[Samba] ntlm authentication

Matt Skerritt matt.skerritt at agrav.net
Fri Dec 1 05:05:29 GMT 2006


My apologies if this mail arrives twice. The first time I sent it my  
email address didn't correspond to the one I signed onto the list  
with (one was an alias for the other). I'm not sure if the original  
will eventually make it through or not.

I have a NT Domain which is run by my samba server (v3.0.22-r3 on  
Gentoo Linux). Everything works well, and the backend database is an  
ldap directory which is also the authentication directory for my 3  
odd linux servers. All users have a posix account as well as a samba  
account, however in most cases the posix account is disabled (homedir  
is /dev/null, shell is /bin/false and null password), and is only  
there because samba requires it. As I said - this setup has worked  
really well for about 2 or 3 years now. I also have a kerberos domain  
running from a MIT Kerberos server. Passwords are not automatically  
synced between the two realms - but tickets are automatically gotten  
at login on the Windows clients (all XP) if the passwords happen to  
be the same between the samba domain and the kerberos domain - this  
also works fairly well. Password synchronisation is something I'll
look into later and isn't in the scope of this email.

What I am trying to do is to get my squid proxy to start  
authenticating users so I can keep better track at who's doing what  
web-wise. Now since the users don't have a posix password, I can't
do an ldap lookup for this. Further than this, I'd really like the  
cache authentication to be done transparently by the browsers. So  
this leaves me with either NTLM authentication, or negotiated gssapi  
authentication. The latter is my preferred method but seems to be out  
of the question at the moment (unfortunately) because Internet
Explorer doesn't see the kerberos tickets gotten by MIT Kerberos
for Windows (although Firefox - the default browser on the
network does), and because there doesn't seem to be a helper program  
for squid that does gssapi authentication to a non-microsoft
kerberos domain. However, that's a squid problem and not a samba  
problem, so is not really relevant here apart from background.

So this brings me to NTLM authentication. All the documentation I've  
found so far is based around the idea that one uses the ntlm_auth  
program that comes with samba. The ntlm_auth manpage states that  
winbindd must be running for ntlm_auth to work.  And winbindd seems  
to be used for joining a unix machine to a NT PDC. My problem (or  
maybe confusion) is that my linux machine *is* my PDC. So it seems  
that I would need to connect samba to itself, and would potentially  
have multiple UIDs for the same user - one from their legitimate
posix account, and one from the idmap they get for their DOMAIN/user  
account from winbind.

So is there any way to do ntlm authentication in a way similar to  
"ntlm_auth --helper-protocol=squid-2.5-ntlmssp" against the samba  
backend database (instead of going to another PDC). Is there an  
ntlm_auth option that I missed that lets me do this? Or do I just
have to use "net rpc join" to join winbind to the samba domain  
running on the same machine?

I suppose I could use the code from apache mod_kerberos to write a  
helper app for the negotiated gssapi case, but I'd like to get  
something intermediate happening sooner than that. Can somebody help  
here please? I imagine I'm not the first person with this setup.

Matt Skerritt
matt.skerritt at agrav.net
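The configuration the question is about, shown as an added example (not from the mail above and not Samba's or Squid's own documentation): the smb.conf settings for running winbindd on the PDC itself, and the squid.conf lines that hand authentication to ntlm_auth in the squid-2.5-ntlmssp (and, as a fallback, squid-2.5-basic) helper protocol. Paths, the workgroup name, the LDAP URL and the idmap range are assumptions. The claim that "winbind trusted domains only" keeps the primary domain's users on their existing posix uids, rather than allocating a second uid from the idmap range, is taken from the smb.conf(5) description of that parameter and is labelled as an assumption for the PDC case.

```conf
# Added example, not from the original mail. Paths and names are assumptions;
# adjust to your distribution and domain.

# /etc/samba/smb.conf, [global] section of the PDC.
# winbindd runs on the PDC itself; no "net rpc join" is needed because this
# host already is the domain controller.  With "winbind trusted domains only"
# the idmap range is only used for users of other (trusted) domains, so
# DOMAIN\user resolves to the existing LDAP posix account rather than to a
# freshly allocated uid (assumed from the smb.conf(5) text for that option).
[global]
    workgroup = EXAMPLE
    domain logons = yes
    passdb backend = ldapsam:ldap://localhost
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind use default domain = yes
    winbind trusted domains only = yes
    winbind enum users = no
    winbind enum groups = no

# /etc/squid/squid.conf
# NTLMSSP is negotiated transparently by the browser and the proxy never sees
# the password; the Basic fallback does send the password in the clear to the
# proxy, so drop it if every client can do NTLM.  ntlm_auth talks to winbindd
# through the winbindd_privileged pipe, so the squid user needs read access to
# that directory (usually via its group); the location is distribution specific.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy
auth_param basic credentialsttl 2 hours

# Only authenticated users may use the cache; the user name then appears in
# access.log, which is what the question wants to track.
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
```

Before pointing Squid at it, check the winbindd side on its own: `wbinfo -u` should list the domain's users, and `ntlm_auth --username=someuser --password=secret` (run as a user that can reach the privileged pipe) should report success against the local passdb. If that works, the squid-2.5-ntlmssp helper will authenticate against the same backend; if it fails, the problem is in winbindd or the pipe permissions, not in Squid.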
