Re: [squid-users] Join Squid to Windows Domain Controller : Configuring Squid for NTLM with Winbind Authentication on CentOS 5

From: Murilo Moreira de Oliveira <murilo.moreira_at_gmail.com>
Date: Thu, 17 Jun 2010 22:56:54 -0300

Hi Amos.

Stop what? I've understood stop doing only step 4, right? Any way, I
was following http://wiki.squid-cache.org/ConfigExamples/Authenticate/NtlmCentOS5
article and I didn't find wbpriv group on my CentOS 5.4 box (Yeah,
authconfig, krb5-workstation and samba-common are installed!). To
finish, I've used another CentOS 5.4 machine and installed from
scratch authconfig, krb5-workstation and samba-common and guess,
/var/cache/samba/winbindd_privileged directory was created with 750
root:squid rights!

I wonder, should I create wbpriv group, assign squid user to it and
make root:wbpriv the owner of /var/cache/samba/winbindd_privileged
directory in order to make my environment more secure? Any help with
this will be very appreciated.

2010/6/16 Amos Jeffries <squid3_at_treenet.co.nz>
>
> Murilo Moreira de Oliveira wrote:
>>
>> Hello. Follow bellow the steps I've used to get NTLM authentication working.
>>
>>  1.# yum -y install authconfig krb5-workstation samba-common
>>
>> 2.[root_at_proxyweb ~]# authconfig --enableshadow --enablemd5
>> --passalgo=md5 --krb5kdc=AD_SERVER.YOUR.FULL.DOMAIN
>> --krb5realm=YOUR.FULL.DOMAIN --smbservers=AD_SERVER.YOUR.FULL.DOMAIN
>> --smbworkgroup=YOUR_AD_GROUP --enablewinbind --enablewinbindauth
>> --smbsecurity=ads --smbrealm=YOUR.FULL.DOMAIN
>> --smbidmapuid="16777216-33554431" --smbidmapgid="16777216-33554431"
>> --winbindtemplateshell="/bin/false" --enablewinbindusedefaultdomain
>> --disablewinbindoffline --winbindjoin=SOME_DOMAIN_ADMIN --disablewins
>> --disablecache --enablelocauthorize --updateall
>>
>> 3.# wbinfo --set-auth-user=YOUR_PROXY_USER%YOUR_PROXY_USER_PASSWORD
>> This is the user that proxy will use to validate users credentials.
>>
>> 4.# chown root:squid /var/cache/samba/winbindd_privileged
>>
>
> Noooooooo! Ouch.
>
> This is a giant permissions hack to evade the strict security leash of cache_effective_group.
>
> The correct way to do this is to add the Squid proxy user to the system group which wbinfo normally lets access /var/cache/samba/winbindd_privileged
>
> ... and ensure cache_effective_group is MISSING from squid.conf.
>
> The result is that Squid acts like a proper low-privileged user account on the system. Same as any other user account with multiple groups.
>
> Amos
> --
> Please be using
>  Current Stable Squid 2.7.STABLE9 or 3.1.4
Received on Fri Jun 18 2010 - 01:57:02 MDT

This archive was generated by hypermail 2.2.0 : Fri Jun 18 2010 - 12:00:03 MDT