[Samba] Problems with 'ntlm_auth --require-membership-of' using Samba 3.0.6

Matt Doran samba.10.matt_doran at spamgourmet.com
Sun Sep 19 09:08:59 GMT 2004


I didn't have the time to compile and test the pre-3.0.7 releases, but 
just did some testing on the 3.0.7 release.... and it looks good.

The ntlm_auth "--require-membership-of" option appears to work as 
expected.  This will make it really easy to use squid in a fairly 
sophisticated access policy.

Thanks for your help,

Matt Doran
PaperCut Software Pty. Ltd.
Web:     http://www.papercut.biz
Blog:    http://blogs.papercutsoftware.com/matt.doran/

Andrew Bartlett - abartlet at samba.org wrote:

>On Tue, 2004-09-07 at 23:08, Matt Doran wrote:
>>Hi there,
>>I'm trying to configure Squid to use a Windows domain for 
>>authentication, and all goes well until I add the 
>>"--require-membership-of" option on ntlm_auth.   I need to restrict 
>>access based on group membership, however ntlm_auth does not seem to be 
>>behaving correctly.  I'm using Samba 3.0.6 on Debian and I'm using a 
>>Windows 2000 (SP4) Domain Controller.  I configured winbind as discussed 
>>here: http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5
>>ntlm_auth seems to report the membership of some groups correctly, but 
>>incorrectly for others.
>You are actually lucky it didn't segfault.  There are a number of logic
>bugs, the fixes for which I think didn't make 3.0.6.  Try current SVN,
>but I suspect we might need some extra code to correctly pick up the
>universal groups.  (We know how to do it, so it's a simple matter of
>programming - bug #1562.)
>Andrew Bartlett
