[Samba] [OT?] passing group name with spaces to ntlm_auth...

Andrew Bartlett abartlet at samba.org
Thu Sep 27 18:30:12 UTC 2018


On Thu, 2018-09-27 at 12:27 +0200, L.P.H. van Belle via samba wrote:
> Hai marco, 
> 
> More info on squid config might help here and no smb.conf.. 
> Ahead of things...  
> 
> And you better use something like this, change to negotiate auth
> (and use SSO). 
> 
> auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
>     --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy1.internal.domain.tld at REALM \
>     #Or if you don't have the SPN set: --kerberos /usr/lib/squid/negotiate_kerberos_auth -r -i -s GSS_C_NO_NAME \
>     --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM
> 
> And use ldap for the groups. Amos explains these things better than me
> ;-) 
> Google this: [squid-users] external_acl_type LDAP for acl NOT
> related to auth
> And Re: [squid-users] Any suggestions or comments about my
> configuration? squid 3.5.20
> And you have a good group example ;-), 2 recently answered questions
> with some very good group examples. 


ntlm_auth can also do negotiate (which is much more efficient if
Kerberos is selected, I agree), however it looks like
--require-membership-of isn't hooked up to that (drat). 

The easiest way past the escaping issue is to pass the SID as S-x-y-z.

The reason --require-membership-of was implemented is that it can be
much more efficient, as at this point Samba knows the group memberships
so can look them up from the authentication reply, rather than starting
new LDAP traffic.

Andrew Bartlett

> 
> Greetz, 
> 
> Louis
> 
> 
> 
> > 
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> > Marco Gaiarin via samba
> > Sent: Thursday 27 September 2018 12:12
> > To: samba at lists.samba.org
> > Subject: [Samba] [OT?] passing group name with spaces to 
> > ntlm_auth...
> > 
> > 
> > It's not clear to me if it is a squid or a samba/ntlm_auth problem...
> > indeed...
> > 
> > In Squid i've added:
> > 
> > 	auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=LNFFVG --require-membership-of='LNFFVG\Domain Users'
> > 	auth_param ntlm children 5
> > 
> > but in 'cache.log' i got:
> > 
> > 	Winbindd lookupname failed to resolve 'LNFFVG\Domain into a SID!
> > 	Winbindd lookupname failed to resolve 'LNFFVG\Domain into a SID!
> > 
> > I've tried some escape techniques for the space character, but 
> > with no luck. Leaving simply:
> > 
> > 	auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=LNFFVG
> > 
> > works.
> > 
> > 
> > Is there any hint? Thanks.
> > 
> > -- 
> > dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
> >   Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
> >   Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
> >   marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797
> > 
> > 		Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
> >       http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
> > 	(tax code 00307430132, category ONLUS or HEALTH RESEARCH)
> > 
> 
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
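One way to act on Andrew's suggestion of handing ntlm_auth the SID rather than a group name containing a space, as an added shell example that is not part of the thread and not Samba's or Squid's own code: it resolves the group with `wbinfo -n` (the winbind lookup tool; the assumed output shape is `S-1-5-21-...-513 SID_DOM_GROUP (2)`), keeps only the SID, and emits the `auth_param ntlm` line from Marco's config with the SID in `--require-membership-of`, so no whitespace has to survive squid's argument splitting. The `sid_from_wbinfo_output` and `squid_ntlm_line` names are the example's own; the SID values in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): build a squid ntlm_auth directive
# that passes a group SID instead of a name with spaces.
# Assumes winbind is running and wbinfo is on PATH for the live lookup.
set -eu

# Extract the SID from one line of `wbinfo -n` output.
# Assumed real output:  S-1-5-21-1111-2222-3333-513 SID_DOM_GROUP (2)
# (RID 513 is the well-known "Domain Users" RID.)
# Prints the SID, or prints nothing and returns 1 if the line does not
# start with a domain (S-1-5-21-...) or builtin (S-1-5-32-...) SID.
sid_from_wbinfo_output() {
    _line=$1
    _sid=${_line%% *}                  # first whitespace-separated field
    case "$_sid" in
        S-1-5-21-*-*-*-*) printf '%s\n' "$_sid" ;;   # domain SID + RID
        S-1-5-32-*)       printf '%s\n' "$_sid" ;;   # BUILTIN group
        *) return 1 ;;
    esac
}

# Live lookup: takes "DOMAIN\Group Name" as ONE argument (quote it in
# the shell) and returns the SID via sid_from_wbinfo_output.
group_sid() {
    _out=$(wbinfo -n "$1") || return 1
    sid_from_wbinfo_output "$_out"
}

# Emit the squid directive. Argument 1 is the NT domain, argument 2 the
# SID; only the SID ever reaches the helper's argument list.
squid_ntlm_line() {
    printf 'auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=%s --require-membership-of=%s\n' "$1" "$2"
}

# Usage:  sh resolve_group.sh 'LNFFVG\Domain Users'
# Prints e.g. (constructed SID):
#   auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=LNFFVG --require-membership-of=S-1-5-21-1111-2222-3333-513
if [ "${1-}" ]; then
    domain=${1%%\\*}                   # text before the first backslash
    sid=$(group_sid "$1") || { echo "cannot resolve group: $1" >&2; exit 1; }
    squid_ntlm_line "$domain" "$sid"
fi
```

The generated line goes into squid.conf in place of the one that failed; because ntlm_auth does the membership check from the groups already present in the authentication reply (the point Andrew makes above), no extra LDAP query is issued per request. A quick sanity check before reloading squid is `wbinfo -s <SID>`, which should map the SID back to the intended group.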