hackerfreak
Level 7

McAfee Web Gateway - NTLM with Samba

Hi all!

I'm trying to use NTLM authentication with a Samba backend (the goal is single-sign-on authentication to the proxy). I tested this already with a productive samba3 server but I didn't get a connect to the directory. So I built a test environment in VMware Workstation with a Web Gateway, a Windows 8 client and a Debian Linux system with Samba4. I chose Samba4 because I know of an issue with Samba3 and domain join with computers which have Windows 7 etc., where you need to pre-configure registry settings: https://wiki.samba.org/index.php/Registry_changes_for_NT4-style_domains so I thought Samba4 in my test environment would be the better choice. So I installed Debian and Samba4 (howto: http://www.matrix44.net/cms/notes/gnulinux/samba-4-ad-domain-with-ubuntu-12-04) and could join a Windows 8.1 directly to my test domain "nemo.local". But I still can't join the Web Gateway to the domain. In the tcpdump I always see "STATUS_INVALID_PARAMETER". Maybe there is a tweak option for Samba or an unofficial way on the Web Gateway. I uploaded screenshots from the tcpdumps (one shows a connect to the Samba domain and one to a Microsoft AD to see the differences). Maybe someone has an idea for this.

Thanks in advance!

0 Kudos
7 Replies
exbrit
Level 21

Re: McAfee Web Gateway - NTLM with Samba

Move to the Web Gateway sub-forums for better handling.

0 Kudos
ericklans
Level 9

Re: McAfee Web Gateway - NTLM with Samba

into sambala.nemo.local try to use IP-address of DC.

And in DNS configuration page, at first domain enter IP of the DC if it has DNS server or local dns.

Message was edited by: ericklans on 3/20/14 5:23:28 AM CDT
0 Kudos
asabban
Level 17

Re: McAfee Web Gateway - NTLM with Samba

Hello,

In the DNS settings you should configure a DNS that can resolve all domain-related queries. It is not advisable to enter the IP address of the DC; if DNS is not working as required, I recommend placing an entry in /etc/hosts which allows MWG to resolve the name of the DC forward and backward (both are required to work).

Please note that MWG has not been built or tested against Samba. Also, Samba is not supported; if it works that is perfectly fine, but support probably won't be able to assist in case of issues with NTLM. For production environments I recommend switching to a Windows domain.

Best,

Andre

0 Kudos
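Added example (not part of the post above and not McAfee code): a Python check that a DC name resolves forward and that each returned address resolves back to the same name, run here against constructed `/etc/hosts` text. The host name `dc1` and the address `192.0.2.10` are placeholders, and requiring the reverse lookup to return the exact FQDN is an assumption of this example.

```python
import socket

def hosts_resolvers(hosts_text):
    """Build forward/reverse lookups from /etc/hosts-style text."""
    fwd, rev = {}, {}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        rev.setdefault(ip, names[0])             # first name on a line is the canonical one
        for name in names:
            fwd.setdefault(name.lower(), []).append(ip)
    def forward(name):
        if name.lower() not in fwd:
            raise OSError(f"{name} not found")
        return fwd[name.lower()]
    def reverse(ip):
        if ip not in rev:
            raise OSError(f"{ip} not found")
        return rev[ip]
    return forward, reverse

def _live_forward(name):
    return socket.gethostbyname_ex(name)[2]      # list of IPv4 addresses

def _live_reverse(ip):
    return socket.gethostbyaddr(ip)[0]           # canonical host name

def check_dc(dc_fqdn, forward=_live_forward, reverse=_live_reverse):
    """Return a list of problems; an empty list means forward and reverse agree."""
    want = dc_fqdn.rstrip(".").lower()
    try:
        ips = forward(dc_fqdn)
    except OSError as exc:
        return [f"forward lookup of {dc_fqdn} failed: {exc}"]
    problems = []
    for ip in ips:
        try:
            got = reverse(ip).rstrip(".").lower()
        except OSError as exc:
            problems.append(f"{ip}: reverse lookup failed: {exc}")
            continue
        if got != want:
            problems.append(f"{ip}: reverse lookup returns {got!r}, expected {want!r}")
    return problems

# Constructed samples; nemo.local is the test domain named in this thread.
GOOD = "192.0.2.10 dc1.nemo.local dc1\n"
BAD = "192.0.2.10 dc1 dc1.nemo.local   # short name first\n"
```

Calling `check_dc("dc1.nemo.local")` without the extra arguments uses the system resolver instead of the sample text.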
hackerfreak
Level 7

Re: McAfee Web Gateway - NTLM with Samba

Hi Andre,

We canceled the project at the customer. It is a 4000 user environment and I don't want to implement a non-supported way; we never got it to work, even with host entries. But thank you all in advance for help!

0 Kudos
smveloso
Level 7

Re: McAfee Web Gateway - NTLM with Samba

Hi Andre,

  Do you know of any "official" information stating that Samba is not supported by Web Gateway?

  I am trying to join a web gateway (7.7.x) to a samba domain (3.x). It fails and I see the same error in the captured traffic: STATUS_INVALID_PARAMETER.

  I wonder if it isn't pointless to keep trying ...

  It's an old message but if you have any information I'd be grateful.

Regards

0 Kudos
asabban
Level 17

Re: McAfee Web Gateway - NTLM with Samba

Hello,

I am not sure where it is documented, but I was told that all tests performed are done against Microsoft's Active Directory. So no one ever tried to join a Samba 3.x domain, thus we don't know if there is anything specific to configure on the Samba side. Also, support won't provide support in case there is trouble setting up or maintaining the connection.

I have not heard that we added support for Samba lately.

Best,

Andre

0 Kudos
smveloso
Level 7

Re: McAfee Web Gateway - NTLM with Samba

Andre,

Thank you very much for the quick answer.

I guess I'll give it up ...

Regards

0 Kudos