[squid-users] Samba3 ntlm_auth Helper and Trusted Domains

From: Wilshire, Andrew <[email protected]>
Date: Fri, 19 Sep 2003 15:32:53 +1200

Hi Everyone,

Here's just a few notes and a quick "how to" for enterprises looking towards
migrating a (sizeable) Microsoft proxy and ISA infrastructure to Squid. Our
requirements were to produce a Linux, Squid and Samba solution that
provided:

1. Transparent authentication of IE clients
2. ACLs based on membership of a domain NT group
3. Support for traversing trusted domains (e.g. a resource domain model)

We have managed to achieve this in a test environment where:

-> The squid proxy is a member server in the Resource domain
-> Our test users reside in domains trusted by the Resource domain
-> Resource domain contains a domain local group RESOURCE\ProxyFullAccess
-> Group RESOURCE\ProxyFullAccess contains user accounts from the trusted
domains
-> The Samba3 supplied ntlm_auth helper is used by "auth_param ntlm ..."
-> The Squid supplied wbinfo_group.pl is used by "external_acl_type ... "
-> Squid proxy has an ACL to allow http_access for RESOURCE\ProxyFullAccess

We have used Samba 3.0.0rc2 and Squid-2.5-STABLE3 in our test environment.
Andrew Tridgell of the Samba team provided us with a patch to make Samba
domain local group aware WITHOUT having to be a DC for that domain. This
patch can be found at
http://samba.org/ftp/tridge/misc/samba3_local_groups.patch

A quick "How To" for your own transparently authenticated, trusted-domain
aware Squid proxy:

1. Download Samba-3.0.0rc2 and download the samba3_local_groups patch from
the URL above
2. Patch the Samba source and then ./configure --with-winbind
--with-winbind-auth-challenge, make and make install
3. Using the 'net join' command, join your resource domain, configure
smb.conf as appropriate
4. Start the nmbd daemon. Start the winbindd daemon (test using wbinfo - you
can also start winbindd with a "-i" for interactive mode)
5. Download Squid-2.5.STABLE3 and then ./configure --enable-auth=basic,ntlm
--enable-basic-auth-helpers=LDAP,NCSA,PAM,SMB
--enable-ntlm-auth-helpers=SMB,fakeauth --enable-ntlm-fail-open
--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group
then make and make install
6. Relevant squid.conf bits

auth_param ntlm program /opt/squid/lib/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp -d 3
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

external_acl_type ntgroup_helper %LOGIN /opt/squid/lib/wbinfo_group.pl
acl proxyfullaccess external ntgroup_helper RESOURCE\ProxyFullAccess

http_access allow proxyfullaccess
http_access deny all

7. Find the location of the winbindd_privileged pipe and chgrp squid (or
your cache_effective_group from squid.conf)
8. Kill any running samba daemons and start them (always) in this order -
nmbd, winbindd and then squid

And that's it! I hope this post helps someone else with a similar goal.

(Many thanks to Tridge from the Samba team!)

Andrew Wilshire
IBM / Air New Zealand
andrew.wilshire@airnz.co.nz
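The `external_acl_type ... wbinfo_group.pl` line in the squid.conf fragment above is where the group decision is actually made: Squid hands the helper the authenticated `%LOGIN` plus the group names from the `acl` line, and the helper answers `OK` or `ERR` per request. The script below is an added example (not code from the post, from Squid or from Samba) that implements that same line protocol in Python so the exchange can be seen end to end. It assumes the Squid 2.5 helper convention of one space-separated request per line with `%`-encoded fields, and it resolves membership from a constructed in-memory table that stands in for winbind so it runs offline; a real helper would query winbind (as wbinfo_group.pl does) instead of `CONSTRUCTED_MEMBERSHIP`. The sample user and group names are made up; only `RESOURCE\ProxyFullAccess` comes from the post.

```python
"""
Minimal Squid external ACL helper speaking the 2.5-era line protocol:
    stdin : "<login> <group> [<group> ...]"   (one request per line)
    stdout: "OK" or "ERR"                      (one reply per line)

Added example, not the post's or Squid's own code. Membership comes from a
constructed table (assumption) instead of winbind so the script runs offline.
"""
import sys
from urllib.parse import unquote

# Constructed data standing in for winbind's view of group membership.
# Keys and values are stored normalised (lower case, backslash separator).
CONSTRUCTED_MEMBERSHIP = {
    "users\\alice":    {"resource\\proxyfullaccess", "users\\domain users"},
    "users\\bob":      {"users\\domain users"},
    "partners\\carol": {"resource\\proxyfullaccess"},
}


def normalise(name: str) -> str:
    """Windows names are case-insensitive, and winbind may be configured with
    '+' instead of '\\' as the domain separator; fold both so that
    'USERS+Alice' and 'users\\alice' compare equal."""
    return name.strip().lower().replace("+", "\\")


def lookup_groups(login: str) -> set:
    """Return the normalised group set for a login (empty if unknown)."""
    return CONSTRUCTED_MEMBERSHIP.get(normalise(login), set())


def check_line(line: str, groups_of=lookup_groups) -> str:
    """Evaluate one helper request line and return 'OK' or 'ERR'.

    The helper sits on the http_access enforcement path, so anything it
    cannot parse is answered ERR (deny) rather than OK.
    """
    fields = [unquote(f) for f in line.split()]
    if len(fields) < 2:
        return "ERR"            # need a login and at least one group name
    login, wanted = fields[0], fields[1:]
    member_of = groups_of(login)
    # OK if the user is in ANY of the groups listed on the acl line
    if any(normalise(g) in member_of for g in wanted):
        return "OK"
    return "ERR"


def serve(stdin=sys.stdin, stdout=sys.stdout) -> None:
    """Loop forever answering Squid; flush after every reply because Squid
    blocks on each request until it sees the helper's line."""
    for line in stdin:
        stdout.write(check_line(line) + "\n")
        stdout.flush()


if __name__ == "__main__":
    serve()
```

Run it under `external_acl_type ntgroup_helper %LOGIN /path/to/this.py` in place of wbinfo_group.pl only for experimenting with the protocol; the value for a production deployment is in seeing that a group check is a plain request/reply over stdin/stdout, that matching should be case-insensitive and separator-tolerant, and that the helper should fail closed.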

Received on Thu Sep 18 2003 - 21:33:06 MDT
