ef50261ea9
A proxy authentication modules against an SMB server. PR: 16100 Submitted by: Maxim Sobolev <sobomax@altavista.net> |
||
---|---|---|
.. | ||
patch-aa | ||
README |
SMB proxy authentication module Current version: 0.05 Released on : 28 September 1999 Author : Richard Huveneers License : GNU GPL smb_auth is a proxy authentication module. With smb_auth you can authenticate proxy users against an SMB server like Windows NT or Samba. Download The current version is smb_auth-0.05.tar.gz. Highlights of new features: * Easier debugging (finally!) * More flexibility * Improved documentation Requirements * Squid 2.0 or above, or another proxy server with the same authentication module interface. Squid 1.1 with Arjan de Vet's patch works fine too. * smb_auth needs Samba to talk SMB. If you don't have Samba installed on your proxy server, download and install Samba now. You don't need to start the Samba daemons, smb_auth only uses the Samba client utilities. Note to Samba 2.0 users: The -E option of smbclient does not work properly in Samba 2.0.3 and earlier, which breaks smb_auth. This has been fixed in Samba 2.0.4, so make sure you are using Samba 2.0.4 or later (the command "smbclient -h" shows the version number). If you prefer not to upgrade to Samba 2.0.4, you can apply this patch which fixes the bug. Installation * Check the Makefile. Make sure that SAMBAPREFIX and INSTALLBIN are set correctly before running make. * Run "make", then "make install". This will install smb_auth and smb_auth.sh in the INSTALLBIN directory. Primary domain controller setup To get proxy access control by user and group, smb_auth reads the file \netlogon\proxyauth on one of the domain controllers using the supplied credentials. If reading this file returns "allow" then access will be allowed, otherwise denied. * Create a file named "proxyauth" on the NETLOGON share of the primary domain controller. In case you have one or more backup domain controllers, I'm assuming you are replicating this share to the backup domain controllers. If you prefer, you can change the location of this file by using the -S option of smb_auth (see below). * Put just the one word "allow" in this file. * Assign "Read" access to the "proxyauth" file to all users or group which you want to allow access to the proxy. * If you want to allow access from multiple domains to your proxy, repeat the above steps for the other domains. Configure Squid You need to configure Squid for proxy authentication. If you have problems doing this, have a look at the FAQ. While reading the FAQ, replace ncsa_auth with smb_auth. Please pay attention to the REQUIRED keyword in the proxy_auth acl. As an example, here are the relevant lines of my own squid.conf file: authenticate_program /usr/local/bin/smb_auth -W MEDIA@VANTAGE acl domainusers proxy_auth REQUIRED http_access allow domainusers smb_auth has several options. Most people will call smb_auth like this: smb_auth -W domainname where domainname is the name of your domain. By default, smb_auth tries to find a domain controller by broadcasting on the primary network interface. If you want to broadcast on another interface (for instance, if you have two ethernet interfaces installed), use: smb_auth -W domainname -B <broadcast IP address> If you really want to specify the IP address of a domain controller yourself, use: smb_auth -W domainname -U <IP address> This might even work with a WINS server (untested, feedback appreciated). If you have several domains from which you want to allow access to your proxy, just add them: smb_auth -W domain1 -W domain2 -W domain3 ... in this case all users (except those of domain1) have to specify their username as domainname\username when authenticating. If your users are lazy, you can abbreviate the domainnames like this: smb_auth -W domain1 -W domain2 -w d2 -W domain3 -w d3 .. then users of domain2 can authenticate with d2\username instead of domain2\username. You can also specify different broadcast addresses etc. per domain. Note that you don't need an abbreviation for the first domain since omitting a domainname implies authenticating against the first domain. If you want to authenticate users of domain1 against a domain controller of domain2 (you must have a trust relationship between domain1 and domain2) then you can use the -P option. This is called pass-through authentication and is useful to manage access from multiple domains to the proxy server centrally (using a single proxyauth file): smb_auth -W domain1 -P domain2 -W domain2 .. If you want to change the location of the proxyauth file (for instance because your NETLOGON share is located on a FAT filesystem) then you can use the -S option to specify a different share (make sure you are replicating this share to the backup domain controllers): smb_auth -W domain -S share You can also change the name of the proxyauth file and store it in a sub-directory of the share by appending the full pathname of the proxyauth file to the sharename. You may use both forward slashes and backslashes to separate directories and you may (not required) prepend a (back)slash to the sharename: smb_auth -W domain -S /share/path/to/proxyauth Troubleshooting You can run smb_auth on the command-line using the same options as in your squid.conf. To debug authentication you can additionally use the -d option which will print debug information after each step, so you can determine which step is failing. Do not use the -d option in your squid.conf, this corrupts the communication between Squid and smb_auth. You need to feed one username and password (separated by a space character) to smb_auth's standard input. After authenticating this username and password, smb_auth will continue accepting such username/password combinations until you close it's standard input by pressing Ctrl-D. Here's the output of a succesful authentication, so you know how the output should look like: # smb_auth -W MEDIA@VANTAGE -d richard xxxxxxxx Domain name: MEDIA@VANTAGE Pass-through authentication: no Query address options: Domain controller IP address: 192.168.1.2 Domain controller NETBIOS name: VEGA Contents of //VEGA/NETLOGON/proxyauth: allow OK Still having problems? Please e-mail me if you have problems compiling, installing or configuring smb_auth. Suggestions are welcome too. If somebody could comment on NT licensing issues of smb_auth, that would be more than welcome. TODO These are the items currently on my todo list. If you need another feature currently not available, just let me know. I will add it to this list and who knows, it might even get implemented. * research if smbclient does encrypted passwords on demand or needs smb.conf option or something else. * research if Samba 2.0 is able to retrieve NT group membership directly * re-code the shell script in C. I used a shell script mainly to speedup development. * add a netbios name cache. This feature needs the previous one and will speed up smb_auth considerably. * research if linking smb_auth with the Samba code is worth the trouble.