[Samba] Samba PDC & Squid NTLM Auth - Same machine
Victor Medina
vittico at gmail.com
Tue Mar 31 16:49:40 GMT 2009
David, it did not work.
Any suggestion?
Victor Medina
Samuel Goldwyn - "I don't think anyone should write their
autobiography until after they're dead."
On Wed, Apr 1, 2009 at 12:13 PM, David Wells <d.wells at vitalcan.com.ar> wrote:
> Victor Medina wrote:
>>
>> Hi Guys!
>>
>>
>> Probably this is not the best place to ask, I'll try anyway... =)
>>
>> I've been trying to configure a Samba PDC and a Squid Proxy server
>> with NTLM auth on the same machine but NTLM_AUTH keeps complaining
>> about: NT_STATUS_INVALID_HANDLE.... I have other machines running
>> Squid and Authenticating against a Samba Server but on different
>> machines, this is the first time I try both on the same machine.
>>
>> Can I use Squid+NTLM Auth and Samba configured as PDC on the same
>> machine? Is there any winbind issue with this kind of configuration?
>>
>> I'm using SLES10+SP2
>> Samba version as reported by rpm is 3.0.32-0.8
>> Squid version as reported by rpm is 2.5.STABLE12-18.13
>>
>> -------------------------------------------------
>> This is my smb.conf
>>
>> [global]
>> dos charset = 850
>> unix charset = ISO8859-1
>> workgroup = C1.SV
>> netbios name = PDCSRVC1SV
>> server string =
>> interfaces = eth0
>> bind interfaces only = Yes
>> map to guest = Bad Password
>> passdb backend = ldapsam:ldap://127.0.0.1
>> guest account = Invitado
>> time server = Yes
>> deadtime = 20
>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>> printcap name = cups
>> logon path =
>> logon home =
>> domain logons = Yes
>> os level = 65
>> preferred master = Yes
>> domain master = Yes
>> wins support = Yes
>> ldap admin dn = cn=Administrador,o=Ferreteria EPA
>> ldap delete dn = Yes
>> ldap group suffix = ou=group
>> ldap machine suffix = ou=people
>> ldap passwd sync = Yes
>> ldap suffix = ou=c1,c=sv,o=Ferreteria EPA
>> ldap user suffix = ou=people
>> idmap domains = DEFAULT
>> idmap alloc backend = ldap
>> idmap alloc config:range = 10000-100000
>> idmap alloc config:ldap_url = ldap://127.0.0.1
>> idmap alloc config:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
>> idmap alloc config:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
>> idmap config DEFAULT:range = 10000-100000
>> idmap config DEFAULT:ldap_url = ldap://127.0.0.1
>> idmap config DEFAULT:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
>> idmap config DEFAULT:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
>> idmap config DEFAULT:default = yes
>> idmap config DEFAULT:readonly = no
>> idmap config DEFAULT:backend = ldap
>> ldapsam:editposix = yes
>> ldapsam:trusted = yes
>> create mask = 0640
>> force create mode = 0640
>> directory mask = 0750
>> force directory mode = 0750
>> case sensitive = No
>> dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
>>
>> My relevant squid.conf lines...
>>
>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp C1.SV/PDCSRVC1SV
>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic C1.SV/PDCSRVC1SV
>> auth_param ntlm children 100
>> auth_param basic children 100
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hours
>>
>> The PDC works as expected, machine join works like a charm, users and
>> groups management works equally right, all accounts are placed in the
>> LDAP, getent passwd, groups and shadow show the LDAP accounts.
>>
>> I also did a few tests with wbinfo
>>
>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo -u
>> invitado
>> usuarioprueba
>> e01ggen
>> e01glogis
>> e01gcont
>> e01jcomp1
>> e01jcomp2
>> e01jcomp3
>> e01jcomp4
>> e01jrepo
>> e01jreclu
>> e01rrece
>> e01gcom
>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo -g
>> BUILTIN
>> BUILTIN
>> domain users
>> domain admins
>> domain guests
>> grupoprueba
>> gcentralsv
>> gcompras
>> gcontrol
>> ggerencia
>> glogistica
>> gmercadeo
>> gpersonal
>> gventas
>> gjefecompras
>> gjefecontrol
>> gjefelogistica
>> gjefepersonal
>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo --all-domains
>> C1.SV
>>
>> I also made sure squid users can read /var/lib/samba/winbindd_privileged
>>
>> I also noted this error:
>>
>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo --authenticate=administrator%12345678
>> plaintext password authentication failed
>> error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
>> error messsage was: No such user
>> Could not authenticate user administrator%12345678 with plaintext password
>> winbind separator was NULL!
>> challenge/response password authentication failed
>> error code was NT_STATUS_INVALID_HANDLE (0xc0000008)
>> error messsage was: Invalid handle
>> Could not authenticate user administrator with challenge/response
>>
>> Does someone have any idea of what could go wrong? When I use Squid and
>> Samba on different machines I usually join the Squid machine to the
>> domain using a net join, is this necessary when the PDC and Squid are
>> on the same machine?
>>
>> Victor Medina
>>
>> Samuel Goldwyn - "I don't think anyone should write their
>> autobiography until after they're dead."
>>
>
> I think you should add lo to the interfaces listed in smb.conf
>
> Best regards, David Wells.
>
>
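An added example, not part of the thread: a small POSIX sh check for the smb.conf pitfall David points at. With `bind interfaces only = Yes`, smbd/winbindd only listen on the listed interfaces, so `ntlm_auth`/winbindd running on the PDC itself cannot reach the local DC over loopback unless `lo` (or 127.0.0.1) is also in `interfaces`. The function names, the sample config and the `probe_winbind` helper are my own; `wbinfo -p` / `wbinfo -t` and the `winbindd_privileged` directory are the real Samba tools and path from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): detect "bind interfaces only = Yes"
# without lo/127.0.0.1 in "interfaces", the cause David suggests for the
# NT_STATUS_INVALID_HANDLE seen when Squid's ntlm_auth runs on the PDC.

# smb_value FILE KEY -> prints KEY's value (lower-cased, trimmed), first match only
smb_value() {
    awk -v key="$2" -F= '
        BEGIN { key = tolower(key) }
        /^[[:space:]]*[#;]/ { next }                      # skip comments
        index($0, "=") > 0 {
            k = $1; sub(/^[[:space:]]+/, "", k); sub(/[[:space:]]+$/, "", k)
            if (tolower(k) == key) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
                print tolower(v); exit
            }
        }' "$1"
}

# check_loopback FILE -> 0 if local winbind traffic can reach smbd, 1 if not
check_loopback() {
    bio=$(smb_value "$1" "bind interfaces only")
    ifaces=$(smb_value "$1" "interfaces")
    case "$bio" in
        yes|true|1) ;;          # restricted: loopback must be listed explicitly
        *) return 0 ;;          # not restricted: loopback is always reachable
    esac
    for i in $ifaces; do
        case "$i" in
            lo|lo/*|127.0.0.1|127.0.0.1/*) return 0 ;;
        esac
    done
    echo "smb.conf: bind interfaces only is set but 'interfaces = $ifaces'" \
         "omits lo/127.0.0.1; local ntlm_auth/winbindd cannot reach smbd" >&2
    return 1
}

# Live checks to run on the PDC after fixing the config (needs winbindd up):
# ping winbindd, verify the trust secret, and confirm squid's group can
# traverse the privileged pipe directory (it must be group x-able).
probe_winbind() {
    wbinfo -p && wbinfo -t && ls -ld /var/lib/samba/winbindd_privileged
}
```

Run `check_loopback /etc/samba/smb.conf` on the PDC; a non-zero exit means `interfaces` needs `lo` added before restarting smb/winbind.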