[Samba] Re: auth samba+squid+ntlm
Kevin Kobb
kkobb at skylinecorp.com
Tue Jan 18 20:20:27 GMT 2005
Xavier Callejas wrote:
> Hi.
>
> I need to use the ntlm_auth module to authenticate users so that one group can
> use the Internet and others cannot, using squid. The users that belong to the
> "Internet" group may use the Internet.
>
> I've been looking for info about this but there is not much info on Google.
>
> Until now this is the only info that I have found:
>
> for squid.conf:
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> --require-membership-of="dominio+Internet"
>
> the "dominio+internet": I tried "dominio\internet" and
> "dominio\\internet", and there is always an error like this:
>
> [2005/01/18 11:58:23, 0] utils/ntlm_auth.c:get_require_membership_sid(237)
> Winbindd lookupname failed to resolve dominio+Internet into a SID!
>
> so I tried the SID:
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> --require-membership-of=S-1-5-21-2357639956-1676252757-504000632-2005
>
> and:
>
> [2005/01/18 11:59:20, 10] utils/ntlm_auth.c:manage_squid_request(1610)
> Got 'ibcinc+xavier acacadac' from squid (length: 22).
> [2005/01/18 11:59:21, 3] utils/ntlm_auth.c:check_plaintext_auth(292)
> NT_STATUS_OK: Success (0x0)
> OK
>
> But, even doing this (putting the SID) the users can't be authenticated by the
> server. Squid and the smb PDC are the same box, is this possible???
>
> this is the error from the log when a user runs their web browser and asks
> for a user/password:
>
Is your "winbind separator = +" in the smb.conf file? By the first
example you gave, I believe it should be.
On my box to get the "--require-membership-of=domain.group" to work, I
had to tack on "--username=%LOGIN" as well. After that, it works like a
champ.
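
The separator check suggested in the reply above can be scripted. This is an added example, not part of the original message and not Samba or Squid code; the function names and the sample configuration text are constructed for illustration, and the backslash default for `winbind separator` is Samba's documented default.

```python
import re

SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")

# Constructed sample configs (not taken from a real host).
SMB_DEFAULT = "[global]\n   workgroup = DOMINIO\n"
SMB_PLUS = SMB_DEFAULT + "   winbind separator = +\n"
SQUID = ('auth_param ntlm program /usr/bin/ntlm_auth '
         '--helper-protocol=squid-2.5-ntlmssp\n'
         '  --require-membership-of="dominio+Internet"\n')

def winbind_separator(smb_conf):
    """Return the 'winbind separator' set in smb.conf text, else the default."""
    for line in smb_conf.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        # smb.conf parameter names ignore case and internal whitespace.
        if re.sub(r"\s+", "", name).lower() == "winbindseparator":
            return value.strip() or "\\"
    return "\\"

def check_membership_arg(squid_conf, smb_conf):
    """Compare each --require-membership-of value with the winbind separator."""
    sep = winbind_separator(smb_conf)
    findings = []
    # Searching the whole text also covers a helper line wrapped onto two lines.
    for m in re.finditer(r'--require-membership-of=("[^"]*"|\S+)', squid_conf):
        value = m.group(1).strip('"')
        if SID_RE.match(value):
            findings.append((value, "ok: given as a SID"))
        elif sep in value:
            findings.append((value, "ok: uses winbind separator %r" % sep))
        else:
            findings.append((value, "mismatch: smb.conf separator is %r" % sep))
    return findings

if __name__ == "__main__":
    for smb in (SMB_DEFAULT, SMB_PLUS):
        print(check_membership_arg(SQUID, smb))
```
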