[Samba] Samba PDC & Squid NTLM Auth - Same machine
Victor Medina
vittico at gmail.com
Sun Apr 5 14:50:40 GMT 2009
yeap! no success just yet :(
Victor Medina
Phyllis Diller - "If it weren't for baseball, many kids wouldn't know
what a millionaire looked like."
On Tue, Mar 31, 2009 at 6:17 PM, Stefan Dengscherz
<stefan.dengscherz at gmail.com> wrote:
> Hello Victor,
>
>
> did you try supplying the domain name along with the username? Like
> "DOMAIN\administrator". Or adding "winbind use default domain = yes"
> to your samba configuration.
>
>
> Regards,
>
> -sd
>
> 2009/3/31 Victor Medina <vittico at gmail.com>:
>> David, it did not work.
>>
>> Any suggestion?
>>
>> Victor Medina
>>
>> Samuel Goldwyn - "I don't think anyone should write their
>> autobiography until after they're dead."
>>
>>
>> On Wed, Apr 1, 2009 at 12:13 PM, David Wells <d.wells at vitalcan.com.ar> wrote:
>>> Victor Medina wrote:
>>>>
>>>> Hi Guys!
>>>>
>>>>
>>>> Probably this is not the best place to ask, I'll try anyway... =)
>>>>
>>>> I've been trying to configure a Samba PDC and a Squid Proxy server
>>>> with NTLM auth on the same machine but NTLM_AUTH keeps complaining
>>>> about: NT_STATUS_INVALID_HANDLE.... I have other machines running
>>>> Squid and Authenticating against a Samba Server but on different
>>>> machines, this is the first time I try both on the same machine.
>>>>
>>>> Can I use Squid+NTLM Auth and Samba configured as PDC on the same
>>>> machine? Is there any winbind issue with this kind of configuration?
>>>>
>>>> I'm using SLES10+SP2
>>>> Samba version as reported by rpm is 3.0.32-0.8
>>>> Squid version as reported by rpm is 2.5.STABLE12-18.13
>>>>
>>>> -------------------------------------------------
>>>> This is my smb.conf
>>>>
>>>> [global]
>>>> dos charset = 850
>>>> unix charset = ISO8859-1
>>>> workgroup = C1.SV
>>>> netbios name = PDCSRVC1SV
>>>> server string =
>>>> interfaces = eth0
>>>> bind interfaces only = Yes
>>>> map to guest = Bad Password
>>>> passdb backend = ldapsam:ldap://127.0.0.1
>>>> guest account = Invitado
>>>> time server = Yes
>>>> deadtime = 20
>>>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>>> printcap name = cups
>>>> logon path =
>>>> logon home =
>>>> domain logons = Yes
>>>> os level = 65
>>>> preferred master = Yes
>>>> domain master = Yes
>>>> wins support = Yes
>>>> ldap admin dn = cn=Administrador,o=Ferreteria EPA
>>>> ldap delete dn = Yes
>>>> ldap group suffix = ou=group
>>>> ldap machine suffix = ou=people
>>>> ldap passwd sync = Yes
>>>> ldap suffix = ou=c1,c=sv,o=Ferreteria EPA
>>>> ldap user suffix = ou=people
>>>> idmap domains = DEFAULT
>>>> idmap alloc backend = ldap
>>>> idmap alloc config:range = 10000-100000
>>>> idmap alloc config:ldap_url = ldap://127.0.0.1
>>>> idmap alloc config:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
>>>> idmap alloc config:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
>>>> idmap config DEFAULT:range = 10000-100000
>>>> idmap config DEFAULT:ldap_url = ldap://127.0.0.1
>>>> idmap config DEFAULT:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
>>>> idmap config DEFAULT:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
>>>> idmap config DEFAULT:default = yes
>>>> idmap config DEFAULT:readonly = no
>>>> idmap config DEFAULT:backend = ldap
>>>> ldapsam:editposix = yes
>>>> ldapsam:trusted = yes
>>>> create mask = 0640
>>>> force create mode = 0640
>>>> directory mask = 0750
>>>> force directory mode = 0750
>>>> case sensitive = No
>>>> dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
>>>>
>>>> My relevant squid.conf lines...
>>>>
>>>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp C1.SV/PDCSRVC1SV
>>>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic C1.SV/PDCSRVC1SV
>>>> auth_param ntlm children 100
>>>> auth_param basic children 100
>>>> auth_param basic realm Squid proxy-caching web server
>>>> auth_param basic credentialsttl 2 hours
>>>>
>>>>
>>>>
>>>>
>>>> The PDC works as expected, machine join works like a charm, users and
>>>> groups management works equally right, all accounts are placed in the
>>>> LDAP, getent passwd, groups and shadow show the LDAP accounts
>>>>
>>>> I also did a few tests with wbinfo
>>>>
>>>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo -u
>>>> invitado
>>>> usuarioprueba
>>>> e01ggen
>>>> e01glogis
>>>> e01gcont
>>>> e01jcomp1
>>>> e01jcomp2
>>>> e01jcomp3
>>>> e01jcomp4
>>>> e01jrepo
>>>> e01jreclu
>>>> e01rrece
>>>> e01gcom
>>>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo -g
>>>> BUILTIN
>>>> BUILTIN
>>>> domain users
>>>> domain admins
>>>> domain guests
>>>> grupoprueba
>>>> gcentralsv
>>>> gcompras
>>>> gcontrol
>>>> ggerencia
>>>> glogistica
>>>> gmercadeo
>>>> gpersonal
>>>> gventas
>>>> gjefecompras
>>>> gjefecontrol
>>>> gjefelogistica
>>>> gjefepersonal
>>>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo --all-domains
>>>> C1.SV
>>>>
>>>>
>>>> I also made sure squid users can read /var/lib/samba/winbindd_privileged
>>>>
>>>>
>>>> I also noted this error:
>>>>
>>>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo
>>>> --authenticate=administrator%12345678
>>>> plaintext password authentication failed
>>>> error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
>>>> error messsage was: No such user
>>>> Could not authenticate user administrator%12345678 with plaintext password
>>>> winbind separator was NULL!
>>>> challenge/response password authentication failed
>>>> error code was NT_STATUS_INVALID_HANDLE (0xc0000008)
>>>> error messsage was: Invalid handle
>>>> Could not authenticate user administrator with challenge/response
>>>>
>>>> Does someone have any idea of what could go wrong? When I use Squid and
>>>> Samba on different machines I usually join the Squid machine to the
>>>> domain using a net join, is this necessary when the PDC and Squid are
>>>> on the same machine?
>>>>
>>>> Victor Medina
>>>>
>>>> Samuel Goldwyn - "I don't think anyone should write their
>>>> autobiography until after they're dead."
>>>>
>>>
>>> I think you should add lo to the interfaces listed in smb.conf
>>>
>>> Best regards, David Wells.
>>>
>>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>
>
>
> --
> The box said Windows Vista or better. So I bought a Mac.
>
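The two suggestions made in the thread (add `lo` to `interfaces` when `bind interfaces only = Yes`, and set `winbind use default domain = yes` or prefix usernames with the domain) can be turned into a small pre-flight check that is run against smb.conf before restarting winbindd and Squid. The script below is an added example, not code from the thread or from the Samba project: it contains a minimal smb.conf parser and encodes those two checks as lint rules. The sample configuration it lints is constructed from the `[global]` section Victor posted, trimmed to the keys the checks read; the rule names and the `FIXED_SMB_CONF` text are assumptions, and the script does not verify that these settings are the root cause of the NT_STATUS_INVALID_HANDLE error, only that the settings the replies recommend are present.

```python
"""Lint an smb.conf for the settings raised in this Samba/Squid NTLM thread.

Added example: parses smb.conf and flags the two configuration points
suggested in the replies (loopback missing from 'interfaces' while
'bind interfaces only' is set; 'winbind use default domain' not enabled).
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the relevant keys from the [global] section in the thread.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = C1.SV
    netbios name = PDCSRVC1SV
    interfaces = eth0
    bind interfaces only = Yes
    domain logons = Yes
    passdb backend = ldapsam:ldap://127.0.0.1
"""

# Constructed sample with both suggestions from the thread applied (assumed fix).
FIXED_SMB_CONF = """\
[global]
    workgroup = C1.SV
    netbios name = PDCSRVC1SV
    interfaces = eth0 lo
    bind interfaces only = Yes
    winbind use default domain = yes
    domain logons = Yes
    passdb backend = ldapsam:ldap://127.0.0.1
"""

RULE_NO_LOOPBACK = "bind-interfaces-only-without-loopback"
RULE_NO_DEFAULT_DOMAIN = "bare-usernames-need-domain-prefix"


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: [section] headers, 'key = value' lines and
    '#' / ';' comment lines. Keys are lower-cased with internal whitespace
    collapsed, since Samba treats parameter names case- and space-insensitively."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def samba_bool(value: Optional[str], default: bool = False) -> bool:
    """Interpret a Samba boolean parameter (yes/true/1/on are true)."""
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1", "on")


def lint_pdc_for_local_ntlm_auth(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the list of rule names that fire for this configuration."""
    g = conf.get("global", {})
    findings: List[str] = []

    # Rule 1: with 'bind interfaces only', smbd/nmbd listen only on the listed
    # interfaces, so a co-located winbindd/ntlm_auth cannot reach the DC over
    # loopback unless 'lo' (or a 127.x address) is listed as well.
    if samba_bool(g.get("bind interfaces only")):
        entries = g.get("interfaces", "").split()
        has_loopback = any(e == "lo" or e.startswith("127.") for e in entries)
        if not has_loopback:
            findings.append(RULE_NO_LOOPBACK)

    # Rule 2: without 'winbind use default domain', a bare 'administrator'
    # is not looked up in the domain; callers must pass DOMAIN\user instead.
    if not samba_bool(g.get("winbind use default domain")):
        findings.append(RULE_NO_DEFAULT_DOMAIN)
    return findings


if __name__ == "__main__":
    for label, text in (("posted", SAMPLE_SMB_CONF), ("fixed", FIXED_SMB_CONF)):
        hits = lint_pdc_for_local_ntlm_auth(parse_smb_conf(text))
        print(f"{label}: {hits or 'no findings'}")
```

Run against the posted configuration the script reports both rules; against the assumed fixed configuration it reports nothing. It only reads text, so it can be pointed at `/etc/samba/smb.conf` by replacing the sample string with `open(path).read()` and run by an unprivileged user before any service restart.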