Web-proxy is interfering with the samba fileserver

robb · January 12, 2017, 9:30pm

Shared Folder ACL applied to a group sometimes not respected

I want to re-open this issue. I am not completely convinced what I noticed is the same problem.

Base install:
NethServer 7RC3
installed modules:

Samba4 DC
Fileserver
Basic Firewall

Samba4 DC provider is configured and I created several users, both as Domain Users and Domain admins. I created several shares and put in data.
With this base install I can connect to the shares using both samba-client and with Nautilus using the credentials of the created users.

Now if I install the web-proxy module I can not connect to a share with Nautilus anymore. I can connect with samba-client (I get a smb:/> prompt) but when I do an ls, I get a access denied.

It looks like web-proxy is ‘interfering’ with the samba fileserver or account provider module.

When I de-install the web-proxy module and restart the server, the shares are accessible normal again. Same goes for web-filter module which also installs squid.

Anyone care to check if this is default behavior or only with my setup?

dnutan · January 12, 2017, 11:48pm

I can reproduce the problem.

After installing the proxy for the first time, access to shared folder is ok.

After submitting proxy settings, shares missbehave. No matter if proxy is disabled afterwards or if share permissions are reset.

Cannot see anything suspicious on the logs.

giacomo · January 13, 2017, 8:36am

I can reproduce it too.
The problem is winbind is started when proxy is enabled. This is the systemd unit which causes the error: /usr/lib/systemd/system/squid.service.wants/winbind.service

The unit is created here: nethserver-squid/createlinks at master · NethServer/nethserver-squid · GitHub

I guess it’s something to make squid work with Windows integrated authentication and I have no idea if it’s still needed. @davidep is only one who can shed some light on this

Edit: @robb you can fix your installation with these commands:

rm -f /usr/lib/systemd/system/squid.service.wants/winbind.service
systemctl stop winbind
systemctl daemon-reload

giacomo · January 13, 2017, 9:11am

I’m guessing we need to drop the support for NTLM authentication:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos

robb · January 13, 2017, 11:33am

I de-installed squid for the time being. After server restart I can use the shares as normal. I will set up a VM to test this.

davidep · January 13, 2017, 3:37pm

A package with @giacomo’s fix is available from nethserver-testing:

yum --enablerepo=nethserver-testing update nethserver-squid-1.5.1-1.3.g2f509d3.ns7.noarch

The NTLM authentication method is no longer supported because NethServer 7 does not run winbind due to upstream default Samba configuration, which relies on sssd-idmap.

giacomo · January 13, 2017, 4:01pm

Rob, you should already be able also to test the windows integrated authentication (if you already have the environment).

robb · January 13, 2017, 5:17pm

I just applied the patch. I can confirm that with web-proxy and web-filter installed, after a server restart, i can connect to a file share with Nautilus from an Ubuntu 16.04 machine.

gerald_FS · January 13, 2017, 7:53pm

Jupp, it can confirm the problem is solved!

gerald_FS · January 14, 2017, 7:55am

Good Morning!

I tested the patch yesterday, since then Samba works with Squid.

However, now the phenomenon occurs that I can not log in the Nextcloud, all user names / passwords are declared as wrong.

I have already made the following steps to the error limit:
Patch uninstalled
(yum -enablerepo = nethserver-testing remove nethserver-squid-1.5.1-1.3.g2f509d3.s7.noarch)

Nextcloud i.O. Samba i.O.

Then install Squid again (nethserver-squid)

Nextcloud i.O. - Samba / Squid influence

greetings
Gerald