7 Replies Latest reply on Oct 26, 2016 11:18 AM by smveloso

    McAfee Web Gateway - NTLM with Samba

    hackerfreak

      Hi all!

       

      I'm trying to use NTLM authentication with a Samba backend (the goal is single-sign-on authentication to the proxy). I tested this already with a productive samba3 server but I didn't get a connection to the directory. So I built a test environment in VMware Workstation with a Web Gateway, a Windows 8 client and a Debian Linux system with Samba4. I chose Samba4 because I know of an issue with Samba3 and domain joins with computers which have Windows 7 etc., where you need to pre-configure registry settings: https://wiki.samba.org/index.php/Registry_changes_for_NT4-style_domains so I thought Samba4 in my test environment would be the better choice. So I installed Debian and Samba4 (howto: http://www.matrix44.net/cms/notes/gnulinux/samba-4-ad-domain-with-ubuntu-12-04) and could join a Windows 8.1 machine directly to my test domain "nemo.local". But I still can't join the Web Gateway to the domain. In the tcpdump I always see "STATUS_INVALID_PARAMETER". Maybe there is a tweak option for Samba or an unofficial way on the Web Gateway. I uploaded screenshots from the tcpdumps (one shows a connection to the Samba domain and one to a Microsoft AD, to see the differences). Maybe someone has an idea for this.

       

      Thanks in advance!

        • 1. Re: McAfee Web Gateway - NTLM with Samba
          exbrit

          Move to the Web Gateway sub-forums for better handling.

          • 2. Re: McAfee Web Gateway - NTLM with Samba
            ericklans

            into sambala.nemo.local try to use the IP address of the DC.

            And in the DNS configuration page, at the first domain, enter the IP of the DC if it has a DNS server or local DNS.

             

            Message was edited by: ericklans on 3/20/14 5:23:28 AM CDT
            • 3. Re: McAfee Web Gateway - NTLM with Samba
              asabban

              Hello,

               

              In the DNS settings you should configure a DNS that can resolve all domain-related queries. It is not advisable to enter the IP address of the DC; if DNS is not working as required, I recommend placing an entry in /etc/hosts which allows MWG to resolve the name of the DC forward and backwards (both are required to work).

               

              Please note that MWG has not been built or tested against Samba. Also, Samba is not supported; if it works that is perfectly fine, but support probably won't be able to assist in case of issues with NTLM. For production environments I recommend switching to a Windows domain.

               

              Best,

              Andre

              1 of 1 people found this helpful
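
The forward and reverse lookup requirement described in the reply above, as an added example that is not part of the original thread or any McAfee tooling: a Python check that a domain controller's name resolves to an address and that the address resolves back to the same name through the system resolver (which also honours /etc/hosts). The host names under nemo.local and the 192.0.2.x addresses are constructed sample data.

```python
import socket

def system_forward(name):
    """Resolve name to IPv4 addresses via the system resolver (honours /etc/hosts)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []

def system_reverse(ip):
    """Return every name (canonical name plus aliases) the resolver gives for ip."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + aliases
    except (socket.herror, socket.gaierror):
        return []

def check_dc_resolution(fqdn, forward=system_forward, reverse=system_reverse):
    """Return a list of problems; an empty list means forward and reverse agree."""
    want = fqdn.rstrip(".").lower()
    ips = forward(fqdn)
    if not ips:
        return [f"forward lookup of {fqdn} returned no address"]
    problems = []
    for ip in ips:
        names = [n.rstrip(".").lower() for n in reverse(ip)]
        if not names:
            problems.append(f"no reverse (PTR/hosts) entry for {ip}")
        elif want not in names:
            problems.append(f"{ip} resolves back to {names[0]}, not {want}")
    return problems

# Constructed sample data standing in for DNS zone or /etc/hosts contents.
SAMPLE_FORWARD = {"dc1.nemo.local": ["192.0.2.10"], "dc2.nemo.local": ["192.0.2.11"],
                  "dc3.nemo.local": ["192.0.2.12"]}
SAMPLE_REVERSE = {"192.0.2.10": ["dc1.nemo.local", "dc1"],
                  "192.0.2.12": ["oldhost.nemo.local"]}

def sample_check(fqdn):
    """Run the check against the constructed tables instead of the live resolver."""
    return check_dc_resolution(fqdn,
                               forward=lambda n: SAMPLE_FORWARD.get(n, []),
                               reverse=lambda ip: SAMPLE_REVERSE.get(ip, []))

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:  # e.g. the FQDN of the domain controller
        issues = check_dc_resolution(host)
        print(host, "OK" if not issues else "; ".join(issues))
```

Run with the DC's fully qualified name as an argument on a host that uses the same DNS servers and hosts file as the gateway; any line other than "OK" names the direction that fails.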
              • 4. Re: McAfee Web Gateway - NTLM with Samba
                hackerfreak

                Hi Andre,

                 

                We canceled the project at the customer. It is a 4000-user environment and I don't want to implement a non-supported way; we never got it to work, even with host entries. But thank you all in advance for the help!

                • 5. Re: McAfee Web Gateway - NTLM with Samba
                  smveloso

                  Hi Andre,

                   

                    Do you know of any "official" information stating that Samba is not supported by Web Gateway?

                   

                    I am trying to join a web gateway (7.7.x) to a samba domain (3.x). It fails and I see the same error in the captured traffic: STATUS_INVALID_PARAMETER.

                   

                    I wonder if it isn't pointless to keep trying ...

                   

                    It's an old message but if you have any information I'd be grateful.

                   

                  Regards

                  • 6. Re: McAfee Web Gateway - NTLM with Samba
                    asabban

                    Hello,

                     

                    I am not sure where it is documented, but I was told that all tests performed are done against Microsoft's Active Directory. So no one ever tried to join a Samba 3.x domain, thus we don't know if there is anything specific to configure on the Samba side. Also, support won't provide support in case there is trouble setting up or maintaining the connection.

                     

                    I have not heard that we added support for Samba lately.

                     

                    Best,

                    Andre

                    1 of 1 people found this helpful
                    • 7. Re: McAfee Web Gateway - NTLM with Samba
                      smveloso

                      Andre,

                       

                      Thank you very much for the quick answer.

                       

                      I guess I'll give it up ...

                       

                      Regards