Integrating Additional Services authentication backends smbpasswd ldapsam Active Directory You've come a long way now. You have pretty much mastered Samba-3 for most uses it can be put to. Up until now, you have cast Samba-3 in the leading role and where authentication was required, you have used one or another of Samba's many authentication backends (from flat text files with smbpasswd to LDAP directory integration with ldapsam). Now you can design a solution for a new Abmas business. This business is running Windows Server 2003 and Active Directory, and these are to stay. It's time to master implementing Samba and Samba-supported services in a domain controlled by the latest Windows authentication technologies. Let's get started &smbmdash; this is leading edge. Introduction Abmas has continued its miraculous growth; indeed, nothing seems to be able to stop its diversification into multiple (and seemingly unrelated) fields. Its latest acquisition is Abmas Snack Foods, a big player in the snack-food business. With this acquisition comes new challenges for you and your team. Abmas Snack Foods is a well-developed business with a huge and heterogeneous network. They already have Windows, NetWare, and Proprietary UNIX, but as yet no Samba or Linux. The network is mature and well established, and there is no question of their chosen user authentication scheme being changed for now. You need to take a wise new approach. You have decided to set the ball rolling by introducing Samba-3 into the network gradually, taking over key services and easing the way to a full migration and, therefore, integration into Abmas's existing business later. Assignment Tasks web proxying web caching You've promised the skeptical Abmas Snack Foods management team that you can show them how Samba can ease itself and other Open Source technologies into their existing infrastructure and deliver sound business advantages. Cost cutting is high on their agenda (a major promise of the acquisition). You have chosen Web proxying and caching as your proving ground. bandwidth Microsoft ISA Abmas Snack Foods has several thousand users housed at their Head Office and multiple regional offices, plants, and warehouses. A high proportion of the business's work is done online, so Internet access for most of these users is essential. All Internet access, including all of their regional offices, is funneled through the head office and is the job of the (now your) networking team. The bandwidth requirements were horrific (comparable to a small ISP), and the team soon discovered proxying and caching. In fact, they became one of the earliest commercial users of Microsoft ISA. Active Directory authenticated proxy The team is not happy with ISA. Because it never lived up to its marketing promises, it under-performed and had reliability problems. You have pounced on the opportunity to show what Open Source can do. The one thing they do like, however, is ISA's integration with Active Directory. They like that their users, once logged on, are automatically authenticated against the proxy. If your alternative to ISA can operate completely seamlessly in their Active Directory Domain, it will be approved. This is a hands-on exercise. You build software applications so that you obtain the functionality Abmas needs. Dissection and Discussion The key requirements in this business example are straightforward. You are not required to do anything new, just to replicate an existing system, not lose any existing features, and improve performance. The key points are: Internet access for most employees Distributed system to accommodate load and geographical distribution of users Seamless and transparent interoperability with the existing Active Directory domain Technical Issues browsing Squid proxy proxy authentication Internet Explorer winbind NTLM NTLM authentication daemon authentication daemon Active Directory domain Active Directory Kerberos token Functionally, the user's Internet Explorer requests a browsing session with the Squid proxy, for which it offers its AD authentication token. Squid hands off the authentication request to the Samba-3 authentication helper application called ntlm_auth. This helper is a hook into winbind, the Samba-3 NTLM authentication daemon. Winbind enables UNIX services to authenticate against Microsoft Windows Domains, including Active Directory domains. As Active Directory authentication is a modified Kerberos authentication, winbind is assisted in this by local Kerberos 5 libraries configured to check passwords with the Active Directory server. Once the token has been checked, a browsing session is established. This process is entirely transparent and seamless to the user. Enabling this consists of: Preparing the necessary environment using pre-configured packages Setting up raw Kerberos authentication against the Active Directory domain Configuring, compiling, and then installing the supporting Samba-3 components Tying it all together Political Issues You are a stranger in a strange land and all eyes are upon you. Some would even like to see you fail. For you to gain the trust of your newly acquired IT people, it is essential that your solution does everything the old one did, but does it better in every way. Only then will the entrenched positions consider taking up your new way of doing things on a wider scale. Implementation Squid First, your system needs to be prepared and in a known good state to proceed. This consists of making sure that everything the system depends on is present and that everything that could interfere or conflict with the system is removed. You will be configuring the Squid and Samba-3 packages and updating them if necessary. If conflicting packages of these programs are installed, they must be removed. Red Hat Linux The following packages should be available on your Red Hat Linux system: krb5 Kerberos krb5-libs krb5-devel krb5-workstation krb5-server pam_krb5 SUSE Linux In the case of SUSE Linux, these packages are called: heimdal-lib heimdal-devel Heimdal heimdal pam_krb5 If the required packages are not present on your system, you must install them from the vendor's installation media. Follow the administrative guide for your Linux system to ensure that the packages are correctly updated. MS Windows Server 2003 Kerberos MIT If the requirement is for inter-operation with MS Windows Server 2003, it will be necessary to ensure that you are using MIT Kerberos version 1.3.1 or later. Red Hat Linux 9 ships with MIT Kerberos 1.2.7 and thus requires updating. Heimdal SUSE Enterprise Linux Server Heimdal 0.6 or later is required in the case of SUSE Linux. SUSE Enterprise Linux Server 8 ships with Heimdal 0.4. SUSE 9 ships with the necessary version. Removal of Pre-existing Conflicting RPMs Squid If Samba and/or Squid RPMs are installed, they should be updated. You can build both from source. rpm samba squid Locating the packages to be un-installed can be achieved by running: &rootprompt; rpm -qa | grep -i samba &rootprompt; rpm -qa | grep -i squid The identified packages may be removed using: &rootprompt; rpm -e samba-common Kerberos Configuration Kerberos Active Directory server ADS KDC The systems Kerberos installation must be configured to communicate with your primary Active Directory server (ADS KDC). Strictly speaking, MIT Kerberos version 1.3.1 currently gives the best results, although the current default Red Hat MIT version 1.2.7 gives acceptable results unless you are using Windows 2003 servers. MIT Heimdal Kerberos /etc/krb5.conf DNS SRV records KDC DNS lookup Officially, neither MIT (1.3.1) nor Heimdal (0.6) Kerberos needs an /etc/krb5.conf file in order to work correctly. All ADS domains automatically create SRV records in the DNS zone Kerberos.REALM.NAME for each KDC in the realm. Since both MIT and Heimdal, KRB5 libraries default to checking for these records, so they automatically find the KDCs. In addition, krb5.conf only allows specifying a single KDC, even there if there is more than one. Using the DNS lookup allows the KRB5 libraries to use whichever KDCs are available. krb5.conf If you find the need to manually configure the krb5.conf, you should edit it to have the contents shown in . The final fully qualified path for this file should be /etc/krb5.conf. Kerberos realm case-sensitive KDC synchronization initial credentials Clock skew NTP DNS lookup reverse DNS NetBIOS name /etc/hosts mapping The following gotchas often catch people out. Kerberos is case sensitive. Your realm must be in UPPERCASE, or you will get an error: Cannot find KDC for requested realm while getting initial credentials. Kerberos is picky about time synchronization. The time according to your participating servers must be within 5 minutes or you get an error kinit(v5): Clock skew too great while getting initial credentials. Clock skew limits are, in fact, configurable in the Kerberos protocols (the default is 5 minutes). A better solution is to implement NTP throughout your server network. Kerberos needs to be able to do a reverse DNS lookup on the IP address of your KDC. Also, the name that this reverse lookup maps to must either be the NetBIOS name of the KDC (i.e., the hostname with no domain attached), or it can alternately be the NetBIOS name followed by the realm. If all else fails, you can add a /etc/hosts entry mapping the IP address of your KDC to its NetBIOS name. If Kerberos cannot do this reverse lookup, you will get a local error when you try to join the realm. kinit You are now ready to test your installation by issuing the command: &rootprompt; kinit [USERNAME@REALM] You are asked for your password, which you should enter. The following is a typical console sequence: &rootprompt; kinit ADMINISTRATOR@LONDON.ABMAS.BIZ Password for ADMINISTRATOR@LONDON.ABMAS.BIZ: Make sure that your password is accepted by the Active Directory KDC. Kerberos Configuration &smbmdash; File: <filename>/etc/krb5.conf</filename> [libdefaults] default_realm = LONDON.ABMAS.BIZ [realms] LONDON.ABMAS.BIZ = { kdc = w2k3s.london.abmas.biz } klist The command: &rootprompt; klist -e shows the Kerberos tickets cached by the system: Samba Configuration Active Directory Samba must be configured to correctly use Active Directory. Samba-3 must be used, as this has the necessary components to interface with Active Directory. Red Hat Linux Samba Tea Red Hat Fedora Linux MIT KRB5 ntlm_auth Download the latest stable Samba-3 for Red Hat Linux from the official Samba Team FTP site. The official Samba Team RPMs for Red Hat Fedora Linux contain the ntlm_auth tool needed, and are linked against MIT KRB5 version 1.3.1 and, therefore, are ready for use. SerNet RPMs The necessary, validated RPM packages for SUSE Linux may be obtained from the SerNet FTP site that is located in Germany. All SerNet RPMs are validated, have the necessary ntlm_auth tool, and are statically linked against suitably patched Heimdal 0.6 libraries. Using your favorite editor, change the /etc/samba/smb.conf file so it has contents similar to the example shown in . computer account Active Directory net ads join Kerberos ticket ticket Next you need to create a computer account in the Active Directory. This sets up the trust relationship needed for other clients to authenticate to the Samba server with an Active Directory Kerberos ticket. This is done with the net ads join -U [Administrator%Password] command, as follows: &rootprompt; net ads join -U administrator%vulcon smbd nmbd winbindd Active Directory Samba Your new Samba binaries must be started in the standard manner as is applicable to the platform you are running on. Alternately, start your Active Directory enabled Samba with the following commands: &rootprompt; smbd -D &rootprompt; nmbd -D &rootprompt; winbindd -B winbind Active Directory domain wbinfo enumerating Active Directory tree We now need to test that Samba is communicating with the Active Directory domain; most specifically, we want to see whether winbind is enumerating users and groups. Issue the following commands: &rootprompt; wbinfo -t checking the trust secret via RPC calls succeeded This tests whether we are authenticating against Active Directory: &rootprompt; wbinfo -u LONDON+Administrator LONDON+Guest LONDON+SUPPORT_388945a0 LONDON+krbtgt LONDON+jht LONDON+xjht This enumerates all the users in your Active Directory tree: &rootprompt; wbinfo -g LONDON+Domain Computers LONDON+Domain Controllers LONDON+Schema Admins LONDON+Enterprise Admins LONDON+Domain Admins LONDON+Domain Users LONDON+Domain Guests LONDON+Group Policy Creator Owners LONDON+DnsUpdateProxy This enumerates all the groups in your Active Directory tree. Squid ntlm_auth Squid uses the ntlm_auth helper build with Samba-3. You may test ntlm_auth with the command: &rootprompt; /usr/bin/ntlm_auth --username=jht password: XXXXXXXX You are asked for your password, which you should enter. You are rewarded with: &rootprompt; NT_STATUS_OK: Success (0x0) ntlm_auth authenticate winbind privileged pipe squid chgrp chmod failure The ntlm_auth helper, when run from a command line as the user root, authenticates against your Active Directory domain (with the aid of winbind). It manages this by reading from the winbind privileged pipe. Squid is running with the permissions of user squid and group squid and is not able to do this unless we make a vital change. Squid cannot read from the winbind privilege pipe unless you change the permissions of its directory. This is the single biggest cause of failure in the whole process. Remember to issue the following command (for Red Hat Linux): &rootprompt; chgrp squid /var/cache/samba/winbindd_privileged &rootprompt; chmod 750 /var/cache/samba/winbindd_privileged For SUSE Linux 9, execute the following: &rootprompt; chgrp squid /var/lib/samba/winbindd_privileged &rootprompt; chmod 750 /var/lib/samba/winbindd_privileged NSS Configuration NSS winbind authentication For Squid to benefit from Samba-3, NSS must be updated to allow winbind as a valid route to user authentication. Edit your /etc/nsswitch.conf file so it has the parameters shown in . Samba Configuration &smbmdash; File: <filename>/etc/samba/smb.conf</filename> LONDON W2K3S LONDON.ABMAS.BIZ ads yes w2k3s.london.abmas.biz separate domain and username with '/', like DOMAIN/username / use UIDs from 10000 to 20000 for domain users 10000-20000 # use GIDs from 10000 to 20000 for domain groups 10000-20000 allow enumeration of winbind users and groups yes yes yes NSS Configuration File Extract &smbmdash; File: <filename>/etc/nsswitch.conf</filename> passwd: files winbind shadow: files group: files winbind Squid Configuration Squid Active Directory authentication Squid must be configured correctly to interact with the Samba-3 components that handle Active Directory authentication. Configuration SUSE Linux Squid helper agent If your Linux distribution is SUSE Linux 9, the version of Squid supplied is already enabled to use the winbind helper agent. You can, therefore, omit the steps that would build the Squid binary programs. nobody squid rpms /etc/passwd /etc/group Squid, by default, runs as the user nobody. You need to add a system user squid and a system group squid if they are not set up already (if the default Red Hat squid rpms were installed, they will be). Set up a squid user in /etc/passwd and a squid group in /etc/group if these aren't there already. permissions chown You now need to change the permissions on Squid's var directory. Enter the following command: &rootprompt; chown -R squid /var/cache/squid logging Squid Squid must also have control over its logging. Enter the following commands: &rootprompt; chown -R chown squid:squid /var/log/squid &rootprompt; chmod 770 /var/log/squid Finally, Squid must be able to write to its disk cache! Enter the following commands: &rootprompt; chown -R chown squid:squid /var/cache/squid &rootprompt; chmod 770 /var/cache/squid /etc/squid/squid.conf The /etc/squid/squid.conf file must be edited to include the lines from and . cache directories You must create Squid's cache directories before it may be run. Enter the following command: &rootprompt; squid -z Finally, start Squid and enjoy transparent Active Directory authentication. Enter the following command: &rootprompt; squid Squid Configuration File Extract &smbmdash; <filename>/etc/squid.conf</filename> [ADMINISTRATIVE PARAMETERS Section] cache_effective_user squid cache_effective_group squid Squid Configuration File extract &smbmdash; File: <filename>/etc/squid.conf</filename> [AUTHENTICATION PARAMETERS Section] auth_param ntlm program /usr/bin/ntlm_auth \ --helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 5 auth_param ntlm max_challenge_reuses 0 auth_param ntlm max_challenge_lifetime 2 minutes auth_param basic program /usr/bin/ntlm_auth \ --helper-protocol=squid-2.5-basic auth_param basic children 5 auth_param basic realm Squid proxy-caching web server auth_param basic credentialsttl 2 hours acl AuthorizedUsers proxy_auth REQUIRED http_access allow all AuthorizedUsers Key Points Learned Web browsers services authentication protocols Web proxy access NTLMSSP Microsoft Windows networking protocols permeate the spectrum of technologies that Microsoft Windows clients use, even when accessing traditional services such as Web browsers. Depending on whom you discuss this with, this is either good or bad. No matter how you might evaluate this, the use of NTLMSSP as the authentication protocol for Web proxy access has some advantages over the cookie-based authentication regime used by all competing browsers. It is Samba's implementation of NTLMSSP that makes it attractive to implement the solution that has been demonstrated in this chapter. Questions and Answers ntlm_auth SambaXP conference Goettingen Italian The development of the ntlm_auth module was first discussed in many Open Source circles in 2002. At the SambaXP conference in Goettingen, Germany, Mr. Francesco Chemolli demonstrated the use of ntlm_auth during one of the late developer meetings that took place. Since that time, the adoption of ntlm_auth has spread considerably. The largest report from a site that uses Squid with ntlm_auth-based authentication support uses a dual processor server that has 2 GBytes of memory. It provides Web and FTP proxy services for 10,000 users. Approximately 2,000 of these users make heavy use of the proxy services. According to the source, who wishes to remain anonymous, the sustained transaction load on this server hovers around 140 hits/sec. The following comments were made with respect to questions regarding the performance of this installation:
[In our] EXTREMELY optimized environment ... [the] performance impact is almost [nothing]. The almost part is due to the brain damage of the ntlm-over-http protocol definition. Suffice to say that its worst-case scenario triples the number of hits needed to perform the same transactions versus basic or digest auth[entication].
You would be well advised to recognize the fact that all cache-intensive proxying solutions demand a lot of memory. Make certain that your Squid proxy server is equipped with sufficient memory to permit all proxy operations to run out of memory without invoking the overheads involved in the use of memory that has to be swapped to disk. What does Samba have to do with Web proxy serving? transparent inter-operability Windows clients network services authentication wrapper To provide transparent interoperability between Windows clients and the network services that are used from them, Samba has had to develop tools and facilities that deliver that. The benefit of Open Source software is that it can readily be reused. The current ntlm_auth module is basically a wrapper around authentication code from the core of the Samba project. plain-text authentication plain-text Web proxy FTP proxy NTLMSSP logon credentials Windows explorer Internet Information Server Apache Web server The ntlm_auth module supports basic plain-text authentication and NTLMSSP protocols. This module makes it possible for Web and FTP proxy requests to be authenticated without the user being interrupted via his/her Windows logon credentials. This facility is available with MS Windows explorer and is one of the key benefits claimed for Microsoft Internet Information Server. There are a few open source initiatives to provide support for these protocols in the Apache Web server also. wrapper The short answer is that by adding a wrapper around key authentication components of Samba, other projects (like Squid) can benefit from the labors expended in meeting user interoperability needs. What other services does Samba provide? winbindd Identity resolver daemon smbd file and print server Samba-3 is a file and print server. The core components that provide this functionality are smbd, nmbd, and the Identity resolver daemon, winbindd. SMB/CIFS smbclient Samba-3 is an SMB/CIFS client. The core component that provides this is called smbclient. modules utilities validation inter-operability authentication Samba-3 includes a number of helper tools, plug-in modules, utilities, and test/validation facilities. Samba-3 includes glue modules that help provide interoperability between MS Windows clients and UNIX/Linux servers and client. It includes Winbind agents that make it possible to authenticate UNIX/Linux access attempts as well as logins to an SMB/CIFS authentication server backend. Samba-3 includes name service switch (NSS) modules to permit Identity resolution via SMB/CIFS servers (Windows NT4/200x, Samba, and a host of other commercial server products). Does use of Samba (ntlm_auth) improve the performance of Squid? Not really. Samba's ntlm_auth module handles only authentication. It requires that Squid make an external call to ntlm_auth and, therefore, actually incurs a little more overhead. Compared with the benefit obtained, that overhead is well worth enduring. Since Squid is a proxy server, and proxy servers tend to require lots of memory, it is good advice to provide sufficient memory when using Squid. Just add a little more to accommodate ntlm_auth.