Message from:
==============================
WHATS NEW IN Samba 3.0.0
September 24, 2003
==============================
This is the first official release of Samba 3.0.0 code base. Work
on the SAMBA_3_0 CVS branch continues. Please refer to the section
on "Known Issues" for more details.
Major new features:
-------------------
1) Active Directory support. Samba 3.0 is now able to
join an ADS realm as a member server and authenticate
users using LDAP/Kerberos.
2) Unicode support. Samba will now negotiate UNICODE on the wire
and internally there is now a much better infrastructure for
multi-byte and UNICODE character sets.
3) New authentication system. The internal authentication system
has been almost completely rewritten. Most of the changes are
internal, but the new auth system is also very configurable.
4) New default filename mangling system.
5) A new "net" command has been added. It is somewhat similar to
the "net" command in windows. Eventually we plan to replace
numerous other utilities (such as smbpasswd) with subcommands
in "net".
6) Samba now negotiates NT-style status32 codes on the wire. This
improves error handling a lot.
7) Better Windows 2000/XP/2003 printing support including publishing
printer attributes in active directory.
8) New loadable module support for passdb backends and character
sets.
9) New default dual-daemon winbindd support for better performance.
10) Support for migrating from a Windows NT 4.0 domain to a Samba
domain and maintaining user, group and domain SIDs.
11) Support for establishing trust relationships with Windows NT 4.0
domain controllers.
12) Initial support for a distributed Winbind architecture using
an LDAP directory for storing SID to uid/gid mappings.
13) Major updates to the Samba documentation tree.
14) Full support for client and server SMB signing to ensure
compatibility with default Windows 2003 security settings.
15) Improvement of ACL mapping features based on code donated by
Andreas Grünbacher.
Plus lots of other improvements!
[samba.org]
Message from:
[squid-users] Samba3 ntlm_auth Helper and Trusted Domains
--------------------------------------------------------------------------------
From: Wilshire, Andrew
Subject: [squid-users] Samba3 ntlm_auth Helper and Trusted Domains
Date: Thu, 18 Sep 2003 20:33:05 -0700
--------------------------------------------------------------------------------
Hi Everyone,
Here's just a few notes and a quick "how to" for enterprises looking towards
migrating a (sizeable) Microsoft proxy and ISA infrastructure to Squid. Our
requirements were to produce a Linux, Squid and Samba solution that
provided:
1. Transparent authentication of IE clients
2. ACLs based on membership of domain NT group
3. Support for traversing trusted domains (e.g. a resource domain model)
We have managed to achieve this in a test environment where:
-> The squid proxy is a member server in the Resource domain
-> Our test users reside in domains trusted by the Resource domain
-> Resource domain contains a domain local group RESOURCE\ProxyFullAccess
-> Group RESOURCE\ProxyFullAccess contains user accounts from the trusted
domains
-> The Samba3 supplied ntlm_auth helper is used by "auth_param ntlm ..."
-> The Squid supplied wbinfo_group.pl is used by "external_acl_type ... "
-> Squid proxy has an ACL to allow http_access for RESOURCE\ProxyFullAccess
We have used Samba 3.0.0rc2 and Squid-2.5-STABLE3 in our test environment.
Andrew Tridgell of the Samba team provided us with a patch to make Samba
domain local group aware WITHOUT having to be a DC for that domain. This
patch can be found at
http://samba.org/ftp/tridge/misc/sam...l_groups.patch
A quick "How To" for your own transparently authenticated, trusted-domain
aware Squid proxy:
1. Download Samba-3.0.0rc2 and download the samba3_local_groups patch from
the URL above
2. Patch the Samba source and then ./configure --with-winbind
--with-winbind-auth-challenge, make and make install
3. Using the 'net join' command, join your resource domain, configure
smb.conf as appropriate
4. Start the nmbd daemon. Start the winbindd daemon (test using wbinfo - you
can also start winbindd with a "-i" for interactive mode)
5. Download Squid-2.5.STABLE3 and then ./configure --enable-auth=basic,ntlm
--enable-basic-auth-helpers=LDAP,NCSA,PAM,SMB
--enable-ntlm-auth-helpers=SMB,fakeauth --enable-ntlm-fail-open
--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group
then make and make install
6. Relevant squid.conf bits
auth_param ntlm program /opt/squid/lib/ntlm_auth --helper-protocol=squid-2.5-ntlmssp -d 3
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
external_acl_type ntgroup_helper %LOGIN /opt/squid/lib/wbinfo_group.pl
acl proxyfullaccess external ntgroup_helper RESOURCE\ProxyFullAccess
http_access allow proxyfullaccess
http_access deny all
7. Find the location of the winbindd_privileged pipe and chgrp squid (or
your cache_effective_group from squid.conf)
8. Kill any running samba daemons and start them (always) in this order -
nmbd, winbindd and then squid
And that's it! I hope this post helps someone else with a similar goal.
(Many thanks to Tridge from the Samba team!)
Andrew Wilshire
IBM / Air New Zealand
[EMAIL PROTECTED]
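An added example, not part of Andrew's post and not Squid's own wbinfo_group.pl: a minimal Python external_acl helper speaking the same one-request-per-line, OK/ERR protocol that the external_acl_type line in step 6 relies on. Group membership comes from a constructed in-memory table (user and group names assumed) standing in for the winbind (wbinfo) queries the real helper makes; the helper fails closed when the user is unknown or no group was given to test.

```python
r"""Minimal Squid external_acl helper in the style of wbinfo_group.pl.

Squid writes one request per line to stdin: the %LOGIN value followed by
the group names from the acl line (here RESOURCE\ProxyFullAccess), and
expects exactly one "OK" or "ERR" line back per request. Membership is
resolved through an injectable lookup so the logic runs offline; a real
helper queries winbind (wbinfo) instead.
"""
import sys
from urllib.parse import unquote

# Constructed sample data standing in for winbind's view of the domains:
# (DOMAIN, name) keys, already normalised to upper-case domain, lower-case name.
SAMPLE_MEMBERSHIP = {
    ("TRUSTED", "jdoe"): {("RESOURCE", "proxyfullaccess"), ("TRUSTED", "domain users")},
    ("TRUSTED", "asmith"): {("TRUSTED", "domain users")},
    ("RESOURCE", "svc-proxy"): {("RESOURCE", "proxyfullaccess")},
}

def split_name(name, separator="\\"):
    """Split DOMAIN<sep>name into a normalised (DOMAIN, name) key."""
    domain, sep, short = name.partition(separator)
    if not sep:                        # no domain part: treat as a local name
        return ("", domain.lower())
    return (domain.upper(), short.lower())

def sample_lookup(user_key):
    """Stand-in for a wbinfo query: the user's groups, or None if unknown."""
    return SAMPLE_MEMBERSHIP.get(user_key)

def check_line(line, lookup=sample_lookup):
    """Evaluate one request line and return the reply Squid expects."""
    fields = [unquote(f) for f in line.strip().split()]   # Squid %-encodes spaces (assumed)
    if len(fields) < 2:
        return "ERR"                   # no user or no group to test: deny
    groups = lookup(split_name(fields[0]))
    if groups is None:
        return "ERR"                   # unknown user (or winbind down): fail closed
    wanted = {split_name(g) for g in fields[1:]}
    return "OK" if groups & wanted else "ERR"

def main():
    for line in sys.stdin:
        sys.stdout.write(check_line(line) + "\n")
        sys.stdout.flush()             # Squid waits for each reply before sending more

if __name__ == "__main__":
    main()
```

With the domain-local-group patch applied, winbind reports RESOURCE\ProxyFullAccess among a trusted-domain user's groups, which is what makes the lookup above succeed for TRUSTED\jdoe.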
Message from:
Since late 2001, Samba has gained the ability to interact with Microsoft Windows 2000 using
its “Native Mode” protocols, rather than the NT4 RPC services. Using LDAP and Kerberos,
a Domain Member running Winbind can enumerate users and groups in exactly the same way as a Windows 200x client would, and in so doing provide a much more efficient and effective
Winbind implementation.