[Samba] Re: ntml_auth --require-membership-of

simonj simonj at gmail.com
Wed Mar 1 22:30:47 GMT 2006


Hey guys,

I have found that using a + as the separator, as opposed to the slash, in the
group name works.

I.e.:  Sending "company+user pass" to
  ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of="company\internet"
returns
  Could not parse company/internet into seperate domain/name parts!
but sending it to
  ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of="company+internet"
returns OK

I found this after looking through ntlm_auth.c and finding that it relies on
winbindd to provide the separator.  This may be platform dependent; I have
not dug deeper.

The man page is what threw me here, as it states to use a backslash as the
separator in the example.

Cheers,
Simon Woodward.




Andrew Bartlett wrote:
> 
> On Thu, 2006-01-19 at 12:42 -0600, Rex Dieter wrote:
>> Andrew Bartlett wrote:
>> > On Wed, 2006-01-18 at 10:21 -0600, Rex Dieter wrote:
>> > 
>> >>Rex Dieter wrote:
>> >>
>> >>>Rex Dieter wrote:
>> 
>> >>>>I'm having trouble getting ntlm_auth to recognize ActiveDirectory 
>> >>>>groups that aren't in AD\Users.  In particular, we've a few groups in 
>> >>>>our department OU that I'd like to be able to use.  If I specify any 
>> >>>>of our OU-specific groups, using something like:
>> >>>># ntlm_auth --username=foo --require-membership-of="AD\OUGroup1"
>> >>>>password:
>> >>>>I get:
>> >>>>Winbindd lookupname failed to resolve AD\OUGroup1 into a SID!
>> 
>> >>>Turns out using
>> >>>wbinfo --name-to-sid=OUGroup1
>> 
>> >>So my question is: why can wbinfo resolve the name to a SID, but 
>> >>ntlm_auth can't?
>> 
>> > Sometimes this is a problem of timing, as ntlm_auth does this when squid
>> > is starting.
>> 
>> I'm skeptical.  I repeated this on several occasions on several 
>> different boxes.  ntlm-auth *always* failed the same way when trying to 
>> resolve Groups not in the top-level AD\Users OU.
> 
> Interesting.  It should be asking the same question as wbinfo -n....
> 
> Can you chase this down a bit more, with the current code, and file a
> bug?
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Student Network Administrator, Hawker College  http://hawkerc.net
> 
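The following is an added example, not part of the original message or of Samba's code. It builds the `--require-membership-of` value with whatever separator winbindd reports, rather than a hard-coded backslash, and confirms that the group resolves before it is put into a squid helper line. The function names are hypothetical, and it assumes that `\`, `/` and `+` do not occur inside the domain or group name itself.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not Samba's.

# Ask winbindd for the separator it is configured with
# (smb.conf "winbind separator"); fail if winbindd does not answer.
winbind_sep() {
    sep=$(wbinfo --separator 2>/dev/null) || return 1
    [ -n "$sep" ] || return 1
    printf '%s' "$sep"
}

# Rewrite DOMAIN<sep>group, written with "\", "/" or "+", to use separator $2.
# Assumption: none of those three characters occurs inside either name.
qualify_group() {
    spec=$1
    want=$2
    norm=$(printf '%s' "$spec" | tr '\\/' '++')   # map "\" and "/" to "+"
    case $norm in
        *+*) ;;
        *) echo "no domain part in '$spec'" >&2; return 1 ;;
    esac
    domain=${norm%%+*}          # text before the first separator
    group=${spec#"$domain"?}    # original text after that separator
    if [ -z "$domain" ] || [ -z "$group" ]; then
        echo "empty domain or group in '$spec'" >&2
        return 1
    fi
    printf '%s%s%s' "$domain" "$want" "$group"
}

# Print the ntlm_auth option, but only if winbindd can resolve the group.
membership_arg() {
    sep=$(winbind_sep) || { echo "winbindd is not answering" >&2; return 1; }
    name=$(qualify_group "$1" "$sep") || return 1
    if ! wbinfo --name-to-sid="$name" >/dev/null 2>&1; then
        echo "winbindd cannot resolve '$name' to a SID" >&2
        return 1
    fi
    printf '%s%s' '--require-membership-of=' "$name"
}

# Usage (on a host joined to the domain):
#   ntlm_auth --helper-protocol=squid-2.5-basic "$(membership_arg 'company\internet')"
```

Running the resolution check when the proxy configuration is generated surfaces an unresolvable or mis-separated group name as an explicit error instead of as authentication failures once the helper is live.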