[Samba] auth samba+squid+ntlm (ANS)

Xavier Callejas xcallejas at ibcinc.com.sv
Sat Jan 22 00:40:54 GMT 2005


On Tue 18 Jan 2005 12:09, Xavier Callejas wrote:

I'm answering myself: the problem was that I didn't realize that I was 
running SELinux on my FC3; it was blocking access to the /var mounted 
partition.

But I still have the problem with wbinfo -u since Fedora Core 2: I can't see 
a list of users with that command.

Please help me.

> Hi.
>
> I need to use the ntlm_auth module to auth. users so that one group can use
> the Internet and others cannot, using squid. The users that belong to the
> "Internet" group may use the Internet.
>
> I've been looking for info about this but there is not much info on
> Google.
>
> Until now this is the only info that I have found:
>
> for squid.conf:
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> --require-membership-of="dominio+Internet"
>
> For the "dominio+internet" value: I tried "dominio\internet" and
> "dominio\\internet", and there is always an error like this:
>
> [2005/01/18 11:58:23, 0] utils/ntlm_auth.c:get_require_membership_sid(237)
>   Winbindd lookupname failed to resolve dominio+Internet into a SID!
>
> so I tried the SID:
>
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> --require-membership-of=S-1-5-21-2357639956-1676252757-504000632-2005
>
> and:
>
> [2005/01/18 11:59:20, 10] utils/ntlm_auth.c:manage_squid_request(1610)
>   Got 'ibcinc+xavier acacadac' from squid (length: 22).
> [2005/01/18 11:59:21, 3] utils/ntlm_auth.c:check_plaintext_auth(292)
>   NT_STATUS_OK: Success (0x0)
> OK
>
> But, even doing this (putting the SID) the users can't be authenticated by
> the server. Squid and the smb PDC are the same box, is this possible???
>
> This is the error from the log when a user runs their web browser and it
> asks for a user/password:
>
> Jan 18 12:12:16 brain kernel: audit(1106071936.271:0): avc:  denied
> { getattr } for  pid=17126 exe=/usr/bin/ntlm_auth
> path=/var/run/winbindd/pipe dev=hda7 ino=108681
> scontext=root:system_r:squid_t
> tcontext=root:object_r:var_run_t tclass=sock_file
>
> These are the permissions on /var/cache/samba:
> -rw-------  1 root root   8192 ene 13 00:02 account_policy.tdb
> -rw-r--r--  1 root root   8192 ene 17 08:52 brlock.tdb
> -rw-r--r--  1 root root    695 ene 18 12:13 browse.dat
> -rw-r--r--  1 root root  16384 ene 14 08:00 connections.tdb
> -rw-r--r--  1 root root   8192 ene 13 00:10 gencache.tdb
> -rw-------  1 root root   8192 ene 13 00:02 group_mapping.tdb
> -rw-r--r--  1 root root  16384 ene 17 08:52 locking.tdb
> -rw-------  1 root root  16384 ene 14 08:56 messages.tdb
> -rw-r--r--  1 root root  11438 ene 16 04:02 namelist.debug
> -rw-------  1 root root   8192 ene 13 03:50 netsamlogon_cache.tdb
> -rw-------  1 root root   8192 ene 13 00:02 ntdrivers.tdb
> -rw-------  1 root root    696 ene 13 00:02 ntforms.tdb
> -rw-------  1 root root   8192 ene 13 00:02 ntprinters.tdb
> drwxr-xr-x  2 root root   4096 ene 13 00:02 printing
> -rw-------  1 root root   8192 ene 13 00:02 registry.tdb
> -rw-r--r--  1 root root  24576 ene 14 08:00 sessionid.tdb
> -rw-------  1 root root   8192 ene 13 00:02 share_info.tdb
> -rw-r--r--  1 root root   8192 ene 13 19:08 unexpected.tdb
> -rw-------  1 root root  20172 ene 14 14:15 winbindd_cache.tdb
> -rw-r--r--  1 root root   8192 ene 13 00:21 winbindd_idmap.tdb
> drwxr-x---  2 root squid  4096 ene 14 14:15 winbindd_privileged
> -rw-r--r--  1 root root   1523 ene 18 12:12 wins.dat
>
> What can I do???
>
> thanks!
>
> --
> Xavier Callejas
>
> E-Mail + MSN: xcallejas at ibcinc.com.sv
> ICQ: 33336224
> ------------------------------------------
> Open your Mind, use Open Source.

-- 
Xavier Callejas
IT Manager
International Bonded Couriers
El Salvador
E-Mail + MSN: xcallejas at ibcinc.com.sv
ICQ: 33336224
------------------------------------------
Open your Mind, use Open Source.
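
The AVC denial quoted in the message, worked through as an added example (not part of the original post, and not Samba or SELinux tooling): a small Python parser that groups denials by source type, target type and object class and derives the type-enforcement rule each group corresponds to. The function names and the second log line are constructed for illustration.

```python
import re
from collections import defaultdict

# Sample input: the denial from the post joined onto one line, followed by
# a constructed unrelated kernel line that the parser must skip.
SAMPLE_LOG = (
    "Jan 18 12:12:16 brain kernel: audit(1106071936.271:0): avc:  denied  "
    "{ getattr } for  pid=17126 exe=/usr/bin/ntlm_auth "
    "path=/var/run/winbindd/pipe dev=hda7 ino=108681 "
    "scontext=root:system_r:squid_t tcontext=root:object_r:var_run_t "
    "tclass=sock_file\n"
    "Jan 18 12:12:17 brain kernel: eth0: link up\n"
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def type_of(context):
    """SELinux contexts are user:role:type[:level]; return the type field."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Return a dict describing one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    stype = type_of(rec.get("scontext", ""))
    ttype = type_of(rec.get("tcontext", ""))
    if not (stype and ttype and "tclass" in rec):
        return None  # malformed or truncated record
    rec.update(perms=m.group(1).split(), stype=stype, ttype=ttype)
    return rec

def summarize(log_text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "paths": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
            g["perms"].update(rec["perms"])
            g["paths"].add(rec.get("path", "?"))
    return dict(groups)

def candidate_rules(groups):
    """Render each group as the allow rule that would permit it."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
            for (s, t, c), g in sorted(groups.items())]
```

Read the rule before loading anything like it: var_run_t is a generic label, so an allow rule on it covers every socket file carrying that type, not only /var/run/winbindd/pipe.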
