ef50261ea9
A proxy authentication module against an SMB server. PR: 16100 Submitted by: Maxim Sobolev <sobomax@altavista.net>
180 lines
7.0 KiB
Plaintext
SMB proxy authentication module

Current version: 0.05
Released on: 28 September 1999
Author: Richard Huveneers
License: GNU GPL

smb_auth is a proxy authentication module. With smb_auth you can
authenticate proxy users against an SMB server like Windows NT or Samba.

Download

The current version is smb_auth-0.05.tar.gz.

Highlights of new features:

* Easier debugging (finally!)
* More flexibility
* Improved documentation

Requirements

* Squid 2.0 or above, or another proxy server with the same
  authentication module interface.
  Squid 1.1 with Arjan de Vet's patch works fine too.
* smb_auth needs Samba to talk SMB. If you don't have Samba installed on
  your proxy server, download and install Samba now. You don't need to
  start the Samba daemons; smb_auth only uses the Samba client
  utilities.

Note to Samba 2.0 users: The -E option of smbclient does not work
properly in Samba 2.0.3 and earlier, which breaks smb_auth. This has
been fixed in Samba 2.0.4, so make sure you are using Samba 2.0.4 or
later (the command "smbclient -h" shows the version number). If you
prefer not to upgrade to Samba 2.0.4, you can apply this patch which
fixes the bug.

Installation

* Check the Makefile. Make sure that SAMBAPREFIX and INSTALLBIN are set
  correctly before running make.
* Run "make", then "make install". This will install smb_auth and
  smb_auth.sh in the INSTALLBIN directory.

Primary domain controller setup

To get proxy access control by user and group, smb_auth reads the file
\netlogon\proxyauth on one of the domain controllers using the supplied
credentials. If reading this file returns "allow" then access will be
allowed, otherwise denied.

* Create a file named "proxyauth" on the NETLOGON share of the primary
  domain controller. In case you have one or more backup domain
  controllers, I'm assuming you are replicating this share to the backup
  domain controllers. If you prefer, you can change the location of this
  file by using the -S option of smb_auth (see below).
* Put just the one word "allow" in this file.
* Assign "Read" access to the "proxyauth" file to all users or groups
  which you want to allow access to the proxy.
* If you want to allow access from multiple domains to your proxy,
  repeat the above steps for the other domains.

Configure Squid

You need to configure Squid for proxy authentication. If you have problems
doing this, have a look at the FAQ. While reading the FAQ, replace
ncsa_auth with smb_auth. Please pay attention to the REQUIRED keyword in
the proxy_auth acl. As an example, here are the relevant lines of my own
squid.conf file:

authenticate_program /usr/local/bin/smb_auth -W MEDIA@VANTAGE
acl domainusers proxy_auth REQUIRED
http_access allow domainusers

smb_auth has several options. Most people will call smb_auth like this:

smb_auth -W domainname

where domainname is the name of your domain. By default, smb_auth tries to
find a domain controller by broadcasting on the primary network interface.
If you want to broadcast on another interface (for instance, if you have
two ethernet interfaces installed), use:

smb_auth -W domainname -B <broadcast IP address>

If you really want to specify the IP address of a domain controller
yourself, use:

smb_auth -W domainname -U <IP address>

This might even work with a WINS server (untested, feedback appreciated).
If you have several domains from which you want to allow access to your
proxy, just add them:

smb_auth -W domain1 -W domain2 -W domain3 ...

In this case all users (except those of domain1) have to specify their
username as domainname\username when authenticating. If your users are
lazy, you can abbreviate the domain names like this:

smb_auth -W domain1 -W domain2 -w d2 -W domain3 -w d3 ...

Then users of domain2 can authenticate with d2\username instead of
domain2\username. You can also specify different broadcast addresses etc.
per domain. Note that you don't need an abbreviation for the first domain,
since omitting a domain name implies authenticating against the first
domain.

If you want to authenticate users of domain1 against a domain controller of
domain2 (you must have a trust relationship between domain1 and domain2),
then you can use the -P option. This is called pass-through authentication
and is useful to manage access from multiple domains to the proxy server
centrally (using a single proxyauth file):

smb_auth -W domain1 -P domain2 -W domain2 ...

If you want to change the location of the proxyauth file (for instance
because your NETLOGON share is located on a FAT filesystem), then you can
use the -S option to specify a different share (make sure you are
replicating this share to the backup domain controllers):

smb_auth -W domain -S share

You can also change the name of the proxyauth file and store it in a
sub-directory of the share by appending the full pathname of the proxyauth
file to the share name. You may use both forward slashes and backslashes to
separate directories, and you may (but need not) prepend a (back)slash to
the share name:

smb_auth -W domain -S /share/path/to/proxyauth

Troubleshooting

You can run smb_auth on the command line using the same options as in your
squid.conf. To debug authentication you can additionally use the -d option,
which prints debug information after each step, so you can determine
which step is failing.
Do not use the -d option in your squid.conf; it corrupts the
communication between Squid and smb_auth.

You need to feed one username and password (separated by a space character)
to smb_auth's standard input. After authenticating this username and
password, smb_auth will continue accepting such username/password
combinations until you close its standard input by pressing Ctrl-D.

Here's the output of a successful authentication, so you know what the output
should look like:

# smb_auth -W MEDIA@VANTAGE -d
richard xxxxxxxx
Domain name: MEDIA@VANTAGE
Pass-through authentication: no
Query address options:
Domain controller IP address: 192.168.1.2
Domain controller NETBIOS name: VEGA
Contents of //VEGA/NETLOGON/proxyauth: allow
OK

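To tie the option semantics above (-W, -w, -P, -S, first-domain default) to the one-line-in, OK/ERR-out protocol Squid speaks to smb_auth, here is an added Python model of that decision logic; it is not the project's smb_auth or smb_auth.sh. The Domain class, fake_read_proxyauth and the credential table are constructed for the example, with fake_read_proxyauth standing in for the smbclient read of the proxyauth file so everything runs offline.

```python
import sys
from dataclasses import dataclass

@dataclass
class Domain:
    name: str                # -W
    abbrev: str = None       # -w
    passthrough: str = None  # -P: query this domain's controller instead
    share: str = "NETLOGON"  # -S, optionally with /path/to/proxyauth

def parse_login(line):
    """Split Squid's 'user password' line on the first space only; passwords may contain spaces."""
    user, sep, password = line.rstrip("\r\n").partition(" ")
    if not sep or not user:
        raise ValueError("malformed credential line")
    return user, password

def resolve_domain(domains, user):
    """Map 'domain\\user', 'abbrev\\user' or bare 'user' (= first -W domain) to (Domain, user)."""
    if "\\" not in user:
        return domains[0], user
    dom, _, bare = user.partition("\\")
    for d in domains:
        if dom.lower() in {d.name.lower(), (d.abbrev or d.name).lower()}:
            return d, bare
    return None, bare  # unknown domain

def authenticate(domains, user, password, read_proxyauth):
    """Grant only if proxyauth from the (pass-through) domain's controller says exactly 'allow'."""
    domain, bare = resolve_domain(domains, user)
    if domain is None:
        return False
    text = read_proxyauth(domain.passthrough or domain.name, domain.share, bare, password)
    return text is not None and text.strip() == "allow"  # read failure or other text = deny

def serve(domains, read_proxyauth, stdin=sys.stdin, stdout=sys.stdout):
    """One OK/ERR line per input line until EOF; other stdout text (e.g. -d output) breaks Squid."""
    for line in stdin:
        try:
            ok = authenticate(domains, *parse_login(line), read_proxyauth)
        except ValueError:
            ok = False
        print("OK" if ok else "ERR", file=stdout, flush=True)

# Constructed stand-in for the smbclient read: credentials -> proxyauth text, None = read failed.
_FAKE = {("DOMAIN1", "alice", "s3cret"): "allow\n", ("DOMAIN2", "bob", "pass word"): "allow\n",
         ("DOMAIN1", "carol", "hunter2"): "deny\n"}
def fake_read_proxyauth(dc_domain, share, user, password):
    return _FAKE.get((dc_domain.upper(), user, password))
```

Run with `serve([Domain("DOMAIN1")], fake_read_proxyauth)` and type credential lines; a DOMAIN3 user with passthrough="DOMAIN2" is checked against DOMAIN2's proxyauth, as -P does.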
Still having problems?

Please e-mail me if you have problems compiling, installing or configuring
smb_auth. Suggestions are welcome too.
If somebody could comment on NT licensing issues of smb_auth, that would be
more than welcome.

TODO

These are the items currently on my todo list. If you need another feature
currently not available, just let me know. I will add it to this list and
who knows, it might even get implemented.

* research if smbclient does encrypted passwords on demand or needs an
  smb.conf option or something else.
* research if Samba 2.0 is able to retrieve NT group membership directly
* re-code the shell script in C. I used a shell script mainly to speed up
  development.
* add a netbios name cache. This feature needs the previous one and will
  speed up smb_auth considerably.
* research if linking smb_auth with the Samba code is worth the trouble.