Hi all,
My wpad.dat contains `PROXY [IPADDRESS]:3128`.
I just promoted it to domain controller.
In `/etc/e-smith/templates/var/www/html/wpad.dat/90proxyDefault`
at row 10, `$smb{'ServerRole'}` is empty.
Here is what it contains:
```
service|DeadTime|10080|HomeAdmStatus|disabled|InheritOwner|no|NetbiosAliasList||ShareAdmStatus|disabled|TCPPorts|139,445|UseClientDriver|yes|UseCups|enabled|WinsServerIP||access|green|status|enabled
```
There is no ServerRole definition.
The consequence is that I get the IP address instead of the hostname.
In `/etc/samba/smb.conf` I've got `security = ADS`.
Thanks
mrmarkuz (Markus Neuberger), October 19, 2018, 6:50pm
Hi @InformatiqueOLLN,
welcome to the Nethserver Community. This is a known bug:
opened 04:49PM - 30 Jul 18 UTC
closed 07:14AM - 27 Sep 18 UTC
bug
invalid
**Steps to reproduce**
- Nethserver host has been configured as an AD member
- Nethserver Remote Accounts provider is the AD DC
- Squid has been enabled and configured in "Authenticated mode" for the green zone
- Green zone info: IP address: 192.168.1.1. LAN IP subnet is 192.168.1.0/24
- FQDN (set at install time or modified via the nethserver web admin interface): proxy.lan.example.com
**Expected behavior**
Trying to access Web sites through a Web browser (Firefox, Chrome) configured to auto-detect the proxy configuration should be allowed possibly asking for the AD credentials at most once.
(From http://docs.nethserver.org/en/v7/web_proxy.html#authenticated-mode):
*When Samba Active Directory is installed, or the server is joined to a remote Active Directory, Windows machines can use integrated authentication with Kerberos. All Windows clients must access the proxy server using the FQDN.*
**Actual behavior**
Nethserver 7.3 creates this `wpad.dat` file on `/var/www/html/`:
```js
function FindProxyForURL(url, host)
{
    // Direct access to localhost
    if (isInNet(host, "127.0.0.1", "255.255.255.255"))
        return "DIRECT";
    // Direct access to local hosts
    if (isPlainHostName(host))
        return "DIRECT";
    // eno1:192.168.1.0 green authenticated
    if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
        return "PROXY 192.168.1.1:3128";
    // DEFAULT
    return "PROXY 192.168.1.1:3128";
}
```
Notice it uses PROXY return values containing the server LAN IP address.
When a user whose workstation web browser has been configured (in one way or another) to use http://proxy.lan.example.com/wpad.dat as a proxy auto-configuration script, then he/she is:
- Presented a proxy authentication dialog
- The credentials, even when correctly entered, aren’t accepted
The `/var/log/squid/cache.log` log file records:
```
2017/06/12 11:19:50 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: received type 1 NTLM token; }}
```
Which indicates the browser is trying to negotiate NTLM (which is unsupported by Nethserver's Squid as of Nethserver 7.x) instead of Kerberos.
The switching or fallback to NTLM by the browser is caused by the fact that the proxy specification sent by the WPAD file is an IP address.
This contradicts Nethserver's own documentation (see links to docs above).
**Components**
* Nethserver: `NethServer release 7.5.1804 (final)`
* `nethserver-squid-1.7.1-1.ns7.noarch`
**See also**
https://community.nethserver.org/t/non-transparent-proxy-wpad-file-contains-ip-address-of-nethserver-server-should-be-fqdn/7093
----
Version used: nethserver 7.3
Suppose the Nethserver host has:
IP address: 192.168.1.1. LAN IP subnet is 192.168.1.0/24
FQDN (set at install time or modified via the nethserver web admin interface): proxy.lan.example.com
Nethserver 7.3 creates this wpad.dat file on /var/www/html/:
```js
function FindProxyForURL(url, host)
{
    // Direct access to localhost
    if (isInNet(host, "127.0.0.1", "255.255.255.255"))
        return "DIRECT";
    // Direct access to local hosts
    if (isPlainHostName(…
```
Hi,
I’ve seen the bug you’ve linked, but I thought it was different.
I just added `$adJoin = 1;` after the test and it worked like a charm.
Thanks
1 Like
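To check a generated wpad.dat for the condition the issue describes (a proxy returned as an IP address, which the issue ties to the browser falling back from Kerberos to NTLM), the following added example, which is not part of the thread or of NethServer's code, evaluates a PAC script with stubbed helper functions and lists every proxy entry whose host is an IPv4 literal. The sample PAC is constructed from the file quoted in the issue; the function names, the stubs and the client address 192.168.1.50 are assumptions.

```javascript
// Constructed sample: the wpad.dat quoted in the issue above.
const SAMPLE_PAC = `
function FindProxyForURL(url, host)
{
    if (isInNet(host, "127.0.0.1", "255.255.255.255"))
        return "DIRECT";
    if (isPlainHostName(host))
        return "DIRECT";
    if (isInNet(myIpAddress(), "192.168.1.0", "255.255.255.0"))
        return "PROXY 192.168.1.1:3128";
    return "PROXY 192.168.1.1:3128";
}`;

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;
const ipToInt = ip => ip.split('.').reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);

// Evaluate a PAC script with stubbed helpers (hypothetical stubs; no DNS is done,
// so isInNet() only matches when it is handed an IPv4 literal).
function evalPac(pacSource, clientIp, url, host) {
  const helpers = {
    isPlainHostName: h => !h.includes('.'),
    myIpAddress: () => clientIp,
    isInNet: (h, net, mask) =>
      IPV4.test(h) &&
      ((ipToInt(h) & ipToInt(mask)) >>> 0) === ((ipToInt(net) & ipToInt(mask)) >>> 0),
  };
  // new Function gives no isolation: feed it only PAC files from your own server.
  const factory = new Function(...Object.keys(helpers), `${pacSource}\nreturn FindProxyForURL;`);
  return factory(...Object.values(helpers))(url, host);
}

// Return the PAC result plus every proxy entry whose host is an IPv4 literal.
function auditPac(pacSource, clientIp, url, host) {
  const result = evalPac(pacSource, clientIp, url, host);
  const ipLiteralProxies = result.split(';').map(s => s.trim()).filter(entry => {
    const m = /^(?:PROXY|HTTPS?)\s+([^\s:]+):\d+$/i.exec(entry);
    return m !== null && IPV4.test(m[1]);
  });
  return { result, ipLiteralProxies };
}

console.log(auditPac(SAMPLE_PAC, '192.168.1.50', 'http://www.example.org/', 'www.example.org'));
```

An empty `ipLiteralProxies` array for a green-zone client is the expected state once the template emits the FQDN.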