[Samba] Winbind and Windows 2000 AD Domain Membership

Jay Turner jturner at bsis.com.au
Mon Jul 28 06:18:55 GMT 2003

Hi All,

I am experiencing an unusual problem with NTLM/Winbind and Domain
I am using Winbind in conjunction with Squid 2.5 STABLE2 to authenticate my
proxy users.
I have a post about this on the Squid mailing list, but my gut thinks it is
a Windows 2000 AD issue that others may have experienced while using Winbind,
so I would like to post my problem here too.

Red Hat 7.3
Samba 2.2.7-3.7.3 (Red Hat) re-compiled rpm
with --with-winbind --with-winbind-auth-challenge
Windows 2000 AD server (Native Mode with Pre-2000 compatibility)
WinXP SP1, IE6 SP1 + all current patches applied

I have deployed Squid and NTLM a number of times now so I have a bit of
experience installing & troubleshooting it.
Winbindd is working correctly from the command line with
wbinfo -t, -u, -g, -r and -a all performing correctly.
wb_auth from the command line also works correctly and so does wb_group.
So from what I can see Winbindd is working fine.

If I have a client computer (Win2000 or WinXP) that is on the network, but not
a member of the domain, and I access the proxy, I receive an authentication
window. This is correct as NTLM will fail as it is not a member of the domain
and fall back to Basic. I can enter a valid username/password/domain and then
access the proxy correctly. Cache and access.log all report the correct
behaviour as I expect.

As soon as I add this client computer to become a member of the domain,
everything stops working.
NTLM authentication does not work, and neither does Basic authentication.
The browser sits there for a second then displays the standard IE
'Page cannot be found'.

I have increased debugging on Authentication in squid.conf and run winbindd
in debug mode (winbindd -i -d 3) to try and establish the problem. When a
client on the domain requests a page, cache.log reports
"authenticateValidateUser: Validating Auth_user request '0x8413238'"
"authenticateValidateUser: Validated Auth_user request '0x8413238'"
"User not fully authenticated"

But nothing is being recorded by Winbindd (as opposed to when it works).

This message could hold the key, but I'm not entirely sure where I should
look next for this.

I have reams of log files with debugging turned right up which I can post
specific sections of if required, but I'm not going to post all of them now
for people to wade through.

I commented out wb_ntlmauth in squid.conf and tried using just wb_auth to
see if I could get the basic auth to work and that did the same thing.

The interesting thing is that I brought this server back to my office and
changed its IP address and made it a member of our Windows NT4 domain and
then using the same Win XP client from the other network (it's a laptop) it
works perfectly!!

This leads me to believe that there must be something in the way their AD is
set up that might be causing this problem??

Any advice will be greatly appreciated.



