Winbind is a recent addition to Samba providing some impressive capabilities for NT based user accounts. From Squid's perspective winbind provides a robust and efficient engine for both basic and NTLM challenge/response authentication against an NT domain controller.

Samba 2.2.4 or greater is needed. Samba 2.2.4, 2.2.5, and 3.0a17 are known to work with the Squid 2.5 winbind authenticators. The winbind authenticators have been used successfully under Linux, FreeBSD and Solaris (others?).

===============
Configure Samba
===============

Build/Install Samba
-------------------

Samba must be built with the configure options:

    --with-winbind
    --with-winbind-auth-challenge

Optionally, if building Samba 2.2.5, apply the smbpasswd.diff patch in /path/to/patch/file. See "SMBD and Machine Trust Accounts" below to determine if the patch is worthwhile.

(Do we need to tell people how to apply a patch?)
(Should we make a diff for 2.2.4?)

Test Samba/winbindd
-------------------

1: Edit smb.conf for winbindd functionality. The following entries in the [global] section of smb.conf may be used as a template:

    workgroup = mydomain
    password server = myPDC
    security = domain
    winbind uid = 10000-20000
    winbind gid = 10000-20000
    winbind use default domain = yes

2: Join the NT domain as outlined in the winbindd man page for your version of Samba.

3: Test winbindd functionality.

   a) Start nmbd (required to ensure proper operation).

   b) Start winbindd.

   c) Test basic winbindd functionality with "wbinfo -t":

        # wbinfo -t
        Secret is good

   d) Test winbindd user authentication:

        # wbinfo -a mydomain\\myuser%mypasswd
        plaintext password authentication succeeded
        error code was NT_STATUS_OK (0x0)
        challenge/response password authentication succeeded
        error code was NT_STATUS_OK (0x0)

   Note that both plaintext and challenge/response should return "succeeded." If no "challenge/response" status is returned at all, then Samba was not built with "--with-winbind-auth-challenge."

4: SMBD and Machine Trust Accounts.
-----------
Samba 2.2.x
-----------

The smbd daemon, while not strictly required by winbindd, may be needed to manage the machine's trust account. Well behaved domain members change the account password on a regular basis. Windows and Samba servers default to changing this trust account password every seven days. The Samba component responsible for managing the trust account password is smbd. Smbd needs to receive requests to trigger the password change. If the machine will be used for file and print services, then just running smbd to serve routine requests should keep everything happy. However, in cases where Squid's winbind helpers are the only reason Samba components are running, smbd may sit idle. Indeed, there may be no other reason to run smbd at all.

There are two sample options to change the trust account password in /path/to/trustpwstuff. Either may be scheduled daily via a cron job to change the trust password.

UglySolution.pl is a sample perl script that will load smbd, connect to a Samba share using smbclient, and generate enough dummy activity to trigger smbd's machine trust account password change.

smbpasswd.diff is a patch to Samba 2.2.5's smbpasswd utility to allow changing the machine account password at will. It is a minimal patch simply exposing a command line interface to an existing Samba function. Once patched, the smbpasswd syntax to change the password is:

    smbpasswd -t DOMAIN -r PDC

---------
Samba 3.x
---------

Things are much easier under the 3.x versions of Samba. Smbd is no longer required to manage the machine's trust account, and there is no need to patch any utilities. The Samba team has incorporated functionality to change the machine trust account password in the new "net" command. A simple daily cron job scheduling "net rpc changetrustpw" is all that is needed.
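Step 3 of "Test Samba/winbindd" relies on reading the wbinfo output by eye. The following added example (not part of the original README, nor of Samba or Squid) parses the output of "wbinfo -t" and "wbinfo -a" and flags the one failure mode the step warns about, a build without --with-winbind-auth-challenge, which silently breaks the NTLM helper. It assumes wbinfo is in PATH; the sample output strings are constructed from the session shown in step 3.

```python
"""Automate the checks from 'Test Samba/winbindd' step 3: 'wbinfo -t' must report a
good trust secret and 'wbinfo -a' must report BOTH plaintext and challenge/response
success; no challenge/response line means --with-winbind-auth-challenge is missing."""
import re
import subprocess
import sys

# Constructed sample output, modelled on the wbinfo session shown in step 3.
SAMPLE_T = "Secret is good\n"
SAMPLE_A = ("plaintext password authentication succeeded\n"
            "error code was NT_STATUS_OK (0x0)\n"
            "challenge/response password authentication succeeded\n"
            "error code was NT_STATUS_OK (0x0)\n")

def trust_secret_ok(wbinfo_t_output):
    """True if 'wbinfo -t' says the machine trust account secret is good."""
    return "Secret is good" in wbinfo_t_output

def auth_results(wbinfo_a_output):
    """Map each method 'wbinfo -a' reports to True (succeeded) or False (failed).
    A method winbindd never reports is absent from the dict."""
    pat = re.compile(r"(plaintext|challenge/response) password authentication (succeeded|failed)")
    return {m.group(1): m.group(2) == "succeeded"
            for m in map(pat.match, wbinfo_a_output.splitlines()) if m}

def diagnose(wbinfo_t_output, wbinfo_a_output):
    """Return (ok, message) combining checks 3c and 3d."""
    if not trust_secret_ok(wbinfo_t_output):
        return False, "trust secret is bad: (re)join the domain (step 2)"
    auth = auth_results(wbinfo_a_output)
    if not auth.get("plaintext"):
        return False, "plaintext authentication failed: check password server and credentials"
    if "challenge/response" not in auth:
        return False, "no challenge/response status: rebuild Samba with --with-winbind-auth-challenge"
    if not auth["challenge/response"]:
        return False, "challenge/response authentication failed: wb_ntlmauth will not work"
    return True, "winbindd is ready for both the basic and NTLM helpers"

def check_live(domain_user, password):
    """Run the real commands (assumes wbinfo is in PATH; run as root)."""
    t = subprocess.run(["wbinfo", "-t"], capture_output=True, text=True).stdout
    a = subprocess.run(["wbinfo", "-a", domain_user + "%" + password],
                       capture_output=True, text=True).stdout
    return diagnose(t, a)

if __name__ == "__main__":  # usage: python3 check_winbind.py 'mydomain\myuser' mypasswd
    ok, msg = check_live(sys.argv[1], sys.argv[2])
    print(("OK: " if ok else "FAIL: ") + msg)
    sys.exit(0 if ok else 1)
```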
===============
Configure Squid
===============

Build/Install Squid
-------------------

Squid must be built with the configure options:

    --enable-auth="ntlm,basic"
    --enable-basic-auth-helpers="winbind"
    --enable-ntlm-auth-helpers="winbind"

Test Squid without auth
-----------------------

Before going further, test basic Squid functionality. Make sure squid is functioning without requiring authorization.

Test the helpers
----------------

Testing the winbind ntlm helper is not really possible from the command line, but the winbind basic authenticator can be tested like any other basic helper:

    # /usr/local/squid/libexec/wb_auth -d
    /wb_auth[65180](wb_basic_auth.c:136): basic winbindd auth helper ...
    mydomain\myuser mypasswd
    /wb_auth[65180](wb_basic_auth.c:107): Got 'mydomain\myuser mypasswd' from squid (length: 24).
    /wb_auth[65180](wb_basic_auth.c:54): winbindd result: 0
    /wb_auth[65180](wb_basic_auth.c:57): sending 'OK' to squid
    OK

The helper should return "OK" if given a valid username/password.

Edit squid.conf
---------------

1: Set up the authenticators. Add the following to enable both the winbind basic and ntlm authenticators. IE will use ntlm and everything else basic:

    auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
    auth_param ntlm children 5
    auth_param ntlm max_challenge_reuses 0
    auth_param ntlm max_challenge_lifetime 2 minutes
    auth_param basic program /usr/local/squid/libexec/wb_auth
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours

2: Add acl entries to require authentication:

    acl AuthorizedUsers proxy_auth REQUIRED
    ..
    http_access allow all AuthorizedUsers

Test Squid with auth
--------------------

1: Internet Explorer: Test browsing through squid with IE. If logged into the domain, a password prompt should NOT pop up. To confirm the traffic really is being authorized, tail access.log. The domain\username should be present in the log.
2: Netscape, Mozilla, Opera...: Test with a non-IE browser. A standard password dialog should appear. Entering the domain should not be required if the user is in the default domain and "winbind use default domain = yes" is set in smb.conf. Otherwise, the username must be entered in "domain\username" format.

If no usernames appear in access.log and/or no password dialogs appear in either browser, then the acl/http_access portions of squid.conf are not correct.

References
----------

Samba Winbind overview:
    http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection.html#WINBIND

winbindd man page:
    http://www.samba.org/samba/docs/man/winbindd.8.html

wbinfo man page:
    http://www.samba.org/samba/docs/man/wbinfo.1.html

nmbd man page:
    http://us1.samba.org/samba/docs/man/nmbd.8.html

smbd man page:
    http://www.samba.org/samba/docs/man/smbd.8.html

smb.conf man page:
    http://us1.samba.org/samba/docs/man/smb.conf.5.html

Joining a Domain in Samba 2.2.x:
    http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection.html#AEN1134

smbclient man page:
    http://www.samba.org/samba/docs/man/smbclient.1.html
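The "Test Squid with auth" section above says to tail access.log and look for domain\username entries. The following added example (not part of the original README or of Squid) does that check over a file instead of by eye: it counts 407 challenges, denials, requests served with no user at all (the sign that the acl/http_access lines are not enforcing authentication) and requests per authenticated user. It assumes Squid's default native access.log format, in which the eighth field is the user name; the sample log lines are constructed, not real traffic.

```python
"""Automate the access.log check from 'Test Squid with auth'.  In Squid's native log
format the 8th field is the authenticated user ('-' when none) and TCP_DENIED/407
entries are authentication challenges (NTLM produces two before the request succeeds)."""
import collections
import sys

# Constructed sample lines in Squid native log format (not real traffic).
SAMPLE_LOG = """\
1041264587.123     1 192.168.1.10 TCP_DENIED/407 1695 GET http://www.example.com/ - NONE/- text/html
1041264587.456     1 192.168.1.10 TCP_DENIED/407 1695 GET http://www.example.com/ - NONE/- text/html
1041264588.001   120 192.168.1.10 TCP_MISS/200 5432 GET http://www.example.com/ mydomain\\myuser DIRECT/192.0.2.80 text/html
1041264590.222    45 192.168.1.11 TCP_MISS/200 2210 GET http://www.example.org/ mydomain\\otheruser DIRECT/192.0.2.81 text/html
1041264591.333    30 192.168.1.12 TCP_HIT/200 8120 GET http://www.example.net/ - NONE/- image/gif
"""

def parse_line(line):
    """Return (action/code, user) from one native-format line, or None if malformed."""
    fields = line.split()
    return (fields[3], fields[7]) if len(fields) >= 8 else None

def summarize(lines):
    """Count challenges, denials, requests served without a user, and requests per user."""
    s = {"challenges": 0, "denied": 0, "unauthenticated_served": 0,
         "per_user": collections.Counter()}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        status, user = parsed
        if status.endswith("/407"):
            s["challenges"] += 1
        elif status.startswith("TCP_DENIED"):
            s["denied"] += 1
        elif user == "-":
            s["unauthenticated_served"] += 1  # served with no user: proxy_auth acl not enforced
        else:
            s["per_user"][user] += 1
    return s

def auth_enforced(s):
    """True when every served request carried a domain\\user and at least one did."""
    return s["unauthenticated_served"] == 0 and bool(s["per_user"])

if __name__ == "__main__":  # usage: python3 check_access_log.py /path/to/access.log
    with open(sys.argv[1]) as fh:
        s = summarize(fh)
    for user, n in s["per_user"].most_common():
        print(f"{n:6d}  {user}")
    print(f"challenges={s['challenges']} denied={s['denied']} served_without_user={s['unauthenticated_served']}")
    sys.exit(0 if auth_enforced(s) else 1)
```

On the constructed sample the last line is served with no user, so the script exits non-zero; drop that line and it reports authentication enforced for the two domain users.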