- Remove unused entities
[Samba/gebeck_regimport.git] / docs / Samba-Guide / Chap10b-DomainAppsSupport.xml
blob b585ee58ef80b97b7bc2559a30f875106b0c760f
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
                "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [

  <!-- entities files to use -->
  <!ENTITY % global_entities SYSTEM '../entities/global.entities'>
  %global_entities;

]>
<chapter id="DomApps">
  <title>Integrating Additional Services</title>

    <para><indexterm>
        <primary>authentication</primary>
      </indexterm><indexterm>
        <primary>backends</primary>
      </indexterm><indexterm>
        <primary>smbpasswd</primary>
      </indexterm><indexterm>
        <primary>ldapsam</primary>
      </indexterm><indexterm>
        <primary>Active Directory</primary>
      </indexterm>
        You've come a long way now. You have pretty much mastered Samba-3 for 
        most uses it can be put to. Up until now, you have cast Samba-3 in the leading 
        role and where authentication was required, you have used one or another of 
        Samba's many authentication backends (from flat text files with smbpasswd 
        to LDAP directory integration with ldapsam). Now you can design a 
        solution for a new Abmas business. This business is running Windows Server 
        2003 and Active Directory, and these are to stay. It's time to master 
        implementing Samba and Samba-supported services in a domain controlled by 
        the latest Windows authentication technologies. Let's get started &smbmdash; this is 
        leading edge.
        </para>
<sect1>
        <title>Introduction</title>

        <para>
        Abmas has continued its miraculous growth; indeed, nothing seems to be able 
        to stop its diversification into multiple (and seemingly unrelated) fields. 
        Its latest acquisition is Abmas Snack Foods, a big player in the snack-food 
        business.
        </para>

        <para>
        With this acquisition come new challenges for you and your team. Abmas Snack 
        Foods is a well-developed business with a huge and heterogeneous network. They 
        already have Windows, NetWare, and proprietary UNIX, but as yet no Samba or Linux. 
        The network is mature and well established, and there is no question of their chosen 
        user authentication scheme being changed for now. You need to take a wise new 
        approach.
        </para>

        <para>
        You have decided to set the ball rolling by introducing Samba-3 into the network 
        gradually, taking over key services and easing the way to a full migration and, 
        therefore, integration into Abmas's existing business later.
        </para>

        <sect2>
                <title>Assignment Tasks</title>

        <para><indexterm>
            <primary>web</primary>
            <secondary>proxying</secondary>
          </indexterm><indexterm>
            <primary>web</primary>
            <secondary>caching</secondary>
          </indexterm>
                You've promised the skeptical Abmas Snack Foods management team 
                that you can show them how Samba can ease itself and other Open Source 
                technologies into their existing infrastructure and deliver sound business 
                advantages. Cost cutting is high on their agenda (a major promise of the 
                acquisition). You have chosen Web proxying and caching as your proving ground.
                </para>

        <para><indexterm>
            <primary>bandwidth</primary>
          </indexterm><indexterm>
            <primary>Microsoft ISA</primary>
          </indexterm>
                Abmas Snack Foods has several thousand users housed at their head office 
                and multiple regional offices, plants, and warehouses. A high proportion of 
                the business's work is done online, so Internet access for most of these 
                users is essential. All Internet access, including that of the regional offices, 
                is funneled through the head office and is the job of the (now your) networking 
                team. The bandwidth requirements were horrific (comparable to a small ISP), and 
                the team soon discovered proxying and caching. In fact, they became one of 
                the earliest commercial users of Microsoft ISA.
                </para>

        <para><indexterm>
            <primary>Active Directory</primary>
          </indexterm><indexterm>
            <primary>authenticated</primary>
          </indexterm><indexterm>
            <primary>proxy</primary>
          </indexterm>
                The team is not happy with ISA. It never lived up to its marketing promises: 
                it underperformed and had reliability problems. You have pounced on the opportunity 
                to show what Open Source can do. The one thing they do like, however, is ISA's 
                integration with Active Directory. They like that their users, once logged on, 
                are automatically authenticated to the proxy. If your alternative to ISA 
                can operate completely seamlessly in their Active Directory domain, it will be
                approved.
                </para>

                <para>
                This is a hands-on exercise: you build and configure the software components
                that deliver the functionality Abmas needs.
                </para>

        </sect2>
</sect1>
<sect1>
        <title>Dissection and Discussion</title>

        <para>
        The key requirements in this business example are straightforward. You are not required 
        to do anything new, just to replicate an existing system, not lose any existing features, 
        and improve performance. The key points are:
        </para>

        <itemizedlist>
                <listitem><para>
                Internet access for most employees
                </para></listitem>
                <listitem><para>
                Distributed system to accommodate load and geographical distribution of users
                </para></listitem>
                <listitem><para>
                Seamless and transparent interoperability with the existing Active Directory domain
                </para></listitem>
        </itemizedlist>
        <sect2>
                <title>Technical Issues</title>

        <para><indexterm>
            <primary>browsing</primary>
          </indexterm><indexterm>
            <primary>Squid</primary>
          </indexterm><indexterm>
            <primary>Squid proxy</primary>
          </indexterm><indexterm>
            <primary>proxy</primary>
          </indexterm><indexterm>
            <primary>authentication</primary>
          </indexterm><indexterm>
            <primary>Internet Explorer</primary>
          </indexterm><indexterm>
            <primary>winbind</primary>
          </indexterm><indexterm>
            <primary>NTLM</primary>
          </indexterm><indexterm>
            <primary>NTLM authentication daemon</primary>
          </indexterm><indexterm>
            <primary>authentication</primary>
          </indexterm><indexterm>
            <primary>daemon</primary>
          </indexterm><indexterm>
            <primary>Active Directory</primary>
          </indexterm><indexterm>
            <primary>domain</primary>
            <secondary>Active Directory</secondary>
          </indexterm><indexterm>
            <primary>Kerberos</primary>
          </indexterm><indexterm>
            <primary>token</primary>
          </indexterm>
                Functionally, the user's Internet Explorer requests a browsing session through the 
                Squid proxy. When Squid demands authentication, the browser answers with the 
                credentials of the user's existing Windows domain logon, as an NTLM challenge/response 
                exchange, so the user sees no password prompt. Squid hands the exchange to the 
                Samba-3 authentication helper called <command>ntlm_auth</command>. This helper is a 
                hook into winbind, the Samba-3 daemon that lets UNIX services authenticate against 
                Microsoft Windows domains, including Active Directory domains; winbind validates the 
                response with a domain controller. Active Directory authentication is Kerberos 5 with 
                Microsoft extensions, and Samba joins and talks to the domain through the local 
                Kerberos 5 libraries, which is why those libraries must be configured to reach the 
                Active Directory KDC. Once the credentials have been checked, the browsing session 
                is established. This process is entirely transparent and seamless to the user.
                </para>

                <para>
                Enabling this consists of:
                </para>

                <itemizedlist>
                        <listitem><para>
                        Preparing the necessary environment using preconfigured packages
                        </para></listitem>

                        <listitem><para>
                        Setting up raw Kerberos authentication against the Active Directory domain
                        </para></listitem>

                        <listitem><para>
                        Configuring, compiling, and then installing the supporting Samba-3 components
                        </para></listitem>

                        <listitem><para>
                        Tying it all together
                        </para></listitem>
                </itemizedlist>

        </sect2>
        <sect2>
                <title>Political Issues</title>

                <para>
                You are a stranger in a strange land and all eyes are upon you. Some would even like to see 
                you fail. For you to gain the trust of your newly acquired IT people, it is essential that your 
                solution does everything the old one did, but does it better in every way. Only then 
                will the entrenched positions consider taking up your new way of doing things on a 
                wider scale.
                </para>

        </sect2>

</sect1>
<sect1>
        <title>Implementation</title>

      <para><indexterm>
          <primary>Squid</primary>
        </indexterm>
        First, your system needs to be prepared and in a known good state to proceed. This consists 
        of making sure that everything the system depends on is present and that everything that could 
        interfere or conflict with the system is removed. You will be configuring the Squid and Samba-3 
        packages and updating them if necessary. If conflicting packages of these programs are installed, 
        they must be removed.
        </para>

      <para><indexterm>
          <primary>Red Hat Linux</primary>
        </indexterm>
        The following packages should be available on your Red Hat Linux system:
        </para>

        <itemizedlist>
        <listitem><para><indexterm>
              <primary>krb5</primary>
            </indexterm><indexterm>
              <primary>Kerberos</primary>
            </indexterm>
                krb5-libs
                </para></listitem>

                <listitem><para>
                krb5-devel
                </para></listitem>

                <listitem><para>
                krb5-workstation
                </para></listitem>

                <listitem><para>
                krb5-server
                </para></listitem>

                <listitem><para>
                pam_krb5
                </para></listitem>
        </itemizedlist>

      <para><indexterm>
          <primary>SUSE Linux</primary>
        </indexterm>
        In the case of SUSE Linux, these packages are called:
        </para>

        <itemizedlist>
                <listitem><para>
                heimdal-lib
                </para></listitem>

                <listitem><para>
                heimdal-devel
                </para></listitem>

        <listitem><para><indexterm>
              <primary>Heimdal</primary>
            </indexterm>
                heimdal
                </para></listitem>

                <listitem><para>
                pam_krb5
                </para></listitem>
        </itemizedlist>

        <para>
        If the required packages are not present on your system, you must install
        them from the vendor's installation media. Follow the administrative guide
        for your Linux system to ensure that the packages are correctly updated.
        </para>

      <note><para><indexterm>
            <primary>MS Windows Server 2003</primary>
          </indexterm><indexterm>
            <primary>Kerberos</primary>
          </indexterm><indexterm>
            <primary>MIT</primary>
          </indexterm>
        If the requirement is for interoperation with MS Windows Server 2003, it
        will be necessary to ensure that you are using MIT Kerberos version 1.3.1
        or later. Red Hat Linux 9 ships with MIT Kerberos 1.2.7 and thus requires
        updating.
        </para>

        <para><indexterm>
            <primary>Heimdal</primary>
          </indexterm><indexterm>
            <primary>SUSE Enterprise Linux Server</primary>
          </indexterm>
        Heimdal 0.6 or later is required in the case of SUSE Linux. SUSE Enterprise
        Linux Server 8 ships with Heimdal 0.4. SUSE 9 ships with the necessary version.
        </para></note>
        <sect2 id="ch10-one">
        <title>Removal of Pre-existing Conflicting RPMs</title>

        <para><indexterm>
            <primary>Squid</primary>
          </indexterm>
        If older Samba or Squid RPMs are installed, remove them and replace them with the 
        versions described below. You can also build both from source.
        </para>

        <para><indexterm>
            <primary>rpm</primary>
          </indexterm><indexterm>
            <primary>samba</primary>
          </indexterm><indexterm>
            <primary>squid</primary>
          </indexterm>
        Locate the packages to be uninstalled by running:
<screen>
&rootprompt; rpm -qa | grep -i samba
&rootprompt; rpm -qa | grep -i squid
</screen>
        Remove each identified package, for example:
<screen>
&rootprompt; rpm -e samba-common
</screen>
        <command>rpm -e</command> refuses to remove a package that other installed packages 
        still depend on; name the dependent packages on the same command line so that they 
        are removed together.
        </para>

        </sect2>
        <sect2>
        <title>Kerberos Configuration</title>

        <para><indexterm>
            <primary>Kerberos</primary>
          </indexterm><indexterm>
            <primary>Active Directory</primary>
            <secondary>server</secondary>
          </indexterm><indexterm>
            <primary>ADS</primary>
          </indexterm><indexterm>
            <primary>KDC</primary>
          </indexterm>
        The system's Kerberos installation must be configured to communicate with 
        your primary Active Directory server, which acts as the Kerberos KDC for the realm (ADS KDC).
        </para>

        <para>
        Strictly speaking, MIT Kerberos version 1.3.1 currently gives the best results. 
        The default Red Hat MIT version 1.2.7 gives acceptable results 
        unless you are using Windows 2003 servers.
        </para>

        <para><indexterm>
            <primary>MIT</primary>
          </indexterm><indexterm>
            <primary>Heimdal</primary>
          </indexterm><indexterm>
            <primary>Kerberos</primary>
          </indexterm><indexterm>
            <primary>/etc/krb5.conf</primary>
          </indexterm><indexterm>
            <primary>DNS</primary>
            <secondary>SRV records</secondary>
          </indexterm><indexterm>
            <primary>KDC</primary>
          </indexterm><indexterm>
            <primary>DNS</primary>
            <secondary>lookup</secondary>
          </indexterm>
        Officially, neither MIT (1.3.1) nor Heimdal (0.6) Kerberos needs an <filename>/etc/krb5.conf</filename> 
        file in order to work correctly, as long as the realm is known (either given explicitly, as in 
        <command>kinit user@REALM</command>, or set as <parameter>default_realm</parameter>). Every Active 
        Directory domain controller registers itself in DNS as a KDC for the realm, as an SRV record under 
        <constant>_kerberos._tcp.REALM.NAME</constant> (and <constant>_kerberos._udp.REALM.NAME</constant>). 
        Both the MIT and Heimdal KRB5 libraries look these records up by default, so they find the KDCs 
        without being told where they are. A <filename>krb5.conf</filename> that lists KDCs by hand has to 
        be maintained as domain controllers are added or retired, whereas the DNS lookup lets the KRB5 
        libraries use whichever KDCs are currently available.
        </para>
        <procedure>
          <step><para><indexterm>
                <primary>krb5.conf</primary>
              </indexterm>
                If you find the need to manually configure <filename>krb5.conf</filename>, edit it
                to have the contents shown in <link linkend="ch10-krb5conf"/>. The final fully qualified path for this file 
                should be <filename>/etc/krb5.conf</filename>.
                </para></step>

          <step><para><indexterm>
                <primary>Kerberos</primary>
              </indexterm><indexterm>
                <primary>realm</primary>
              </indexterm><indexterm>
                <primary>case-sensitive</primary>
              </indexterm><indexterm>
                <primary>KDC</primary>
              </indexterm><indexterm>
                <primary>synchronization</primary>
              </indexterm><indexterm>
                <primary>initial credentials</primary>
              </indexterm><indexterm>
                <primary>Clock skew</primary>
              </indexterm><indexterm>
                <primary>NTP</primary>
              </indexterm><indexterm>
                <primary>DNS</primary>
                <secondary>lookup</secondary>
              </indexterm><indexterm>
                <primary>reverse DNS</primary>
              </indexterm><indexterm>
                <primary>NetBIOS name</primary>
              </indexterm><indexterm>
                <primary>/etc/hosts</primary>
              </indexterm><indexterm>
                <primary>mapping</primary>
              </indexterm>
                The following gotchas often catch people out. Kerberos is case-sensitive. Your realm must
                be in UPPERCASE, or you will get the error <quote>Cannot find KDC for requested realm while getting
                initial credentials</quote>. Kerberos is picky about time synchronization. The clocks of the
                participating machines must agree to within 5 minutes or you get the error
                <quote>kinit(v5): Clock skew too great while getting initial credentials</quote>.
                The permitted skew is configurable (the <parameter>clockskew</parameter> setting in the
                <constant>[libdefaults]</constant> section of <filename>krb5.conf</filename>; the default is
                300 seconds), but widening it also widens the window in which a captured ticket can be
                replayed, so the better solution is to run NTP throughout your server network.
                Kerberos needs to be able to do a reverse DNS lookup on the IP address of your KDC,
                and the name that this lookup returns must be either the NetBIOS name of
                the KDC (the hostname with no domain attached) or that name followed by the realm,
                that is, the fully qualified hostname. If all else fails, you can add an
                <filename>/etc/hosts</filename> entry mapping the IP address of your KDC to its
                NetBIOS name. If Kerberos cannot do this reverse lookup, you will get a local error
                when you try to join the realm.
                </para></step>

          <step><para><indexterm>
                <primary>kinit</primary>
              </indexterm>
                You are now ready to test your installation by issuing the command:
<screen>
&rootprompt; kinit [USERNAME@REALM]
</screen> 
                You are asked for your password, which you should enter. The following
                is a typical console sequence:
<screen>
&rootprompt; kinit ADMINISTRATOR@LONDON.ABMAS.BIZ
Password for ADMINISTRATOR@LONDON.ABMAS.BIZ: 
</screen>
                Make sure that the Active Directory KDC accepts your password: <command>kinit</command>
                returns silently on success and prints an error otherwise.
                </para></step>
        </procedure>
<example id="ch10-krb5conf">
<title>Kerberos Configuration &smbmdash; File: <filename>/etc/krb5.conf</filename></title>
<screen>
[libdefaults]
        default_realm = LONDON.ABMAS.BIZ

[realms]
        LONDON.ABMAS.BIZ = {
                kdc = w2k3s.london.abmas.biz
        }
</screen>
</example>

        <para><indexterm>
            <primary>klist</primary>
          </indexterm>
        The command:
<screen>
&rootprompt; klist -e 
</screen>
        lists the tickets in the current credential cache together with the encryption type of each.
        After a successful <command>kinit</command> it shows a ticket-granting ticket for
        <constant>krbtgt/LONDON.ABMAS.BIZ@LONDON.ABMAS.BIZ</constant>.
        </para>
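        <para>
        The DNS discovery described above and the gotchas in the procedure can be checked before
        you attempt the join. The following is an added example and not part of the Samba Guide: a
        POSIX shell preflight script that confirms the realm is uppercase, lists the KDCs that Active
        Directory advertises in DNS, verifies the reverse lookup of a KDC, and measures clock skew
        against the domain controller. It assumes BIND's <command>dig</command>, GNU
        <command>date</command>, Samba's <command>net time -S</command>, and the LONDON.ABMAS.BIZ
        realm used in this chapter; the KDC host name is given on the command line.
        </para>

```shell
#!/bin/sh
# Added example, not part of the Samba Guide: pre-join checks for the Kerberos
# gotchas listed above (realm case, KDC discovery via DNS SRV records, reverse
# lookup of the KDC, clock skew). Assumptions: BIND's dig, GNU date, and
# Samba's "net time -S" to read the domain controller's clock.

REALM="${REALM:-LONDON.ABMAS.BIZ}"
MAX_SKEW_SECONDS=300    # the Kerberos default tolerance (5 minutes)

# Kerberos realm names are case-sensitive; an AD realm is the DNS domain in
# UPPERCASE. Returns 0 if the name is already uppercase.
realm_is_uppercase() {
    upper=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    [ "$upper" = "$1" ]
}

# Turn the answer to "dig +short SRV _kerberos._tcp.REALM" into "host port"
# lines, lowest priority value (most preferred) first. Each input line is
#   priority weight port target.
parse_srv_answer() {
    sort -n | while read -r prio weight port target; do
        if [ -n "$target" ]; then printf '%s %s\n' "${target%.}" "$port"; fi
    done
}

# The PTR name for the KDC's address must be its host name, either bare or
# fully qualified, for the libraries to build the right service principal.
reverse_name_matches() {
    ptr=${1%.}; kdc=${2%.}; short=${kdc%%.*}
    [ "$ptr" = "$kdc" ] || [ "$ptr" = "$short" ]
}

# Both arguments are epoch seconds; fail when they differ by more than the
# tolerance, which is when kinit reports "Clock skew too great".
skew_within_limit() {
    diff=$(( $1 - $2 ))
    if [ "$diff" -lt 0 ]; then diff=$(( 0 - diff )); fi
    [ "$diff" -le "$MAX_SKEW_SECONDS" ]
}

# Live checks against the domain. Takes the KDC host name to verify.
preflight() {
    kdc=$1
    if realm_is_uppercase "$REALM"; then
        echo "ok: realm $REALM is uppercase"
    else
        echo "FAIL: realm $REALM must be UPPERCASE"
    fi
    echo "KDCs advertised in DNS for $REALM:"
    dig +short SRV "_kerberos._tcp.$REALM" | parse_srv_answer
    addr=$(dig +short A "$kdc" | head -n 1)
    ptr=$(dig +short -x "$addr" | head -n 1)
    if reverse_name_matches "$ptr" "$kdc"; then
        echo "ok: $addr reverses to $ptr"
    else
        echo "FAIL: $addr reverses to '$ptr', not $kdc (fix DNS or add an /etc/hosts entry)"
    fi
    remote=$(date -d "$(net time -S "$kdc")" +%s)
    if skew_within_limit "$(date +%s)" "$remote"; then
        echo "ok: clock within ${MAX_SKEW_SECONDS}s of $kdc"
    else
        echo "FAIL: clock skew to $kdc exceeds ${MAX_SKEW_SECONDS}s; run NTP"
    fi
}

# Usage: sh krb-preflight.sh w2k3s.london.abmas.biz
if [ -n "${1:-}" ]; then preflight "$1"; fi
```

        <para>
        Run it as <command>sh krb-preflight.sh w2k3s.london.abmas.biz</command>. Each FAIL line
        corresponds to one of the <command>kinit</command> or join errors quoted above, and the
        KDC list shows what the libraries would find on their own without a
        <filename>krb5.conf</filename>.
        </para>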
        <sect3>
        <title>Samba Configuration</title>

          <para><indexterm>
              <primary>Active Directory</primary>
            </indexterm>
        Samba must be configured to correctly use Active Directory. Samba-3 must be used, as 
        this has the necessary components to interface with Active Directory.
        </para>

        <procedure>
            <step><para><indexterm>
                  <primary>Red Hat Linux</primary>
                </indexterm><indexterm>
                  <primary>Samba Team</primary>
                </indexterm><indexterm>
                  <primary>Red Hat Fedora Linux</primary>
                </indexterm><indexterm>
                  <primary>MIT KRB5</primary>
                </indexterm><indexterm>
                  <primary>ntlm_auth</primary>
                </indexterm>
                Download the latest stable Samba-3 for Red Hat Linux from the official Samba Team
                <ulink url="http://ftp.samba.org">FTP site.</ulink> The official Samba Team
                RPMs for Red Hat Fedora Linux contain the <command>ntlm_auth</command> tool
                needed, and are linked against MIT KRB5 version 1.3.1 and, therefore, are ready for use.
                </para>

              <para><indexterm>
                  <primary>SerNet</primary>
                </indexterm><indexterm>
                  <primary>RPMs</primary>
                </indexterm>
                The necessary, validated RPM packages for SUSE Linux may be obtained from
                the <ulink url="ftp://ftp.sernet.de/pub/samba">SerNet</ulink> FTP site that
                is located in Germany. All SerNet RPMs are validated, have the necessary
                <command>ntlm_auth</command> tool, and are statically linked 
                against suitably patched Heimdal 0.6 libraries.
                </para></step>

                <step><para>
                Using your favorite editor, change the <filename>/etc/samba/smb.conf</filename>
                file so it has contents similar to the example shown in <link linkend="ch10-smbconf"/>.
                Set <parameter>netbios name</parameter> to the Samba host's own name, which must not be
                the name of any domain controller, <parameter>realm</parameter> to the Kerberos realm in
                UPPERCASE, and <parameter>password server</parameter> to a domain controller (or omit it
                and let Samba locate one through DNS).
                </para></step>

            <step><para><indexterm>
                  <primary>computer account</primary>
                </indexterm><indexterm>
                  <primary>Active Directory</primary>
                </indexterm><indexterm>
                  <primary>net</primary>
                  <secondary>ads</secondary>
                  <tertiary>join</tertiary>
                </indexterm><indexterm>
                  <primary>Kerberos ticket</primary>
                </indexterm><indexterm>
                  <primary>ticket</primary>
                </indexterm>
                Next you need to create a computer account in the Active Directory. 
                This sets up the trust relationship needed for other clients to 
                authenticate to the Samba server with an Active Directory Kerberos ticket. 
                This is done with the <command>net ads join -U [Administrator%Password]</command>
                command, as follows:
<screen>
&rootprompt; net ads join -U administrator%vulcon
</screen>
                Supplying the password after the <quote>%</quote> as shown puts it into your shell
                history and into the process list while the command runs; the form is used here only
                for brevity. Give just <command>-U administrator</command> and <command>net</command>
                prompts for the password instead.
                </para></step>
            <step><para><indexterm>
                  <primary>smbd</primary>
                </indexterm><indexterm>
                  <primary>nmbd</primary>
                </indexterm><indexterm>
                  <primary>winbindd</primary>
                </indexterm><indexterm>
                  <primary>Active Directory</primary>
                </indexterm><indexterm>
                  <primary>Samba</primary>
                </indexterm>
                Your new Samba binaries must be started in the standard manner as is applicable
                to the platform you are running on. Alternately, start your Active Directory 
                enabled Samba with the following commands:
<screen>
&rootprompt; smbd -D
&rootprompt; nmbd -D
&rootprompt; winbindd -B
</screen>
                </para></step>
            <step><para><indexterm>
                  <primary>winbind</primary>
                </indexterm><indexterm>
                  <primary>Active Directory</primary>
                  <secondary>domain</secondary>
                </indexterm><indexterm>
                  <primary>wbinfo</primary>
                </indexterm><indexterm>
                  <primary>enumerating</primary>
                </indexterm><indexterm>
                  <primary>Active Directory</primary>
                  <secondary>tree</secondary>
                </indexterm>
                We now need to test that Samba is communicating with the Active 
                Directory domain; most specifically, we want to see whether winbind 
                is enumerating users and groups. Issue the following commands:
<screen>
&rootprompt; wbinfo -t
checking the trust secret via RPC calls succeeded
</screen>
                This checks the machine account password created by the join against the
                domain controller, that is, whether Samba itself can authenticate to Active Directory:
<screen>
&rootprompt; wbinfo -u
LONDON+Administrator
LONDON+Guest
LONDON+SUPPORT_388945a0
LONDON+krbtgt
LONDON+jht
LONDON+xjht
</screen>
                This enumerates all the users in your Active Directory domain:
<screen>
&rootprompt; wbinfo -g
LONDON+Domain Computers
LONDON+Domain Controllers
LONDON+Schema Admins
LONDON+Enterprise Admins
LONDON+Domain Admins
LONDON+Domain Users
LONDON+Domain Guests
LONDON+Group Policy Creator Owners
LONDON+DnsUpdateProxy
</screen>
                This enumerates all the groups in your Active Directory domain. The
                <quote>LONDON+</quote> prefix shown here uses Samba's default separator; the
                <parameter>winbind separator</parameter> and <parameter>winbind use default domain</parameter>
                settings in your <filename>smb.conf</filename> determine how the names appear.
                </para></step>
            <step><para><indexterm>
                  <primary>Squid</primary>
                </indexterm><indexterm>
                  <primary>ntlm_auth</primary>
                </indexterm>
                Squid uses the <command>ntlm_auth</command> helper built with Samba-3.
                You may test <command>ntlm_auth</command> with the command:
<screen>
&rootprompt; /usr/bin/ntlm_auth --username=jht
password: XXXXXXXX
</screen>
                You are asked for your password, which you should enter. You are rewarded with:
<screen>
NT_STATUS_OK: Success (0x0)
</screen>
                </para></step>
                <step><para><indexterm>
                  <primary>ntlm_auth</primary>
                </indexterm><indexterm>
                  <primary>authenticate</primary>
                </indexterm><indexterm>
                  <primary>winbind</primary>
                </indexterm><indexterm>
                  <primary>privileged pipe</primary>
                </indexterm><indexterm>
                  <primary>squid</primary>
                </indexterm><indexterm>
                  <primary>chgrp</primary>
                </indexterm><indexterm>
                  <primary>chmod</primary>
                </indexterm><indexterm>
                  <primary>failure</primary>
                </indexterm>
                The <command>ntlm_auth</command> helper, when run from a command line as the user 
                <quote>root</quote>, authenticates against your Active Directory domain (with 
                the aid of winbind). It manages this by reading from the winbind privileged pipe. 
                Squid is running with the permissions of user <quote>squid</quote> and group 
                <quote>squid</quote> and is not able to do this unless we make a vital change. 
                Squid cannot read from the winbind privileged pipe unless you change the 
                group of its directory. This is the single biggest cause of failure in the 
                whole process. Remember to issue the following commands (for Red Hat Linux):
<screen>
&rootprompt; chgrp squid /var/cache/samba/winbindd_privileged
&rootprompt; chmod 750 /var/cache/samba/winbindd_privileged
</screen>
                For SUSE Linux 9, execute the following:
<screen>
&rootprompt; chgrp squid /var/lib/samba/winbindd_privileged
&rootprompt; chmod 750 /var/lib/samba/winbindd_privileged
</screen>
                Do not open the directory any wider than this (no <command>chmod 755</command> or
                <command>chmod 777</command>): any local account that can reach the privileged pipe can
                have winbind validate NTLM challenge/response pairs against the domain, so access
                should be restricted to the group Squid runs as.
                </para></step>

        </procedure>
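        <para>
        The permission problem just described is easy to check before Squid is even started.
        The following is an added example and not part of the Samba Guide: a POSIX shell script
        that refuses any mode other than 750 on the privileged pipe directory, confirms that the
        proxy user can actually reach the socket inside it, and then drives
        <command>ntlm_auth</command> as the proxy user with the same
        <constant>squid-2.5-basic</constant> helper protocol Squid uses, reading the password
        from the terminal rather than the command line. It assumes the Red Hat paths, a proxy
        account and group both named <quote>squid</quote>, and GNU <command>stat</command>;
        adjust the variables at the top for SUSE.
        </para>

```shell
#!/bin/sh
# Added example, not part of the Samba Guide. Checks the single most common
# Squid + ntlm_auth failure, access to winbindd's privileged pipe, and then
# runs the helper as the proxy user. Assumptions: Red Hat paths (SUSE uses
# /var/lib/samba/winbindd_privileged), proxy user and group both "squid",
# GNU coreutils for stat. Run as root.

PRIV_DIR="${PRIV_DIR:-/var/cache/samba/winbindd_privileged}"
PROXY_USER="${PROXY_USER:-squid}"
PROXY_GROUP="${PROXY_GROUP:-squid}"
NTLM_AUTH="${NTLM_AUTH:-/usr/bin/ntlm_auth}"

# winbindd creates the directory as root with mode 0750; the only change
# needed is chgrp to the proxy group. Anything wider (0755, 0777) lets every
# local account submit NTLM challenge/response pairs to winbind for
# validation, so treat that as a failure too. Returns 0 only for mode 750
# and the wanted group.
privileged_dir_ok() {
    dir=$1; wanted_group=$2
    mode=$(stat -c %a "$dir") || return 1
    group=$(stat -c %G "$dir") || return 1
    if [ "$group" != "$wanted_group" ]; then return 1; fi
    case "$mode" in
        750) return 0 ;;
        *)   return 1 ;;
    esac
}

# What the NTLMSSP helper actually needs at run time: search permission on
# the directory and write permission on the socket "pipe" inside it, as
# the proxy user.
proxy_user_can_reach_pipe() {
    su -s /bin/sh "$PROXY_USER" -c "[ -x '$PRIV_DIR' ] || exit 1; [ -w '$PRIV_DIR/pipe' ]"
}

# Squid's basic helper protocol: one "user password" line in (URL-encoded
# by Squid, so encode any space or % yourself), one "OK" or "ERR" line out.
# Anything else means the helper itself failed rather than the password.
helper_reply_is_ok() {
    [ "$1" = "OK" ]
}

# Run the helper as the proxy user, as
#   auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
# in squid.conf would. The password is read from the terminal, never argv.
# This path validates a plaintext password through winbind's ordinary pipe;
# the challenge/response path Squid uses for transparent logon is the one
# that needs the privileged pipe checked above.
check_basic_helper_as_proxy() {
    user=$1
    printf 'Password for %s: ' "$user"
    stty -echo; read -r password; stty echo; echo
    reply=$(printf '%s %s\n' "$user" "$password" |
        su -s /bin/sh "$PROXY_USER" -c "$NTLM_AUTH --helper-protocol=squid-2.5-basic")
    if helper_reply_is_ok "$reply"; then
        echo "ok: helper answered OK as $PROXY_USER"
    else
        echo "FAIL: helper answered '$reply' as $PROXY_USER"
        return 1
    fi
}

main() {
    if privileged_dir_ok "$PRIV_DIR" "$PROXY_GROUP"; then
        echo "ok: $PRIV_DIR is group $PROXY_GROUP, mode 750"
    else
        echo "FAIL: $PRIV_DIR must be group $PROXY_GROUP, mode 750:"
        echo "      chgrp $PROXY_GROUP $PRIV_DIR; chmod 750 $PRIV_DIR"
        return 1
    fi
    if proxy_user_can_reach_pipe; then
        echo "ok: $PROXY_USER can open $PRIV_DIR/pipe"
    else
        echo "FAIL: $PROXY_USER cannot reach $PRIV_DIR/pipe (is winbindd running?)"
        return 1
    fi
    check_basic_helper_as_proxy "$1"
}

# Usage (as root): sh check_helper.sh jht
if [ -n "${1:-}" ]; then main "$1"; fi
```

        <para>
        Run it as root, for example <command>sh check_helper.sh jht</command>. A helper that answers
        OK here but still fails under Squid points at the challenge/response path, and the first two
        checks are exactly the directory permissions that the <command>chgrp</command> and
        <command>chmod</command> above fix.
        </para>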
        </sect3>
        <sect3>
        <title>NSS Configuration</title>

          <para><indexterm>
              <primary>NSS</primary>
            </indexterm><indexterm>
              <primary>winbind</primary>
            </indexterm><indexterm>
              <primary>authentication</primary>
            </indexterm>
        For Squid to benefit from Samba-3, NSS must be configured to use winbind as a source of
        user and group information, so that domain users and groups resolve to the UIDs and GIDs
        that winbind allocates.
        </para>

        <procedure>
                <step><para>
                Edit your <filename>/etc/nsswitch.conf</filename> file so it has the parameters shown
                in <link linkend="ch10-etcnsscfg"/>.
                </para></step>
        </procedure>
707 <smbconfexample id="ch10-smbconf">
708 <title>Samba Configuration &smbmdash; File: <filename>/etc/samba/smb.conf</filename></title>
709 <smbconfsection>[global]</smbconfsection>
710 <smbconfoption><name>workgroup</name><value>LONDON</value></smbconfoption>
711 <smbconfoption><name>netbios name</name><value>W2K3S</value></smbconfoption>
712 <smbconfoption><name>realm</name><value>LONDON.ABMAS.BIZ</value></smbconfoption>
713 <smbconfoption><name>security</name><value>ads</value></smbconfoption>
714 <smbconfoption><name>encrypt passwords</name><value>yes</value></smbconfoption>
715 <smbconfoption><name>password server</name><value>w2k3s.london.abmas.biz</value></smbconfoption>
717 <smbconfcomment>separate domain and username with '/', like DOMAIN/username</smbconfcomment>
718 <smbconfoption><name>winbind separator</name><value>/</value></smbconfoption>
720 <smbconfcomment>use UIDs from 10000 to 20000 for domain users</smbconfcomment>
721 <smbconfoption><name>idmap uid</name><value>10000-20000</value></smbconfoption>
722 <smbconfcomment>use GIDs from 10000 to 20000 for domain groups</smbconfcomment>
723 <smbconfoption><name>idmap gid</name><value>10000-20000</value></smbconfoption>
725 <smbconfcomment>allow enumeration of winbind users and groups</smbconfcomment>
726 <smbconfoption><name>winbind enum users</name><value>yes</value></smbconfoption>
727 <smbconfoption><name>winbind enum groups</name><value>yes</value></smbconfoption>
728 <smbconfoption><name>winbind user default domain</name><value>yes</value></smbconfoption>
729 </smbconfexample>
731 <example id="ch10-etcnsscfg">
732 <title>NSS Configuration File Extract &smbmdash; File: <filename>/etc/nsswitch.conf</filename></title>
733 <screen>
734 passwd: files winbind
735 shadow: files
736 group: files winbind
737 </screen>
738 </example>
740         </sect3>
742         <sect3>
743         <title>Squid Configuration</title>
745           <para><indexterm>
746               <primary>Squid</primary>
747             </indexterm><indexterm>
748               <primary>Active Directory</primary>
749               <secondary>authentication</secondary>
750             </indexterm>
751         Squid must be configured correctly to interact with the Samba-3 
752         components that handle Active Directory authentication.
753         </para>
755         </sect3>
757         </sect2>
759         <sect2>
760         <title>Configuration</title>
762         <procedure>
763         <step><para><indexterm>
764               <primary>SUSE Linux</primary>
765             </indexterm><indexterm>
766               <primary>Squid</primary>
767             </indexterm><indexterm>
768               <primary>helper agent</primary>
769             </indexterm>
770                 If your Linux distribution is SUSE Linux 9, the version of Squid 
771                 supplied is already enabled to use the winbind helper agent. You
772                 can, therefore, omit the steps that would build the Squid binary
773                 programs.
774                 </para></step>
776         <step><para><indexterm>
777               <primary>nobody</primary>
778             </indexterm><indexterm>
779               <primary>squid</primary>
780             </indexterm><indexterm>
781               <primary>rpms</primary>
782             </indexterm><indexterm>
783               <primary>/etc/passwd</primary>
784             </indexterm><indexterm>
785               <primary>/etc/group</primary>
786             </indexterm>
787                 Squid, by default, runs as the user <constant>nobody</constant>. You need to 
788                 add a system user <constant>squid</constant> and a system group 
789                 <constant>squid</constant> if they are not set up already (if the default 
790                 Red Hat squid rpms were installed, they will be). Check 
791                 <filename>/etc/passwd</filename> for the <constant>squid</constant> user 
792                 and <filename>/etc/group</filename> for the <constant>squid</constant> group before adding them.
793                 </para></step>
795         <step><para><indexterm>
796               <primary>permissions</primary>
797             </indexterm><indexterm>
798               <primary>chown</primary>
799             </indexterm>
800                 You now need to make the <constant>squid</constant> user the owner of Squid's
801                 cache directory. Enter the following command:
802 <screen>
803 &rootprompt; chown -R squid /var/cache/squid
804 </screen>
805                 </para></step>
807         <step><para><indexterm>
808               <primary>logging</primary>
809             </indexterm><indexterm>
810               <primary>Squid</primary>
811             </indexterm>
812                 Squid must also have control over its logging. Enter the following commands:
813 <screen>
814 &rootprompt; chown -R squid:squid /var/log/squid
815 &rootprompt; chmod 770 /var/log/squid
816 </screen>
817                 </para></step>
819                 <step><para>
820                 Squid must also be able to write to its disk cache. Set the group
821                 ownership and permissions as well:
822 <screen>
823 &rootprompt; chown -R squid:squid /var/cache/squid
824 &rootprompt; chmod 770 /var/cache/squid
825 </screen>
826                 </para></step>
828         <step><para><indexterm>
829               <primary>/etc/squid/squid.conf</primary>
830             </indexterm>
831                 The <filename>/etc/squid/squid.conf</filename> file must be edited to include the lines from 
832                 <link linkend="etcsquidcfg"/> and <link linkend="etcsquid2"/>.
833                 </para></step>
835         <step><para><indexterm>
836               <primary>cache directories</primary>
837             </indexterm>
838                 You must create Squid's cache directories before it may be run.  Enter the following command: 
839 <screen>
840 &rootprompt; squid -z
841 </screen>
842                 </para></step>
844                 <step><para>
845                 Finally, start Squid and enjoy transparent Active Directory authentication.
846                 Enter the following command:
847 <screen>
848 &rootprompt; squid
849 </screen>
850                 </para></step>
851         </procedure>
853 <example id="etcsquidcfg">
854 <title>Squid Configuration File Extract &smbmdash; File: <filename>/etc/squid/squid.conf</filename> [ADMINISTRATIVE PARAMETERS Section]</title>
855 <screen>
856         cache_effective_user squid
857         cache_effective_group squid
858 </screen>
859 </example>
861 <example id="etcsquid2">
862 <title>Squid Configuration File Extract &smbmdash; File: <filename>/etc/squid/squid.conf</filename> [AUTHENTICATION PARAMETERS Section]</title>
863 <screen>
864         auth_param ntlm program /usr/bin/ntlm_auth \
865                                 --helper-protocol=squid-2.5-ntlmssp
866         auth_param ntlm children 5
867         auth_param ntlm max_challenge_reuses 0
868         auth_param ntlm max_challenge_lifetime 2 minutes
869         auth_param basic program /usr/bin/ntlm_auth \
870                                 --helper-protocol=squid-2.5-basic
871         auth_param basic children 5
872         auth_param basic realm Squid proxy-caching web server
873         auth_param basic credentialsttl 2 hours
874         acl AuthorizedUsers proxy_auth REQUIRED
875         http_access allow all AuthorizedUsers
876 </screen>
877 </example>
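<para>
The following shell script is an added example written for this page; it is not code from the Samba or Squid projects. It checks the three things the steps above get wrong most often: the group ownership and mode of the <filename>winbindd_privileged</filename> directory, the <filename>/etc/nsswitch.conf</filename> entries, and the <filename>squid.conf</filename> helper lines (joining the backslash-continued lines first). It assumes a Linux host with GNU <command>stat</command>; the directory, group name and file paths are passed as arguments, so the checks can be run against copies of the real files. The <function>probe_basic_helper</function> function feeds a username and password to <command>ntlm_auth</command> in the squid-2.5-basic helper protocol and expects an <literal>OK</literal> reply; it needs a running winbindd and is only used when you call it yourself.
</para>

```shell
#!/bin/sh
# Pre-flight checks for the Squid + ntlm_auth setup described above.
# Added example for this page; not code from the Samba or Squid projects.
# Assumption: Linux with GNU stat (the -c format is not POSIX).

# The privileged pipe directory must belong to Squid's group, give that
# group traverse (x) permission, and give "other" nothing: any local
# process that can open the privileged pipe can ask winbind to validate
# NTLM challenge/response pairs.
check_privileged_dir() {
    dir=$1
    group=$2
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    owner_group=$(stat -c '%G' "$dir") || return 1
    mode=$(stat -c '%a' "$dir") || return 1
    mode=${mode#"${mode%???}"}            # keep the last three octal digits
    grp_bits=${mode#?}; grp_bits=${grp_bits%?}
    other_bits=${mode#??}
    [ "$owner_group" = "$group" ] || { echo "$dir: group is $owner_group, not $group"; return 1; }
    [ "$other_bits" = 0 ] || { echo "$dir: world-accessible (mode $mode)"; return 1; }
    case $grp_bits in
        1|3|5|7) ;;
        *) echo "$dir: group $group cannot traverse it (mode $mode)"; return 1 ;;
    esac
}

# winbind must be listed for the passwd and group databases; shadow stays "files".
check_nsswitch() {
    f=$1
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|$)" "$f" ||
            { echo "$f: '$db' does not list winbind"; return 1; }
    done
}

# squid.conf allows "\" line continuation; join those lines before matching.
join_continued() {
    awk '{ if (sub(/\\[ \t]*$/, "")) { buf = buf $0; next } print buf $0; buf = "" }' "$1"
}

conf_has() { printf '%s\n' "$1" | grep -Eq "$2"; }

# Squid must drop to the squid user/group and use ntlm_auth for both
# the NTLMSSP and the basic helper, and an acl must require proxy_auth.
check_squid_conf() {
    f=$1
    user=$2
    group=$3
    joined=$(join_continued "$f")
    conf_has "$joined" "^[[:space:]]*cache_effective_user[[:space:]]+$user([[:space:]]|$)" ||
        { echo "$f: cache_effective_user is not $user"; return 1; }
    conf_has "$joined" "^[[:space:]]*cache_effective_group[[:space:]]+$group([[:space:]]|$)" ||
        { echo "$f: cache_effective_group is not $group"; return 1; }
    conf_has "$joined" "^[[:space:]]*auth_param[[:space:]]+ntlm[[:space:]]+program[[:space:]]+.*ntlm_auth.*--helper-protocol=squid-2\.5-ntlmssp" ||
        { echo "$f: no NTLMSSP helper line"; return 1; }
    conf_has "$joined" "^[[:space:]]*auth_param[[:space:]]+basic[[:space:]]+program[[:space:]]+.*ntlm_auth.*--helper-protocol=squid-2\.5-basic" ||
        { echo "$f: no basic helper line"; return 1; }
    conf_has "$joined" "^[[:space:]]*acl[[:space:]]+[^[:space:]]+[[:space:]]+proxy_auth[[:space:]]+REQUIRED" ||
        { echo "$f: no proxy_auth REQUIRED acl"; return 1; }
}

# squid-2.5-basic helper protocol: Squid writes "user password" lines and
# the helper answers "OK" or "ERR", optionally followed by a message.
basic_reply_ok() {
    case $1 in
        OK|OK\ *) return 0 ;;
        *) return 1 ;;
    esac
}

# Live probe; needs winbindd running and the privileged pipe readable.
probe_basic_helper() {
    reply=$(printf '%s %s\n' "$1" "$2" | ntlm_auth --helper-protocol=squid-2.5-basic)
    basic_reply_ok "$reply"
}

run_all() {   # PRIV_DIR SQUID_GROUP NSSWITCH SQUID_CONF
    rc=0
    check_privileged_dir "$1" "$2" || rc=1
    check_nsswitch "$3" || rc=1
    check_squid_conf "$4" "$2" "$2" || rc=1
    return $rc
}

if [ $# -eq 4 ]; then
    run_all "$@"
fi
```

<para>
On a Red Hat host the whole set runs as <command>sh preflight.sh /var/cache/samba/winbindd_privileged squid /etc/nsswitch.conf /etc/squid/squid.conf</command> (use <filename>/var/lib/samba/winbindd_privileged</filename> on SUSE). A non-zero exit with the printed reason tells you which step above was skipped; the privileged-directory check is deliberately strict about the <quote>other</quote> bits, since loosening them to make the helper work is the common mistake.
</para>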
879         </sect2>
881         <sect2>
882                 <title>Key Points Learned</title>
884         <para><indexterm>
885             <primary>Web browsers</primary>
886           </indexterm><indexterm>
887             <primary>services</primary>
888           </indexterm><indexterm>
889             <primary>authentication protocols</primary>
890           </indexterm><indexterm>
891             <primary>Web</primary>
892             <secondary>proxy</secondary>
893             <tertiary>access</tertiary>
894           </indexterm><indexterm>
895             <primary>NTLMSSP</primary>
896           </indexterm>
897                 Microsoft Windows networking protocols permeate the spectrum of technologies that Microsoft
898                 Windows clients use, even when accessing traditional services such as Web proxies. Depending 
899                 on whom you discuss this with, this is either good or bad. No matter how you might evaluate this,
900                 the use of NTLMSSP as the authentication protocol for Web proxy access has a clear advantage over
901                 the Basic authentication prompt that other browsers fall back to: the client presents the user's
902                 existing Windows logon credentials, so the user is never asked for a password. It is Samba's
                 implementation of NTLMSSP that makes it attractive to implement the solution demonstrated in this chapter.
903                 </para>
905         </sect2>
907 </sect1>
909 <sect1>
910         <title>Questions and Answers</title>
912       <para><indexterm>
913           <primary>ntlm_auth</primary>
914         </indexterm><indexterm>
915           <primary>SambaXP conference</primary>
916         </indexterm><indexterm>
917           <primary>Goettingen</primary>
918         </indexterm><indexterm>
919           <primary>Italian</primary>
920         </indexterm>
921         The development of the <command>ntlm_auth</command> module was first discussed in many Open Source circles
922         in 2002. At the SambaXP conference in Goettingen, Germany, Mr. Francesco Chemolli demonstrated the use of 
923         <command>ntlm_auth</command> during one of the late developer meetings that took place. Since that time, the 
924         adoption of <command>ntlm_auth</command> has spread considerably.
925         </para>
927         <para>
928         The largest report from a site that uses Squid with <command>ntlm_auth</command>-based authentication
929         support uses a dual processor server that has 2 GBytes of memory. It provides Web and FTP proxy services for 10,000
930         users. Approximately 2,000 of these users make heavy use of the proxy services. According to the source, who
931         wishes to remain anonymous, the sustained transaction load on this server hovers around 140 hits/sec. The following
932         comments were made with respect to questions regarding the performance of this installation:
933         </para>
935         <blockquote><para>
936         [In our] EXTREMELY optimized environment ... [the] performance impact is almost [nothing]. The <quote>almost</quote> 
937         part is due to the brain damage of the ntlm-over-http protocol definition. Suffice to say that its worst-case 
938         scenario triples the number of hits needed to perform the same transactions versus basic or digest auth[entication].
939         </para></blockquote>
941         <para>
942         You would be well advised to recognize the fact that all cache-intensive proxying solutions demand a lot of memory.
943         Make certain that your Squid proxy server is equipped with sufficient memory to permit all proxy operations to run 
944         out of memory without invoking the overheads involved in the use of memory that has to be swapped to disk.
945         </para>
947         <qandaset defaultlabel="chap10bqa" type="number">
948         <qandaentry>
949         <question>
951                 <para>
952                 What does Samba have to do with Web proxy serving?
953                 </para>
955         </question>
956         <answer>
958             <para><indexterm>
959                 <secondary>transparent inter-operability</secondary>
960               </indexterm><indexterm>
961                 <primary>Windows clients</primary>
962               </indexterm><indexterm>
963                 <primary>network</primary>
964                 <secondary>services</secondary>
965               </indexterm><indexterm>
966                 <primary>authentication</primary>
967               </indexterm><indexterm>
968                 <primary>wrapper</primary>
969               </indexterm>
970                 To provide transparent interoperability between Windows clients and the network services
971                 that are used from them, Samba has had to develop tools and facilities that deliver that transparency.
972                 The benefit of Open Source software is that it can readily be reused. The current <command>ntlm_auth</command>
973                 module is basically a wrapper around authentication code from the core of the Samba project.
974                 </para>
976             <para><indexterm>
977                 <primary>plain-text</primary>
978               </indexterm><indexterm>
979                 <primary>authentication</primary>
980                 <secondary>plain-text</secondary>
981               </indexterm><indexterm>
982                 <primary>Web</primary>
983                 <secondary>proxy</secondary>
984               </indexterm><indexterm>
985                 <primary>FTP</primary>
986                 <secondary>proxy</secondary>
987               </indexterm><indexterm>
988                 <primary>NTLMSSP</primary>
989               </indexterm><indexterm>
990                 <primary>logon credentials</primary>
991               </indexterm><indexterm>
992                 <primary>Internet Explorer</primary>
993               </indexterm><indexterm>
994                 <primary>Internet Information Server</primary>
995               </indexterm><indexterm>
996                 <primary>Apache Web server</primary>
997               </indexterm>
998                 The <command>ntlm_auth</command> module supports basic plain-text authentication and the NTLMSSP 
999                 protocol. This module makes it possible for Web and FTP proxy requests to be authenticated with
1000                 the user's Windows logon credentials, without interrupting the user with a password prompt. This
1001                 facility is available with Microsoft Internet Explorer and is one of the key benefits claimed for
1002                 Microsoft Internet Information Server. There are a few open source initiatives to provide support
1003                 for these protocols in the Apache Web server also.
1004                 </para>
1006             <para><indexterm>
1007                 <primary>wrapper</primary>
1008               </indexterm>
1009                 The short answer is that by adding a wrapper around key authentication components of Samba, other
1010                 projects (like Squid) can benefit from the labors expended in meeting user interoperability needs.
1011                 </para>
1013         </answer>
1014         </qandaentry>
1016         <qandaentry>
1017         <question>
1019                 <para>
1020                 What other services does Samba provide?
1021                 </para>
1023         </question>
1024         <answer>
1026             <para><indexterm>
1027                 <primary>winbindd</primary>
1028               </indexterm><indexterm>
1029                 <primary>Identity resolver</primary>
1030               </indexterm><indexterm>
1031                 <primary>daemon</primary>
1032               </indexterm><indexterm>
1033                 <primary>smbd</primary>
1034               </indexterm><indexterm>
1035                 <primary>file and print server</primary>
1036               </indexterm>
1037                 Samba-3 is a file and print server. The core components that provide this functionality are <command>smbd</command>,
1038                 <command>nmbd</command>, and the Identity resolver daemon, <command>winbindd</command>.
1039                 </para>
1041             <para><indexterm>
1042                 <primary>SMB/CIFS</primary>
1043               </indexterm><indexterm>
1044                 <primary>smbclient</primary>
1045               </indexterm>
1046                 Samba-3 is an SMB/CIFS client. The core component that provides this is called <command>smbclient</command>.
1047                 </para>
1049             <para><indexterm>
1050                 <primary>modules</primary>
1051               </indexterm><indexterm>
1052                 <primary>utilities</primary>
1053               </indexterm><indexterm>
1054                 <primary>validation</primary>
1055               </indexterm><indexterm>
1056                 <primary>inter-operability</primary>
1057               </indexterm><indexterm>
1058                 <primary>authentication</primary>
1059               </indexterm>
1060                 Samba-3 includes a number of helper tools, plug-in modules, utilities, and test/validation facilities.
1061                 Samba-3 includes glue modules that help provide interoperability between MS Windows clients and UNIX/Linux
1062                 servers and clients. It includes Winbind agents that make it possible to authenticate UNIX/Linux access attempts
1063                 as well as logins against an SMB/CIFS authentication server backend. Samba-3 includes name service switch (NSS)
1064                 modules to permit identity resolution via SMB/CIFS servers (Windows NT4/200x, Samba, and a host of other commercial
1065                 server products).
1066                 </para>
1068         </answer>
1069         </qandaentry>
1071         <qandaentry>
1072         <question>
1074                 <para>
1075                 Does use of Samba (<command>ntlm_auth</command>) improve the performance of Squid?
1076                 </para>
1078         </question>
1079         <answer>
1081                 <para>
1082                 Not really. Samba's <command>ntlm_auth</command> module handles only authentication. It requires that
1083                 Squid make an external call to <command>ntlm_auth</command> and, therefore, actually incurs a
1084                 little more overhead. Compared with the benefit obtained, that overhead is well worth enduring. Since
1085                 Squid is a proxy server, and proxy servers tend to require lots of memory, it is good advice to provide
1086                 sufficient memory when using Squid. Just add a little more to accommodate <command>ntlm_auth</command>.
1087                 </para>
1089         </answer>
1090         </qandaentry>
1091         </qandaset>
1093 </sect1>
1095 </chapter>