[Samba] Samba PDC & Squid NTLM Auth - Same machine

David Wells d.wells at vitalcan.com.ar
Tue Mar 31 16:43:35 GMT 2009


Victor Medina wrote:
> Hi Guys!
>
>
> Probably this is not the best place to ask, I'll try anyway... =)
>
> I've been trying to configure a Samba PDC and a Squid Proxy server
> with NTLM auth on the same machine but NTLM_AUTH keeps complaining
> about: NT_STATUS_INVALID_HANDLE.... I have other machines running
> Squid and authenticating against a Samba Server but on different
> machines, this is the first time I try both on the same machine.
>
> Can I use Squid+NTLM Auth and Samba configured as PDC on the same
> machine? Is there any winbind issue with this kind of configuration?
>
> I'm using SLES10+SP2
> Samba version as reported by rpm is 3.0.32-0.8
> Squid version as reported by rpm is 2.5.STABLE12-18.13
>
> -------------------------------------------------
> This is my smb.conf
>
> [global]
> 	dos charset = 850
> 	unix charset = ISO8859-1
> 	workgroup = C1.SV
> 	netbios name = PDCSRVC1SV
> 	server string =
> 	interfaces = eth0
> 	bind interfaces only = Yes
> 	map to guest = Bad Password
> 	passdb backend = ldapsam:ldap://127.0.0.1
> 	guest account = Invitado
> 	time server = Yes
> 	deadtime = 20
> 	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> 	printcap name = cups
> 	logon path =
> 	logon home =
> 	domain logons = Yes
> 	os level = 65
> 	preferred master = Yes
> 	domain master = Yes
> 	wins support = Yes
> 	ldap admin dn = cn=Administrador,o=Ferreteria EPA
> 	ldap delete dn = Yes
> 	ldap group suffix = ou=group
> 	ldap machine suffix = ou=people
> 	ldap passwd sync = Yes
> 	ldap suffix = ou=c1,c=sv,o=Ferreteria EPA
> 	ldap user suffix = ou=people
> 	idmap domains = DEFAULT
> 	idmap alloc backend = ldap
> 	idmap alloc config:range = 10000-100000
> 	idmap alloc config:ldap_url = ldap://127.0.0.1
> 	idmap alloc config:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
> 	idmap alloc config:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
> 	idmap config DEFAULT:range = 10000-100000
> 	idmap config DEFAULT:ldap_url = ldap://127.0.0.1
> 	idmap config DEFAULT:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
> 	idmap config DEFAULT:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
> 	idmap config DEFAULT:default = yes
> 	idmap config DEFAULT:readonly = no
> 	idmap config DEFAULT:backend = ldap
> 	ldapsam:editposix = yes
> 	ldapsam:trusted = yes
> 	create mask = 0640
> 	force create mode = 0640
> 	directory mask = 0750
> 	force directory mode = 0750
> 	case sensitive = No
> 	dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
>
> My relevant squid.conf lines...
>
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp C1.SV/PDCSRVC1SV
> auth_param basic program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic  C1.SV/PDCSRVC1SV
> auth_param ntlm children 100
> auth_param basic children 100
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
>
>
>
>
> The pdc works as expected, machine join works like charm, users and
> groups management works equally right, all accounts are placed in the
> LDAP, getent passwd, groups and shadow shows the ldap accounts
>
> I also did a few tests with wbinfo
>
> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo  -u
> invitado
> usuarioprueba
> e01ggen
> e01glogis
> e01gcont
> e01jcomp1
> e01jcomp2
> e01jcomp3
> e01jcomp4
> e01jrepo
> e01jreclu
> e01rrece
> e01gcom
> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo  -g
> BUILTIN
> BUILTIN
> domain users
> domain admins
> domain guests
> grupoprueba
> gcentralsv
> gcompras
> gcontrol
> ggerencia
> glogistica
> gmercadeo
> gpersonal
> gventas
> gjefecompras
> gjefecontrol
> gjefelogistica
> gjefepersonal
> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo  --all-domains
> C1.SV
>
>
> I also made sure squid users can read /var/lib/samba/winbindd_privileged
>
>
> I also noted this error:
>
> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo
> --authenticate=administrator%12345678
> plaintext password authentication failed
> error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
> error messsage was: No such user
> Could not authenticate user administrator%12345678 with plaintext password
> winbind separator was NULL!
> challenge/response password authentication failed
> error code was NT_STATUS_INVALID_HANDLE (0xc0000008)
> error messsage was: Invalid handle
> Could not authenticate user administrator with challenge/response
>
> Does someone have any idea of what could go wrong? When I use squid and
> samba on different machines I usually join the squid machine to the
> domain using a net join, is this necessary when the pdc and squid are
> on the same machine?
>
> Victor Medina
>
> Samuel Goldwyn  - "I don't think anyone should write their
> autobiography until after they're dead."
>   
I think you should add lo to the interfaces listed in smb.conf

Best regards, David Wells.
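As an added example (not part of this thread and not Samba's own tooling), the following POSIX shell check looks at the [global] section of an smb.conf for the combination David points at: "bind interfaces only = Yes" together with an "interfaces" list that does not include the loopback interface, which is what stops a local ntlm_auth/winbindd from talking to smbd over 127.0.0.1. The sample configs it writes are constructed for the demo and only reproduce the relevant lines of Victor's posted smb.conf.

```shell
#!/bin/sh
# Added example: flag "bind interfaces only = Yes" without "lo" in "interfaces".
# check_loopback_binding FILE -> prints a verdict, returns 0 (ok) or 1 (problem)
check_loopback_binding() {
    file="$1"
    # Keep only the [global] section of the config (section names are case-insensitive).
    global=$(awk '
        /^[[:space:]]*\[/ { insec = (tolower($0) ~ /\[global\]/); next }
        insec { print }' "$file")
    # Pull one parameter value out of the [global] text: lower-cased key, trimmed value.
    get_param() {
        printf '%s\n' "$global" | awk -F= -v want="$1" '
            { key = tolower($1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", key) }
            key == want { v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); print v }'
    }
    bio=$(get_param "bind interfaces only" | tr 'A-Z' 'a-z')
    ifaces=$(get_param "interfaces")

    case "$bio" in
        yes|true|1) ;;                       # smbd/nmbd/winbindd restricted to "interfaces"
        *) echo "ok: bind interfaces only is not enabled"; return 0 ;;
    esac
    for i in $ifaces; do                     # Samba accepts names or addresses/netmasks
        case "$i" in
            lo|127.0.0.1|127.0.0.1/*) echo "ok: loopback is bound ($i)"; return 0 ;;
        esac
    done
    echo "problem: 'bind interfaces only = Yes' but interfaces='$ifaces' omits lo"
    return 1
}

# sample_conf INTERFACES -> minimal constructed [global] section on stdout
sample_conf() {
    printf '[global]\n\tworkgroup = C1.SV\n\tinterfaces = %s\n' "$1"
    printf '\tbind interfaces only = Yes\n\tpassdb backend = ldapsam:ldap://127.0.0.1\n'
}

f=$(mktemp)
sample_conf "eth0" > "$f";    check_loopback_binding "$f" || true   # as posted: fails
sample_conf "eth0 lo" > "$f"; check_loopback_binding "$f"           # with lo added: ok
rm -f "$f"
```

Run it against the real file with `check_loopback_binding /etc/samba/smb.conf` after sourcing the script; `testparm -s` can be used first if the config relies on includes, since this check reads one file only.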
