[Samba] ntlm authentication
Matt Skerritt
matt.skerritt at agrav.net
Fri Dec 1 04:43:12 GMT 2006
Heyho.
I have a NT Domain which is run by my samba server (v3.0.22-r3 on
Gentoo Linux). Everything works well, and the backend database is an
ldap directory which is also the authentication directory for my 3
odd linux servers. All users have a posix account as well as a samba
account, however in most cases the posix account is disabled (homedir
is /dev/null, shell is /bin/false and null password), and is only
there because samba requires it. As I said - this setup has worked
really well for about 2 or 3 years now. I also have a kerberos domain
running from a MIT Kerberos server. Passwords are not automatically
synced between the two realms - but tickets are automatically gotten
at login on the Windows clients (all XP) if the passwords happen to
be the same between the samba domain and the kerberos domain - this
also works fairly well. Password synchronisation is somehting I'll
look into later and isn't in the scope of this email.
What I am trying to do is to get my squid proxy to start
authenticating users so I can keep better track at who's doing what
web-wise. Now since the users don't have an a posix password, I can't
do an ldap lookup for this. Further than this, I'd really like the
cache authentication to be done transparently by the browsers. So
this leaves me with either NTLM authentication, or negotiated gssapi
authentication. The latter is my preferred method but seems to be out
of the question at the moment (unforunately) because Internet
Explorer doesn't see the kerberos tickets gotten by the MIT Kerberos
for windows tickets (although Firefox - the default browser on the
network does), and because there doesn't seem to be a helper program
for squid that does gssapi authehntication to a non-microsoft
kerberos domain. However, that's a squid problem and not a samba
problem, so is not really relevant here apart from background.
So this brings me to NTLM authentication. All the documentation I've
found so far is based around the idea that one uses the ntlm_auth
program that comes with samba. The ntlm_auth manpage states that
winbindd must be running for ntlm_auth to work. And winbindd seems
to be used for joining a unix machine to a NT PDC. My problem (or
maybe confusion) is that my linux machine *is* my PDC. So it seems
that I would need to connect samba to itself, and would potentially
have multiple UID's for the same user - one from their legitimate
posix account, and one from the idmap they get for their DOMAIN/user
account from winbind.
So is there any way to do ntlm authentication in a way similar to
"ntlm_auth --helper-protocol=squid-2.5-ntlmssp" against the samba
backend database (instead of going to another PDC). Is there an
ntlm_auth option that I missed that let's me do this? Or do I just
have to use "net rpc join" to join winbind to the samba domain
running on the same machine?
I suppose I could use the code from apache mod_kerberos to write a
helper app for the negotiated gssapi case, but I'd like to get
something intermediate happening sooner than that. Can somebody help
here please? I imagine I'm not the first person with this setup.
--
Matt Skerritt
matt.skerritt at agrav.net
More information about the samba
mailing list