[Samba] Samba PDC & Squid NTLM Auth - Same machine
Stefan Dengscherz
stefan.dengscherz at gmail.com
Tue Mar 31 22:47:14 GMT 2009
Hello Victor,
did you try supplying the domain name along with the username? Like
"DOMAIN\administrator". Or adding "winbind use default domain = yes"
to your samba configuration.
Regards,
-sd
2009/3/31 Victor Medina <vittico at gmail.com>:
> David, it did not work.
>
> Any suggestion?
>
> Victor Medina
>
> Samuel Goldwyn - "I don't think anyone should write their
> autobiography until after they're dead."
>
>
> On Wed, Apr 1, 2009 at 12:13 PM, David Wells <d.wells at vitalcan.com.ar> wrote:
>> Victor Medina wrote:
>>>
>>> Hi Guys!
>>>
>>> Probably this is not the best place to ask, I'll try anyway... =)
>>>
>>> I've been trying to configure a Samba PDC and a Squid Proxy server
>>> with NTLM auth on the same machine but NTLM_AUTH keeps complaining
>>> about: NT_STATUS_INVALID_HANDLE.... I have other machines running
>>> Squid and Authenticating against a Samba Server but on different
>>> machines, this is the first time I try both on the same machine.
>>>
>>> Can I use Squid+NTLM Auth and Samba configured as PDC on the same
>>> machine? Is there any winbind issue with this kind of configuration?
>>>
>>> I'm using SLES10+SP2
>>> Samba version as reported by rpm is 3.0.32-0.8
>>> Squid version as reported by rpm is 2.5.STABLE12-18.13
>>>
>>> -------------------------------------------------
>>> This is my smb.conf
>>>
>>> [global]
>>> dos charset = 850
>>> unix charset = ISO8859-1
>>> workgroup = C1.SV
>>> netbios name = PDCSRVC1SV
>>> server string =
>>> interfaces = eth0
>>> bind interfaces only = Yes
>>> map to guest = Bad Password
>>> passdb backend = ldapsam:ldap://127.0.0.1
>>> guest account = Invitado
>>> time server = Yes
>>> deadtime = 20
>>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>> printcap name = cups
>>> logon path =
>>> logon home =
>>> domain logons = Yes
>>> os level = 65
>>> preferred master = Yes
>>> domain master = Yes
>>> wins support = Yes
>>> ldap admin dn = cn=Administrador,o=Ferreteria EPA
>>> ldap delete dn = Yes
>>> ldap group suffix = ou=group
>>> ldap machine suffix = ou=people
>>> ldap passwd sync = Yes
>>> ldap suffix = ou=c1,c=sv,o=Ferreteria EPA
>>> ldap user suffix = ou=people
>>> idmap domains = DEFAULT
>>> idmap alloc backend = ldap
>>> idmap alloc config:range = 10000-100000
>>> idmap alloc config:ldap_url = ldap://127.0.0.1
>>> idmap alloc config:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
>>> idmap alloc config:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
>>> idmap config DEFAULT:range = 10000-100000
>>> idmap config DEFAULT:ldap_url = ldap://127.0.0.1
>>> idmap config DEFAULT:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
>>> idmap config DEFAULT:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
>>> idmap config DEFAULT:default = yes
>>> idmap config DEFAULT:readonly = no
>>> idmap config DEFAULT:backend = ldap
>>> ldapsam:editposix = yes
>>> ldapsam:trusted = yes
>>> create mask = 0640
>>> force create mode = 0640
>>> directory mask = 0750
>>> force directory mode = 0750
>>> case sensitive = No
>>> dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
>>>
>>> My relevant squid.conf lines...
>>>
>>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp C1.SV/PDCSRVC1SV
>>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic C1.SV/PDCSRVC1SV
>>> auth_param ntlm children 100
>>> auth_param basic children 100
>>> auth_param basic realm Squid proxy-caching web server
>>> auth_param basic credentialsttl 2 hours
>>>
>>> The PDC works as expected, machine join works like a charm, users and
>>> groups management works equally right, all accounts are placed in the
>>> LDAP, getent passwd, group and shadow show the LDAP accounts.
>>>
>>> I also did a few tests with wbinfo
>>>
>>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo -u
>>> invitado
>>> usuarioprueba
>>> e01ggen
>>> e01glogis
>>> e01gcont
>>> e01jcomp1
>>> e01jcomp2
>>> e01jcomp3
>>> e01jcomp4
>>> e01jrepo
>>> e01jreclu
>>> e01rrece
>>> e01gcom
>>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo -g
>>> BUILTIN
>>> BUILTIN
>>> domain users
>>> domain admins
>>> domain guests
>>> grupoprueba
>>> gcentralsv
>>> gcompras
>>> gcontrol
>>> ggerencia
>>> glogistica
>>> gmercadeo
>>> gpersonal
>>> gventas
>>> gjefecompras
>>> gjefecontrol
>>> gjefelogistica
>>> gjefepersonal
>>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo --all-domains
>>> C1.SV
>>>
>>>
>>> I also made sure squid users can read /var/lib/samba/winbindd_privileged
>>>
>>>
>>> I also noted this error:
>>>
>>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo --authenticate=administrator%12345678
>>> plaintext password authentication failed
>>> error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
>>> error messsage was: No such user
>>> Could not authenticate user administrator%12345678 with plaintext password
>>> winbind separator was NULL!
>>> challenge/response password authentication failed
>>> error code was NT_STATUS_INVALID_HANDLE (0xc0000008)
>>> error messsage was: Invalid handle
>>> Could not authenticate user administrator with challenge/response
>>>
>>> Does someone have any idea of what could go wrong? When I use Squid and
>>> Samba on different machines I usually join the Squid machine to the
>>> domain using a net join, is this necessary when the PDC and Squid are
>>> on the same machine?
>>>
>>> Victor Medina
>>>
>>> Samuel Goldwyn - "I don't think anyone should write their
>>> autobiography until after they're dead."
>>>
>>
>> I think you should add lo to the interfaces listed in smb.conf
>>
>> Best regards, David Wells.
>>
>>
--
The box said Windows Vista or better. So I bought a Mac.
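The two replies in this thread point at two smb.conf settings: David's suggestion to add `lo` to `interfaces` (because `bind interfaces only = Yes` otherwise keeps smbd off the loopback that winbindd and ntlm_auth on the same host use), and Stefan's suggestion to either prefix the username with the domain or set `winbind use default domain = yes`. The script below is an added example, not code from the thread or from the Samba project: a small POSIX sh pre-flight that parses an smb.conf `[global]` section and reports whether either setting is missing before you spend time on `wbinfo --authenticate` or the Squid helper. The sample configuration is a constructed excerpt of the smb.conf quoted above; `FIXED_SMB_CONF` is that excerpt with both replies' changes applied, and the function names are my own.

```shell
#!/bin/sh
# Added example: lint an smb.conf [global] section for the two settings the
# replies in this thread point at. Not part of the thread or of Samba itself.

# Constructed sample: the relevant lines of the smb.conf quoted in the thread.
SAMPLE_SMB_CONF='[global]
workgroup = C1.SV
netbios name = PDCSRVC1SV
interfaces = eth0
bind interfaces only = Yes
passdb backend = ldapsam:ldap://127.0.0.1
domain logons = Yes
'

# Constructed: the same excerpt with both suggested changes applied.
FIXED_SMB_CONF='[global]
workgroup = C1.SV
netbios name = PDCSRVC1SV
interfaces = lo eth0
bind interfaces only = Yes
winbind use default domain = yes
passdb backend = ldapsam:ldap://127.0.0.1
domain logons = Yes
'

# smb_param CONF KEY: print the lowercased value of KEY from [global], or
# nothing if the key is absent. Comment lines (; or #) and other sections are ignored.
smb_param() {
    printf '%s\n' "$1" | awk -F'=' -v key="$2" '
        /^[ \t]*\[/ { ins = (tolower($0) ~ /^[ \t]*\[global]/); next }
        !ins || /^[ \t]*[;#]/ || index($0, "=") == 0 { next }
        {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print tolower(v); exit
            }
        }'
}

# check_loopback_bound CONF: succeed (0) when smbd will listen on loopback,
# i.e. bind interfaces only is off, or lo/127.0.0.1 is in the interfaces list.
check_loopback_bound() {
    case "$(smb_param "$1" "bind interfaces only")" in
        yes|true|1) ;;
        *) return 0 ;;
    esac
    iflist=$(smb_param "$1" "interfaces")
    for iface in $iflist; do
        case "$iface" in
            lo|127.0.0.1|127.0.0.1/*) return 0 ;;
        esac
    done
    return 1
}

# check_default_domain CONF: succeed (0) when winbind use default domain = yes,
# so bare usernames like "administrator" resolve without a DOMAIN\ prefix.
check_default_domain() {
    case "$(smb_param "$1" "winbind use default domain")" in
        yes|true|1) return 0 ;;
        *) return 1 ;;
    esac
}

# lint_smb_conf CONF: run both checks, print one line per finding, return 1 if any failed.
lint_smb_conf() {
    rc=0
    if check_loopback_bound "$1"; then
        printf '%s\n' "ok:   loopback reachable (lo in interfaces or bind interfaces only off)"
    else
        printf '%s\n' "warn: 'bind interfaces only = Yes' but 'lo' is not in 'interfaces'"
        rc=1
    fi
    if check_default_domain "$1"; then
        printf '%s\n' "ok:   winbind use default domain = yes (bare usernames accepted)"
    else
        printf '%s\n' "info: no 'winbind use default domain'; test with DOMAIN\\user, e.g. C1.SV\\administrator"
        rc=1
    fi
    return $rc
}

# Lint the thread's excerpt (expected: both findings) and the fixed copy (expected: clean).
lint_smb_conf "$SAMPLE_SMB_CONF" || :
lint_smb_conf "$FIXED_SMB_CONF"
```

To use it on a live host, replace the constructed strings with `"$(cat /etc/samba/smb.conf)"`; the lint only reads the file, so it is safe to run before restarting smbd and winbindd to verify a change.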