qa | grep -i squid
293 </screen>
294         The identified packages may be removed using:
295 <screen>
296 &rootprompt; rpm -e samba-common
297 </screen>
298         </para>
300         <sect2>
301         <title>Kerberos Configuration</title>
303         <para>
304         <indexterm><primary>Kerberos</primary></indexterm>
305         <indexterm><primary>Active Directory</primary><secondary>server</secondary></indexterm>
306         <indexterm><primary>ADS</primary></indexterm>
307         <indexterm><primary>KDC</primary></indexterm>
308         The systems Kerberos installation must be configured to communicate with 
309         your primary Active Directory server (ADS KDC).
310         </para>
312         <para>
313         Strictly speaking, MIT Kerberos version 1.3.4 currently gives the best results, 
314         although the current default Red Hat MIT version 1.2.7 gives acceptable results 
315         unless you are using Windows 2003 servers.
316         </para>
318         <para>
319         <indexterm><primary>MIT</primary></indexterm>
320         <indexterm><primary>Heimdal</primary></indexterm>
321         <indexterm><primary>Kerberos</primary></indexterm>
322         <indexterm><primary>/etc/krb5.conf</primary></indexterm>
323         <indexterm><primary>DNS</primary><secondary>SRV records</secondary></indexterm>
324         <indexterm><primary>KDC</primary></indexterm>
325         <indexterm><primary>DNS</primary><secondary>lookup</secondary></indexterm>
326         Officially, neither MIT (1.3.4) nor Heimdal (0.63) Kerberos needs an <filename>/etc/krb5.conf</filename> 
327         file in order to work correctly. All ADS domains automatically create SRV records in the 
328         DNS zone <constant>Kerberos.REALM.NAME</constant> for each KDC in the realm. Since both 
329         MIT and Heimdal, KRB5 libraries default to checking for these records, so they 
330         automatically find the KDCs. In addition, <filename>krb5.conf</filename> allows 
331         specifying only a single KDC, even if there is more than one. Using the DNS lookup 
332         allows the KRB5 libraries to use whichever KDCs are available.
333         </para>
335         <procedure>
336         <title>Kerberos Configuration Steps</title>
338                 <step><para>
339                 <indexterm><primary>krb5.conf</primary></indexterm>
340                 If you find the need to manually configure the <filename>krb5.conf</filename>, you should edit it
341                 to have the contents shown in <link linkend="ch10-krb5conf"/>. The final fully qualified path for this file 
342                 should be <filename>/etc/krb5.conf</filename>.
343                 </para></step>
345                 <step><para>
346                 <indexterm><primary>Kerberos</primary></indexterm>
347                 <indexterm><primary>realm</primary></indexterm>
348                 <indexterm><primary>case-sensitive</primary></indexterm>
349                 <indexterm><primary>KDC</primary></indexterm>
350                 <indexterm><primary>synchronization</primary></indexterm>
351                 <indexterm><primary>initial credentials</primary></indexterm>
352                 <indexterm><primary>Clock skew</primary></indexterm>
353                 <indexterm><primary>NTP</primary></indexterm>
354                 <indexterm><primary>DNS</primary><secondary>lookup</secondary></indexterm>
355                 <indexterm><primary>reverse DNS</primary></indexterm>
356                 <indexterm><primary>NetBIOS name </primary></indexterm>
357                 <indexterm><primary>/etc/hosts</primary></indexterm>
358                 <indexterm><primary>mapping</primary></indexterm>
359                 The following gotchas often catch people out. Kerberos is case sensitive. Your realm must
360                 be in UPPERCASE, or you will get an error: <quote>Cannot find KDC for requested realm while getting
361                 initial credentials</quote>.  Kerberos is picky about time synchronization. The time
362                 according to your participating servers must be within 5 minutes or you get an error:
363                 <quote>kinit(v5): Clock skew too great while getting initial credentials</quote>.
364                 Clock skew limits are, in fact, configurable in the Kerberos protocols (the default is
365                 5 minutes). A better solution is to implement NTP throughout your server network.
366                 Kerberos needs to be able to do a reverse DNS lookup on the IP address of your KDC.
367                 Also, the name that this reverse lookup maps to must either be the NetBIOS name of
368                 the KDC (i.e., the hostname with no domain attached) or the
369                 NetBIOS name followed by the realm. If all else fails, you can add a
370                 <filename>/etc/hosts</filename> entry mapping the IP address of your KDC to its
371                 NetBIOS name. If Kerberos cannot do this reverse lookup, you will get a local error
372                 when you try to join the realm.
373                 </para></step>
375                 <step><para>
376                 <indexterm><primary>kinit</primary></indexterm>
377                 You are now ready to test your installation by issuing the command:
378 <screen>
379 &rootprompt; kinit [USERNAME@REALM]
380 </screen> 
381                 You are asked for your password, which you should enter. The following
382                 is a typical console sequence:
383 <screen>
384 &rootprompt; kinit ADMINISTRATOR@LONDON.ABMAS.BIZ
385 Password for ADMINISTRATOR@LONDON.ABMAS.BIZ: 
386 </screen>
387                 Make sure that your password is accepted by the Active Directory KDC.
388                 </para></step>
389         </procedure>
391 <example id="ch10-krb5conf">
392 <title>Kerberos Configuration &smbmdash; File: <filename>/etc/krb5.conf</filename></title>
393 <screen>
394 [libdefaults]
395         default_realm = LONDON.ABMAS.BIZ
397 [realms] 
398         LONDON.ABMAS.BIZ = {
399         kdc = w2k3s.london.abmas.biz
400         }
401 </screen>
402 </example>
404         <para><indexterm>
405             <primary>klist</primary>
406           </indexterm>
407         The command
408 <screen>
409 &rootprompt; klist -e 
410 </screen>
411         shows the Kerberos tickets cached by the system.
412         </para>
414         <sect3>
415         <title>Samba Configuration</title>
417         <para>
418         <indexterm><primary>Active Directory</primary></indexterm>
419         Samba must be configured to correctly use Active Directory. Samba-3 must be used, since it 
420         has the necessary components to interface with Active Directory.
421         </para>
423         <procedure>
424         <title>Securing Samba-3 With ADS Support Steps</title>
426                 <step><para>
427                 <indexterm><primary>Red Hat Linux</primary></indexterm>
428                 <indexterm><primary>Samba Tea</primary></indexterm>
429                 <indexterm><primary>Red Hat Fedora Linux</primary></indexterm>
430                 <indexterm><primary>MIT KRB5</primary></indexterm>
431                 <indexterm><primary>ntlm_auth</primary></indexterm>
432                 Download the latest stable Samba-3 for Red Hat Linux from the official Samba Team
433                 <ulink url="http://ftp.samba.org">FTP site.</ulink> The official Samba Team
434                 RPMs for Red Hat Fedora Linux contain the <command>ntlm_auth</command> tool
435                 needed, and are linked against MIT KRB5 version 1.3.1 and therefore are ready for use.
436                 </para>
438                 <para>
439                 <indexterm><primary>SerNet</primary></indexterm>
440                 <indexterm><primary>RPMs</primary></indexterm>
441                 The necessary, validated RPM packages for SUSE Linux may be obtained from
442                 the <ulink url="ftp://ftp.sernet.de/pub/samba">SerNet</ulink> FTP site that
443                 is located in Germany. All SerNet RPMs are validated, have the necessary
444                 <command>ntlm_auth</command> tool, and are statically linked 
445                 against suitably patched Heimdal 0.6 libraries.
446                 </para></step>
448                 <step><para>
449                 Using your favorite editor, change the <filename>/etc/samba/smb.conf</filename>
450                 file so it has contents similar to the example shown in <link linkend="ch10-smbconf"/>.
451                 </para></step>
453                 <step><para>
454                 <indexterm><primary>computer account</primary></indexterm>
455                 <indexterm><primary>Active Directory</primary></indexterm>
456                 <indexterm><primary>net</primary><secondary>ads</secondary><tertiary>join</tertiary></indexterm>i
457                 <indexterm><primary>Kerberos ticket</primary></indexterm>
458                 <indexterm><primary>ticket</primary></indexterm>
459                 Next you need to create a computer account in the Active Directory. 
460                 This sets up the trust relationship needed for other clients to 
461                 authenticate to the Samba server with an Active Directory Kerberos ticket. 
462                 This is done with the <quote>net ads join -U [Administrator%Password]</quote>
463                 command, as follows:
464 <screen>
465 &rootprompt; net ads join -U administrator%vulcon
466 </screen>
467                 </para></step>
469                 <step><para>
470                 <indexterm><primary>smbd</primary></indexterm>
471                 <indexterm><primary>nmbd</primary></indexterm>
472                 <indexterm><primary>winbindd</primary></indexterm>
473                 <indexterm><primary>Active Directory</primary></indexterm>
474                 <indexterm><primary>Samba</primary></indexterm>
475                 Your new Samba binaries must be started in the standard manner as is applicable
476                 to the platform you are running on. Alternatively, start your Active Directory-enabled Samba with the following commands:
477 <screen>
478 &rootprompt; smbd -D
479 &rootprompt; nmbd -D
480 &rootprompt; winbindd -D
481 </screen>
482                 </para></step>
484                 <step><para>
485                 <indexterm><primary>winbind</primary></indexterm>
486                 <indexterm><primary>Active Directory</primary><secondary>domain</secondary></indexterm>
487                 <indexterm><primary>wbinfo</primary></indexterm>
488                 <indexterm><primary>enumerating</primary></indexterm>
489                 <indexterm><primary>Active Directory</primary><secondary>tree</secondary></indexterm>
490                 We now need to test that Samba is communicating with the Active 
491                 Directory domain; most specifically, we want to see whether winbind 
492                 is enumerating users and groups. Issue the following commands:
493 <screen>
494 &rootprompt; wbinfo -t
495 checking the trust secret via RPC calls succeeded
496 </screen>
497                 This tests whether we are authenticating against Active Directory:
498 <screen>
499 &rootprompt; wbinfo -u
500 LONDON+Administrator
501 LONDON+Guest
502 LONDON+SUPPORT_388945a0
503 LONDON+krbtgt
504 LONDON+jht
505 LONDON+xjht
506 </screen>
507                 This enumerates all the users in your Active Directory tree:
508 <screen>
509 &rootprompt; wbinfo -g
510 LONDON+Domain Computers
511 LONDON+Domain Controllers
512 LONDON+Schema Admins
513 LONDON+Enterprise Admins
514 LONDON+Domain Admins
515 LONDON+Domain Users
516 LONDON+Domain Guests
517 LONDON+Group Policy Creator Owners
518 LONDON+DnsUpdateProxy
519 </screen>
520                 This enumerates all the groups in your Active Directory tree.
521                 </para></step>
523                 <step><para>
524                 <indexterm><primary>Squid</primary></indexterm>
525                 <indexterm><primary>ntlm_auth</primary></indexterm>
526                 Squid uses the <command>ntlm_auth</command> helper build with Samba-3.
527                 You may test <command>ntlm_auth</command> with the command:
528 <screen>
529 &rootprompt; /usr/bin/ntlm_auth --username=jht
530 password: XXXXXXXX
531 </screen>
532                 You are asked for your password, which you should enter. You are rewarded with:
533 <screen>
534 &rootprompt; NT_STATUS_OK: Success (0x0)
535 </screen>
536                 </para></step>
538                 <step><para>
539                 <indexterm><primary>ntlm_auth</primary></indexterm>
540                 <indexterm><primary>authenticate</primary></indexterm>
541                 <indexterm><primary>winbind</primary></indexterm>
542                 <indexterm><primary>privileged pipe</primary></indexterm>
543                 <indexterm><primary>squid</primary></indexterm>
544                 <indexterm><primary>chgrp</primary></indexterm>
545                 <indexterm><primary>chmod</primary></indexterm>
546                 <indexterm><primary>failure</primary></indexterm>
547                 The <command>ntlm_auth</command> helper, when run from a command line as the user 
548                 <quote>root</quote>, authenticates against your Active Directory domain (with 
549                 the aid of winbind). It manages this by reading from the winbind privileged pipe. 
550                 Squid is running with the permissions of user <quote>squid</quote> and group 
551                 <quote>squid</quote> and is not able to do this unless we make a vital change. 
552                 Squid cannot read from the winbind privilege pipe unless you change the 
553                 permissions of its directory. This is the single biggest cause of failure in the 
554                 whole process. Remember to issue the following command (for Red Hat Linux):
555 <screen>
556 &rootprompt; chgrp squid /var/cache/samba/winbindd_privileged
557 &rootprompt; chmod 750 /var/cache/samba/winbindd_privileged
558 </screen>
559                 For SUSE Linux 9, execute the following:
560 <screen>
561 &rootprompt; chgrp squid /var/lib/samba/winbindd_privileged
562 &rootprompt; chmod 750 /var/lib/samba/winbindd_privileged
563 </screen>
564                 </para></step>
566         </procedure>
567         </sect3>
569         <sect3>
570         <title>NSS Configuration</title>
572         <para>
573         <indexterm><primary>NSS</primary></indexterm>
574         <indexterm><primary>winbind</primary></indexterm>
575         <indexterm><primary>authentication</primary></indexterm>
576         For Squid to benefit from Samba-3, NSS must be updated to allow winbind as a valid route to user authentication.
577         </para>
579         <para>
580         Edit your <filename>/etc/nsswitch.conf</filename> file so it has the parameters shown
581         in <link linkend="ch10-etcnsscfg"/>.
582         </para>
584 <example id="ch10-smbconf">
585 <title>Samba Configuration &smbmdash; File: <filename>/etc/samba/smb.conf</filename></title>
586 <smbconfblock>
587 <smbconfsection name="[global]"/>
588 <smbconfoption name="workgroup">LONDON</smbconfoption>
589 <smbconfoption name="netbios name">W2K3S</smbconfoption>
590 <smbconfoption name="realm">LONDON.ABMAS.BIZ</smbconfoption>
591 <smbconfoption name="security">ads</smbconfoption>
592 <smbconfoption name="encrypt passwords">yes</smbconfoption>
593 <smbconfoption name="password server">w2k3s.london.abmas.biz</smbconfoption>
595 <smbconfcomment>separate domain and username with '/', like DOMAIN/username</smbconfcomment>
596 <smbconfoption name="winbind separator">/</smbconfoption>
598 <smbconfcomment>use UIDs from 10000 to 20000 for domain users</smbconfcomment>
599 <smbconfoption name="idmap uid">10000-20000</smbconfoption>
600 <smbconfcomment>use GIDs from 10000 to 20000 for domain groups</smbconfcomment>
601 <smbconfoption name="idmap gid">10000-20000</smbconfoption>
603 <smbconfcomment>allow enumeration of winbind users and groups</smbconfcomment>
604 <smbconfoption name="winbind enum users">yes</smbconfoption>
605 <smbconfoption name="winbind enum groups">yes</smbconfoption>
606 <smbconfoption name="winbind user default domain">yes</smbconfoption>
607 </smbconfblock>
608 </example>
610 <example id="ch10-etcnsscfg">
611 <title>NSS Configuration File Extract &smbmdash; File: <filename>/etc/nsswitch.conf</filename></title>
612 <screen>
613 passwd: files winbind
614 shadow: files
615 group: files winbind
616 </screen>
617 </example>
619         </sect3>
621         <sect3>
622         <title>Squid Configuration</title>
624         <para>
625         <indexterm><primary>Squid</primary></indexterm>
626         <indexterm><primary>Active Directory</primary><secondary>authentication</secondary></indexterm>
627         Squid must be configured correctly to interact with the Samba-3 
628         components that handle Active Directory authentication.
629         </para>
631         </sect3>
633         </sect2>
635         <sect2>
636         <title>Configuration</title></sect2>
638         <procedure>
639         <title>Squid Configuration Steps</title>
641                 <step><para>
642                 <indexterm><primary>SUSE Linux</primary></indexterm>
643                 <indexterm><primary>Squid</primary> </indexterm>
644                 <indexterm><primary>helper agent</primary></indexterm>
645                 If your Linux distribution is SUSE Linux 9, the version of Squid 
646                 supplied is already enabled to use the winbind helper agent. You
647                 can therefore omit the steps that would build the Squid binary
648                 programs.
649                 </para></step>
651                 <step><para>
652                 <indexterm><primary>nobody</primary></indexterm>
653                 <indexterm><primary>squid</primary></indexterm>
654                 <indexterm><primary>rpms</primary></indexterm>
655                 <indexterm><primary>/etc/passwd</primary></indexterm>
656                 <indexterm><primary>/etc/group</primary></indexterm>
657                 Squid, by default, runs as the user <constant>nobody</constant>. You need to 
658                 add a system user <constant>squid</constant> and a system group 
659                 <constant>squid</constant> if they are not set up already (if the default 
660                 Red Hat squid rpms were installed, they will be).  Set up a 
661                 <constant>squid</constant> user in <filename>/etc/passwd</filename> 
662                 and a <constant>squid</constant> group in <filename>/etc/group</filename> if these aren't there already.
663                 </para></step>
665                 <step><para>
666                 <indexterm><primary>permissions</primary></indexterm>
667                 <indexterm><primary>chown</primary></indexterm>
668                 You now need to change the permissions on Squid's <constant>var</constant>
669                 directory.  Enter the following command:
670 <screen>
671 &rootprompt; chown -R squid /var/cache/squid
672 </screen>
673                 </para></step>
675                 <step><para>
676                 <indexterm><primary>logging</primary></indexterm>
677                 <indexterm><primary>Squid</primary></indexterm>
678                 Squid must also have control over its logging. Enter the following commands:
679 <screen>
680 &rootprompt; chown -R chown squid:squid /var/log/squid
681 &rootprompt; chmod 770 /var/log/squid
682 </screen>
683                 </para></step>
685                 <step><para>
686                 Finally, Squid must be able to write to its disk cache!
687                 Enter the following commands:
688 <screen>
689 &rootprompt; chown -R chown squid:squid /var/cache/squid
690 &rootprompt; chmod 770 /var/cache/squid
691 </screen>
692                 </para></step>
694                 <step><para>
695                 <indexterm><primary>/etc/squid/squid.conf</primary></indexterm>
696                 The <filename>/etc/squid/squid.conf</filename> file must be edited to include the lines from 
697                 <link linkend="etcsquidcfg"/> and <link linkend="etcsquid2"/>.
698                 </para></step>
700                 <step><para>
701                 <indexterm><primary>cache directories</primary></indexterm>
702                 You must create Squid's cache directories before it may be run.  Enter the following command: 
703 <screen>
704 &rootprompt; squid -z
705 </screen>
706                 </para></step>
708                 <step><para>
709                 Finally, start Squid and enjoy transparent Active Directory authentication.
710                 Enter the following command:
711 <screen>
712 &rootprompt; squid
713 </screen>
714                 </para></step>
715         </procedure>
717 <example id="etcsquidcfg">
718 <title>Squid Configuration File Extract &smbmdash; <filename>/etc/squid.conf</filename> [ADMINISTRATIVE PARAMETERS Section]</title>
719 <screen>
720         cache_effective_user squid
721         cache_effective_group squid
722 </screen>
723 </example>
725 <example id="etcsquid2">
726 <title>Squid Configuration File extract &smbmdash; File: <filename>/etc/squid.conf</filename> [AUTHENTICATION PARAMETERS Section]</title>
727 <screen>
728         auth_param ntlm program /usr/bin/ntlm_auth \
729                                 --helper-protocol=squid-2.5-ntlmssp
730         auth_param ntlm children 5
731         auth_param ntlm max_challenge_reuses 0
732         auth_param ntlm max_challenge_lifetime 2 minutes
733         auth_param basic program /usr/bin/ntlm_auth \
734                                 --helper-protocol=squid-2.5-basic
735         auth_param basic children 5
736         auth_param basic realm Squid proxy-caching web server
737         auth_param basic credentialsttl 2 hours
738         acl AuthorizedUsers proxy_auth REQUIRED
739         http_access allow all AuthorizedUsers
740 </screen>
741 </example>
743         </sect2>
745         <sect2>
746                 <title>Key Points Learned</title>
748                 <para>
749                 <indexterm><primary>Web browsers</primary></indexterm>
750                 <indexterm><primary>services</primary></indexterm>
751                 <indexterm><primary>authentication protocols</primary></indexterm>
752                 <indexterm><primary>Web</primary><secondary>proxy</secondary><tertiary>access</tertiary></indexterm>
753                 <indexterm><primary>NTLMSSP</primary></indexterm>
754                 Microsoft Windows networking protocols permeate the spectrum of technologies that Microsoft
755                 Windows clients use, even when accessing traditional services such as Web browsers. Depending 
756                 on whom you discuss this with, this is either good or bad. No matter how you might evaluate this,
757                 the use of NTLMSSP as the authentication protocol for Web proxy access has some advantages over
758                 the cookie-based authentication regime used by all competing browsers. It is Samba's implementation
759                 of NTLMSSP that makes it attractive to implement the solution that has been demonstrated in this chapter.
760                 </para>
762         </sect2>
764 </sect1>
766 <sect1>
767         <title>Questions and Answers</title>
769         <para>
770         <indexterm><primary>ntlm_auth</primary></indexterm>
771         <indexterm><primary>SambaXP conference</primary></indexterm>
772         <indexterm><primary>Goettingen</primary></indexterm>
773         <indexterm><primary>Italian</primary></indexterm>
774         The development of the <command>ntlm_auth</command> module was first discussed in many Open Source circles
775         in 2002. At the SambaXP conference in Goettingen, Germany, Mr. Francesco Chemolli demonstrated the use of 
776         <command>ntlm_auth</command> during one of the late developer meetings that took place. Since that time, the 
777         adoption of <command>ntlm_auth</command> has spread considerably.
778         </para>
780         <para>
781         The largest report from a site that uses Squid with <command>ntlm_auth</command>-based authentication
782         support uses a dual processor server that has 2 GB of memory. It provides Web and FTP proxy services for 10,000
783         users. Approximately 2,000 of these users make heavy use of the proxy services. According to the source, who
784         wishes to remain anonymous, the sustained transaction load on this server hovers around 140 hits/sec. The following
785         comments were made with respect to questions regarding the performance of this installation:
786         </para>
788         <blockquote><para>
789         [In our] EXTREMELY optimized environment . . . [the] performance impact is almost [nothing]. The <quote>almost</quote> 
790         part is due to the brain damage of the ntlm-over-http protocol definition. Suffice to say that its worst-case 
791         scenario triples the number of hits needed to perform the same transactions versus basic or digest auth[entication].
792         </para></blockquote>
794         <para>
795         You would be well-advised to recognize that all cache-intensive proxying solutions demand a lot of memory.
796         Make certain that your Squid proxy server is equipped with sufficient memory to permit all proxy operations to run 
797         out of memory without invoking the overheads involved in the use of memory that has to be swapped to disk.
798         </para>
800         <qandaset defaultlabel="chap10bqa" type="number">
801         <qandaentry>
802         <question>
804                 <para>
805                 What does Samba have to do with Web proxy serving?
806                 </para>
808         </question>
809         <answer>
811                 <para>
812                 <indexterm><secondary>transparent inter-operability</secondary></indexterm>
813                 <indexterm><primary>Windows clients</primary></indexterm>
814                 <indexterm><primary>network</primary><secondary>services</secondary></indexterm>
815                 <indexterm><primary>authentication</primary></indexterm>
816                 <indexterm><primary>wrapper</primary></indexterm>
817                 To provide transparent interoperability between Windows clients and the network services
818                 that are used from them, Samba had to develop tools and facilities that deliver that feature. The benefit
819                 of Open Source software is that it can readily be reused. The current <command>ntlm_auth</command>
820                 module is basically a wrapper around authentication code from the core of the Samba project.
821                 </para>
823                 <para>
824                 <indexterm><primary>plain-text</primary></indexterm>
825                 <indexterm><primary>authentication</primary><secondary>plain-text</secondary></indexterm>
826                 <indexterm><primary>Web</primary><secondary>proxy</secondary></indexterm>
827                 <indexterm><primary>FTP</primary><secondary>proxy</secondary></indexterm>
828                 <indexterm><primary>NTLMSSP</primary></indexterm>
829                 <indexterm><primary>logon credentials</primary></indexterm>
830                 <indexterm><primary>Windows explorer</primary></indexterm>
831                 <indexterm><primary>Internet Information Server</primary></indexterm>
832                 <indexterm><primary>Apache Web server</primary></indexterm>
833                 The <command>ntlm_auth</command> module supports basic plain-text authentication and NTLMSSP 
834                 protocols. This module makes it possible for Web and FTP proxy requests to be authenticated without
835                 the user being interrupted via his or her Windows logon credentials. This facility is available with
836                 MS Windows Explorer and is one of the key benefits claimed for Microsoft Internet Information Server.
837                 There are a few open source initiatives to provide support for these protocols in the Apache Web server
838                 also.
839                 </para>
841                 <para>
842                 <indexterm><primary>wrapper</primary></indexterm>
843                 The short answer is that by adding a wrapper around key authentication components of Samba, other
844                 projects (like Squid) can benefit from the labors expended in meeting user interoperability needs.
845                 </para>
847         </answer>
848         </qandaentry>
850         <qandaentry>
851         <question>
853                 <para>
854                 What other services does Samba provide?
855                 </para>
857         </question>
858         <answer>
860                 <para>
861                 <indexterm><primary>winbindd</primary></indexterm>
862                 <indexterm><primary>Identity resolver</primary></indexterm>
863                 <indexterm><primary>daemon</primary></indexterm>
864                 <indexterm><primary>smbd</primary></indexterm>
865                 <indexterm><primary>file and print server</primary></indexterm>
866                 Samba-3 is a file and print server. The core components that provide this functionality are <command>smbd</command>,
867                 <command>nmbd</command>, and the identity resolver daemon, <command>winbindd</command>.
868                 </para>
870                 <para>
871                 <indexterm><primary>SMB/CIFS</primary></indexterm>
872                 <indexterm><primary>smbclient</primary></indexterm>
873                 Samba-3 is an SMB/CIFS client. The core component that provides this is called <command>smbclient</command>.
874                 </para>
876                 <para>
877                 <indexterm><primary>modules</primary></indexterm>
878                 <indexterm><primary>utilities</primary></indexterm>
879                 <indexterm><primary>validation</primary></indexterm>
880                 <indexterm><primary>inter-operability</primary></indexterm>
881                 <indexterm><primary>authentication</primary></indexterm>
882                 Samba-3 includes a number of helper tools, plug-in modules, utilities, and test and validation facilities.
883                 Samba-3 includes glue modules that help provide interoperability between MS Windows clients and UNIX/Linux
884                 servers and clients. It includes Winbind agents that make it possible to authenticate UNIX/Linux access attempts
885                 as well as logins to an SMB/CIFS authentication server backend. Samba-3 includes name service switch (NSS) modules
886                 to permit identity resolution via SMB/CIFS servers (Windows NT4/200x, Samba, and a host of other commercial
887                 server products).
888                 </para>
890         </answer>
891         </qandaentry>
893         <qandaentry>
894         <question>
896                 <para>
897                 Does use of Samba (<command>ntlm_auth</command>) improve the performance of Squid?
898                 </para>
900         </question>
901         <answer>
903                 <para>
904                 Not really. Samba's <command>ntlm_auth</command> module handles only authentication. It requires that
905                 Squid make an external call to <command>ntlm_auth</command> and therefore actually incurs a
906                 little more overhead. Compared with the benefit obtained, that overhead is well worth enduring. Since
907                 Squid is a proxy server, and proxy servers tend to require lots of memory, it is good advice to provide
908                 sufficient memory when using Squid. Just add a little more to accommodate <command>ntlm_auth</command>.
909                 </para>
911         </answer>
912         </qandaentry>
913         </qandaset>
915 </sect1>
917 </chapter>