Squid + NTLM authentication failing in a Windows 2008 Domain Environment

Even the latest Samba packages available through yum updates have trouble talking to Windows 2008 Domain Controllers. A partial solution was found here.

After the upgrade of the AD environment, winbind started throwing errors like the one below:

Aug 16 16:20:38 ourhost winbindd[2459]:   rpc_api_pipe: Remote machine OURDOMAINCONTROLLER.ourdomain.com pipe \NETLOGON fnum 0x800a returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED

After the subsequent upgrade of Samba / winbind, squid started throwing the following authentication errors. The message means what it says: ntlm_auth passes NTLM challenge/response pairs to winbindd through the privileged socket in /var/lib/samba/winbindd_privileged, and the user that squid runs its helpers as must be able to enter that directory:

Aug 16 16:39:58 ourhost (ntlm_auth):   Login for user [ourdomain\[username]@[DESKTOPHOST] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly.]

In the end, replacing the stock samba packages with the samba3x packages, and restoring the ACL that lets squid use the privileged socket, resolved the problem:

  • /etc/init.d/squid stop
  • /etc/init.d/winbind stop
  • cp /etc/samba/smb.conf /tmp/smb.conf
  • yum erase samba samba-common
  • yum install samba3x samba3x-client --disablerepo=rpmforge
  • cp /tmp/smb.conf /etc/samba/smb.conf
  • setfacl -m u:squid:rx /var/lib/samba/winbindd_privileged
  • kinit Administrator@OURDOMAIN.COM
  • net ads join -U Administrator
  • /etc/init.d/winbind start
  • wbinfo -u (to test to make sure you see user names)
  • /etc/init.d/squid start
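The procedure above as a script, added here as an example and not part of the original post. It keeps the same commands, packages and paths but stops on the first failure, keeps a dated backup of smb.conf beside the original rather than only in /tmp, and verifies the two checkpoints the list relies on before going further: that the proxy user really ended up with r-x on /var/lib/samba/winbindd_privileged (the directory named in the ntlm_auth error above) and that winbind can enumerate domain users before squid is started. The two check functions work on text so they can be tried without root; the sample getfacl and wbinfo output in the block is constructed for that purpose, and REALM and ADMIN are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: the samba3x reinstall steps
# above, with checkpoints.  Run as root with --run; sourcing the file only
# defines the functions.

SMB_CONF=/etc/samba/smb.conf
PRIV_DIR=/var/lib/samba/winbindd_privileged
PROXY_USER=squid              # the user squid's ntlm_auth helpers run as
REALM=OURDOMAIN.COM           # placeholder: your AD realm, upper case
ADMIN=Administrator           # placeholder: account allowed to join machines

# acl_grants_rx ACL_TEXT USER
# True when getfacl(1) output in ACL_TEXT has a named entry giving USER r-x.
# winbindd only accepts the NTLMSSP "crap" authentication that ntlm_auth
# uses from clients that can open PRIV_DIR, hence the error quoted above.
acl_grants_rx() {
    printf '%s\n' "$1" | grep -q '^user:'"$2"':r-x$'
}

# users_listed WBINFO_TEXT
# True when `wbinfo -u` output contains at least one DOMAIN\user line (any of
# the usual winbind separators \ + / is accepted).  An empty result or
# "Error looking up domain users" means winbind is not talking to the domain
# controller yet, and starting squid would only reproduce the failure.
users_listed() {
    printf '%s\n' "$1" | grep -q '^[^[:space:]]*[\\+/][^[:space:]]*$'
}

# Constructed sample output, used to try the checks without root.
SAMPLE_ACL_OK='# file: var/lib/samba/winbindd_privileged
# owner: root
# group: root
user::rwx
user:squid:r-x
group::---
mask::r-x
other::---'
SAMPLE_WBINFO_OK='OURDOMAIN\jdoe
OURDOMAIN\asmith'
SAMPLE_WBINFO_BAD='Error looking up domain users'

reinstall_samba3x() {
    set -e
    /etc/init.d/squid stop
    /etc/init.d/winbind stop
    cp -p "$SMB_CONF" "$SMB_CONF.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$SMB_CONF" /tmp/smb.conf
    yum -y erase samba samba-common
    yum -y install samba3x samba3x-client --disablerepo=rpmforge
    cp -p /tmp/smb.conf "$SMB_CONF"
    setfacl -m "u:$PROXY_USER:rx" "$PRIV_DIR"
    acl_grants_rx "$(getfacl "$PRIV_DIR")" "$PROXY_USER" || {
        echo "ACL on $PRIV_DIR does not grant $PROXY_USER r-x" >&2; return 1; }
    kinit "$ADMIN@$REALM"
    net ads join -U "$ADMIN"
    /etc/init.d/winbind start
    sleep 2                   # give winbindd a moment to reach the DC
    users_listed "$(wbinfo -u 2>&1)" || {
        echo "wbinfo -u lists no users; leaving squid stopped" >&2; return 1; }
    /etc/init.d/squid start
}

if [ "${1:-}" = "--run" ]; then
    reinstall_samba3x
fi
```

If your Samba packages create a wbpriv group that owns winbindd_privileged, adding squid to that group (usermod -a -G wbpriv squid) is the packaged alternative to the setfacl line and survives package updates that reset the directory's mode; the acl_grants_rx check above is written for the ACL route and would need to look at the group entry instead in that case.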

Generating self signed SSL certificates

Creating a self-signed certificate is relatively easy, and once a private certificate authority has been established, issuing certificates from it is equally straightforward. However, the exact commands get lost over time, since one is not generating certificates every day. The script below handles the steps for the simple case: an unencrypted private key and a self-signed certificate written to a single PEM file, with DH parameters appended for servers that read them from the same file.

#!/bin/sh
#
#  MakePEM                                              Author: Rich West
#                                                       Rich.West@wesmo.com
#
# A simple script to generate a self signed certificate that does not require
# a passphrase in order to use it.
################################################################################

##
# Make sure we are started as we should be.
##
if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
        echo "Usage: $0 <serial number> <days> <certificate_file.pem>"
        echo
        exit 1
fi

##
# Set our defaults
##
ssldir=/usr/bin
conf=/etc/ssl/openssl.cnf
certs_dir=/etc/ssl/certs
serial=$1
days=$2
cert=$3
pem=$certs_dir/$cert

##
# The output file holds the private key, so create it owner-only from the
# start instead of leaving it world-readable until the chmod at the end.
##
umask 077

##
# Generate the key and the self-signed certificate.  -x509 makes this a
# certificate rather than a signing request, so there is no separate signing
# step.  -nodes leaves the key unencrypted, which is what "does not require a
# passphrase" means; without it openssl prompts for one.  -keyout and -out
# name the same file: openssl req writes the key, then appends the certificate.
##
$ssldir/openssl req -new -x509 -nodes -days "$days" -config "$conf" \
-out "$pem" -keyout "$pem" -set_serial "$serial" || exit 1

##
# Append Diffie-Hellman parameters for servers that read them from the same
# file (mod_ssl does).  This generates parameters, it does not sign anything;
# "gendh" was the old name of dhparam.  1024-bit parameters are below current
# minimums, so 2048-bit ones are generated here, which takes a little while.
# Recent OpenSSL seeds itself from the kernel, so -rand /dev/urandom is not
# needed.
##
$ssldir/openssl dhparam 2048 >> "$pem" || exit 1

##
# For sanity sake, display the contents of the generated certificate.
##
echo
echo "Your new certificate is as follows:"
$ssldir/openssl x509 -subject -dates -fingerprint -noout -in "$pem"

##
# Make it only readable by the owner.  umask already did this for a new
# file; this also covers an existing file that was just overwritten.
##
chmod 600 "$pem"

Renew Self-Signed SSL Certificate on Linux

If you receive an email like the one below, it can be misleading if you are using self-signed certificates. The expiry itself is real: certwatch only looks at the certificate's end date, so it warns about purchased and home-grown certificates alike, and browsers will reject the certificate once that date passes. What does not exist for a self-signed certificate is a renewal: there is no certificate authority to ask (you are the certificate authority), and the 'genkey' program the email mentions generates a new key and certificate or signing request rather than renewing anything.

So you must generate a completely new certificate, for example with the MakePEM script above, and install it in place of the old one.

################# SSL Certificate Warning ################

  Certificate for hostname 'your.host.name', in file:
     /etc/ssl/certs/https_www.pem

  The certificate needs to be renewed; this can be done
  using the 'genkey' program.

  Browsers will not be able to correctly connect to this
  web site using SSL until the certificate is renewed.

 ##########################################################
                                  Generated by certwatch(1)
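What "renewing" a self-signed certificate comes down to, as an added example that is not part of the original post: reproduce certwatch's expiry test with openssl x509 -checkend, then issue a fresh self-signed certificate over the existing private key, so the key and subject stay the same and only the validity period and serial change. It assumes the combined key-then-certificate PEM layout that the MakePEM script above produces; the function names, the 30-day threshold and make_pem (used only to build a throwaway sample file) are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post: check a self-signed certificate
# the way certwatch does and "renew" it by re-issuing over the existing key.
# Assumes a MakePEM-style file: private key first, then the certificate.

DAYS_WARN=30                  # warn when fewer than this many days remain

# needs_renewal PEMFILE [DAYS]
# True when the certificate expires within DAYS days (or cannot be read),
# which is the condition certwatch warns on.  -checkend takes seconds and
# exits 0 only if the certificate is still valid at that point.
needs_renewal() {
    pem=$1; days=${2:-$DAYS_WARN}
    if openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# cert_subject PEMFILE / cert_pubkey PEMFILE: the two things that must be
# identical before and after a re-issue.
cert_subject() { openssl x509 -in "$1" -noout -subject 2>/dev/null; }
cert_pubkey()  { openssl x509 -in "$1" -noout -pubkey  2>/dev/null; }

# regenerate PEMFILE DAYS
# Re-issues the certificate in PEMFILE for DAYS days, keeping the private key
# and subject: the old certificate is turned into a CSR (-x509toreq), signed
# with the same key, and the file is replaced atomically with mode 600.  The
# serial is taken from the clock so it differs from the old one; clients that
# cache certificates by issuer+serial would otherwise keep the old copy.
# Extensions such as subjectAltName are NOT carried over by -x509toreq; add
# -extfile to the -req step if the old certificate had any you rely on.
regenerate() {
    pem=$1; days=$2
    work=$(mktemp -d) || return 1
    (
        umask 077
        openssl pkey -in "$pem" -out "$work/key.pem" &&
        openssl x509 -in "$pem" -x509toreq -signkey "$work/key.pem" \
            -out "$work/req.pem" &&
        openssl x509 -req -in "$work/req.pem" -signkey "$work/key.pem" \
            -days "$days" -set_serial "$(date +%s)" -out "$work/cert.pem" &&
        cat "$work/key.pem" "$work/cert.pem" > "$work/new.pem" &&
        # carry over DH parameters if MakePEM appended some; absent is fine
        { openssl dhparam -in "$pem" >> "$work/new.pem" || true; } &&
        cp "$work/new.pem" "$pem.new" && mv "$pem.new" "$pem"
    ) >/dev/null 2>&1
    status=$?
    rm -rf "$work"
    return $status
}

# make_pem PEMFILE DAYS SUBJECT
# Builds a MakePEM-style file (2048-bit RSA, no passphrase) so the functions
# above can be tried on a throwaway certificate.
make_pem() {
    pem=$1; days=$2; subj=$3
    openssl req -new -x509 -newkey rsa:2048 -nodes -days "$days" -subj "$subj" \
        -keyout "$pem.key" -out "$pem.crt" >/dev/null 2>&1 &&
    cat "$pem.key" "$pem.crt" > "$pem" && rm -f "$pem.key" "$pem.crt"
}
```

Typical use against the file named in the email is needs_renewal /etc/ssl/certs/https_www.pem && regenerate /etc/ssl/certs/https_www.pem 365, followed by a restart of the web server, since it keeps the old certificate in memory until then. Keeping the key is a convenience, not a requirement; if the key is suspected compromised, or was generated at a size that is no longer acceptable, run MakePEM for a completely new key and certificate instead.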