[Samba] Samba PDC & Squid NTLM Auth - Same machine

Victor Medina vittico at gmail.com
Tue Mar 31 16:49:40 GMT 2009


David, it did not work.

Any suggestion?

Victor Medina

Samuel Goldwyn  - "I don't think anyone should write their
autobiography until after they're dead."


On Wed, Apr 1, 2009 at 12:13 PM, David Wells <d.wells at vitalcan.com.ar> wrote:
> Victor Medina wrote:
>>
>> Hi Guys!
>>
>>
>> Probably this is not the best place to ask, I'll try anyway... =)
>>
>> I've been trying to configure a Samba PDC and a Squid Proxy server
>> with NTLM auth on the same machine but NTLM_AUTH keeps complaining
>> about: NT_STATUS_INVALID_HANDLE.... I have other machines running
>> Squid and Authenticating against a Samba Server but on different
>> machines, this is the first time I try both on the same machine.
>>
>> Can I use Squid+NTLM Auth and Samba configured as PDC on the same
>> machine? Is there any winbind issue with this kind of configuration?
>>
>> I'm using SLES10+SP2
>> Samba version as reported by rpm is 3.0.32-0.8
>> Squid version as reported by rpm is 2.5.STABLE12-18.13
>>
>> -------------------------------------------------
>> This is my smb.conf
>>
>> [global]
>>        dos charset = 850
>>        unix charset = ISO8859-1
>>        workgroup = C1.SV
>>        netbios name = PDCSRVC1SV
>>        server string =
>>        interfaces = eth0
>>        bind interfaces only = Yes
>>        map to guest = Bad Password
>>        passdb backend = ldapsam:ldap://127.0.0.1
>>        guest account = Invitado
>>        time server = Yes
>>        deadtime = 20
>>        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>        printcap name = cups
>>        logon path =
>>        logon home =
>>        domain logons = Yes
>>        os level = 65
>>        preferred master = Yes
>>        domain master = Yes
>>        wins support = Yes
>>        ldap admin dn = cn=Administrador,o=Ferreteria EPA
>>        ldap delete dn = Yes
>>        ldap group suffix = ou=group
>>        ldap machine suffix = ou=people
>>        ldap passwd sync = Yes
>>        ldap suffix = ou=c1,c=sv,o=Ferreteria EPA
>>        ldap user suffix = ou=people
>>        idmap domains = DEFAULT
>>        idmap alloc backend = ldap
>>        idmap alloc config:range = 10000-100000
>>        idmap alloc config:ldap_url = ldap://127.0.0.1
>>        idmap alloc config:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
>>        idmap alloc config:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
>>        idmap config DEFAULT:range = 10000-100000
>>        idmap config DEFAULT:ldap_url = ldap://127.0.0.1
>>        idmap config DEFAULT:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
>>        idmap config DEFAULT:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
>>        idmap config DEFAULT:default = yes
>>        idmap config DEFAULT:readonly = no
>>        idmap config DEFAULT:backend = ldap
>>        ldapsam:editposix = yes
>>        ldapsam:trusted = yes
>>        create mask = 0640
>>        force create mode = 0640
>>        directory mask = 0750
>>        force directory mode = 0750
>>        case sensitive = No
>>        dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
>>
>> My relevant squid.conf lines...
>>
>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp C1.SV/PDCSRVC1SV
>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic  C1.SV/PDCSRVC1SV
>> auth_param ntlm children 100
>> auth_param basic children 100
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hours
>>
>>
>>
>>
>> The pdc works as expected, machine join works like charm, users and
>> groups management works equally right, all accounts are placed in the
>> LDAP, getent passwd, groups and shadow shows the ldap accounts
>>
>> I also did a few tests with wbinfo
>>
>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo  -u
>> invitado
>> usuarioprueba
>> e01ggen
>> e01glogis
>> e01gcont
>> e01jcomp1
>> e01jcomp2
>> e01jcomp3
>> e01jcomp4
>> e01jrepo
>> e01jreclu
>> e01rrece
>> e01gcom
>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo  -g
>> BUILTIN
>> BUILTIN
>> domain users
>> domain admins
>> domain guests
>> grupoprueba
>> gcentralsv
>> gcompras
>> gcontrol
>> ggerencia
>> glogistica
>> gmercadeo
>> gpersonal
>> gventas
>> gjefecompras
>> gjefecontrol
>> gjefelogistica
>> gjefepersonal
>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo  --all-domains
>> C1.SV
>>
>>
>> I also made sure squid users can read /var/lib/samba/winbindd_privileged
>>
>>
>> I also noted this error:
>>
>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo --authenticate=administrator%12345678
>> plaintext password authentication failed
>> error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
>> error messsage was: No such user
>> Could not authenticate user administrator%12345678 with plaintext password
>> winbind separator was NULL!
>> challenge/response password authentication failed
>> error code was NT_STATUS_INVALID_HANDLE (0xc0000008)
>> error messsage was: Invalid handle
>> Could not authenticate user administrator with challenge/response
>>
>> Does someone have any idea of what could go wrong? When I use squid and
>> samba on different machines I usually join the squid machine to the
>> domain using a net join, is this necessary when the pdc and squid are
>> on the same machine?
>>
>> Victor Medina
>>
>> Samuel Goldwyn  - "I don't think anyone should write their
>> autobiography until after they're dead."
>>
>
> I think you should add lo to the interfaces listed in smb.conf
>
> Best regards, David Wells.
>
>
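The thread's suggested fix is that `bind interfaces only = Yes` with `interfaces = eth0` leaves smbd/winbindd not listening on loopback, which is exactly where a local `ntlm_auth`/`wbinfo` helper on the same box connects from. The following POSIX shell script is an added example, not code from the Samba project or from anyone in this thread: it reads the `[global]` section of an smb.conf-style file and warns when interface binding is restricted without a loopback entry. The sample configuration it writes in `demo` is constructed from the lines quoted above; the function names `smbconf_value`, `check_loopback_binding` and `demo` are hypothetical.

```shell
#!/bin/sh
# Added example (not Samba's code): lint an smb.conf for the
# "bind interfaces only without loopback" pattern discussed in the thread.

# smbconf_value FILE KEY
# Prints the value of KEY from the [global] section of FILE (untrimmed case,
# surrounding whitespace removed). Only the first '=' separates key and value,
# so values such as "cn=Administrador,o=..." survive intact.
smbconf_value() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { insec = (tolower($0) ~ /\[global\]/); next }
        insec && !/^[[:space:]]*[#;]/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v
            }
        }' "$1"
}

# check_loopback_binding FILE
# Returns 0 when local helpers can reach smbd/winbindd, 1 when
# "bind interfaces only" is set and "interfaces" lists no loopback entry.
check_loopback_binding() {
    conf="$1"
    bio=$(smbconf_value "$conf" "bind interfaces only" | tr 'A-Z' 'a-z')
    ifaces=$(smbconf_value "$conf" "interfaces")
    case "$bio" in
        yes|true|1) ;;
        *) return 0 ;;          # no restriction: loopback is covered
    esac
    case " $ifaces " in
        *" lo "*|*"127.0.0.1"*|*" lo/"*) return 0 ;;   # lo, lo/8, 127.0.0.1, 127.0.0.1/8
    esac
    echo "WARN: '$conf': bind interfaces only = yes but interfaces = '$ifaces'" \
         "has no loopback entry; local ntlm_auth/wbinfo cannot reach winbindd." \
         "Add 'lo' (or 127.0.0.1) to interfaces." >&2
    return 1
}

# demo: write a constructed smb.conf fragment mirroring the thread and lint it.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
[global]
        workgroup = C1.SV
        netbios name = PDCSRVC1SV
        interfaces = eth0
        bind interfaces only = Yes
        ldap admin dn = cn=Administrador,o=Ferreteria EPA
EOF
    if check_loopback_binding "$tmp"; then
        echo "ok: $tmp"
    fi
    rm -f "$tmp"
}

# Usage: sh lint_smbconf.sh /etc/samba/smb.conf   (runs the demo when no file is given)
if [ -n "${1:-}" ]; then
    check_loopback_binding "$1"
else
    demo
fi
```

Run it against a live `smb.conf` before restarting Samba; a non-zero exit and the WARN line mean the local Squid helper would see the same loopback problem described above, independently of whether the LDAP backend and domain join are healthy.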
