authorSteve Price <steve@FreeBSD.org>2000-01-29 05:56:29 +0000
committerSteve Price <steve@FreeBSD.org>2000-01-29 05:56:29 +0000
commitef50261ea97b54f24b73c2b62ede8f7402746197 (patch)
treeec1e8c0c28a8cc98c9e948c6fffa3ea37385294f
parentAdding cadaver version 0.10.0. (diff)
Adding smb_auth version 0.05.
A proxy authentication module against an SMB server. PR: 16100 Submitted by: Maxim Sobolev <sobomax@altavista.net>
-rw-r--r--www/Makefile1
-rw-r--r--www/smb_auth/Makefile39
-rw-r--r--www/smb_auth/distinfo1
-rw-r--r--www/smb_auth/files/README179
-rw-r--r--www/smb_auth/files/patch-aa33
-rw-r--r--www/smb_auth/pkg-comment1
-rw-r--r--www/smb_auth/pkg-descr7
-rw-r--r--www/smb_auth/pkg-plist5
8 files changed, 266 insertions, 0 deletions
diff --git a/www/Makefile b/www/Makefile
index 48aaf217f337..3b619b6daac5 100644
--- a/www/Makefile
+++ b/www/Makefile
@@ -107,6 +107,7 @@
SUBDIR += ruboard
SUBDIR += screem
SUBDIR += sitecopy
+ SUBDIR += smb_auth
SUBDIR += snarf
SUBDIR += squid11
SUBDIR += squid11-novm
diff --git a/www/smb_auth/Makefile b/www/smb_auth/Makefile
new file mode 100644
index 000000000000..129bb991d6e6
--- /dev/null
+++ b/www/smb_auth/Makefile
@@ -0,0 +1,39 @@
+# New ports collection makefile for: smb_auth
+# Version required: 0.05
+# Date created: 13 January 2000
+# Whom: Maxim Sobolev <sobomax@altavista.net>
+#
+# $FreeBSD$
+#
+
+DISTNAME= smb_auth-0.05
+CATEGORIES= www
+MASTER_SITES= http://www.hacom.nl/~richard/software/
+
+MAINTAINER= sobomax@altavista.net
+
+RUN_DEPENDS= ${LOCALBASE}/sbin/squid:${PORTSDIR}/www/squid22 \
+ ${LOCALBASE}/sbin/smbd:${PORTSDIR}/net/samba
+
+ALL_TARGET= smb_auth
+
+do-install:
+ ${INSTALL_PROGRAM} ${WRKSRC}/smb_auth ${PREFIX}/bin
+ ${INSTALL_SCRIPT} ${WRKSRC}/smb_auth.sh ${PREFIX}/bin
+.if !defined(NOPORTDOCS)
+ ${MKDIR} ${PREFIX}/share/doc/smb_auth
+ ${INSTALL_MAN} ${FILESDIR}/README ${PREFIX}/share/doc/smb_auth
+ ${INSTALL_MAN} ${WRKSRC}/COPYING-2.0 ${PREFIX}/share/doc/smb_auth
+.endif
+
+post-install:
+ @${ECHO_MSG}
+ @${ECHO_MSG} ' +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++'
+ @${ECHO_MSG} ' Refer to ${PREFIX}/share/doc/smb_auth/README on how to configure smb_auth.'
+ @${ECHO_MSG}
+ @${ECHO_MSG} ' NOTE: For smb_auth to work properly you must set debug level>0 in your'
+ @${ECHO_MSG} ' smb.conf file.'
+ @${ECHO_MSG} ' +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++'
+ @${ECHO_MSG}
+
+.include <bsd.port.mk>
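Review bot: The Samba entry in `RUN_DEPENDS` tests for `${LOCALBASE}/sbin/smbd`, but the README added in this commit says smb_auth only uses the Samba client utilities and that the daemons need not be started, so the dependency is keyed on a binary the authenticator never calls. Keying it on the client instead, `${LOCALBASE}/bin/smbclient:${PORTSDIR}/net/samba`, would check what the helper actually needs (path assumed from `SAMBAPREFIX=$(LOCALBASE)` in patch-aa; confirm where net/samba installs it). The README also states that smbclient's -E option is broken in Samba 2.0.3 and earlier, which breaks smb_auth. Nothing here enforces a minimum version, so a comment above `RUN_DEPENDS` such as `# needs Samba >= 2.0.4 (smbclient -E), see files/README` would at least record the requirement for an authentication component.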
diff --git a/www/smb_auth/distinfo b/www/smb_auth/distinfo
new file mode 100644
index 000000000000..a6e4d0439e97
--- /dev/null
+++ b/www/smb_auth/distinfo
@@ -0,0 +1 @@
+MD5 (smb_auth-0.05.tar.gz) = 4fb2484ab73f96972d595a8d89e98c81
diff --git a/www/smb_auth/files/README b/www/smb_auth/files/README
new file mode 100644
index 000000000000..ac00bb2c6176
--- /dev/null
+++ b/www/smb_auth/files/README
@@ -0,0 +1,179 @@
+SMB proxy authentication module
+
+Current version: 0.05
+Released on : 28 September 1999
+Author : Richard Huveneers
+License : GNU GPL
+
+smb_auth is a proxy authentication module. With smb_auth you can
+authenticate proxy users against an SMB server like Windows NT or Samba.
+
+Download
+
+The current version is smb_auth-0.05.tar.gz.
+
+Highlights of new features:
+
+ * Easier debugging (finally!)
+ * More flexibility
+ * Improved documentation
+
+Requirements
+
+ * Squid 2.0 or above, or another proxy server with the same
+ authentication module interface.
+ Squid 1.1 with Arjan de Vet's patch works fine too.
+ * smb_auth needs Samba to talk SMB. If you don't have Samba installed on
+ your proxy server, download and install Samba now. You don't need to
+ start the Samba daemons, smb_auth only uses the Samba client
+ utilities.
+
+ Note to Samba 2.0 users: The -E option of smbclient does not work
+ properly in Samba 2.0.3 and earlier, which breaks smb_auth. This has
+ been fixed in Samba 2.0.4, so make sure you are using Samba 2.0.4 or
+ later (the command "smbclient -h" shows the version number). If you
+ prefer not to upgrade to Samba 2.0.4, you can apply this patch which
+ fixes the bug.
+
+Installation
+
+ * Check the Makefile. Make sure that SAMBAPREFIX and INSTALLBIN are set
+ correctly before running make.
+ * Run "make", then "make install". This will install smb_auth and
+ smb_auth.sh in the INSTALLBIN directory.
+
+Primary domain controller setup
+
+To get proxy access control by user and group, smb_auth reads the file
+\netlogon\proxyauth on one of the domain controllers using the supplied
+credentials. If reading this file returns "allow" then access will be
+allowed, otherwise denied.
+
+ * Create a file named "proxyauth" on the NETLOGON share of the primary
+ domain controller. In case you have one or more backup domain
+ controllers, I'm assuming you are replicating this share to the backup
+ domain controllers. If you prefer, you can change the location of this
+ file by using the -S option of smb_auth (see below).
+ * Put just the one word "allow" in this file.
+ * Assign "Read" access to the "proxyauth" file to all users or group
+ which you want to allow access to the proxy.
+ * If you want to allow access from multiple domains to your proxy,
+ repeat the above steps for the other domains.
+
+Configure Squid
+
+You need to configure Squid for proxy authentication. If you have problems
+doing this, have a look at the FAQ. While reading the FAQ, replace
+ncsa_auth with smb_auth. Please pay attention to the REQUIRED keyword in
+the proxy_auth acl. As an example, here are the relevant lines of my own
+squid.conf file:
+
+ authenticate_program /usr/local/bin/smb_auth -W MEDIA@VANTAGE
+ acl domainusers proxy_auth REQUIRED
+ http_access allow domainusers
+
+smb_auth has several options. Most people will call smb_auth like this:
+
+ smb_auth -W domainname
+
+where domainname is the name of your domain. By default, smb_auth tries to
+find a domain controller by broadcasting on the primary network interface.
+If you want to broadcast on another interface (for instance, if you have
+two ethernet interfaces installed), use:
+
+ smb_auth -W domainname -B <broadcast IP address>
+
+If you really want to specify the IP address of a domain controller
+yourself, use:
+
+ smb_auth -W domainname -U <IP address>
+
+This might even work with a WINS server (untested, feedback appreciated).
+If you have several domains from which you want to allow access to your
+proxy, just add them:
+
+ smb_auth -W domain1 -W domain2 -W domain3 ...
+
+in this case all users (except those of domain1) have to specify their
+username as domainname\username when authenticating. If your users are
+lazy, you can abbreviate the domainnames like this:
+
+ smb_auth -W domain1 -W domain2 -w d2 -W domain3 -w d3 ..
+
+then users of domain2 can authenticate with d2\username instead of
+domain2\username. You can also specify different broadcast addresses etc.
+per domain. Note that you don't need an abbreviation for the first domain
+since omitting a domainname implies authenticating against the first
+domain.
+
+If you want to authenticate users of domain1 against a domain controller of
+domain2 (you must have a trust relationship between domain1 and domain2)
+then you can use the -P option. This is called pass-through authentication
+and is useful to manage access from multiple domains to the proxy server
+centrally (using a single proxyauth file):
+
+ smb_auth -W domain1 -P domain2 -W domain2 ..
+
+If you want to change the location of the proxyauth file (for instance
+because your NETLOGON share is located on a FAT filesystem) then you can
+use the -S option to specify a different share (make sure you are
+replicating this share to the backup domain controllers):
+
+ smb_auth -W domain -S share
+
+You can also change the name of the proxyauth file and store it in a
+sub-directory of the share by appending the full pathname of the proxyauth
+file to the sharename. You may use both forward slashes and backslashes to
+separate directories and you may (not required) prepend a (back)slash to
+the sharename:
+
+ smb_auth -W domain -S /share/path/to/proxyauth
+
+Troubleshooting
+
+You can run smb_auth on the command-line using the same options as in your
+squid.conf. To debug authentication you can additionally use the -d option
+which will print debug information after each step, so you can determine
+which step is failing.
+Do not use the -d option in your squid.conf, this corrupts the
+communication between Squid and smb_auth.
+
+You need to feed one username and password (separated by a space character)
+to smb_auth's standard input. After authenticating this username and
+password, smb_auth will continue accepting such username/password
+combinations until you close it's standard input by pressing Ctrl-D.
+
+Here's the output of a succesful authentication, so you know how the output
+should look like:
+
+# smb_auth -W MEDIA@VANTAGE -d
+richard xxxxxxxx
+Domain name: MEDIA@VANTAGE
+Pass-through authentication: no
+Query address options:
+Domain controller IP address: 192.168.1.2
+Domain controller NETBIOS name: VEGA
+Contents of //VEGA/NETLOGON/proxyauth: allow
+OK
+
+Still having problems?
+
+Please e-mail me if you have problems compiling, installing or configuring
+smb_auth. Suggestions are welcome too.
+If somebody could comment on NT licensing issues of smb_auth, that would be
+more than welcome.
+
+TODO
+
+These are the items currently on my todo list. If you need another feature
+currently not available, just let me know. I will add it to this list and
+who knows, it might even get implemented.
+
+ * research if smbclient does encrypted passwords on demand or needs
+ smb.conf option or something else.
+ * research if Samba 2.0 is able to retrieve NT group membership directly
+ * re-code the shell script in C. I used a shell script mainly to speedup
+ development.
+ * add a netbios name cache. This feature needs the previous one and will
+ speed up smb_auth considerably.
+ * research if linking smb_auth with the Samba code is worth the trouble.
diff --git a/www/smb_auth/files/patch-aa b/www/smb_auth/files/patch-aa
new file mode 100644
index 000000000000..cd2b11212a3b
--- /dev/null
+++ b/www/smb_auth/files/patch-aa
@@ -0,0 +1,33 @@
+--- Makefile.orig Thu Jan 13 11:58:13 2000
++++ Makefile Thu Jan 13 12:07:21 2000
+@@ -5,25 +5,25 @@
+ # by using the --prefix option when configuring Samba, you need to change
+ # SAMBAPREFIX accordingly.
+
+-SAMBAPREFIX=/usr/local/samba
++SAMBAPREFIX=$(LOCALBASE)
+
+ # INSTALLBIN is the directory in which both smb_auth and its helper script
+ # smb_auth.sh, will be installed. smb_auth uses this value to find its
+ # helper script, so change this before compiling smb_auth.
+
+-INSTALLBIN=/usr/local/bin
++INSTALLBIN=$(PREFIX)/bin
+
+ # End of configuration section
+
+ OBJECTS = smb_auth.o
+ SCRIPT = smb_auth.sh
+
+-CC = gcc
+-CFLAGS = -O2 -Wall \
++CC ?= gcc
++CFLAGS += -Wall \
+ -DSAMBAPREFIX=\"$(SAMBAPREFIX)\" -DHELPERSCRIPT=\"$(INSTALLBIN)/$(SCRIPT)\"
+
+ smb_auth: $(OBJECTS)
+- $(CC) -o smb_auth $(OBJECTS)
++ $(CC) $(CFLAGS) -o smb_auth $(OBJECTS)
+
+ install: smb_auth
+ install smb_auth $(SCRIPT) $(INSTALLBIN)
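Review bot: `INSTALLBIN=$(PREFIX)/bin` and `SAMBAPREFIX=$(LOCALBASE)` have no fallback, and both are compiled into the binary through `-DHELPERSCRIPT` and `-DSAMBAPREFIX`. If the upstream Makefile is ever run without those two variables in its environment, the helper path becomes `/bin/smb_auth.sh` and the Samba prefix is empty, so a Squid authenticator would look for its helper script in an unintended location. Whether the ports framework always exports both to the build is not visible in this hunk. Adding `PREFIX ?= /usr/local` and `LOCALBASE ?= /usr/local` ahead of the two assignments (the patch already uses `?=` for `CC`) would keep the compiled-in paths well defined either way. The configuration section starts above the inner hunk, so the placement needs checking against the full upstream Makefile.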
diff --git a/www/smb_auth/pkg-comment b/www/smb_auth/pkg-comment
new file mode 100644
index 000000000000..14431eb879e8
--- /dev/null
+++ b/www/smb_auth/pkg-comment
@@ -0,0 +1 @@
+A proxy authentication module against an SMB server
diff --git a/www/smb_auth/pkg-descr b/www/smb_auth/pkg-descr
new file mode 100644
index 000000000000..aa008e52cde6
--- /dev/null
+++ b/www/smb_auth/pkg-descr
@@ -0,0 +1,7 @@
+smb_auth is a proxy authentication module. With smb_auth you can authenticate
+proxy users against an SMB server like Windows NT or Samba.
+
+WWW: http://www.hacom.nl/~richard/software/smb_auth.html
+
+- Maxim Sobolev
+sobomax@altavista.net
diff --git a/www/smb_auth/pkg-plist b/www/smb_auth/pkg-plist
new file mode 100644
index 000000000000..41e1d41461c1
--- /dev/null
+++ b/www/smb_auth/pkg-plist
@@ -0,0 +1,5 @@
+bin/smb_auth
+bin/smb_auth.sh
+share/doc/smb_auth/COPYING-2.0
+share/doc/smb_auth/README
+@dirrm share/doc/smb_auth
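Review bot: The three `share/doc/smb_auth` entries are listed unconditionally, while `do-install` in www/smb_auth/Makefile installs the README and COPYING-2.0 only inside `.if !defined(NOPORTDOCS)`. A build with NOPORTDOCS set therefore registers two files and a directory that were never installed, so the packing list no longer matches what is on disk. Either the doc entries should be made conditional in the same way (for example with a `%%PORTDOCS%%` prefix where the framework in use provides it), or the condition in `do-install` should be dropped.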