[Samba] Re: winbindd + mod_ntlm_winbind, why do we need "net join ..." ?

Andrew Bartlett abartlet at samba.org
Fri Sep 22 08:33:10 GMT 2006


On Thu, 2006-09-21 at 18:00 +0200, Juan Rodriguez wrote:
> On 9/21/06, Juan Rodriguez <juan.fco.rodriguez at gmail.com> wrote:
> >
> > Hello,
> >
> > I would like to use NTLM authentication on my Apache2 server, and I've
> > found this link, which works very well for me:
> > http://download.samba.org/ftp/unpacked/lorikeet/mod_ntlm_winbind
> >
> > I'm a newbie to Samba, and to make this stuff work, I had to execute
> > "net join -S <DC> -U <Admin>", because winbindd complained about
> > "did we join ?"... (all of this can be found on man winbindd).
> 
> 
> I've managed to avoid this message using:
> "net rpc getsid", but then I get the following error when I try to
> authenticate through mod_auth_winbind:
> 
> (this is the output of winbindd)
> ...
> process_request: request fn AUTH_CRAP
> [11189]: pam auth crap domain: <mydomain> user: <myuser>
> is_myname("<mydomain>") returns 0
> secrets_fetch failed!
> get_trust_pw: could not fetch trust account password for domain <mydomain>
> could not open handle to NETLOGON pipe (error: NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
> ....

You must join.  Samba supports no other mode for mod_ntlm_winbind.  It
is more secure, as we gain some assurance that the DC is real, and more
reliable, as the DC communication is stateless.

This is identical to how Windows member servers operate.  Other hacks
often work, then fail (which is why ntlm_auth was created, to allow
Squid admins to use NTLM without these occasional failures).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
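
A pre-flight check for the situation discussed in this thread, as an added example that is not part of the original messages or of Samba's own code. It classifies winbindd debug output for the missing-trust-secret signature quoted above and asks winbindd to verify the machine account with `wbinfo -t`; the function names, the labels they print, and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of winbindd debug output, modelled on the lines quoted
# in the thread (the <mydomain>/<myuser> placeholders are kept as-is).
SAMPLE_LOG='process_request: request fn AUTH_CRAP
[11189]: pam auth crap domain: <mydomain> user: <myuser>
secrets_fetch failed!
get_trust_pw: could not fetch trust account password for domain <mydomain>
could not open handle to NETLOGON pipe (error: NT_STATUS_CANT_ACCESS_DOMAIN_INFO)'

# Classify winbindd log text read from stdin (hypothetical helper).
# Prints one of: not-joined, netlogon-failure, no-join-error
classify_winbindd_log() {
    awk '
        /secrets_fetch failed/ || /could not fetch trust account password/ { nj = 1 }
        /could not open handle to NETLOGON pipe/ { nl = 1 }
        END {
            if (nj)      print "not-joined"        # no machine secret stored locally
            else if (nl) print "netlogon-failure"  # secret present, DC channel failed
            else         print "no-join-error"
        }'
}

# Live check: wbinfo -t asks winbindd to verify the trust account secret
# against the DC. Returns 0 = verified, 1 = check failed, 2 = wbinfo missing.
check_domain_join() {
    command -v wbinfo >/dev/null 2>&1 || return 2
    wbinfo -t >/dev/null 2>&1 || return 1
    return 0
}

# Report the result before mod_ntlm_winbind is enabled (hypothetical helper).
preflight() {
    rc=0
    check_domain_join || rc=$?
    case $rc in
        0) echo "joined: trust secret verified" ;;
        1) echo "trust check failed: host not joined, or winbindd not running" ;;
        2) echo "wbinfo not found: Samba winbind tools are not installed" ;;
    esac
}

printf '%s\n' "$SAMPLE_LOG" | classify_winbindd_log
preflight
```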
