12.3. Implementation First, your system needs to be prepared and in a known good state to proceed. This consists of making sure that everything the system depends on is present and that everything that could interfere or conflict with the system is removed. You will be configuring the Squid and Samba-3 packages and updating them if necessary. If conflicting packages of these programs are installed, they must be removed. The following packages should be available on your Red Hat Linux system: krb5-libs krb5-devel krb5-workstation krb5-server pam_krb5
In the case of SUSE Linux, these packages are called: heimdal-lib heimdal-devel heimdal pam_krb5
If the required packages are not present on your system, you must install them from the vendor's installation media. Follow the administrative guide for your Linux system to ensure that the packages are correctly updated. Note  | If the requirement is for interoperation with MS Windows Server 2003, it will be necessary to ensure that you are using MIT Kerberos version 1.3.1 or later. Red Hat Linux 9 ships with MIT Kerberos 1.2.7 and thus requires updating. |
Heimdal 0.6 or later is required in the case of SUSE Linux. SUSE Enterprise Linux Server 8 ships with Heimdal 0.4. SUSE 9 ships with the necessary version.
12.3.1. Removal of Pre-Existing Conflicting RPMs If Samba and/or Squid RPMs are installed, they should be updated. You can build both from source. Locating the packages to be un-installed can be achieved by running: root# rpm -qa | grep -i samba root# rpm -qa | grep -i squid
The identified packages may be removed using: root# rpm -e samba-common
12.3.2. Kerberos Configuration The systems Kerberos installation must be configured to communicate with your primary Active Directory server (ADS KDC). Strictly speaking, MIT Kerberos version 1.3.4 currently gives the best results, although the current default Red Hat MIT version 1.2.7 gives acceptable results unless you are using Windows 2003 servers. Officially, neither MIT (1.3.4) nor Heimdal (0.63) Kerberos needs an /etc/krb5.conf file in order to work correctly. All ADS domains automatically create SRV records in the DNS zone Kerberos.REALM.NAME for each KDC in the realm. Since both MIT and Heimdal, KRB5 libraries default to checking for these records, so they automatically find the KDCs. In addition, krb5.conf allows specifying only a single KDC, even if there is more than one. Using the DNS lookup allows the KRB5 libraries to use whichever KDCs are available. KERBEROS CONFIGURATION STEPS 1. | If you find the need to manually configure the krb5.conf, you should edit it to have the contents shown in Example 12.3.1. The final fully qualified path for this file should be /etc/krb5.conf.
| 2. | The following gotchas often catch people out. Kerberos is case sensitive. Your realm must be in UPPERCASE, or you will get an error: "Cannot find KDC for requested realm while getting initial credentials". Kerberos is picky about time synchronization. The time according to your participating servers must be within 5 minutes or you get an error: "kinit(v5): Clock skew too great while getting initial credentials". Clock skew limits are, in fact, configurable in the Kerberos protocols (the default is 5 minutes). A better solution is to implement NTP throughout your server network. Kerberos needs to be able to do a reverse DNS lookup on the IP address of your KDC. Also, the name that this reverse lookup maps to must either be the NetBIOS name of the KDC (i.e., the hostname with no domain attached) or the NetBIOS name followed by the realm. If all else fails, you can add a /etc/hosts enTRy mapping the IP address of your KDC to its NetBIOS name. If Kerberos cannot do this reverse lookup, you will get a local error when you try to join the realm.
| 3. | You are now ready to test your installation by issuing the command:
root# kinit [USERNAME@REALM]
You are asked for your password, which you should enter. The following is a typical console sequence:
root# kinit ADMINISTRATOR@LONDON.ABMAS.BIZ Password for ADMINISTRATOR@LONDON.ABMAS.BIZ:
Make sure that your password is accepted by the Active Directory KDC.
Example 12.3.1. Kerberos Configuration File: /etc/krb5.conf [libdefaults] default_realm = LONDON.ABMAS.BIZ [realms] LONDON.ABMAS.BIZ = { kdc = w2k3s.london.abmas.biz }
The command
root# klist -e
|
shows the Kerberos tickets cached by the system. 12.3.2.1 Samba Configuration Samba must be configured to correctly use Active Directory. Samba-3 must be used, since it has the necessary components to interface with Active Directory. SECURING SAMBA-3 WITH ADS SUPPORT STEPS 1. | Download the latest stable Samba-3 for Red Hat Linux from the official Samba Team FTP site.[1] The official Samba Team RPMs for Red Hat Fedora Linux contain the ntlm_auth tool needed, and are linked against MIT KRB5 version 1.3.1 and therefore are ready for use. The necessary, validated RPM packages for SUSE Linux may be obtained from the SerNet[2] FTP site that is located in Germany. All SerNet RPMs are validated, have the necessary ntlm_auth tool, and are statically linked against suitably patched Heimdal 0.6 libraries.
[1] <http://ftp.samba.org>
[2] <ftp://ftp.sernet.de/pub/samba>
| 2. | Using your favorite editor, change the /etc/samba/smb.conf file so it has contents similar to the example shown in Example 12.3.2.
| 3. | i Next you need to create a computer account in the Active Directory. This sets up the trust relationship needed for other clients to authenticate to the Samba server with an Active Directory Kerberos ticket. This is done with the "net ads join -U [Administrator%Password]" command, as follows:
root# net ads join -U administrator%vulcon
| 4. | Your new Samba binaries must be started in the standard manner as is applicable to the platform you are running on. Alternatively, start your Active Directory-enabled Samba with the following commands:
root# smbd -D root# nmbd -D root# winbindd -B
| 5. | We now need to test that Samba is communicating with the Active Directory domain; most specifically, we want to see whether winbind is enumerating users and groups. Issue the following commands:
root# wbinfo -t checking the trust secret via RPC calls succeeded
This tests whether we are authenticating against Active Directory:
root# wbinfo -u LONDON+Administrator LONDON+Guest LONDON+SUPPORT_388945a0 LONDON+krbtgt LONDON+jht LONDON+xjht
This enumerates all the users in your Active Directory tree:
root# wbinfo -g LONDON+Domain Computers LONDON+Domain Controllers LONDON+Schema Admins LONDON+Enterprise Admins LONDON+Domain Admins LONDON+Domain Users LONDON+Domain Guests LONDON+Group Policy Creator Owners LONDON+DnsUpdateProxy
This enumerates all the groups in your Active Directory tree.
| 6. | Squid uses the ntlm_auth helper build with Samba-3. You may test ntlm_auth with the command:
root# /usr/bin/ntlm_auth --username=jht password: XXXXXXXX
You are asked for your password, which you should enter. You are rewarded with:
root# NT_STATUS_OK: Success (0x0)
| 7. | The ntlm_auth helper, when run from a command line as the user "root", authenticates against your Active Directory domain (with the aid of winbind). It manages this by reading from the winbind privileged pipe. Squid is running with the permissions of user "squid" and group "squid" and is not able to do this unless we make a vital change. Squid cannot read from the winbind privilege pipe unless you change the permissions of its directory. This is the single biggest cause of failure in the whole process. Remember to issue the following command (for Red Hat Linux):
root# chgrp squid /var/cache/samba/winbindd_privileged root# chmod 750 /var/cache/samba/winbindd_privileged
For SUSE Linux 9, execute the following:
root# chgrp squid /var/lib/samba/winbindd_privileged root# chmod 750 /var/lib/samba/winbindd_privileged
|
12.3.2.2 NSS Configuration For Squid to benefit from Samba-3, NSS must be updated to allow winbind as a valid route to user authentication. Edit your /etc/nsswitch.conf file so it has the parameters shown in Example 12.3.3. Example 12.3.2. Samba Configuration File: /etc/samba/smb.conf [global] workgroup = LONDON netbios name = W2K3S realm = LONDON.ABMAS. BIZ security = ads encrypt passwords = yes password server = w2k3s.london.abmas.biz # separate domain and username with ' /', like DOMAIN/username winbind separator = / # use UIDs from 10000 to 20000 for domain users idmap uid = 10000 20000 \# use GIDs from 10000 to 20000 for domain groups idmap gid = 10000 20000 # allow enumeration of winbind users and groups winbind enum users = yes winbind enum groups = yes winbind user default domain = yes
Example 12.3.3. NSS Configuration File Extract File: /etc/nsswitch.conf passwd: files winbind shadow: files group: files winbind
12.3.2.3 Squid Configuration Squid must be configured correctly to interact with the Samba-3 components that handle Active Directory authentication. 12.3.3. Configuration SQUID CONFIGURATION STEPS 1. | If your Linux distribution is SUSE Linux 9, the version of Squid supplied is already enabled to use the winbind helper agent. You can therefore omit the steps that would build the Squid binary programs.
| 2. | Squid, by default, runs as the user nobody. You need to add a system user squid and a system group squid if they are not set up already (if the default Red Hat squid rpms were installed, they will be). Set up a squid user in /etc/passwd and a squid group in /etc/group if these aren't there already.
| 3. | You now need to change the permissions on Squid's var directory. Enter the following command:
root# chown -R squid /var/cache/squid
| 4. | Squid must also have control over its logging. Enter the following commands:
root# chown -R chown squid:squid /var/log/squid root# chmod 770 /var/log/squid
| 5. | Finally, Squid must be able to write to its disk cache! Enter the following commands:
root# chown -R chown squid:squid /var/cache/squid root# chmod 770 /var/cache/squid
| 6. | The /etc/squid/squid.conf file must be edited to include the lines from Example 12.3.4 and Example 12.3.5.
| 7. | You must create Squid's cache directories before it may be run. Enter the following command:
root# squid -z
| 8. | Finally, start Squid and enjoy transparent Active Directory authentication. Enter the following command:
root# squid
Example 12.3.4. Squid Configuration File Extract /etc/squid.conf [ADMINISTRATIVE PARAMETERS Section] cache_effective_user squid cache_effective_group squid
Example 12.3.5. Squid Configuration File extract File: /etc/squid.conf [AUTHENTICATION PARAMETERS Section] auth_param ntlm program /usr/bin/ntlm_auth \ --helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 5 auth_param ntlm max_challenge_reuses 0 auth_param ntlm max_challenge_lifetime 2 minutes auth_param basic program /usr/bin/ntlm_auth \ --helper-protocol=squid-2.5-basic auth_param basic children 5 auth_param basic realm Squid proxy-caching web server auth_param basic credentialsttl 2 hours acl AuthorizedUsers proxy_auth REQUIRED http_access allow all AuthorizedUsers
|
12.3.4. Key Points Learned Microsoft Windows networking protocols permeate the spectrum of technologies that Microsoft Windows clients use, even when accessing traditional services such as Web browsers. Depending on whom you discuss this with, this is either good or bad. No matter how you might evaluate this, the use of NTLMSSP as the authentication protocol for Web proxy access has some advantages over the cookie-based authentication regime used by all competing browsers. It is Samba's implementation of NTLMSSP that makes it attractive to implement the solution that has been demonstrated in this chapter. |
