[Samba] Samba PDC & Squid NTLM Auth - Same machine

Stefan Dengscherz stefan.dengscherz at gmail.com
Tue Mar 31 22:47:14 GMT 2009


Hello Victor,


did you try supplying the domain name along with the username? Like
"DOMAIN\administrator". Or adding "winbind use default domain = yes"
to your samba configuration.


Regards,

-sd

2009/3/31 Victor Medina <vittico at gmail.com>:
> David, it did not work.
>
> Any suggestion?
>
> Victor Medina
>
> Samuel Goldwyn  - "I don't think anyone should write their
> autobiography until after they're dead."
>
>
> On Wed, Apr 1, 2009 at 12:13 PM, David Wells <d.wells at vitalcan.com.ar> wrote:
>> Victor Medina wrote:
>>>
>>> Hi Guys!
>>>
>>>
>>> Probably this is not the best place to ask, I'll try anyway... =)
>>>
>>> I've been trying to configure a Samba PDC and a Squid Proxy server
>>> with NTLM auth on the same machine but ntlm_auth keeps complaining
>>> about: NT_STATUS_INVALID_HANDLE.... I have other machines running
>>> Squid and authenticating against a Samba Server but on different
>>> machines, this is the first time I try both on the same machine.
>>>
>>> Can I use Squid+NTLM Auth and Samba configured as PDC on the same
>>> machine? Is there any winbind issue with this kind of configuration?
>>>
>>> I'm using SLES10+SP2
>>> Samba version as reported by rpm is 3.0.32-0.8
>>> Squid version as reported by rpm is 2.5.STABLE12-18.13
>>>
>>> -------------------------------------------------
>>> This is my smb.conf
>>>
>>> [global]
>>>        dos charset = 850
>>>        unix charset = ISO8859-1
>>>        workgroup = C1.SV
>>>        netbios name = PDCSRVC1SV
>>>        server string =
>>>        interfaces = eth0
>>>        bind interfaces only = Yes
>>>        map to guest = Bad Password
>>>        passdb backend = ldapsam:ldap://127.0.0.1
>>>        guest account = Invitado
>>>        time server = Yes
>>>        deadtime = 20
>>>        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>>        printcap name = cups
>>>        logon path =
>>>        logon home =
>>>        domain logons = Yes
>>>        os level = 65
>>>        preferred master = Yes
>>>        domain master = Yes
>>>        wins support = Yes
>>>        ldap admin dn = cn=Administrador,o=Ferreteria EPA
>>>        ldap delete dn = Yes
>>>        ldap group suffix = ou=group
>>>        ldap machine suffix = ou=people
>>>        ldap passwd sync = Yes
>>>        ldap suffix = ou=c1,c=sv,o=Ferreteria EPA
>>>        ldap user suffix = ou=people
>>>        idmap domains = DEFAULT
>>>        idmap alloc backend = ldap
>>>        idmap alloc config:range = 10000-100000
>>>        idmap alloc config:ldap_url = ldap://127.0.0.1
>>>        idmap alloc config:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
>>>        idmap alloc config:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
>>>        idmap config DEFAULT:range = 10000-100000
>>>        idmap config DEFAULT:ldap_url = ldap://127.0.0.1
>>>        idmap config DEFAULT:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
>>>        idmap config DEFAULT:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
>>>        idmap config DEFAULT:default = yes
>>>        idmap config DEFAULT:readonly = no
>>>        idmap config DEFAULT:backend = ldap
>>>        ldapsam:editposix = yes
>>>        ldapsam:trusted = yes
>>>        create mask = 0640
>>>        force create mode = 0640
>>>        directory mask = 0750
>>>        force directory mode = 0750
>>>        case sensitive = No
>>>        dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
>>>
>>> My relevant squid.conf lines...
>>>
>>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp C1.SV/PDCSRVC1SV
>>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic C1.SV/PDCSRVC1SV
>>> auth_param ntlm children 100
>>> auth_param basic children 100
>>> auth_param basic realm Squid proxy-caching web server
>>> auth_param basic credentialsttl 2 hours
>>>
>>>
>>>
>>>
>>> The pdc works as expected, machine join works like charm, users and
>>> groups management works equally right, all accounts are placed in the
>>> LDAP, getent passwd, groups and shadow shows the ldap accounts
>>>
>>> I also did a few tests with wbinfo
>>>
>>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo  -u
>>> invitado
>>> usuarioprueba
>>> e01ggen
>>> e01glogis
>>> e01gcont
>>> e01jcomp1
>>> e01jcomp2
>>> e01jcomp3
>>> e01jcomp4
>>> e01jrepo
>>> e01jreclu
>>> e01rrece
>>> e01gcom
>>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo  -g
>>> BUILTIN
>>> BUILTIN
>>> domain users
>>> domain admins
>>> domain guests
>>> grupoprueba
>>> gcentralsv
>>> gcompras
>>> gcontrol
>>> ggerencia
>>> glogistica
>>> gmercadeo
>>> gpersonal
>>> gventas
>>> gjefecompras
>>> gjefecontrol
>>> gjefelogistica
>>> gjefepersonal
>>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo  --all-domains
>>> C1.SV
>>>
>>>
>>> I also made sure squid users can read /var/lib/samba/winbindd_privileged
>>>
>>>
>>> I also noted this error:
>>>
>>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo --authenticate=administrator%12345678
>>> plaintext password authentication failed
>>> error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
>>> error messsage was: No such user
>>> Could not authenticate user administrator%12345678 with plaintext password
>>> winbind separator was NULL!
>>> challenge/response password authentication failed
>>> error code was NT_STATUS_INVALID_HANDLE (0xc0000008)
>>> error messsage was: Invalid handle
>>> Could not authenticate user administrator with challenge/response
>>>
>>> Does someone have any idea of what could go wrong? When I use squid and
>>> samba on different machines I usually join the squid machine to the
>>> domain using a net join, is this necessary when the pdc and squid are
>>> on the same machine?
>>>
>>> Victor Medina
>>>
>>> Samuel Goldwyn  - "I don't think anyone should write their
>>> autobiography until after they're dead."
>>>
>>
>> I think you should add lo to the interfaces listed in smb.conf
>>
>> Best regards, David Wells.
>>
>>
>



-- 
The box said Windows Vista or better. So I bought a Mac.
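The two suggestions in this thread (David's: put lo in "interfaces" when "bind interfaces only" is set; Stefan's: qualify the user as DOMAIN\user or set "winbind use default domain = yes") can be turned into a quick smb.conf check. The script below is an added example, not code from the thread or from Samba; the two sample configs are constructed from the relevant lines of the posted smb.conf.

```shell
# smb_global KEY: print KEY's value from [global] of the smb.conf on stdin
# (key match is case-insensitive, other sections are ignored).
smb_global() {
    awk -v key="$1" '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[[Gg]lobal\][ \t]*$/); next }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }'
}
# smb_lint: read an smb.conf on stdin, print one line per finding.
smb_lint() {
    conf=$(cat)
    g() { printf '%s\n' "$conf" | smb_global "$1"; }
    # David's point: with "bind interfaces only" smbd only listens on the listed
    # interfaces, so winbindd/ntlm_auth on the PDC itself need lo/127.0.0.1 there.
    case "$(g 'bind interfaces only' | tr 'A-Z' 'a-z')" in yes|true|1)
        ifs=$(g interfaces)
        case " $ifs " in *' lo '*|*127.0.0.1*) ;; *)
            printf '%s\n' "bind interfaces only = yes but interfaces ($ifs) lacks lo/127.0.0.1";;
        esac;;
    esac
    # Stefan's point: without "winbind use default domain = yes" the user must
    # be given as DOMAIN<winbind separator>user (separator defaults to backslash).
    case "$(g 'winbind use default domain' | tr 'A-Z' 'a-z')" in yes|true|1) ;; *)
        sep=$(g 'winbind separator'); [ -n "$sep" ] || sep='\'
        printf '%s\n' "winbind use default domain not set: use $(g workgroup)${sep}administrator or set it to yes";;
    esac
}
# Constructed sample: the relevant lines of the posted smb.conf (problem case).
sample_as_posted() { cat <<'EOF'
[global]
        workgroup = C1.SV
        interfaces = eth0
        bind interfaces only = Yes
EOF
}
# Constructed sample with both suggestions applied.
sample_fixed() { cat <<'EOF'
[global]
        workgroup = C1.SV
        interfaces = eth0 lo
        bind interfaces only = Yes
        winbind use default domain = yes
EOF
}
sample_as_posted | smb_lint   # two findings
sample_fixed | smb_lint       # no output
```

To check a real box, run `smb_lint < /etc/samba/smb.conf` (path assumed; SLES may keep it elsewhere).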

