[Samba] samba4 and squid with NTLM auth
Eugene M. Zheganin
eugene at zhegan.in
Wed Aug 7 03:57:32 MDT 2013
Hi.
Samba-4.0.7
FreeBSD 10.0-CURRENT
Besides serving files I'm using Samba to authenticate users in the
Windows AD with squid.
After having issues with samba 3.6.16 I decided to see if samba4 will
fit me more. I was surprised, but I found that Samba 4 is fully
functional in my environment and is nearly production-ready.
After that I tried to setup squid to use samba for NTLM authentication.
I found something that may be a bug, but may be also a misconfiguration
of some sort. In short words - it doesn't work.
To describe what's not working, I should say that in my configuration
squid is authorizing user in two stages:
- ntlm_auth is authenticating user
- external squid helper is authorizing user's access to an URL using a
supplied by ntlm_auth name and the group membership information from the AD.
It turns out that for some reason ntlm_auth authenticates user just
fine, but then it is supplying squid with some sort of corrupted username:
squid access log:
1375868558.129 1957 192.168.7.71 TCP_DENIED/403 2338 GET
http://www.ru/rus/index.php ZZZZZZZZZZZZZZZZ%a0%92%03\r%08 HI
ER_NONE/- text/html
This ZZZZ[...] is actually my username - 'emz', but looks it's
authenticated by ntlm_auth. Squid also thinks that this username has
been just authenticated, and tries to look it's group membership
information.
Squid cache log:
support_member.cc(124): pid=12390 :2013/08/07 15:42:38|
kerberos_ldap_group: INFO: User ZZZZZZZZZZZZZZZZ═..
. is not member of group at domain Internet Users - Crystal at NULL
Considering that everything is fine when using samba 3.5.x, I suppose
the answer is is samba software.
Is this some bug or a misconfiguration ?
Thanks.
Eugene.
More information about the samba
mailing list