Re: [Samba] Question: Samba and YP-Yellow Pages relation.




Hi, 

Someone called me? 

I did a quick read of this thread. 
The UPN part is done, so you're almost there. 

You need to make sure your DNS is working as it should. 
Check on the proxy with:
dig A hostname.FQDN.
dig -x ip_of_the_server

Test this for the DC hostnames/IPs also. 
If that is all OK, you can try these settings in Squid:

# For Squid (works for me as of Squid 3.2 up to 3.5)
# Negotiate Kerberos and NTLM authentication + LDAP fallback.
# Debugging: add -d to the kerberos line and --diagnostics to the ntlm line.
auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
    --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/your.server.hostname.in.fqdn@YOUR_REALM \
    --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM

# Adjust this to your needs; you might want to lower the children and startups. 
auth_param negotiate children 10 startup=2 idle=2
auth_param negotiate keep_alive on

# My advice: put everything on SSL, so don't use this one, but it's handy to have/know. 
# ! Do note the -h and -H parameters. 
# ! The user : SeparatedUser4bind2Ldap@xxxxxxxxxxxxxxxxxxx 
# !          : set "disable Kerberos pre-authentication" and "password does not expire", and the user cannot change it. 
# !          : set as trusted and cannot be delegated.
# Non-SSL
#auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 \
#    -b "ou=Company,dc=internal,dc=domain,dc=tld" \
#    -D SeparatedUser4bind2Ldap@xxxxxxxxxxxxxxxxxxx \
#    -W /etc/squid/private/your_userPassword_in_Here \
#    -f "(sAMAccountName=%s)" \
#    -h dc2.internal.domain.tld \
#    -h dc1.internal.domain.tld

# SSL enabled (URI format, -H)
# -R: do not follow referrals; -v 3: LDAPv3; -W: file holding the bind password
# (keep that file mode 0600 and owned by the user Squid runs as).
auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 \
    -b "ou=Company,dc=internal,dc=domain,dc=tld" \
    -D SeparatedUser4bind2Ldap@xxxxxxxxxxxxxxxxxxx \
    -W /etc/squid/private/your_userPassword_in_Here \
    -f "(sAMAccountName=%s)" \
    -H ldaps://dc2.internal.domain.tld \
    -H ldaps://dc1.internal.domain.tld

auth_param basic children 5 startup=1 idle=1
auth_param basic realm Internet Proxy Authorisation
auth_param basic credentialsttl 9 hours


In smb.conf, set these to no after you have tested:
> winbind enum users = no
> winbind enum groups = no


Good luck,

If you have questions just mail me or the list. 
PS. Back Monday, and if you're lucky, I'll respond over the weekend. 


Greetz, 

Louis
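A pre-flight script for the DNS and keytab checks described above, added to this page as an example; it is not part of Louis's mail, nor code from the Samba or Squid projects. It assumes dig and klist are installed on the proxy, that the keytab is /etc/krb5.keytab (override with KEYTAB=...), and that the SPN Squid presents is HTTP/<proxy fqdn>@<REALM>, matching the -s argument of negotiate_kerberos_auth; the host names in the usage line are examples only.

```shell
#!/bin/sh
# Pre-flight checks for a Squid proxy that is a Samba/winbind domain member.
# Illustrative script for this page, not from the thread, Samba or Squid.
# Assumed: keytab path below, SPN form HTTP/<fqdn>@<REALM>, dig + klist present.

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# Thin wrappers around the real tools. They are plain functions so a test
# (or a dry run) can redefine them with canned answers.
fwd_lookup()     { dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1; }
rev_lookup()     { dig +short -x "$1" | head -n 1; }   # PTR, with trailing dot
keytab_listing() { klist -k "$KEYTAB"; }               # "KVNO Principal" table

# Normalise a DNS name: strip the trailing dot, lowercase.
norm_name() { printf '%s' "$1" | sed 's/\.$//' | tr 'A-Z' 'a-z'; }

# dns_round_trip NAME
# Succeeds only if NAME -> A -> PTR comes back to NAME. A missing or
# mismatched PTR is a classic cause of Kerberos failing only through the proxy.
dns_round_trip() {
    name=$1
    ip=$(fwd_lookup "$name")
    if [ -z "$ip" ]; then
        echo "FAIL: no A record for $name" >&2
        return 1
    fi
    ptr=$(norm_name "$(rev_lookup "$ip")")
    if [ "$ptr" = "$(norm_name "$name")" ]; then
        echo "OK:   $name -> $ip -> $ptr"
    else
        echo "FAIL: $name -> $ip -> '${ptr:-<no PTR>}' (reverse does not match)" >&2
        return 1
    fi
}

# spn_in_keytab SPN
# Succeeds if the keytab lists SPN as a principal (any enctype or KVNO).
# The principal is always the last field of a klist -k line.
spn_in_keytab() {
    keytab_listing | awk -v spn="$1" '$NF == spn { found = 1 } END { exit !found }'
}

# keytab_kvno SPN
# Prints the highest KVNO stored for SPN (0 if absent). Compare it with
# `kvno SPN` against the DC: a stale keytab after a machine-password
# rotation is another way negotiate auth silently breaks.
keytab_kvno() {
    keytab_listing | awk -v spn="$1" \
        'BEGIN { max = 0 } $NF == spn && $1 > max { max = $1 } END { print max + 0 }'
}

# preflight PROXY_FQDN REALM [DC_FQDN ...]
# Runs every check and returns non-zero if any of them failed.
preflight() {
    proxy=$1; realm=$2; shift 2
    rc=0
    dns_round_trip "$proxy" || rc=1
    for dc in "$@"; do
        dns_round_trip "$dc" || rc=1
    done
    spn="HTTP/$proxy@$realm"
    if spn_in_keytab "$spn"; then
        echo "OK:   $spn in $KEYTAB (KVNO $(keytab_kvno "$spn"))"
    else
        echo "FAIL: $spn not in $KEYTAB (expected from 'net ads join createupn=$spn -k')" >&2
        rc=1
    fi
    return $rc
}

# Usage: sh preflight.sh proxy.internal.domain.tld INTERNAL.DOMAIN.TLD dc1.internal.domain.tld dc2.internal.domain.tld
if [ $# -ge 2 ]; then
    preflight "$@"
fi
```

Two further manual checks worth running once this passes: `kinit -k -t /etc/krb5.keytab HTTP/<proxy fqdn>@<REALM>` proves the stored key still matches the KDC, and `wbinfo -t` proves winbind's machine trust secret is good before you blame ntlm_auth. If clients reach the proxy through a CNAME, browsers may request the SPN for the canonical name instead, so that name must be in the keytab too. For ntlm_auth to answer at all, the user Squid runs as must be able to read winbind's privileged pipe (on Debian/Ubuntu that means membership of the winbindd_priv group). And note that an LDAP bind account with Kerberos pre-authentication disabled, as in the basic_ldap_auth setup above, can have its AS-REP captured and brute-forced offline, so give it a long random password and read-only rights.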


> -----Original Message-----
> From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On Behalf Of 
> Suporte - KONTROL via samba
> Sent: Friday, 6 April 2018 15:58
> To: samba@xxxxxxxxxxxxxxx
> Subject: Re: [Samba] Question: Samba and YP-Yellow Pages relation.
> 
> Hi Rowland,
> That looks GREAT!
> I will give it a try for sure and let you know.
> 
> I am trying to talk to the guys who "modified/patched" the 
> Samba 4.4 to get details. If I get it, I will send it to you.
> 
> Many Thanks!!!
> 
> Fabricio.
> 
> 
> -----Original Message-----
> From: samba <samba-bounces@xxxxxxxxxxxxxxx> On Behalf Of 
> Rowland Penny via samba
> Sent: Friday, April 6, 2018 5:15 AM
> To: samba@xxxxxxxxxxxxxxx
> Subject: Re: [Samba] Question: Samba and YP-Yellow Pages relation.
> 
> On Thu, 5 Apr 2018 18:57:03 -0300
> "Suporte - KONTROL" <suporte@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> 
> > Hi Rowland,
> > Actually I don't want to disable the Yellow Pages, that's a situation
> > I already have in the pFsense, cause YP was disabled by the pfsense
> > developers.
> 
> Yellow pages is the old name for NIS and unless it is 
> installed it isn't used by Linux and I suspect the same goes 
> for freebsd.
> 
> > So my doubt is: Is there a way to make samba (latest version) work
> > without the YP enabled? What about what people made with that samba
> > version 4.4.16 I mentioned? Not sure how they did that. The only thing
> > I know is that it is working fine even without the YP.
> 
> I would love to know what they did, perhaps the relevant code 
> has been accepted into Samba.
> 
> > 
> > The Microsoft environment is mixed. I have Win2008R2 / Win2012 R2 and
> > Win2016. It is working today with all of them.
> >
> 
> Here is the good part: unless you extend Windows by 
> installing 'IDMU', it has no knowledge of NIS, and you cannot 
> install 'IDMU' on Win2016.
>   
> > No problems, Here is the smb4.conf file:
> 
> and here is my version for 4.7.6, basically yours with the 
> default lines removed and the deprecated 'idmap uid & gid' 
> lines replaced with their modern counterparts:
> 
> [global]
> workgroup = SAMDOM
> security = ads
> realm  = SAMDOM.EXAMPLE.COM
> 
> ## map ids outside of domain to tdb files.
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> ## map ids from the domain; the ranges may not overlap!
> idmap config SAMDOM : backend = rid
> idmap config SAMDOM : range = 10000-999999
> 
> template shell = /bin/bash
> winbind offline logon = yes
> winbind refresh tickets = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> 
> log level = 3 passdb:5 winbind:3
> printcap name = /dev/null
> load printers = no
> printing = bsd
> local master = no
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
> 
> [homes]
> comment = Home Directories
> valid users = %s, %D%W%S
> browseable = no
> read only = no
> inherit acls = yes
> 
> With that smb.conf, I joined it to my domain with:
> 
> net ads join createupn=HTTP/testclient1.samdom.example.com@SAMDOM.EXAMPLE.COM -k
> Using short domain name -- SAMDOM
> Joined 'TESTCLIENT1' to dns domain 'samdom.example.com'
> 
> and if I examine the keytab created, I find this:
> 
> ktutil
> ktutil:  rkt /etc/krb5.keytab
> ktutil:  l
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    2 host/testclient1.samdom.example.com@xxxxxxxxxxxxxxxxxx
>    2    2      host/TESTCLIENT1@xxxxxxxxxxxxxxxxxx
>    3    2 host/testclient1.samdom.example.com@xxxxxxxxxxxxxxxxxx
>    4    2      host/TESTCLIENT1@xxxxxxxxxxxxxxxxxx
>    5    2 host/testclient1.samdom.example.com@xxxxxxxxxxxxxxxxxx
>    6    2      host/TESTCLIENT1@xxxxxxxxxxxxxxxxxx
>    7    2 host/testclient1.samdom.example.com@xxxxxxxxxxxxxxxxxx
>    8    2      host/TESTCLIENT1@xxxxxxxxxxxxxxxxxx
>    9    2 host/testclient1.samdom.example.com@xxxxxxxxxxxxxxxxxx
>   10    2      host/TESTCLIENT1@xxxxxxxxxxxxxxxxxx
>   11    2          TESTCLIENT1$@SAMDOM.EXAMPLE.COM
>   12    2          TESTCLIENT1$@SAMDOM.EXAMPLE.COM
>   13    2          TESTCLIENT1$@SAMDOM.EXAMPLE.COM
>   14    2          TESTCLIENT1$@SAMDOM.EXAMPLE.COM
>   15    2          TESTCLIENT1$@SAMDOM.EXAMPLE.COM
>   16    2 HTTP/testclient1.samdom.example.com@xxxxxxxxxxxxxxxxxx
>   17    2 HTTP/testclient1.samdom.example.com@xxxxxxxxxxxxxxxxxx
>   18    2 HTTP/testclient1.samdom.example.com@xxxxxxxxxxxxxxxxxx
>   19    2 HTTP/testclient1.samdom.example.com@xxxxxxxxxxxxxxxxxx
>   20    2 HTTP/testclient1.samdom.example.com@xxxxxxxxxxxxxxxxxx
> 
> So the required UPN is there, so all I can suggest is, give it a try.
> 
> I do not use Squid, but I know a man that does ;-)
> 
> So over to you Louis.
> 
> Rowland


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba