Authenticate squid in Active Directory

Authenticate squid in Active Directory

Luca Dell'Oca
Hi all,
I have very little experience with squid.

I would like to authenticate the user and password of users in an Active
Directory based network (Windows Server 2003) in order to assign
specific ACLs to each of them. I do not need to read group membership...

I found this tutorial on the internet:

https://tiifp.org/quentin/squid.html

and I'm trying it on a 4.2 machine.

Kerberos configuration went smoothly, without any problem. Then I
downloaded this patch:

https://www.tiifp.org/quentin/samba_winbind.patch

as stated in the howto for systems newer than 4.0-current. I patched
the samba Makefile, but when I run make I get this error:

# env FLAVOR=winbind make install
"Makefile", line 107: Need an operator
Fatal errors encountered -- cannot continue

The lines generating this error are:

.if ${FLAVOR:L:Mwinbind}
post-extract:
        @cp ${FILESDIR}/krb5-config ${WRKDIR}/bin
        @chmod a+x ${WRKDIR}/bin/krb5-config
%%winbind%%
.endif

specifically the %%winbind%%.
I pasted the complete patched Makefile right below.

Am I following the right procedure? Is there any other alternative? I
found many tutorials about this, but they are all for Linux...

Thanks to all.

Ciao, Luca.




# $OpenBSD: Makefile,v 1.85 2007/07/02 21:56:57 mbalmer Exp $

COMMENT-main= "SMB and CIFS client and server for UNIX"
COMMENT-docs= "documentation and examples for samba"

DISTNAME= samba-3.0.25b
PKGNAME-main= ${DISTNAME}
FULLPKGNAME-docs= ${DISTNAME:S/-/-docs-/}
SHARED_LIBS= smbclient 1.0 \
                        msrpc 1.0

CATEGORIES= net

HOMEPAGE= http://www.samba.org/

MAINTAINER= Marc Balmer <[hidden email]>

# GPL
PERMIT_PACKAGE_CDROM= Yes
PERMIT_PACKAGE_FTP= Yes
PERMIT_DISTFILES_CDROM= Yes
PERMIT_DISTFILES_FTP= Yes

WANTLIB= c ncurses readline

MASTER_SITES= http://download.samba.org/samba/ftp/ \
                http://us2.samba.org/samba/ftp/ \
                http://us2.samba.org/samba/ftp/old-versions/

MODULES= converters/libiconv

LIB_DEPENDS= popt::devel/popt

MAKE_FLAGS= PASSWD_PROGRAM="/usr/bin/passwd" \
                LIBsmbclient_VERSION=${LIBsmbclient_VERSION} \
                LIBmsrpc_VERSION=${LIBmsrpc_VERSION}
FAKE_FLAGS= DESTDIR="${DESTDIR}" \
                LIBsmbclient_VERSION=${LIBsmbclient_VERSION} \
                LIBmsrpc_VERSION=${LIBmsrpc_VERSION}

CONFDIR=        ${SYSCONFDIR}/samba
SAMBA_LOGDIR=   /var/log
SUBST_VARS=     CONFDIR LOCALBASE SYSCONFDIR

SEPARATE_BUILD= concurrent
CONFIGURE_STYLE= gnu
CONFIGURE_ARGS= --localstatedir="/var" \
                --sbindir="${PREFIX}/libexec" \
                --with-configdir="${CONFDIR}" \
                --with-libdir="${PREFIX}/lib/samba" \
                --with-lockdir="/var/spool/samba" \
                --with-piddir="/var/run" \
                --with-logfilebase="${SAMBA_LOGDIR}" \
                --with-privatedir="${CONFDIR}" \
                --with-libsmbclient \
                --with-swatdir="${PREFIX}/share/swat" \
                --with-ssl \
                --with-sslinc="/usr/include/ssl" \
                --with-ssllib="/usr/lib" \
                --with-syslog \
                --with-utmp

CONFIGURE_ENV= CPPFLAGS="-I${LOCALBASE}/include" \
                LDFLAGS="-L${LOCALBASE}/lib -Wl,--export-dynamic"

FLAVORS=        cups ldap winbind
FLAVOR?=

MULTI_PACKAGES= -main -docs

.if ${FLAVOR:L:Mcups}
CONFIGURE_ARGS+= --enable-cups
LIB_DEPENDS+= cups::print/cups
WANTLIB+= ssl crypto m pthread z
.else
CONFIGURE_ARGS+= --disable-cups
.endif

.if ${FLAVOR:L:Mldap}
CONFIGURE_ARGS+= --with-ldap --without-ads
LIB_DEPENDS+= ldap,lber::databases/openldap
BUILD_DEPENDS+= ::misc/libutf8
.else
CONFIGURE_ARGS+= --without-ldap --without-ads
.endif

PKG_ARCH-docs= *
LIB_DEPENDS-docs=
WANTLIB-docs=
RUN_DEPENDS-docs=

NO_REGRESS= Yes

WRKDIST= ${WRKDIR}/${DISTNAME}/source

SAMBA_DOCS=${WRKSRC}/../README \
        ${WRKSRC}/../docs/THANKS \
        ${WRKSRC}/../docs/history \
        ${WRKSRC}/../docs/registry/*.reg

SAMPLE_CONFIG= ${PREFIX}/share/examples/samba/smb.conf.default

.if ${FLAVOR:L:Mwinbind}
post-extract:
        @cp ${FILESDIR}/krb5-config ${WRKDIR}/bin
        @chmod a+x ${WRKDIR}/bin/krb5-config
%%winbind%%
.endif

pre-configure:
        @perl -pi -e 's,!!SYSCONFDIR!!,${SYSCONFDIR},g;' \
                -e 's,!!LOCALBASE!!,${LOCALBASE},g' \
                ${WRKSRC}/../docs/manpages/swat.8

post-install:
        ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/samba/pdf
        ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/samba/htmldocs
        ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/samba
        @cp -R ${WRKSRC}/../examples/* ${PREFIX}/share/examples/samba
        @chown -R ${SHAREOWN}:${SHAREGRP} ${PREFIX}/share/examples/samba
        ${INSTALL_DATA} ${FILESDIR}/README.OpenBSD \
         ${PREFIX}/share/doc/samba
        @for i in ${SAMBA_DOCS}; do \
         ${INSTALL_DATA} $$i ${PREFIX}/share/doc/samba ; \
        done
        @for i in ${WRKSRC}/../docs/*.pdf ; do \
         ${INSTALL_DATA} $$i ${PREFIX}/share/doc/samba/pdf ; \
        done
        @for i in ${WRKSRC}/../docs/htmldocs/* ; do \
         if [ -f $$i ]; then \
          ${INSTALL_DATA} $$i ${PREFIX}/share/doc/samba/htmldocs ;\
         fi \
        done
        @sed -e 's:/usr/spool/samba:/var/spool/samba:g' \
         -e 's:/usr/local/samba/var/log:${SAMBA_LOGDIR}/smbd:g' \
         ${WRKSRC}/../examples/smb.conf.default > ${SAMPLE_CONFIG}
        ${INSTALL_SCRIPT} ${WRKSRC}/script/mksmbpasswd.sh \
         ${PREFIX}/bin/mksmbpasswd
        @chown ${BINOWN}:${BINGRP} ${PREFIX}/bin/smbpasswd
        @ln -s samba/libsmbclient.so.${LIBsmbclient_VERSION} \
         ${PREFIX}/lib/libsmbclient.so.${LIBsmbclient_VERSION}
        @ln -s samba/libmsrpc.so.${LIBmsrpc_VERSION} \
         ${PREFIX}/lib/libmsrpc.so.${LIBmsrpc_VERSION}
        @rmdir ${WRKINST}${SYSCONFDIR}/samba
        @rmdir ${WRKINST}/var/spool/samba

.include <bsd.port.mk>


Re: Authenticate squid in Active Directory

Lars Noodén
Luca Dell'Oca wrote:
> I would like to authenticate user and password of users in an Active
> Directory

No.  You wouldn't.


Re: Authenticate squid in Active Directory

David Gwynne
On 04/02/2008, at 8:13 PM, Lars Noodin wrote:

> Luca Dell'Oca wrote:
>> I would like to authenticate user and password of users in an Active
>> Directory
>
> No.  You wouldn't.

pretty sure he would. it's useful.


Re: Authenticate squid in Active Directory

Eduardo Alvarenga
I am the patch author.

It's been working since its first implementation.
Maybe it's time for the maintainers to consider committing it.

2008/2/4, David Gwynne <[hidden email]>:

> On 04/02/2008, at 8:13 PM, Lars Noodin wrote:
>
> > Luca Dell'Oca wrote:
> >> I would like to authenticate user and password of users in an Active
> >> Directory
> >
> > No.  You wouldn't.
>
> pretty sure he would. it's useful.
>
>


--
Eduardo Alvarenga


Re: Authenticate squid in Active Directory

Leonardo Rodrigues
Hummm, I wish I had seen this patch earlier. Anyway, when I need
winbind, I just edit squid's Makefile and add winbind configure
args...
As Eduardo said, why not have a winbind flavor for the squid package?

--
An OpenBSD user... and that's all you need to know =)


Re: Authenticate squid in Active Directory

Lars D. Noodén
In reply to this post by David Gwynne
David Gwynne wrote:

> pretty sure he would. it's useful.

Running squid against an authentication service is useful.  Yes.

Allowing AD near any part of your infrastructure is the opposite of
useful and results in a net loss of productivity.  No.

LDAP+Kerberos is one tried and true option, but there are others
nowadays.  Don't confuse AD with a useful tool or with an authentication
service

-Lars


Re: Authenticate squid in Active Directory

Andre-21
> Allowing AD near any part of your infrastructure is the opposite of
> useful and results in a net loss of productivity.  No.
>
> LDAP+Kerberos is one tried and true option, but there are others
> nowadays.  Don't confuse AD with a useful tool or with an authentication
> service


This has to be one of the most ignorant posts I've read in a while...

-Andre


Re: Authenticate squid in Active Directory

Lars D. Noodén
[hidden email] wrote:
[blather]

Obviously you've had no contact with AD or the cruftware it is infesting.

So what standards-based authentication service would you propose besides
LDAP+Kerberos?  Hesiod?  Shibboleth?

-Lars


Re: Authenticate squid in Active Directory

daemon1
On Feb 5, 2008, at 10:32 AM, Lars Noodin wrote:

> [hidden email] wrote:
> [blather]
>
> Obviously you've had no contact with AD or the cruftware it is
> infesting.
>
> So what standards-based authentication service would you propose
> besides LDAP+Kerberos?  Hesiod?  Shibboleth?
>
> -Lars
>
I think Andre's point, which I happen to agree with, is that the OP
may well not have control over what authentication system is in use.
It is a sad but undeniable fact that Windows networks are ubiquitous,
and having tools to interface with them would increase usability and
provide a real alternative to proprietary closed source options.
Given the choice, I'd prefer not to use AD. Given the choice I'd
elect not to use windows at all. Sometimes that's just not an option,
and I'm not rich enough to turn down the work.

I won't argue either way for the inclusion of the patch, as I have no
real information about it, but to simply reject the idea of AD
authentication may be tempting, but it really does smack of denial.
Does AD suck major ass? Absolutely. Is it in extremely wide use by
companies who wouldn't even consider moving away from it? Absolutely.
Would it be useful to have squid authenticate to AD?  Absolutely.

Should this be included..... ?  Maybe, maybe not. There are other
tools available, some work better than others. I rather like the
flexibility of Squid, and I am prepared to state that if this were
included, I'd use it.

On the other hand, I have Squid running on OpenBSD as a proxy at one
location now, and simply provide separate proxies based on AD OU's
using group policy. It's not elegant, but it works.

-Jonathan


Re: Authenticate squid in Active Directory

Brett Lymn
In reply to this post by Lars D. Noodén
On Tue, Feb 05, 2008 at 05:32:48PM +0200, Lars Noodén wrote:
>
> Obviously you've had no contact with AD or the cruftware it is infesting.
>

Looks like you have not had much either.

> So what standards-based authentication service would you propose besides
> LDAP+Kerberos?  Hesiod?  Shibboleth?
>

AD is based on standards.  They use LDAP+kerberos plus a bit of DNS to
allow the kerberos to locate the kerberos infrastructure automatically
- something that the non-windows world sadly lacks.  The database is
automatically replicated with tombstoning of records - again something
the non-windows world lacks.  MS may have bastardised some parts of
kerberos and DNS to get AD working but it mostly works pretty much
automatically and can scale up without requiring too much extra admin,
something I have yet to see happen in the opensource world.

I don't like AD but, big picture wise, it does have some attributes
that would be good to adopt (attributes, not implementation).  Bagging
it without offering a solid alternative is just pointless rhetoric.
But given the domain you appear to be posting from I guess there is
already somewhat of a mindset going on anyway.

--
Brett Lymn
"Warning:
The information contained in this email and any attached files is
confidential to BAE Systems Australia. If you are not the intended
recipient, any use, disclosure or copying of this email or any
attachments is expressly prohibited.  If you have received this email
in error, please notify us immediately. VIRUS: Every care has been
taken to ensure this email and its attachments are virus free,
however, any loss or damage incurred in using this email is not the
sender's responsibility.  It is your responsibility to ensure virus
checks are completed before installing any data sent in this email to
your computer."


Re: Authenticate squid in Active Directory

Andre-21
In reply to this post by Lars D. Noodén
> Obviously you've had no contact with AD or the cruftware it is infesting.
>

More than enough to call you out on the ignorant, unsubstantiated crap
you're posting.

Please show me the proof that my customers are experiencing "a net loss of
productivity" because their squid boxes authenticate to AD. Or, for that
matter, the transcript of a meeting where you have convinced the management
at a company with 8000 windows clients and a couple of hundred windows
servers that they should just drop Microsoft because you think *AD* isn't
up to scratch...  
 
Obviously you've had no contact with an environment larger than your home
network. Windows networks are the majority in the corporate world as far as
end-user infrastructure goes, and they're not going anywhere anytime soon.
I, for one, have accepted the reality, and adapted.  

> So what standards-based authentication service would you propose besides
> LDAP+Kerberos?  Hesiod?  Shibboleth?
>

Well, it sounds like the OP or his customer has a Windows network, so how
about uh... AD???


-Andre


Re: Authenticate squid in Active Directory

lars (Bugzilla)-6
In reply to this post by daemon1
Jonathan Franks wrote:

> I think Andre's point, ...

There are at least two perspectives on the problem.  One perspective is
always how can the computer be used to avoid having the problem again in
the future.

By incorpo

> ... Sometimes that's just not an option, and I'm not rich enough to
> turn down the work.

Bizarre.  There are tons and tons of well-paying jobs out there if you
know anything about computing (read: anything but MS).

> I won't argue either way for the inclusion of the patch,

That's a different topic.  The patch can help sites that got suckered
into AD make a phased transition to tools that don't suck major ass.

> ... On the other hand, I have Squid running on OpenBSD as a proxy
> at one location now, and simply provide separate proxies based
> on AD OU's using group policy. It's not elegant, but it works.

However good squid and obsd are, piggy-backing them on to a failed
infrastructure only digs the hole deeper.  Such solutions are in the
short term helpful, but can easily end up mortgaging your future.

-Lars


Re: Authenticate squid in Active Directory

Lars D. Noodén
In reply to this post by Brett Lymn
Brett Lymn wrote:

> ... They use LDAP+kerberos plus a bit of DNS ...

Please.  There is enough bs here without intentionally piling it on.
Assuming a positive aspect to that, either you're confused about the
meaning of word 'based' or unfamiliar with AD.

AD is *not* Kerberos nor is it LDAP. AD may well be inspired by LDAP and
Kerberos and DNS, but go back and read up on it.  The
added/missing/changed parts prevent or, at best, hinder
interoperability.  A tool that does not conform to the
specification is, guess what, not a standard.

It is one of the many textbook examples of MS' embrace, extend,
extinguish strategy and relies on broken, incorrect variations of LDAP,
Kerberos and DNS.  You can call it many things, but not standards based.

  standards : AD :: organic meat : meat-like flavor

-Lars


Re: Authenticate squid in Active Directory

Lars D. Noodén
In reply to this post by Andre-21
Andre van Zyl wrote:
> Please show me the proof that my customers are experiencing "a net loss of
> productivity" ...

You've provided that data point yourself: MS Windows.

Just because people quickly get used to and comfortable with a lower
level of productivity doesn't mean that it's not a problem or that it
doesn't affect the bottom line.

What part of the infrastructure, in addition to squid, can you improve
by using OpenBSD or better OpenBSD + standards?

-Lars


Re: Authenticate squid in Active Directory

Andre-21
>> Please show me the proof that my customers are experiencing "a net loss
> of
>> productivity"

You left out "because their squid boxes authenticate to AD"

>
> You've provided that data point yourself: MS Windows.
>

Ah, I see, so in other words you don't have a clue?

> Just because people quickly get used to and comfortable with a lower
> level of productivity doesn't mean that it's not a problem or that it
> doesn't affect the bottom line.
>

Blah blah blah... Show me the numbers, or come back when you know what
you're talking about, because now you're just trolling.

-Andre


Re: Authenticate squid in Active Directory

bofh-6
In reply to this post by Lars D. Noodén
On Feb 6, 2008 3:09 AM, Lars Noodin <[hidden email]> wrote:

>
> Please.  There is enough bs here without intentionally piling it on.
> Assuming a positive aspect to that, either you're confused about the
> meaning of word 'based' or unfamiliar with AD.
>
> AD is *not* Kerberos nor is it LDAP. AD may well be inspired by LDAP and
> Kerberos and DNS, but go back and read up on it.  The
> added/missing/changed parts prevent or, at best, hinder
> interoperability.  A tool that does not conform to the
> specification is, guess what, not a standard.
>

I think you haven't been following the story.  They screwed with one unused
field and refuse to release the information for interoperability.  However,
the kerberos team told them - if the information is not released, they'll go
ahead and define the field, and then Microsoft's kerberos implementation
will be out of spec.  Microsoft gave that a thought, and then grudgingly
said, ok, here's the info.

So, while they tried to piss on folks, as it stands, it is quite standard.


--
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
"This officer's men seem to follow him merely out of idle curiosity."  --
Sandhurst officer cadet evaluation.
"Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks factory
where smoking on the job is permitted."  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=j1G-3laJJP0&feature=related


R: Authenticate squid in Active Directory

Luca Dell'Oca
In reply to this post by Andre-21
> Well, it sounds like the OP or his customer has a Windows
> network, so how about uh... AD???

Exactly.
I cannot take away AD, I need to read it and authenticate users in squid.

While reading the discussion going on without a solution, I still have the
problem of patching the Makefile. I read that someone managed to correctly patch and
make squid; can you tell me where the error in the patched Makefile is?

In the meantime, I found what may be another way: LDAP auth towards AD, following
this post

http://www.mail-archive.com/misc@.../msg30134.html

Right now I haven't had much time to test it; the modifications to the Makefile
worked and squid compiled correctly. One of the interesting parts of this
solution is not having to install samba stuff in OpenBSD; you only need squid.
Next week I'm gonna test it against AD and see if it works.

Luca.
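For reference, an added example of the samba-free route Luca describes (this is not from the thread or from the linked post): squid's basic LDAP helper binds to a domain controller over LDAP and checks the user's password, and squid's own ACLs then apply per-user rules. The domain, DC hostname, bind account, helper path and user names are assumed placeholders.

```conf
# Added example: squid.conf fragment for basic auth against AD over LDAP,
# with no samba/winbind on the proxy. Domain example.local, DC
# dc1.example.local, the helper path and the bind account are assumptions.
#
# The bind account only needs read access to user objects; give it no other
# rights, and keep squid.conf readable by root and the squid user only, since
# its password is stored here in clear. Note also that basic auth sends the
# browser's credentials to the proxy in clear, and the helper's bind goes to
# the DC on port 389 in clear unless TLS is configured on that leg.
#
# -R   : do not chase referrals (AD returns referrals that the bound helper
#        cannot follow, and the lookup would then fail)
# -v 3 : LDAPv3, which AD requires
# -b   : search base for user objects
# -D/-w: account used to search for the user before binding as the user
# -f   : search filter; %s is replaced by the login name the browser sent
auth_param basic program /usr/local/libexec/squid_ldap_auth -R -v 3 -b "dc=example,dc=local" -D "cn=squid-ldap-ro,cn=Users,dc=example,dc=local" -w "BIND-PASSWORD-PLACEHOLDER" -f "(&(objectClass=user)(sAMAccountName=%s))" dc1.example.local
auth_param basic children 5
auth_param basic realm Proxy authentication
auth_param basic credentialsttl 2 hours

# Every request must carry credentials that the helper has accepted
acl ldap_users proxy_auth REQUIRED

# Per-user ACLs (the original goal): match on the authenticated login name
acl user_luca proxy_auth luca
acl user_mario proxy_auth mario
acl restricted_sites dstdomain .video-site.example .games-site.example

# Order matters: the first matching http_access line wins.
# mario is authenticated but blocked from restricted_sites; everyone
# else who authenticated gets through; unauthenticated requests get 407.
http_access deny user_mario restricted_sites
http_access allow ldap_users
http_access deny all
```

The helper can be checked by hand before touching squid.conf: run the same command line from a shell and type a `user password` line on stdin; it answers `OK` or `ERR` per line, which separates LDAP problems (bind DN, filter, referrals) from squid ACL problems.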


Re: Authenticate squid in Active Directory

bofh-6
In reply to this post by Lars D. Noodén
On Feb 6, 2008 3:45 AM, Lars Noodin <[hidden email]> wrote:

> Andre van Zyl wrote:
> > Please show me the proof that my customers are experiencing "a net loss
> of
> > productivity" ...
>
> You've provided that data point yourself: MS Windows.


That's just plain stupid, just like people who used to say microsoft office
users are less productive than people who use star office.  I used
starorifice for a while - it was a pile of steekin dung.  When Sun bought it
and turned it into openoffice, one of the things they promised was turning
everything into components, so that anyone who wants to use it, and include
it in their programs could.  We see how well that has turned out.

OO has come a long way, and there are things it is good at, and certainly
there are plenty of suck in MS Office, but to say that people who use MS
Office are less productive than OO users is simply bunk.

Same for saying that about MS Windows.  It may be that _YOU_ are less
productive on a MS Windows box, but certainly not a whole bunch of people.

> Just because people quickly get used to and comfortable with a lower
> level of productivity doesn't mean that it's not a problem or that it
> doesn't affect the bottom line.
>
> What part of the infrastructure, in addition to squid, can you improve
> by using OpenBSD or better OpenBSD + standards?


And replace the software they're running today, with?  OpenBSD doesn't even
have a good implementation of wine.  So who's going to rewrite years of
crufty software?  Take a good look at how long it took OpenOffice to get
from StarOffice to where it is today, where it is... functionally
tolerable.  Then take a look at where it needs to go (say, like Appleworks
on the original Apple ][e and //c - now that's solid performance) or Pages
in the current iWorks suite.  Or hell, the nimbleness of KOffice.




R: Authenticate squid in Active Directory

Luca Dell'Oca
In reply to this post by Eduardo Alvarenga
> I am the patch author.
>
> It's been working since its first implementation.
> Maybe it's time for the maintainers to consider committing it.

Is there any reason for not having it committed?
Did you get any reply from the maintainers?

I think it would be useful to have it.

Luca.


Re: R: Authenticate squid in Active Directory

Andre Naehring
In reply to this post by Luca Dell'Oca
On Wed, 6 Feb 2008, Luca Dell'Oca wrote:

> http://www.mail-archive.com/misc@.../msg30134.html
>
> Right now I haven't had much time to test it; the modifications to the Makefile
> worked and squid compiled correctly. One of the interesting parts of this
> solution is not having to install samba stuff in OpenBSD; you only need squid.
> Next week I'm gonna test it against AD and see if it works.

Oh, it's still working. Never tried to use winbind on OpenBSD for this.


---

andre
