Re: [squid-users] Join Squid to Windows Domain Controller : Configuring Squid for NTLM with Winbind Authentication on CentOS 5

From: Murilo Moreira de Oliveira <murilo.moreira_at_gmail.com>
Date: Fri, 18 Jun 2010 15:59:59 -0300

2010/6/18 Amos Jeffries <squid3_at_treenet.co.nz>:
> Murilo Moreira de Oliveira wrote:
>>
>> Hi Amos.
>>
>> Stop what? I've understood stop doing only step 4, right? Anyway, I
>
> Yes.
>
>> was following
>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmCentOS5
>> article and I didn't find wbpriv group on my CentOS 5.4 box (Yeah,
>> authconfig, krb5-workstation and samba-common are installed!). To
>> finish, I've used another CentOS 5.4 machine and installed from
>> scratch authconfig, krb5-workstation and samba-common and guess,
>> /var/cache/samba/winbindd_privileged directory was created with 750
>> root:squid rights!
>>
>> I wonder, should I create wbpriv group, assign squid user to it and
>> make root:wbpriv the owner of /var/cache/samba/winbindd_privileged
>> directory in order to make my environment more secure? Any help with
>> this will be very appreciated.
>
> Well, if it's done by the packaging for you then okay it should be workable,
> even if not nicely. I'd go with the package defaults first and see if it
> goes before changing anything there.

My squid always worked this way, nicely or not :). I've presented my
steps to help Edouard Zorrilla. Anyway, I think I'll follow Joseph
Casale's tips and upgrade CentOS to version 5.5 and reconfigure
authconfig, krb5-workstation and samba-common in order to make my
squid installation reflect the
http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmCentOS5
article.

>
> Amos
>
>>
>> 2010/6/16 Amos Jeffries <squid3_at_treenet.co.nz>
>>>
>>> Murilo Moreira de Oliveira wrote:
>>>>
>>>> Hello. Below are the steps I've used to get NTLM authentication
>>>> working.
>>>>
>>>> 1.# yum -y install authconfig krb5-workstation samba-common
>>>>
>>>> 2.[root_at_proxyweb ~]# authconfig --enableshadow --enablemd5
>>>> --passalgo=md5 --krb5kdc=AD_SERVER.YOUR.FULL.DOMAIN
>>>> --krb5realm=YOUR.FULL.DOMAIN --smbservers=AD_SERVER.YOUR.FULL.DOMAIN
>>>> --smbworkgroup=YOUR_AD_GROUP --enablewinbind --enablewinbindauth
>>>> --smbsecurity=ads --smbrealm=YOUR.FULL.DOMAIN
>>>> --smbidmapuid="16777216-33554431" --smbidmapgid="16777216-33554431"
>>>> --winbindtemplateshell="/bin/false" --enablewinbindusedefaultdomain
>>>> --disablewinbindoffline --winbindjoin=SOME_DOMAIN_ADMIN --disablewins
>>>> --disablecache --enablelocauthorize --updateall
>>>>
>>>> 3.# wbinfo --set-auth-user=YOUR_PROXY_USER%YOUR_PROXY_USER_PASSWORD
>>>> This is the user that the proxy will use to validate users' credentials.
>>>>
>>>> 4.# chown root:squid /var/cache/samba/winbindd_privileged
>>>>
>>> Noooooooo! Ouch.
>>>
>>> This is a giant permissions hack to evade the strict security leash of
>>> cache_effective_group.
>>>
>>> The correct way to do this is to add the Squid proxy user to the system
>>> group which wbinfo normally lets access /var/cache/samba/winbindd_privileged
>>>
>>> ... and ensure cache_effective_group is MISSING from squid.conf.
>>>
>>> The result is that Squid acts like a proper low-privileged user account
>>> on the system. Same as any other user account with multiple groups.
>>>
>>> Amos
>>> --
>>> Please be using
>>>  Current Stable Squid 2.7.STABLE9 or 3.1.4
>
>
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.4
>
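An added audit script, not from this thread or the Squid project, that checks the three points Amos makes above on a CentOS 5 style box: no active cache_effective_group in squid.conf, the squid user a member of the group owning winbindd_privileged, and that directory group-owned with mode 0750 rather than chowned to squid. The script name and the default group name wbpriv (the group Murilo asks about) are assumptions; pass your own values as arguments.

```shell
#!/bin/sh
# audit_wbpriv.sh (hypothetical name): check the three points Amos raises above on a
# CentOS 5 box: no cache_effective_group in squid.conf, squid user in the group that
# owns winbindd_privileged, and that directory group-owned by it with mode 0750.
# Defaults assume CentOS 5 paths and a group named wbpriv; adjust to your package.

# 0 if $1 (a squid.conf) contains an active, uncommented cache_effective_group directive.
conf_sets_effective_group() {
    grep -Eq '^[[:space:]]*cache_effective_group([[:space:]]|$)' "$1"
}

# 0 if user $3 is listed as a member of group $2 in the /etc/group-format file $1.
user_in_group_file() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) f = 1 }
        END { exit f ? 0 : 1 }' "$1"
}

# 0 if directory $1 is group-owned by $2 and has no "other" permission bits (e.g. 0750).
privdir_ok() {
    line=$(ls -ld "$1" 2>/dev/null) || return 1
    grp=$(printf '%s\n' "$line" | awk '{print $4}')
    other=$(printf '%s\n' "$line" | awk '{print substr($1, 8, 3)}')
    [ "$grp" = "$2" ] && [ "$other" = "---" ]
}

# Run all three checks; prints one line per failure and returns 1 if any failed.
audit() {
    conf=${1:-/etc/squid/squid.conf}
    dir=${2:-/var/cache/samba/winbindd_privileged}
    grp=${3:-wbpriv}
    user=${4:-squid}
    rc=0
    if conf_sets_effective_group "$conf"; then
        echo "FAIL: $conf sets cache_effective_group; remove it so Squid keeps its groups"; rc=1
    fi
    if ! user_in_group_file /etc/group "$grp" "$user"; then
        echo "FAIL: $user is not in group $grp (fix: usermod -a -G $grp $user)"; rc=1
    fi
    if ! privdir_ok "$dir" "$grp"; then
        echo "FAIL: $dir is not group $grp with mode 0750 (do not chown it to squid)"; rc=1
    fi
    return $rc
}

# Only run when executed as the script itself; sourcing it just defines the functions.
case "$0" in *audit_wbpriv.sh) audit "$@" ;; esac
```

Run it as root after the package install and before touching any ownership by hand; a clean run prints nothing and exits 0.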
Received on Fri Jun 18 2010 - 19:00:07 MDT

This archive was generated by hypermail 2.2.0 : Sat Jun 19 2010 - 12:00:03 MDT