[Samba] Re: auth samba+squid+ntlm

Kevin Kobb kkobb at skylinecorp.com
Tue Jan 18 20:20:27 GMT 2005


Xavier Callejas wrote:
> Hi.
> 
> I need to use the ntlm_auth module to auth. users so a group can use Internet 
> and others not, using squid. The users that belong to the "Internet" group may 
> use Internet.
> 
> I've been looking for info about this but there is not much info on Google.
> 
> Until now this is the only info that I have found:
> 
> for squid.conf:
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="dominio+Internet"
> 
> the "dominio+internet": I tried "dominio\internet" and 
> "dominio\\internet", and there is always an error like this:
> 
> [2005/01/18 11:58:23, 0] utils/ntlm_auth.c:get_require_membership_sid(237)
>   Winbindd lookupname failed to resolve dominio+Internet into a SID!
> 
> so I tried the SID:
> 
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=S-1-5-21-2357639956-1676252757-504000632-2005
> 
> and:
> 
> [2005/01/18 11:59:20, 10] utils/ntlm_auth.c:manage_squid_request(1610)
>   Got 'ibcinc+xavier acacadac' from squid (length: 22).
> [2005/01/18 11:59:21, 3] utils/ntlm_auth.c:check_plaintext_auth(292)
>   NT_STATUS_OK: Success (0x0)
> OK
> 
> But even doing this (putting the SID), the users can't be authenticated by the 
> server. Squid and the smb PDC are the same box; is this possible?
> 
> This is the error from the log when a user runs their web browser and it asks 
> for a user/password:
> 
Is your "winbind separator = +" in the smb.conf file? By the first 
example you gave, I believe it should be.

On my box to get the "--require-membership-of=domain.group" to work, I 
had to tack on "--username=%LOGIN" as well. After that, it works like a 
champ.
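
An offline check for the separator question raised in the reply above, added here as an example and not part of either poster's message. It reads the `winbind separator` from smb.conf text and classifies each `--require-membership-of` value on squid.conf `auth_param` lines; the function names and the sample configs are constructed for illustration, and the check is purely textual (it does not ask winbindd to resolve anything).

```python
import re

SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")
ARG_RE = re.compile(r'--require-membership-of=(?:"([^"]*)"|(\S+))')

# Constructed sample configs reusing the values quoted in the thread.
SAMPLE_SMB = "[global]\n  workgroup = DOMINIO\n  Winbind Separator = +\n"
HELPER = "auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp "
SAMPLE_SQUID = "\n".join(HELPER + arg for arg in (
    '--require-membership-of="dominio+Internet"',
    r"--require-membership-of=dominio\internet",
    "--require-membership-of=S-1-5-21-2357639956-1676252757-504000632-2005",
))

def winbind_separator(smb_conf):
    """Return 'winbind separator' from [global]; Samba's default is a backslash."""
    sep, section = "\\", "global"
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or smb.conf comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf parameter names ignore case and embedded whitespace
            if "".join(key.split()).lower() == "winbindseparator" and value.strip():
                sep = value.strip()
    return sep

def check_membership_args(squid_conf, sep):
    """Classify every --require-membership-of value found on auth_param lines."""
    findings = []
    for raw in squid_conf.splitlines():
        if not raw.strip().startswith("auth_param"):
            continue
        for m in ARG_RE.finditer(raw):
            group = m.group(1) if m.group(1) is not None else m.group(2)
            if SID_RE.match(group):
                verdict = "sid"  # a SID does not depend on the separator
            else:
                verdict = "matches-separator" if sep in group else "separator-not-found"
            findings.append((group, verdict))
    return findings

if __name__ == "__main__":
    for group, verdict in check_membership_args(SAMPLE_SQUID, winbind_separator(SAMPLE_SMB)):
        print(f"{verdict:20} {group}")
```

A `matches-separator` verdict only means the name is written with the configured separator; whether winbindd resolves it to a SID still has to be confirmed on the server.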



