--- FAQ.orig Thu Jun 13 16:33:04 2002 +++ FAQ.sgml Fri Nov 17 14:03:18 2006 @@ -12906,6 +12906,267 @@ Each authentication program must select its own scheme for persistent storage of passwords and usernames. +How do I use the Winbind authenticators? + +

+Winbind is a recent addition to Samba providing some impressive +capabilities for NT based user accounts. From Squid's perspective winbind provides a robust and efficient +engine for both basic and NTLM challenge/response authentication +against an NT domain controller. +

+Samba 2.2.4 or greater is required. Samba 2.2.4, 2.2.5, and 3.0a17 +are known to work with the Squid 2.5 winbind authenticators. +

+The winbind authenticators have been used successfully +under Linux, FreeBSD and Solaris. +

+ +Configure Samba +

+Build/Install Samba +

+Samba must be built with configure options: + + --with-winbind + --with-winbind-auth-challenge + +

+Optionally, if building Samba 2.2.5, apply the smbpasswd.diff patch +in /path/to/patchfile. See below to +determine if the patch is worthwhile. +

+(Do we need to tell people how to apply a patch?) +(should we make a diff for 2.2.4?) +

+Test Samba's winbindd + + +Edit smb.conf for winbindd functionality. The following entries in +the [global] section of smbd.conf may be used as a template. + +workgroup = mydomain +password server = myPDC +security = domain +winbind uid = 10000-20000 +winbind gid = 10000-20000 +winbind use default domain = yes + + + + +Join the NT domain as outlined in the winbindd man page for your +version of samba. + + + +Test winbindd functionality. + + +Start nmbd (required to insure proper operation). + + + + Start winbindd. + + + + Test basic winbindd functionality "wbinfo -t": + +# wbinfo -t +Secret is good + + + + +Test winbindd user authentication: + +# wbinfo -a mydomain\\myuser%mypasswd +plaintext password authentication succeeded +error code was NT_STATUS_OK (0x0) +challenge/response password authentication succeeded +error code was NT_STATUS_OK (0x0) + + + + + + + +SMBD and Machine Trust Accounts

+ +Samba 2.2.x +

+Samba's smbd daemon, while not strictly required by winbindd may be needed +to manage the machine's trust account. +

+Well behaved domain members change the account password on a regular +basis. Windows and Samba servers default to changing this password +every seven days. +

+The Samba component responsible for managing the trust account password +is smbd. Smbd needs to receive requests to trigger the password change. +If the machine will be used for file and print services, then just +running smbd to serve routine requests should keep everything happy. +

+However, in cases where Squid's winbind helpers are the only reason +Samba components are running, smbd may sit idle. Indeed, there may be +no other reason to run smbd at all. +

+There are two sample options to change the trust account password in +/path/to/trustpwstuff. Either may be scheduled daily via a cron job to +change the trust password. +

+UglySolution.pl is a sample perl script that will load smbd, connect to +a Samba share using smbclient, and generate enough dummy activity to +trigger smbd's machine trust account password change. +

+smbpasswd.diff is a patch to Samba 2.2.5's smbpasswd utility to allow +changing the machine account password at will. It is a minimal patch +simply exposing a command line interface to an existing Samba function. +

+Once patched, the smbpasswd syntax to change the password is: + + smbpasswd -t DOMAIN -r PDC + +

+ +Samba 3.x +

+Things are much easier under the 3.x versions of Samba. Smbd is no +longer required to manage the machine's trust account, and there is no +need to patch any utilities. +

+The Samba team has incorporated functionality to change the machine +trust account password in the new "net" command. A simple daily cron +job scheduling "net rpc changetrustpw" is all that is needed. +

+

+ + +Configure Squid +

+ +Build/Install Squid +

+Squid must be built with the configure options: + + --enable-auth="ntlm,basic" + --enable-basic-auth-helpers="winbind" + --enable-ntlm-auth-helpers="winbind" + + +Test Squid without auth +

+Before going further, test basic Squid functionality. Make sure squid +is functioning without requiring authorization. +

+ +Test the helpers +

+Testing the winbind ntlm helper is not really possible from the command +line, but the winbind basic authenticator can be tested like any other +basic helper: + + # /usr/local/squid/libexec/wb_auth -d + /wb_auth[65180](wb_basic_auth.c:136): basic winbindd auth helper ... + mydomain\myuser mypasswd + /wb_auth[65180](wb_basic_auth.c:107): Got 'mydomain\myuser mypasswd' from squid (length: 24). + /wb_auth[65180](wb_basic_auth.c:54): winbindd result: 0 + /wb_auth[65180](wb_basic_auth.c:57): sending 'OK' to squid + OK + +The helper should return "OK" if given a valid username/password. +

+ + +Edit squid.conf +

+ + + +Setup the authenticators. +

+Add the following to enable both the winbind basic and ntlm +authenticators. IE will use ntlm and everything else basic: + + auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth + auth_param ntlm children 5 + auth_param ntlm max_challenge_reuses 0 + auth_param ntlm max_challenge_lifetime 2 minutes + + auth_param basic program /usr/local/squid/libexec/wb_auth + auth_param basic children 5 + auth_param basic realm Squid proxy-caching web server + auth_param basic credentialsttl 2 hours + + + + +Add acl entries to require authentication: + + acl AuthorizedUsers proxy_auth REQUIRED + .. + http_access allow all AuthorizedUsers + + + +

+ +Test Squid with auth +

+ + + +Internet Explorer: +

+Test browsing through squid with IE. If logged into the domain, +a password prompt should NOT pop up. +

+Confirm the traffic really is being authorized by tailing access.log. +The domain\username should be present. +

+ + + +Netscape, mozilla, opera...: +

+Test with a non-IE browser. A standard password dialog should appear. +

+Entering the domain should not be required if the user is in the +default domain and "winbind use default domain = yes" is set in +smb.conf. Otherwise, the username must be entered in "domain\username" format. + + +

+

+If no usernames appear in acces.log and/or no password dialogs appear +in either browser, then the acl/http_access portions of squid.conf are +not correct. +

+

+References +

+ +

+ +

+ +

+ +

+ +

+ +

+ +

+ + + Terms and Definitions
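Review bot: the new FAQ entry still carries unresolved authoring notes and placeholders that should not ship in the SGML: the parenthetical "(Do we need to tell people how to apply a patch?)" and "(should we make a diff for 2.2.4?)" in the Samba build step, and the two stand-in paths "/path/to/patchfile" and "/path/to/trustpwstuff" that the reader is told to use for smbpasswd.diff and the trust-password scripts; either answer the questions and point at the real locations in the Squid source tree, or drop the references to the patch and scripts. Two name typos in the same hunk will send people to the wrong file: "the [global] section of smbd.conf" should read smb.conf (the file is named correctly two paragraphs later), and "If no usernames appear in acces.log" should read access.log, matching the earlier "tailing access.log". In the squid.conf fragment, `http_access allow all AuthorizedUsers` followed by nothing is an incomplete access policy for an example whose purpose is to require authentication; the conventional and clearer form is `http_access allow AuthorizedUsers` followed by an explicit `http_access deny all`, so that a reader who pastes the fragment gets default-deny rather than relying on Squid's implicit handling of the last rule. Finally, the test transcripts show the plaintext password on the command line (`wbinfo -a mydomain\\myuser%mypasswd`) and typed into the helper's stdin under `wb_auth -d`; a one-line caveat that these are for interactive testing only, with the password landing in shell history and debug output, would fit the "Test the helpers" subsection.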