[Samba] Multiple Group checking using ntlm_auth

Felipe Augusto van de Wiel felipe at paranacidade.org.br
Mon Sep 18 13:34:32 GMT 2006


On 09/12/2006 03:38 AM, Ian Barnes wrote:
> Hi,
> We are running Squid version:  2.5.STABLE13 and Samba version: Version
> 3.0.21b
> 
> We have it set up to use NTLM to check that the user belongs to a group
> within the domain. The need has arisen to be able to support multiple
> groups. Is this possible?

	Ok, I don't have an NTLM auth working but I have an idea. :)


> Our squid.conf section:
> auth_param ntlm program /ntlm_auth.sh ntlmssp
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> auth_param ntlm children 20
> auth_param ntlm use_ntlm_negotiate on
> auth_param basic program /ntlm_auth.sh basic
> auth_param basic children 20
> auth_param basic realm SERVER.DOMAIN.CO.ZA Cache NTLM Authentication
> auth_param basic credentialsttl 2 hours
> 
> Our smb.conf:
> [global]
> winbind separator = +
> winbind cache time = 10
> workgroup=DOMAIN
> security=ads
> winbind uid = 10000-20000
> winbind gid = 10000-20000
> winbind use default domain = yes
> realm=SERVER.DOMAIN.CO.ZA
> client ntlmv2 auth=yes
> 
> Our ntlm auth line ($W will be either basic or ntlmssp per the squid config
> file):
> /usr/local/bin/ntlm_auth
> --helper-protocol=squid-2.5-$W --require-membership-of='DOMAIN+webusers'

	Is this a script? Can you pass a parameter to it? You could
easily pass the 'require-membership-of' as a parameter of your script.


> Now, I have a second group DOMAIN+managers that also needs to be allowed out
> and AD won't change it to have the same security group.
> Thanks,
> Ian

	Kind regards,

--
Felipe Augusto van de Wiel <felipe at paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/           Phone: (+55 41 3350 3300)
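
Added example, not part of the original message and not Samba or Squid project code: one way to write the wrapper script so that the helper variant and the required group arrive as parameters, as the reply above suggests. The script name, the `ntlm_auth` path and the `+` separator come from the post; the argument order, the validation rules and the function names are assumptions.

```shell
#!/bin/sh
# Hypothetical /ntlm_auth.sh: helper variant and group are arguments
# instead of being hard-coded. Assumed squid.conf usage:
#   auth_param ntlm  program /ntlm_auth.sh ntlmssp DOMAIN+webusers
#   auth_param basic program /ntlm_auth.sh basic   DOMAIN+webusers

NTLM_AUTH=/usr/local/bin/ntlm_auth   # path taken from the original post

# Accept only the two helper variants named in the post.
valid_variant() {
    case "$1" in
        basic|ntlmssp) return 0 ;;
        *) return 1 ;;
    esac
}

# Accept exactly DOMAIN+group ('+' is the winbind separator in smb.conf).
# Assumption: names need only letters, digits, '_', '.' and '-'.
valid_group() {
    case "$1" in
        ''|*[!A-Za-z0-9_.+-]*) return 1 ;;  # empty or unexpected character
        *+*+*) return 1 ;;                   # more than one separator
        ?*+?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the ntlm_auth options, one per line; non-zero status on bad input.
ntlm_auth_args() {
    valid_variant "$1" || return 1
    valid_group "$2" || return 1
    printf '%s\n' "--helper-protocol=squid-2.5-$1" \
                  "--require-membership-of=$2"
}

main() {
    if ! ntlm_auth_args "$1" "$2" >/dev/null; then
        echo "usage: $0 basic|ntlmssp DOMAIN+group" >&2
        exit 64
    fi
    # Each option is its own quoted argument, so the two options cannot
    # run together and a group value cannot add extra options.
    exec "$NTLM_AUTH" "--helper-protocol=squid-2.5-$1" \
                      "--require-membership-of=$2"
}

# Run only when called with arguments, so the functions can be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

The group check rejects names containing spaces; widen the character set if the domain's group names need it.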