Re: [squid-users] Join Squid to Windows Domain Controller : Configuring Squid for NTLM with Winbind Authentication on CentOS 5

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Fri, 18 Jun 2010 23:33:49 +1200

Murilo Moreira de Oliveira wrote:
> Hi Amos.
>
> Stop what? I've understood stop doing only step 4, right? Anyway, I

Yes.

> was following http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmCentOS5
> article and I didn't find wbpriv group on my CentOS 5.4 box (Yeah,
> authconfig, krb5-workstation and samba-common are installed!). To
> finish, I've used another CentOS 5.4 machine and installed from
> scratch authconfig, krb5-workstation and samba-common and guess,
> /var/cache/samba/winbindd_privileged directory was created with 750
> root:squid rights!
>
> I wonder, should I create wbpriv group, assign squid user to it and
> make root:wbpriv the owner of /var/cache/samba/winbindd_privileged
> directory in order to make my environment more secure? Any help with
> this will be very appreciated.

Well, if it's done by the packaging for you then okay, it should be
workable, even if not nicely. I'd go with the package defaults first and
see if it goes before changing anything there.

Amos

>
> 2010/6/16 Amos Jeffries <squid3_at_treenet.co.nz>
>> Murilo Moreira de Oliveira wrote:
>>> Hello. Follow below the steps I've used to get NTLM authentication working.
>>>
>>> 1.# yum -y install authconfig krb5-workstation samba-common
>>>
>>> 2.[root_at_proxyweb ~]# authconfig --enableshadow --enablemd5
>>> --passalgo=md5 --krb5kdc=AD_SERVER.YOUR.FULL.DOMAIN
>>> --krb5realm=YOUR.FULL.DOMAIN --smbservers=AD_SERVER.YOUR.FULL.DOMAIN
>>> --smbworkgroup=YOUR_AD_GROUP --enablewinbind --enablewinbindauth
>>> --smbsecurity=ads --smbrealm=YOUR.FULL.DOMAIN
>>> --smbidmapuid="16777216-33554431" --smbidmapgid="16777216-33554431"
>>> --winbindtemplateshell="/bin/false" --enablewinbindusedefaultdomain
>>> --disablewinbindoffline --winbindjoin=SOME_DOMAIN_ADMIN --disablewins
>>> --disablecache --enablelocauthorize --updateall
>>>
>>> 3.# wbinfo --set-auth-user=YOUR_PROXY_USER%YOUR_PROXY_USER_PASSWORD
>>> This is the user that proxy will use to validate users credentials.
>>>
>>> 4.# chown root:squid /var/cache/samba/winbindd_privileged
>>>
>> Noooooooo! Ouch.
>>
>> This is a giant permissions hack to evade the strict security leash of cache_effective_group.
>>
>> The correct way to do this is to add the Squid proxy user to the system group which wbinfo normally lets access /var/cache/samba/winbindd_privileged
>>
>> ... and ensure cache_effective_group is MISSING from squid.conf.
>>
>> The result is that Squid acts like a proper low-privileged user account on the system. Same as any other user account with multiple groups.
>>
>> Amos
>> --
>> Please be using
>> Current Stable Squid 2.7.STABLE9 or 3.1.4

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.4
Received on Fri Jun 18 2010 - 11:33:58 MDT
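The layout Amos recommends (the Squid process user holding membership of whatever system group owns /var/cache/samba/winbindd_privileged, and no cache_effective_group directive in squid.conf) can be audited without touching anything. The script below is an added example, not code from the thread or from the Squid or Samba projects; it assumes a stat(1) that accepts -c %G and an id(1) that accepts -nG (GNU coreutils and BusyBox both do), and it only prints the usermod command it would suggest rather than running it.

```shell
# Added example (not from the thread): read-only audit of the winbind/Squid
# privilege layout. Assumes GNU or BusyBox stat(1) with -c and id(1) with -nG.
# Paths and the "squid" user name below are the CentOS 5 defaults from the thread.

# Group owning the winbind privileged pipe directory (the thread shows it
# created as root:<group> with mode 750 by the packages).
winbind_priv_group() {
    stat -c %G "$1" 2>/dev/null
}

# True when squid.conf contains an *active* cache_effective_group directive.
# Commented-out lines such as "# cache_effective_group" are ignored.
conf_has_effective_group() {
    grep -Eq '^[[:space:]]*cache_effective_group([[:space:]]|$)' "$1"
}

# True when user $1 is a member of group $2 according to id -nG.
user_in_group() {
    for g in $(id -nG "$1" 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# Audit one proxy host. Returns 0 when the layout matches the advice,
# 1 when something needs fixing, 2 when the directory cannot be inspected.
check_squid_winbind() {
    dir="$1"; conf="$2"; user="$3"; rc=0
    grp=$(winbind_priv_group "$dir")
    if [ -z "$grp" ]; then
        echo "cannot stat $dir (is winbind installed and running?)"
        return 2
    fi
    echo "$dir is owned by group '$grp'"
    if user_in_group "$user" "$grp"; then
        echo "ok: $user is a member of $grp"
    else
        # Membership is the supported route; do not chown the directory.
        echo "fix: usermod -a -G $grp $user   (then restart squid)"
        rc=1
    fi
    if conf_has_effective_group "$conf"; then
        echo "fix: remove cache_effective_group from $conf; it replaces the"
        echo "     supplementary groups that grant $user access to $dir"
        rc=1
    else
        echo "ok: no active cache_effective_group directive in $conf"
    fi
    return $rc
}

# Run only when invoked as "sh audit.sh audit"; defaults can be overridden
# through WINBIND_PRIV_DIR, SQUID_CONF and SQUID_USER.
case "${1:-}" in
    audit)
        check_squid_winbind \
            "${WINBIND_PRIV_DIR:-/var/cache/samba/winbindd_privileged}" \
            "${SQUID_CONF:-/etc/squid/squid.conf}" \
            "${SQUID_USER:-squid}"
        ;;
esac
```

The audit deliberately checks membership rather than directory ownership: chowning winbindd_privileged to the proxy's group (step 4 in the original post) widens access to the winbind pipe for every process running as that group, while adding the Squid user to the existing group keeps the directory's owner and mode as the packages shipped them.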
