diff options
-rw-r--r-- | www/Makefile | 1 | ||||
-rw-r--r-- | www/smb_auth/Makefile | 39 | ||||
-rw-r--r-- | www/smb_auth/distinfo | 1 | ||||
-rw-r--r-- | www/smb_auth/files/README | 179 | ||||
-rw-r--r-- | www/smb_auth/files/patch-aa | 33 | ||||
-rw-r--r-- | www/smb_auth/pkg-comment | 1 | ||||
-rw-r--r-- | www/smb_auth/pkg-descr | 7 | ||||
-rw-r--r-- | www/smb_auth/pkg-plist | 5 |
8 files changed, 266 insertions, 0 deletions
diff --git a/www/Makefile b/www/Makefile index 48aaf217f337..3b619b6daac5 100644 --- a/www/Makefile +++ b/www/Makefile @@ -107,6 +107,7 @@ SUBDIR += ruboard SUBDIR += screem SUBDIR += sitecopy + SUBDIR += smb_auth SUBDIR += snarf SUBDIR += squid11 SUBDIR += squid11-novm diff --git a/www/smb_auth/Makefile b/www/smb_auth/Makefile new file mode 100644 index 000000000000..129bb991d6e6 --- /dev/null +++ b/www/smb_auth/Makefile @@ -0,0 +1,39 @@ +# New ports collection makefile for: smb_auth +# Version required: 0.05 +# Date created: 13 January 2000 +# Whom: Maxim Sobolev <sobomax@altavista.net> +# +# $FreeBSD$ +# + +DISTNAME= smb_auth-0.05 +CATEGORIES= www +MASTER_SITES= http://www.hacom.nl/~richard/software/ + +MAINTAINER= sobomax@altavista.net + +RUN_DEPENDS= ${LOCALBASE}/sbin/squid:${PORTSDIR}/www/squid22 \ + ${LOCALBASE}/sbin/smbd:${PORTSDIR}/net/samba + +ALL_TARGET= smb_auth + +do-install: + ${INSTALL_PROGRAM} ${WRKSRC}/smb_auth ${PREFIX}/bin + ${INSTALL_SCRIPT} ${WRKSRC}/smb_auth.sh ${PREFIX}/bin +.if !defined(NOPORTDOCS) + ${MKDIR} ${PREFIX}/share/doc/smb_auth + ${INSTALL_MAN} ${FILESDIR}/README ${PREFIX}/share/doc/smb_auth + ${INSTALL_MAN} ${WRKSRC}/COPYING-2.0 ${PREFIX}/share/doc/smb_auth +.endif + +post-install: + @${ECHO_MSG} + @${ECHO_MSG} ' +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++' + @${ECHO_MSG} ' Refer to ${PREFIX}/share/doc/smb_auth/README on how to configure smb_auth.' + @${ECHO_MSG} + @${ECHO_MSG} ' NOTE: For smb_auth to work properly you must set debug level>0 in your' + @${ECHO_MSG} ' smb.conf file.' + @${ECHO_MSG} ' +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++' + @${ECHO_MSG} + +.include <bsd.port.mk> diff --git a/www/smb_auth/distinfo b/www/smb_auth/distinfo new file mode 100644 index 000000000000..a6e4d0439e97 --- /dev/null +++ b/www/smb_auth/distinfo @@ -0,0 +1 @@ +MD5 (smb_auth-0.05.tar.gz) = 4fb2484ab73f96972d595a8d89e98c81 diff --git a/www/smb_auth/files/README b/www/smb_auth/files/README new file mode 100644 index 000000000000..ac00bb2c6176 --- /dev/null +++ b/www/smb_auth/files/README @@ -0,0 +1,179 @@ +SMB proxy authentication module + +Current version: 0.05 +Released on : 28 September 1999 +Author : Richard Huveneers +License : GNU GPL + +smb_auth is a proxy authentication module. With smb_auth you can +authenticate proxy users against an SMB server like Windows NT or Samba. + +Download + +The current version is smb_auth-0.05.tar.gz. + +Highlights of new features: + + * Easier debugging (finally!) + * More flexibility + * Improved documentation + +Requirements + + * Squid 2.0 or above, or another proxy server with the same + authentication module interface. + Squid 1.1 with Arjan de Vet's patch works fine too. + * smb_auth needs Samba to talk SMB. If you don't have Samba installed on + your proxy server, download and install Samba now. You don't need to + start the Samba daemons, smb_auth only uses the Samba client + utilities. + + Note to Samba 2.0 users: The -E option of smbclient does not work + properly in Samba 2.0.3 and earlier, which breaks smb_auth. This has + been fixed in Samba 2.0.4, so make sure you are using Samba 2.0.4 or + later (the command "smbclient -h" shows the version number). If you + prefer not to upgrade to Samba 2.0.4, you can apply this patch which + fixes the bug. + +Installation + + * Check the Makefile. Make sure that SAMBAPREFIX and INSTALLBIN are set + correctly before running make. + * Run "make", then "make install". This will install smb_auth and + smb_auth.sh in the INSTALLBIN directory. + +Primary domain controller setup + +To get proxy access control by user and group, smb_auth reads the file +\netlogon\proxyauth on one of the domain controllers using the supplied +credentials. If reading this file returns "allow" then access will be +allowed, otherwise denied. + + * Create a file named "proxyauth" on the NETLOGON share of the primary + domain controller. In case you have one or more backup domain + controllers, I'm assuming you are replicating this share to the backup + domain controllers. If you prefer, you can change the location of this + file by using the -S option of smb_auth (see below). + * Put just the one word "allow" in this file. + * Assign "Read" access to the "proxyauth" file to all users or group + which you want to allow access to the proxy. + * If you want to allow access from multiple domains to your proxy, + repeat the above steps for the other domains. + +Configure Squid + +You need to configure Squid for proxy authentication. If you have problems +doing this, have a look at the FAQ. While reading the FAQ, replace +ncsa_auth with smb_auth. Please pay attention to the REQUIRED keyword in +the proxy_auth acl. As an example, here are the relevant lines of my own +squid.conf file: + + authenticate_program /usr/local/bin/smb_auth -W MEDIA@VANTAGE + acl domainusers proxy_auth REQUIRED + http_access allow domainusers + +smb_auth has several options. Most people will call smb_auth like this: + + smb_auth -W domainname + +where domainname is the name of your domain. By default, smb_auth tries to +find a domain controller by broadcasting on the primary network interface. +If you want to broadcast on another interface (for instance, if you have +two ethernet interfaces installed), use: + + smb_auth -W domainname -B <broadcast IP address> + +If you really want to specify the IP address of a domain controller +yourself, use: + + smb_auth -W domainname -U <IP address> + +This might even work with a WINS server (untested, feedback appreciated). +If you have several domains from which you want to allow access to your +proxy, just add them: + + smb_auth -W domain1 -W domain2 -W domain3 ... + +in this case all users (except those of domain1) have to specify their +username as domainname\username when authenticating. If your users are +lazy, you can abbreviate the domainnames like this: + + smb_auth -W domain1 -W domain2 -w d2 -W domain3 -w d3 .. + +then users of domain2 can authenticate with d2\username instead of +domain2\username. You can also specify different broadcast addresses etc. +per domain. Note that you don't need an abbreviation for the first domain +since omitting a domainname implies authenticating against the first +domain. + +If you want to authenticate users of domain1 against a domain controller of +domain2 (you must have a trust relationship between domain1 and domain2) +then you can use the -P option. This is called pass-through authentication +and is useful to manage access from multiple domains to the proxy server +centrally (using a single proxyauth file): + + smb_auth -W domain1 -P domain2 -W domain2 .. + +If you want to change the location of the proxyauth file (for instance +because your NETLOGON share is located on a FAT filesystem) then you can +use the -S option to specify a different share (make sure you are +replicating this share to the backup domain controllers): + + smb_auth -W domain -S share + +You can also change the name of the proxyauth file and store it in a +sub-directory of the share by appending the full pathname of the proxyauth +file to the sharename. You may use both forward slashes and backslashes to +separate directories and you may (not required) prepend a (back)slash to +the sharename: + + smb_auth -W domain -S /share/path/to/proxyauth + +Troubleshooting + +You can run smb_auth on the command-line using the same options as in your +squid.conf. To debug authentication you can additionally use the -d option +which will print debug information after each step, so you can determine +which step is failing. +Do not use the -d option in your squid.conf, this corrupts the +communication between Squid and smb_auth. + +You need to feed one username and password (separated by a space character) +to smb_auth's standard input. After authenticating this username and +password, smb_auth will continue accepting such username/password +combinations until you close it's standard input by pressing Ctrl-D. + +Here's the output of a succesful authentication, so you know how the output +should look like: + +# smb_auth -W MEDIA@VANTAGE -d +richard xxxxxxxx +Domain name: MEDIA@VANTAGE +Pass-through authentication: no +Query address options: +Domain controller IP address: 192.168.1.2 +Domain controller NETBIOS name: VEGA +Contents of //VEGA/NETLOGON/proxyauth: allow +OK + +Still having problems? + +Please e-mail me if you have problems compiling, installing or configuring +smb_auth. Suggestions are welcome too. +If somebody could comment on NT licensing issues of smb_auth, that would be +more than welcome. + +TODO + +These are the items currently on my todo list. If you need another feature +currently not available, just let me know. I will add it to this list and +who knows, it might even get implemented. + + * research if smbclient does encrypted passwords on demand or needs + smb.conf option or something else. + * research if Samba 2.0 is able to retrieve NT group membership directly + * re-code the shell script in C. I used a shell script mainly to speedup + development. + * add a netbios name cache. This feature needs the previous one and will + speed up smb_auth considerably. + * research if linking smb_auth with the Samba code is worth the trouble. diff --git a/www/smb_auth/files/patch-aa b/www/smb_auth/files/patch-aa new file mode 100644 index 000000000000..cd2b11212a3b --- /dev/null +++ b/www/smb_auth/files/patch-aa @@ -0,0 +1,33 @@ +--- Makefile.orig Thu Jan 13 11:58:13 2000 ++++ Makefile Thu Jan 13 12:07:21 2000 +@@ -5,25 +5,25 @@ + # by using the --prefix option when configuring Samba, you need to change + # SAMBAPREFIX accordingly. + +-SAMBAPREFIX=/usr/local/samba ++SAMBAPREFIX=$(LOCALBASE) + + # INSTALLBIN is the directory in which both smb_auth and its helper script + # smb_auth.sh, will be installed. smb_auth uses this value to find its + # helper script, so change this before compiling smb_auth. + +-INSTALLBIN=/usr/local/bin ++INSTALLBIN=$(PREFIX)/bin + + # End of configuration section + + OBJECTS = smb_auth.o + SCRIPT = smb_auth.sh + +-CC = gcc +-CFLAGS = -O2 -Wall \ ++CC ?= gcc ++CFLAGS += -Wall \ + -DSAMBAPREFIX=\"$(SAMBAPREFIX)\" -DHELPERSCRIPT=\"$(INSTALLBIN)/$(SCRIPT)\" + + smb_auth: $(OBJECTS) +- $(CC) -o smb_auth $(OBJECTS) ++ $(CC) $(CFLAGS) -o smb_auth $(OBJECTS) + + install: smb_auth + install smb_auth $(SCRIPT) $(INSTALLBIN) diff --git a/www/smb_auth/pkg-comment b/www/smb_auth/pkg-comment new file mode 100644 index 000000000000..14431eb879e8 --- /dev/null +++ b/www/smb_auth/pkg-comment @@ -0,0 +1 @@ +A proxy authentication module against an SMB server diff --git a/www/smb_auth/pkg-descr b/www/smb_auth/pkg-descr new file mode 100644 index 000000000000..aa008e52cde6 --- /dev/null +++ b/www/smb_auth/pkg-descr @@ -0,0 +1,7 @@ +smb_auth is a proxy authentication module. With smb_auth you can authenticate +proxy users against an SMB server like Windows NT or Samba. + +WWW: http://www.hacom.nl/~richard/software/smb_auth.html + +- Maxim Sobolev +sobomax@altavista.net diff --git a/www/smb_auth/pkg-plist b/www/smb_auth/pkg-plist new file mode 100644 index 000000000000..41e1d41461c1 --- /dev/null +++ b/www/smb_auth/pkg-plist @@ -0,0 +1,5 @@ +bin/smb_auth +bin/smb_auth.sh +share/doc/smb_auth/COPYING-2.0 +share/doc/smb_auth/README +@dirrm share/doc/smb_auth |