[Samba] auth samba+squid+ntlm

Xavier Callejas xcallejas at ibcinc.com.sv
Tue Jan 18 18:09:20 GMT 2005


Hi.

I need to use the ntlm_auth module to authenticate users so that one group can
use the Internet and others cannot, using squid. The users that belong to the
"Internet" group may use the Internet.

I've been looking for info about this, but there is not much info on Google.

So far this is the only info that I have found:

for squid.conf:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="dominio+Internet"

For the "dominio+internet": I also tried "dominio\internet" and
"dominio\\internet", and there is always an error like this:

[2005/01/18 11:58:23, 0] utils/ntlm_auth.c:get_require_membership_sid(237)
  Winbindd lookupname failed to resolve dominio+Internet into a SID!

so I tried the SID:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=S-1-5-21-2357639956-1676252757-504000632-2005

and:

[2005/01/18 11:59:20, 10] utils/ntlm_auth.c:manage_squid_request(1610)
  Got 'ibcinc+xavier acacadac' from squid (length: 22).
[2005/01/18 11:59:21, 3] utils/ntlm_auth.c:check_plaintext_auth(292)
  NT_STATUS_OK: Success (0x0)
OK

But even doing this (putting the SID), the users can't be authenticated by the
server. Squid and the smb PDC are the same box; is this possible???

This is the error from the log when a user runs the web browser and it asks for
a user/password:

Jan 18 12:12:16 brain kernel: audit(1106071936.271:0): avc:  denied  
{ getattr } for  pid=17126 exe=/usr/bin/ntlm_auth path=/var/run/winbindd/pipe 
dev=hda7 ino=108681 scontext=root:system_r:squid_t 
tcontext=root:object_r:var_run_t tclass=sock_file

These are the permissions on /var/cache/samba:
-rw-------  1 root root   8192 ene 13 00:02 account_policy.tdb
-rw-r--r--  1 root root   8192 ene 17 08:52 brlock.tdb
-rw-r--r--  1 root root    695 ene 18 12:13 browse.dat
-rw-r--r--  1 root root  16384 ene 14 08:00 connections.tdb
-rw-r--r--  1 root root   8192 ene 13 00:10 gencache.tdb
-rw-------  1 root root   8192 ene 13 00:02 group_mapping.tdb
-rw-r--r--  1 root root  16384 ene 17 08:52 locking.tdb
-rw-------  1 root root  16384 ene 14 08:56 messages.tdb
-rw-r--r--  1 root root  11438 ene 16 04:02 namelist.debug
-rw-------  1 root root   8192 ene 13 03:50 netsamlogon_cache.tdb
-rw-------  1 root root   8192 ene 13 00:02 ntdrivers.tdb
-rw-------  1 root root    696 ene 13 00:02 ntforms.tdb
-rw-------  1 root root   8192 ene 13 00:02 ntprinters.tdb
drwxr-xr-x  2 root root   4096 ene 13 00:02 printing
-rw-------  1 root root   8192 ene 13 00:02 registry.tdb
-rw-r--r--  1 root root  24576 ene 14 08:00 sessionid.tdb
-rw-------  1 root root   8192 ene 13 00:02 share_info.tdb
-rw-r--r--  1 root root   8192 ene 13 19:08 unexpected.tdb
-rw-------  1 root root  20172 ene 14 14:15 winbindd_cache.tdb
-rw-r--r--  1 root root   8192 ene 13 00:21 winbindd_idmap.tdb
drwxr-x---  2 root squid  4096 ene 14 14:15 winbindd_privileged
-rw-r--r--  1 root root   1523 ene 18 12:12 wins.dat

What can I do???

thanks!

-- 
Xavier Callejas

E-Mail + MSN: xcallejas at ibcinc.com.sv
ICQ: 33336224
------------------------------------------
Open your Mind, use Open Source.
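
An added example, not part of the original post: the kernel line quoted in the message is an SELinux AVC denial record, which is a different control from the Unix mode bits shown in the directory listing. This Python parser pulls out the source domain, target type, object class and permission, and renders the type-enforcement rule the denial corresponds to so it can be reviewed; the function names `parse_avc` and `implied_rule` are this example's own, and the sample input is the record from the message joined onto one line.

```python
import re

# The AVC record quoted in the message, joined onto one line (sample input).
SAMPLE = ("Jan 18 12:12:16 brain kernel: audit(1106071936.271:0): avc:  denied  "
          "{ getattr } for  pid=17126 exe=/usr/bin/ntlm_auth path=/var/run/winbindd/pipe "
          "dev=hda7 ino=108681 scontext=root:system_r:squid_t "
          "tcontext=root:object_r:var_run_t tclass=sock_file")

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")

def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # Everything after "for" is a run of key=value fields.
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    for key in ("scontext", "tcontext", "tclass"):
        if key not in fields:
            return None  # truncated record, for example cut by line wrapping
    # A security context is user:role:type, optionally followed by an MLS range.
    s_parts = fields["scontext"].split(":")
    t_parts = fields["tcontext"].split(":")
    if len(s_parts) < 3 or len(t_parts) < 3:
        return None
    return {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "source_type": s_parts[2],   # domain of the process that was checked
        "target_type": t_parts[2],   # type label on the object it touched
        "tclass": fields["tclass"],
        "exe": fields.get("exe"),
        "path": fields.get("path"),
    }

def implied_rule(rec):
    """Type-enforcement rule matching the denial, for review rather than blind loading."""
    perms = rec["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (
        rec["source_type"], rec["target_type"], rec["tclass"], perm_text)

if __name__ == "__main__":
    record = parse_avc(SAMPLE)
    print(record)
    print(implied_rule(record))
```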

