[squid-users] Dance of joy, and a plea for help

From: Chemolli Francesco (USI) <ChemolliF@dont-contact.us>
Date: Tue, 27 Nov 2001 17:43:56 +0100

I spent some time doing the dance of joy today.

The winbind-based NTLM authentication helper gave the first
signs of life, successfully (and unsuccessfully when appropriate)
authenticating clients against a Microsoft domain controller using
the domain membership API.

Eternal gratitude goes to the Samba Team, with special thanks to
Tim Potter, Simo Sorce, Andrew Bartlet, and Andrew Tridgell.

But now comes the hard part: testing and refining.

I'm issuing a call for the daring (and for the dissatisfied
with the current NTLMSSP helper) to throw their worst at the
helper, and to make it break in the most spectacular way possible.

Below you'll find setup instructions: the environment is
more complex than the current one. The advantages are quite
interesting however: the aim is for ROBUST performance (no more
connections dropped and helper-fail-open and last-ditch! yay!),
SECURE performance (/dev/urandom is used when available to have
maximal challenge entropy), HIGH performance (by maximal exploitation
of challenge caching capabilities).

  ===== SETUP-HOWTO =====
You'll need a samba-2.2 (I succeeded using version 2.2.2) set up
system-wide on the proxy server, and samba-HEAD from CVS, with
the same ./configure arguments as the 2.2. Build it, and
manually copy ONLY WINBINDD, you can overwrite 2.2's.

in smb.conf:
workgroup = YOURDOMAIN
winbind uid = 10000-20000 ; meaningless for us
winbind gid = 10000-20000 ; meaningless for us
winbind cache time = 300
template shell = /bin/false ; meaningless for us
winbind separator = /
security = domain ; maybe it's not needed
password server = *
wins server = ; your real WINS server's IP of course.
                      ; Dunno if it's needed, but it's likely

Fire up srvmgr on the domain controller, and add the name
of the proxy server.
Then on the proxy server, smbpasswd -j YOURDOMAIN,
then fire up winbindd.

do a wbinfo -t. It must answer "Secret is good".
If so, samba is set up (you do NOT need to fire up
smbd/nmbd to perform authentications.
It's unclear whether it's needed for workstation trust account
management). If the shared secret goes bad, use srvmgr to
remove the server from the domain, re-add it and re-smbpasswd.
You might need to remove the secrets.tdb file from the server
before re-smbpasswd'ing.

Now on the squid side:
retrieve the ntlm branch from devel.squid-cache.org
(instructions on http://devel.squid-cache.org/CVS.html).
./configure it with at least the options (but you'll surely
want to use more)
--enable-auth=ntlm --enable-ntlm-auth-helpers=winbind
Build and install.
The helper is named wb_ntlmauth, it doesn't require any
command-line parameters (it's all in smb.conf).

That's all folks! Please, join me in the dance of joy!

Received on Tue Nov 27 2001 - 09:32:52 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:04:33 MST