Specify WINBINDD_SOCKET_DIR variable before calling NTLM AUTH

Alexander Bokovoy ab at samba.org
Mon May 22 16:28:49 UTC 2017


On Mon, 22 May 2017, Arnab Roy wrote:
> Thanks for the clarification.
> 
> Just so I have got the steps correct
> 
> 1. Winbind is already configured as you described.
> 
> 2. Create a wrapper script around ntlm auth which has the env variables set?
No, don't set environmental variables because there are none. Use
'chroot /path/to/new/chroot ntlm-auth ...' in the script.

/path/to/new/chroot would need to be to the top level of a tree where
enough libraries exist that ntlm-auth requires and where winbindd socket
dir is available (e.g. /path/to/new/chroot/var/run/winbindd). The actual
path would be different for different domains, I'd guess.

> 
> 3. Chroot the ntlm auth wrapper script ?
> 
> My original question was ntlmauth doesn't seem to recognise that the
> environment variable is set ?
As I said, it is not defined by environment anymore.


> 
> Thanks a ton for all the input.
> 
> Arnab
> 
> On 22 May 2017 5:12 pm, "Alexander Bokovoy" <ab at samba.org> wrote:
> 
> > On Mon, 22 May 2017, Arnab Roy wrote:
> > > So do I jail just the winbind instances or need to do the same for the
> > > ntlm auth process ..my ntlm auth is going to get called from freeradius.
> > At least ntlm-auth. For winbindd you can use 'winbindd socket directory'
> > in smb.conf and different smb.conf for each instance.
> >
> > Nothing prevents you from making ntlm-auth a shell script that chroots
> > into a correct place before running authentication.
> >
> > >
> > > Any chance you can provide little more info on this.
> > Sorry, that's all I can say without getting hands on.
> >
> >
> > --
> > / Alexander Bokovoy
> >

-- 
/ Alexander Bokovoy
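
The wrapper described in this thread, written out as an added example that is not part of the original messages or Samba's own code: it checks that a per-domain chroot tree holds the binary and the winbindd socket directory, then chroots into it before running authentication. The base directory `/srv/ntlm-chroots`, the in-chroot binary path, and passing the instance name as the first argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: per-domain chroot wrapper for ntlm_auth (Samba's binary name).
# CHROOT_BASE, the in-chroot binary path and the "instance name as first
# argument" convention are assumptions for illustration.
CHROOT_BASE="${CHROOT_BASE:-/srv/ntlm-chroots}"
NTLM_AUTH_BIN="${NTLM_AUTH_BIN:-/usr/bin/ntlm_auth}"
SOCKET_DIR="/var/run/winbindd"   # winbindd socket dir inside each chroot

# Accept only plain instance names so the argument cannot select a path
# outside CHROOT_BASE (no "/", no "..").
valid_instance() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Verify the tree has what the chrooted process needs; distinct exit
# codes make a misconfigured instance easy to spot in the caller's log.
check_chroot() {
    root=$1
    [ -d "$root" ] || { echo "no chroot tree: $root" >&2; return 2; }
    [ -x "$root$NTLM_AUTH_BIN" ] || { echo "no ntlm_auth in $root" >&2; return 3; }
    [ -d "$root$SOCKET_DIR" ] || { echo "no winbindd socket dir in $root" >&2; return 4; }
    return 0
}

# run_ntlm_auth INSTANCE [ntlm_auth args...]
run_ntlm_auth() {
    instance=$1
    valid_instance "$instance" || { echo "bad instance name" >&2; return 64; }
    shift
    check_chroot "$CHROOT_BASE/$instance" || return $?
    # chroot(8) needs root or CAP_SYS_CHROOT; exec replaces this shell.
    exec chroot "$CHROOT_BASE/$instance" "$NTLM_AUTH_BIN" "$@"
}

# Run only when invoked with arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    run_ntlm_auth "$@"
fi
```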



More information about the samba-technical mailing list