[Samba] Samba PDC & Squid NTLM Auth - Same machine

Victor Medina vittico at gmail.com
Sun Apr 5 14:50:40 GMT 2009


yeap! no success just yet :(
Victor Medina

Phyllis Diller  - "If it weren't for baseball, many kids wouldn't know
what a millionaire looked like."


On Tue, Mar 31, 2009 at 6:17 PM, Stefan Dengscherz
<stefan.dengscherz at gmail.com> wrote:
> Hello Victor,
>
>
> did you try supplying the domain name along with the username? Like
> "DOMAIN\administrator". Or adding "winbind use default domain = yes"
> to your samba configuration.
>
>
> Regards,
>
> -sd
>
> 2009/3/31 Victor Medina <vittico at gmail.com>:
>> David, it did not work.
>>
>> Any suggestion?
>>
>> Victor Medina
>>
>> Samuel Goldwyn  - "I don't think anyone should write their
>> autobiography until after they're dead."
>>
>>
>> On Wed, Apr 1, 2009 at 12:13 PM, David Wells <d.wells at vitalcan.com.ar> wrote:
>>> Victor Medina wrote:
>>>>
>>>> Hi Guys!
>>>>
>>>>
>>>> Probably this is not the best place to ask, I'll try anyway... =)
>>>>
>>>> I've been trying to configure a Samba PDC and a Squid proxy server
>>>> with NTLM auth on the same machine, but ntlm_auth keeps complaining
>>>> about NT_STATUS_INVALID_HANDLE.... I have other machines running
>>>> Squid and authenticating against a Samba server on a different
>>>> machine; this is the first time I have tried both on the same machine.
>>>>
>>>> Can I use Squid+NTLM Auth and Samba configured as PDC on the same
>>>> machine? Is there any winbind issue with this kind of configuration?
>>>>
>>>> I'm using SLES10+SP2
>>>> Samba version as reported by rpm is 3.0.32-0.8
>>>> Squid version as reported by rpm is 2.5.STABLE12-18.13
>>>>
>>>> -------------------------------------------------
>>>> This is my smb.conf
>>>>
>>>> [global]
>>>>        dos charset = 850
>>>>        unix charset = ISO8859-1
>>>>        workgroup = C1.SV
>>>>        netbios name = PDCSRVC1SV
>>>>        server string =
>>>>        interfaces = eth0
>>>>        bind interfaces only = Yes
>>>>        map to guest = Bad Password
>>>>        passdb backend = ldapsam:ldap://127.0.0.1
>>>>        guest account = Invitado
>>>>        time server = Yes
>>>>        deadtime = 20
>>>>        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>>>        printcap name = cups
>>>>        logon path =
>>>>        logon home =
>>>>        domain logons = Yes
>>>>        os level = 65
>>>>        preferred master = Yes
>>>>        domain master = Yes
>>>>        wins support = Yes
>>>>        ldap admin dn = cn=Administrador,o=Ferreteria EPA
>>>>        ldap delete dn = Yes
>>>>        ldap group suffix = ou=group
>>>>        ldap machine suffix = ou=people
>>>>        ldap passwd sync = Yes
>>>>        ldap suffix = ou=c1,c=sv,o=Ferreteria EPA
>>>>        ldap user suffix = ou=people
>>>>        idmap domains = DEFAULT
>>>>        idmap alloc backend = ldap
>>>>        idmap alloc config:range = 10000-100000
>>>>        idmap alloc config:ldap_url = ldap://127.0.0.1
>>>>        idmap alloc config:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
>>>>        idmap alloc config:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
>>>>        idmap config DEFAULT:range = 10000-100000
>>>>        idmap config DEFAULT:ldap_url = ldap://127.0.0.1
>>>>        idmap config DEFAULT:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
>>>>        idmap config DEFAULT:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
>>>>        idmap config DEFAULT:default = yes
>>>>        idmap config DEFAULT:readonly = no
>>>>        idmap config DEFAULT:backend = ldap
>>>>        ldapsam:editposix = yes
>>>>        ldapsam:trusted = yes
>>>>        create mask = 0640
>>>>        force create mode = 0640
>>>>        directory mask = 0750
>>>>        force directory mode = 0750
>>>>        case sensitive = No
>>>>        dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
>>>>
>>>> My relevant squid.conf lines...
>>>>
>>>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp C1.SV/PDCSRVC1SV
>>>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic C1.SV/PDCSRVC1SV
>>>> auth_param ntlm children 100
>>>> auth_param basic children 100
>>>> auth_param basic realm Squid proxy-caching web server
>>>> auth_param basic credentialsttl 2 hours
>>>>
>>>>
>>>>
>>>>
>>>> The pdc works as expected, machine join works like charm, users and
>>>> groups management works equally right, all accounts are placed in the
>>>> LDAP, getent passwd, groups and shadow shows the ldap accounts
>>>>
>>>> I also did a few tests with wbinfo
>>>>
>>>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo  -u
>>>> invitado
>>>> usuarioprueba
>>>> e01ggen
>>>> e01glogis
>>>> e01gcont
>>>> e01jcomp1
>>>> e01jcomp2
>>>> e01jcomp3
>>>> e01jcomp4
>>>> e01jrepo
>>>> e01jreclu
>>>> e01rrece
>>>> e01gcom
>>>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo  -g
>>>> BUILTIN
>>>> BUILTIN
>>>> domain users
>>>> domain admins
>>>> domain guests
>>>> grupoprueba
>>>> gcentralsv
>>>> gcompras
>>>> gcontrol
>>>> ggerencia
>>>> glogistica
>>>> gmercadeo
>>>> gpersonal
>>>> gventas
>>>> gjefecompras
>>>> gjefecontrol
>>>> gjefelogistica
>>>> gjefepersonal
>>>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo  --all-domains
>>>> C1.SV
>>>>
>>>>
>>>> I also made sure squid users can read /var/lib/samba/winbindd_privileged
>>>>
>>>>
>>>> I also noted this error:
>>>>
>>>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo --authenticate=administrator%12345678
>>>> plaintext password authentication failed
>>>> error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
>>>> error messsage was: No such user
>>>> Could not authenticate user administrator%12345678 with plaintext password
>>>> winbind separator was NULL!
>>>> challenge/response password authentication failed
>>>> error code was NT_STATUS_INVALID_HANDLE (0xc0000008)
>>>> error messsage was: Invalid handle
>>>> Could not authenticate user administrator with challenge/response
>>>>
>>>> Does someone have any idea of what could go wrong? When I use Squid and
>>>> Samba on different machines I usually join the Squid machine to the
>>>> domain using a net join; is this necessary when the PDC and Squid are
>>>> on the same machine?
>>>>
>>>> Victor Medina
>>>>
>>>> Samuel Goldwyn  - "I don't think anyone should write their
>>>> autobiography until after they're dead."
>>>>
>>>
>>> I think you should add lo to the interfaces listed in smb.conf
>>>
>>> Best regards, David Wells.
>>>
>>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>
>
>
> --
> The box said Windows Vista or better. So I bought a Mac.
>
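The two configuration suggestions made in this thread (add "lo" to "interfaces" when "bind interfaces only = Yes", and set "winbind use default domain = yes" or pass DOMAIN\user) can be checked mechanically before restarting services. The script below is an added example, not code from the thread or from the Samba project: it parses an smb.conf in the same key = value layout Victor posted and flags both conditions. The two config texts are constructed excerpts modelled on the posted one, and the helper names (parse_smb_conf, check_local_auth) are this example's own.

```python
"""Lint an smb.conf for the same-host PDC + Squid ntlm_auth pitfalls
discussed above. Added example; not part of the thread or of Samba."""
import re

# Constructed excerpt, modelled on the configuration posted in the thread:
# only eth0 is bound, so nothing listens on loopback for local clients.
SAMPLE_SMB_CONF = """\
[global]
        workgroup = C1.SV
        netbios name = PDCSRVC1SV
        interfaces = eth0
        bind interfaces only = Yes
        domain logons = Yes
        passdb backend = ldapsam:ldap://127.0.0.1
"""

# Constructed excerpt with both suggestions from the thread applied.
FIXED_SMB_CONF = """\
[global]
        workgroup = C1.SV
        netbios name = PDCSRVC1SV
        interfaces = lo eth0
        bind interfaces only = Yes
        domain logons = Yes
        winbind use default domain = yes
"""


def parse_smb_conf(text):
    """Return {section: {key: value}}. Keys are lower-cased with internal
    whitespace collapsed, which mirrors how Samba matches parameter names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank line or comment
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def _is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def check_local_auth(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    g = conf.get("global", {})
    findings = []

    # Suggestion 1 (David): with 'bind interfaces only = Yes', smbd only
    # listens on the listed interfaces, so local clients such as winbindd
    # and ntlm_auth need the loopback interface in the list.
    ifaces = g.get("interfaces", "").replace(",", " ").split()
    has_loopback = any(i == "lo" or i.startswith("127.") for i in ifaces)
    if _is_yes(g.get("bind interfaces only", "no")) and not has_loopback:
        findings.append("bind interfaces only = Yes but 'interfaces' lacks "
                        "lo/127.0.0.1: local clients cannot reach smbd over loopback")

    # Suggestion 2 (Stefan): 'winbind use default domain' defaults to no,
    # so a bare "administrator" is not resolved; callers must pass
    # DOMAIN\user unless the option is enabled.
    if not _is_yes(g.get("winbind use default domain", "no")):
        findings.append("winbind use default domain is not enabled: authenticate "
                        "as DOMAIN\\user (e.g. C1.SV\\administrator) or set it to yes")
    return findings


if __name__ == "__main__":
    for name, text in (("posted", SAMPLE_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        print(f"== {name} ==")
        for finding in check_local_auth(parse_smb_conf(text)) or ["no findings"]:
            print(" -", finding)
```

Run it against the real file with `check_local_auth(parse_smb_conf(open("/etc/samba/smb.conf").read()))`; the loopback check is the one that bites when the PDC and the Squid helper share a host, because winbindd's connection to the local domain controller goes over 127.0.0.1.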

