SMB proxy authentication module

Spanish translation of this page, kindly contributed by Marcelo A. Paolini.
Portuguese translation of this page, kindly contributed by Laudelino Amaral de Oliveira Lima.

Current version: 0.05
Released on: 28 September 1999
Author: Richard Huveneers
License: GNU GPL

smb_auth is a proxy authentication module. With smb_auth you can authenticate proxy users against an SMB server like Windows NT or Samba.

Download

The current version is smb_auth-0.05.tar.gz.

Highlights of new features:

Requirements

Installation

Primary domain controller setup

To get proxy access control by user and group, smb_auth reads the file \netlogon\proxyauth on one of the domain controllers using the supplied credentials. If reading this file returns "allow" then access will be allowed, otherwise denied.

Configure Squid

You need to configure Squid for proxy authentication. If you have problems doing this, have a look at the FAQ. While reading the FAQ, replace ncsa_auth with smb_auth. Please pay attention to the REQUIRED keyword in the proxy_auth acl. As an example, here are the relevant lines of my own squid.conf file:

    authenticate_program /usr/local/bin/smb_auth -W MEDIA@VANTAGE
    acl domainusers proxy_auth REQUIRED
    http_access allow domainusers

smb_auth has several options. Most people will call smb_auth like this:

    smb_auth -W domainname

where domainname is the name of your domain. By default, smb_auth tries to find a domain controller by broadcasting on the primary network interface. If you want to broadcast on another interface (for instance, if you have two ethernet interfaces installed), use:

    smb_auth -W domainname -B <broadcast IP address>

If you really want to specify the IP address of a domain controller yourself, use:

    smb_auth -W domainname -U <IP address>

This might even work with a WINS server (untested, feedback appreciated). If you have several domains from which you want to allow access to your proxy, just add them:

    smb_auth -W domain1 -W domain2 -W domain3 ...

In this case all users (except those of domain1) have to specify their username as domainname\username when authenticating. If your users are lazy, you can abbreviate the domain names like this:

    smb_auth -W domain1 -W domain2 -w d2 -W domain3 -w d3 ..

then users of domain2 can authenticate with d2\username instead of domain2\username. You can also specify different broadcast addresses etc. per domain. Note that you don't need an abbreviation for the first domain since omitting a domainname implies authenticating against the first domain.

If you want to authenticate users of domain1 against a domain controller of domain2 (you must have a trust relationship between domain1 and domain2) then you can use the -P option. This is called pass-through authentication and is useful to manage access from multiple domains to the proxy server centrally (using a single proxyauth file):

    smb_auth -W domain1 -P domain2 -W domain2 ..
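
The following Python sketch is an added example, not smb_auth's own code. It models how the -W, -w and -P options described above decide which domain a typed login belongs to and which domain's controller is asked to check it. The names Domain, parse_options and resolve are hypothetical, and the case-insensitive matching and the refusal of unknown prefixes are assumptions of the sketch.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Domain:
    name: str                          # argument of -W
    abbrev: Optional[str] = None       # argument of -w, if given
    passthrough: Optional[str] = None  # argument of -P, if given

def parse_options(argv: List[str]) -> List[Domain]:
    """Collect the domains in command-line order; -w and -P attach to the
    -W that precedes them (this sketch's reading of the examples above)."""
    domains: List[Domain] = []
    args = iter(argv)
    for opt in args:
        value = next(args, None)
        if opt not in ("-W", "-w", "-P") or value is None:
            raise ValueError(f"not modelled in this sketch: {opt}")
        if opt == "-W":
            domains.append(Domain(value))
        elif not domains:
            raise ValueError(f"{opt} given before any -W")
        elif opt == "-w":
            domains[-1].abbrev = value
        else:
            domains[-1].passthrough = value
    if not domains:
        raise ValueError("at least one -W is required")
    return domains

def resolve(login: str, domains: List[Domain]) -> Optional[Tuple[str, str, str]]:
    """Return (user's domain, username, domain whose controller is asked),
    or None when the typed prefix names no configured domain."""
    prefix, sep, user = login.partition("\\")
    if not sep:
        # No domain typed: the login is attributed to the first -W domain.
        chosen, user = domains[0], login
    else:
        # Assumption: names compare case-insensitively; unknown prefixes are refused.
        wanted = prefix.lower()
        chosen = next((d for d in domains
                       if wanted in (d.name.lower(), (d.abbrev or d.name).lower())), None)
        if chosen is None:
            return None
    return chosen.name, user, chosen.passthrough or chosen.name
```

Because a login without a prefix always lands in the first domain, the order of the -W options decides which domain's accounts can authenticate with a bare username.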

If you want to change the location of the proxyauth file (for instance because your NETLOGON share is located on a FAT filesystem) then you can use the -S option to specify a different share (make sure you are replicating this share to the backup domain controllers):

    smb_auth -W domain -S share

You can also change the name of the proxyauth file and store it in a sub-directory of the share by appending the full pathname of the proxyauth file to the sharename. You may use both forward slashes and backslashes to separate directories and you may (not required) prepend a (back)slash to the sharename:

    smb_auth -W domain -S /share/path/to/proxyauth

Troubleshooting

You can run smb_auth on the command-line using the same options as in your squid.conf. To debug authentication you can additionally use the -d option which will print debug information after each step, so you can determine which step is failing.
Do not use the -d option in your squid.conf; it corrupts the communication between Squid and smb_auth.

You need to feed one username and password (separated by a space character) to smb_auth's standard input. After authenticating this username and password, smb_auth will continue accepting such username/password combinations until you close its standard input by pressing Ctrl-D.

Here's the output of a successful authentication, so you know what the output should look like:

    # smb_auth -W MEDIA@VANTAGE -d
    richard xxxxxxxx
    Domain name: MEDIA@VANTAGE
    Pass-through authentication: no
    Query address options:
    Domain controller IP address: 192.168.1.2
    Domain controller NETBIOS name: VEGA
    Contents of //VEGA/NETLOGON/proxyauth: allow
    OK
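
The Python check below is an added example, not part of smb_auth. It drives a helper the way the text above describes (one "username password" line per request on standard input) and flags any output that is not a single OK or ERR reply per request, which is how a stray -d in squid.conf would show up. The name check_helper and the stub helper are constructed for this example, and ERR is assumed as the failure reply, following Squid's basic authentication helper convention (the page itself only shows OK).

```python
import subprocess
import sys

# Constructed stand-in for the helper so the example runs offline: it replies
# OK when the password is "good" and ERR otherwise; when started with -d it
# also prints a debug line before each reply, imitating debug output.
STUB = (
    "import sys\n"
    "for line in sys.stdin:\n"
    "    user, _, password = line.rstrip('\\n').partition(' ')\n"
    "    if '-d' in sys.argv[1:]:\n"
    "        print('Domain name: EXAMPLE')\n"
    "    print('OK' if password == 'good' else 'ERR', flush=True)\n"
)
STUB_CMD = [sys.executable, "-c", STUB]

def check_helper(cmd, credentials, timeout=30):
    """Send each (username, password) pair on its own line, close stdin, and
    return (replies, problems). problems is empty when the helper answered
    every request with exactly one line reading OK or ERR."""
    data = "".join(f"{user} {password}\n" for user, password in credentials)
    done = subprocess.run(cmd, input=data, capture_output=True,
                          text=True, timeout=timeout)
    replies = done.stdout.splitlines()
    problems = [f"unexpected output line: {reply!r}"
                for reply in replies if reply not in ("OK", "ERR")]
    if len(replies) != len(credentials):
        problems.append(f"{len(credentials)} request(s) but "
                        f"{len(replies)} line(s) of output")
    return replies, problems

if __name__ == "__main__":
    # Clean helper: one reply per request, nothing else on stdout.
    print(check_helper(STUB_CMD, [("richard", "good"), ("richard", "bad")]))
    # Helper started with -d: the extra line is reported as a problem.
    print(check_helper(STUB_CMD + ["-d"], [("richard", "good")]))
```

To test a real installation, pass the same command line as in squid.conf as a list, for example ["/usr/local/bin/smb_auth", "-W", "MEDIA@VANTAGE"].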

If you use special characters (like German umlauts) in your usernames or passwords, then you might need to set the "character set" and "client code page" options in your smb.conf file. Please refer to the Samba documentation for more details. Thanks to Markus Fuhrmann for this information (added "character set = ISO8859-1" and "client code page = 850" to smb.conf and everything works fine).

Still having problems?

Please e-mail me if you have problems compiling, installing or configuring smb_auth. Suggestions are welcome too.
If somebody could comment on NT licensing issues of smb_auth, that would be more than welcome.

TODO

These are the items currently on my todo list. If you need another feature currently not available, just let me know. I will add it to this list and who knows, it might even get implemented.
