[Samba] Samba PDC & Squid NTLM Auth - Same machine

Victor Medina vittico at gmail.com
Tue Mar 31 16:40:54 GMT 2009


Hi Guys!


Probably this is not the best place to ask, I'll try anyway... =)

I've been trying to configure a Samba PDC and a Squid proxy server
with NTLM auth on the same machine, but ntlm_auth keeps complaining
about NT_STATUS_INVALID_HANDLE... I have other machines running
Squid and authenticating against a Samba server, but on different
machines; this is the first time I try both on the same machine.

Can I use Squid+NTLM Auth and Samba configured as PDC on the same
machine? Is there any winbind issue with this kind of configuration?

I'm using SLES10+SP2
Samba version as reported by rpm is 3.0.32-0.8
Squid version as reported by rpm is 2.5.STABLE12-18.13

-------------------------------------------------
This is my smb.conf

[global]
	dos charset = 850
	unix charset = ISO8859-1
	workgroup = C1.SV
	netbios name = PDCSRVC1SV
	server string =
	interfaces = eth0
	bind interfaces only = Yes
	map to guest = Bad Password
	passdb backend = ldapsam:ldap://127.0.0.1
	guest account = Invitado
	time server = Yes
	deadtime = 20
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	printcap name = cups
	logon path =
	logon home =
	domain logons = Yes
	os level = 65
	preferred master = Yes
	domain master = Yes
	wins support = Yes
	ldap admin dn = cn=Administrador,o=Ferreteria EPA
	ldap delete dn = Yes
	ldap group suffix = ou=group
	ldap machine suffix = ou=people
	ldap passwd sync = Yes
	ldap suffix = ou=c1,c=sv,o=Ferreteria EPA
	ldap user suffix = ou=people
	idmap domains = DEFAULT
	idmap alloc backend = ldap
	idmap alloc config:range = 10000-100000
	idmap alloc config:ldap_url = ldap://127.0.0.1
	idmap alloc config:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
	idmap alloc config:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
	idmap config DEFAULT:range = 10000-100000
	idmap config DEFAULT:ldap_url = ldap://127.0.0.1
	idmap config DEFAULT:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
	idmap config DEFAULT:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
	idmap config DEFAULT:default = yes
	idmap config DEFAULT:readonly = no
	idmap config DEFAULT:backend = ldap
	ldapsam:editposix = yes
	ldapsam:trusted = yes
	create mask = 0640
	force create mode = 0640
	directory mask = 0750
	force directory mode = 0750
	case sensitive = No
	dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd

My relevant squid.conf lines...

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp C1.SV/PDCSRVC1SV
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic C1.SV/PDCSRVC1SV
auth_param ntlm children 100
auth_param basic children 100
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours




The PDC works as expected, machine join works like a charm, user and
group management works just as well, all accounts are placed in
LDAP, and getent passwd, group and shadow show the LDAP accounts.

I also did a few tests with wbinfo

e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo  -u
invitado
usuarioprueba
e01ggen
e01glogis
e01gcont
e01jcomp1
e01jcomp2
e01jcomp3
e01jcomp4
e01jrepo
e01jreclu
e01rrece
e01gcom
e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo  -g
BUILTIN
BUILTIN
domain users
domain admins
domain guests
grupoprueba
gcentralsv
gcompras
gcontrol
ggerencia
glogistica
gmercadeo
gpersonal
gventas
gjefecompras
gjefecontrol
gjefelogistica
gjefepersonal
e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo  --all-domains
C1.SV


I also made sure squid users can read /var/lib/samba/winbindd_privileged


I also noted this error:

e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo --authenticate=administrator%12345678
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user administrator%12345678 with plaintext password
winbind separator was NULL!
challenge/response password authentication failed
error code was NT_STATUS_INVALID_HANDLE (0xc0000008)
error messsage was: Invalid handle
Could not authenticate user administrator with challenge/response

Does someone have any idea of what could go wrong? When I use Squid and
Samba on different machines I usually join the Squid machine to the
domain using a net join; is this necessary when the PDC and Squid are
on the same machine?

Victor Medina

Samuel Goldwyn  - "I don't think anyone should write their
autobiography until after they're dead."
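An added diagnostic script, not part of the original post: it parses the wbinfo --authenticate output quoted above into a per-phase NT_STATUS result (the squid-2.5-basic helper goes through winbindd's plaintext path and squid-2.5-ntlmssp through the challenge/response path, so it matters which phase fails), flags the missing winbind separator, and sends one test credential through the same basic helper the squid.conf uses. The helper path and the sample credential are assumptions.

```python
import re
import subprocess

# Constructed sample: the wbinfo --authenticate output quoted in the post above.
SAMPLE_WBINFO_OUTPUT = """\
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user administrator%12345678 with plaintext password
winbind separator was NULL!
challenge/response password authentication failed
error code was NT_STATUS_INVALID_HANDLE (0xc0000008)
error messsage was: Invalid handle
Could not authenticate user administrator with challenge/response
"""

STATUS_RE = re.compile(r"error code was (NT_STATUS_\w+) \((0x[0-9a-fA-F]+)\)")


def parse_wbinfo_auth(output):
    """Map each auth phase ('plaintext', 'challenge/response') to its
    (NT_STATUS name, numeric code); a phase that succeeded gets NT_STATUS_OK."""
    result, phase = {}, None
    for line in output.splitlines():
        if line.endswith("password authentication failed"):
            phase = "plaintext" if line.startswith("plaintext") else "challenge/response"
        elif line.endswith("password authentication succeeded"):
            name = "plaintext" if line.startswith("plaintext") else "challenge/response"
            result[name] = ("NT_STATUS_OK", 0)
        match = STATUS_RE.search(line)
        if match and phase:
            result[phase] = (match.group(1), int(match.group(2), 16))
            phase = None
    return result


def separator_missing(output):
    """True when wbinfo reports it could not obtain the winbind separator
    from winbindd, which is worth checking before blaming the Squid helper."""
    return "winbind separator was NULL!" in output


def squid_basic_helper_check(domain_user, password, helper="/usr/bin/ntlm_auth"):
    """Send one 'user password' line through the same basic helper squid.conf
    uses and return True on an 'OK' reply (helper path is an assumption)."""
    proc = subprocess.run([helper, "--helper-protocol=squid-2.5-basic"],
                          input=f"{domain_user} {password}\n",
                          capture_output=True, text=True)
    return proc.stdout.strip().startswith("OK")
```

Run the parser against the output of a fresh `wbinfo --authenticate` on the PDC first; only when both phases report NT_STATUS_OK is a failing squid_basic_helper_check a Squid-side problem.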
