[Samba] Re: samba Digest, Vol 48, Issue 1

Daniel Carmo Olops danielolops at yahoo.com.br
Fri Dec 1 14:07:30 GMT 2006

Well, maybe it's not the "best" or the "most elegant"
solution - I've never tried to tweak this -, but it
- Insert the following lines on your PDC's smb.conf:
        winbind enum groups = yes
        winbind enum users = yes
        winbind trusted domains only = yes
        winbind use default domain = yes
        template homedir = /home/%U
        template shell = /bin/false
- Start Winbind.
- Join the PDC to its own domain (net rpc join)
- Check if it was successful (net rpc testjoin)
- Check if the shared secrets of Winbind are OK
(wbinfo -t)
- Test if you can authenticate a user via winbind
(wbinfo -a user%password)
- Test if you can use ntlm_auth with basic schema
(ntlm_auth --helper-protocol=squid-2.5-basic)

If all else works, then you can set up your squid.conf
to use NTLM and the ntlm_auth helper.

Note: for a reason that is unknown to me, wbinfo -g
and wbinfo -u don't work at all. Answers are

Hope that it helps.


> From: Matt Skerritt <matt.skerritt at agrav.net>
> Subject: [Samba] ntlm authentication
> Date: Fri, 1 Dec 2006 15:43:12 +1100
> To: samba at lists.samba.org
> Heyho.
> I have an NT Domain which is run by my samba server (v3.0.22-r3 on Gentoo Linux). Everything works well, and the backend database is an ldap directory which is also the authentication directory for my 3 odd linux servers. All users have a posix account as well as a samba account, however in most cases the posix account is disabled (homedir is /dev/null, shell is /bin/false and null password), and is only there because samba requires it. As I said - this setup has worked really well for about 2 or 3 years now. I also have a kerberos domain running from a MIT Kerberos server. Passwords are not automatically synced between the two realms - but tickets are automatically gotten at login on the Windows clients (all XP) if the passwords happen to be the same between the samba domain and the kerberos domain - this also works fairly well. Password synchronisation is something I'll look into later and isn't in the scope of this email.
> What I am trying to do is to get my squid proxy to start authenticating users so I can keep better track of who's doing what web-wise. Now since the users don't have a posix password, I can't do an ldap lookup for this. Further than this, I'd really like the cache authentication to be done transparently by the browsers. So this leaves me with either NTLM authentication, or negotiated gssapi authentication. The latter is my preferred method but seems to be out of the question at the moment (unfortunately) because Internet Explorer doesn't see the kerberos tickets gotten by the MIT Kerberos for windows tickets (although Firefox - the default browser on the network does), and because there doesn't seem to be a helper program for squid that does gssapi authentication to a non-microsoft kerberos domain. However, that's a squid problem and not a samba problem, so is not really relevant here apart from background.
> So this brings me to NTLM authentication. All the documentation I've found so far is based around the idea that one uses the ntlm_auth program that comes with samba. The ntlm_auth manpage states that winbindd must be running for ntlm_auth to work. And winbindd seems to be used for joining a unix machine to a NT PDC. My problem (or maybe confusion) is that my linux machine *is* my PDC. So it seems that I would need to connect samba to itself, and would potentially have multiple UIDs for the same user - one from their legitimate posix account, and one from the idmap they get for their DOMAIN/user account from winbind.
> So is there any way to do ntlm authentication in a way similar to "ntlm_auth --helper-protocol=squid-2.5-ntlmssp" against the samba backend database (instead of going to another PDC). Is there an ntlm_auth option that I missed that lets me do this? Or do I just have to use "net rpc join" to join winbind to the samba domain running on the same machine?
> I suppose I could use the code from apache mod_kerberos to write a helper app for the negotiated gssapi case, but I'd like to get something intermediate happening sooner than that. Can somebody help here please? I imagine I'm not the first person with this setup.
> --
> Matt Skerritt
> matt.skerritt at agrav.net
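An added check, not part of either message in this thread, that verifies an smb.conf [global] section carries the six winbind settings Daniel lists before winbind is started; the sample configuration it runs against is constructed for the example.

```shell
# Added example, not from the thread: check a PDC's smb.conf [global] section for
# the listed winbind settings. template shell=/bin/false is what keeps
# winbind-mapped accounts from getting a login shell; paths compare exactly (%U is not %u).
REQUIRED_SETTINGS='winbind enum groups=yes
winbind enum users=yes
winbind trusted domains only=yes
winbind use default domain=yes
template homedir=/home/%U
template shell=/bin/false'

# Print "key=value" for each [global] parameter; keys lowercased and
# single-spaced so "Winbind Enum Groups = Yes" still matches.
global_params() {
    awk '/^[ \t]*[#;]/ { next }
         /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\]/); next }
         in_global && index($0, "=") {
             key = substr($0, 1, index($0, "=") - 1); val = substr($0, index($0, "=") + 1)
             gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
             gsub(/[ \t]+/, " ", key); print tolower(key) "=" val
         }' "$1"
}

# Return 0 if every required setting is present with the expected value,
# else print each problem (MISSING/MISMATCH) and return 1.
check_smb_conf() {
    found=$(global_params "$1"); status=0
    while IFS= read -r want; do
        key=${want%%=*}; val=${want#*=}
        got=$(printf '%s\n' "$found" | sed -n "s/^$key=//p" | head -n 1)
        [ "$val" = yes ] && got=$(printf '%s' "$got" | tr 'A-Z' 'a-z')   # booleans: any case
        if [ -z "$got" ]; then echo "MISSING : $key (expected '$val')"; status=1
        elif [ "$got" != "$val" ]; then echo "MISMATCH: $key = $got (expected '$val')"; status=1
        fi
    done <<EOF
$REQUIRED_SETTINGS
EOF
    return $status
}

# Constructed sample: one setting missing, mapped users given a real shell, and a
# [homes] line that must be ignored because it is outside [global].
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
[global]
   Winbind Enum Groups = Yes
   winbind enum users = yes
   winbind trusted domains only = yes
   template homedir = /home/%U
   template shell = /bin/bash
[homes]
   template shell = /bin/false
EOF
check_smb_conf "$SAMPLE_CONF" || echo "fix smb.conf before starting winbind"
```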

