Specify WINBINDD_SOCKET_DIR variable before calling NTLM AUTH
Alexander Bokovoy
ab at samba.org
Mon May 22 16:28:49 UTC 2017
On ma, 22 touko 2017, Arnab Roy wrote:
> Thanks for the clarification.
>
> Just so I have got the steps correct
>
> 1. Winbind is already configured as you described.
>
> 2. Create a wrapper script around ntlm auth which has the env variables set
> ?
No, don't set environmental variables because there are none. Use
'chroot /path/to/new/chroot ntlm-auth ...' in the script.
/path/to/new/chroot would need to be to the top level of a tree where
enough libraries exist that ntlm-auth requires and where winbindd socket
dir is available (e.g. /path/to/new/chroot/var/run/winbindd). The actual
path would be different for different domains, I'd guess.
>
> 3. Christ the ntlm auth wrapper script ?
>
> My original question was ntlmauth doesn't seem recognise that the
> environment variable is set ?
As I said, it is not defined by environment anymore.
>
> Thanks a ton for all the input.
>
> Arnab
>
> On 22 May 2017 5:12 pm, "Alexander Bokovoy" <ab at samba.org> wrote:
>
> > On ma, 22 touko 2017, Arnab Roy wrote:
> > > So do I jail just the winbind instances or need to do the same for the
> > ntlm
> > > auth process ..my ntlm auth is going to get called from freeradius.
> > At least ntlm-auth. For winbindd you can use 'winbindd socket directory'
> > in smb.conf and different smb.conf for each instance.
> >
> > Nothing prevents you from making ntlm-auth a shell script that chroots
> > into a correct place before running authentication.
> >
> > >
> > > Any chance you can provide little more info on this.
> > Sorry, that's all I can say without getting hands on.
> >
> >
> > --
> > / Alexander Bokovoy
> >
--
/ Alexander Bokovoy
More information about the samba-technical
mailing list