[Samba] [OT?] passing group name with spaces to ntlm_auth...

Marco Gaiarin gaio at sv.lnf.it
Fri Sep 28 14:31:30 UTC 2018


Hi! Andrew Bartlett via samba
  On that day it was said...

> > auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
> >     --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy1.internal.domain.tld at REALM \
> >     #Or if you dont have the SPN set. --kerberos /usr/lib/squid/negotiate_kerberos_auth  -r -i -s GSS_C_NO_NAME \ 
> >     --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM
> ntlm_auth can also do negotiate (which is much more efficient if
> Kerberos is selected, I agree), however it looks like
> --require-membership-of isn't hooked up to that (drat).

Ahem, sorry... this means that it is not necessary to use
'negotiate_wrapper_auth' to do negotiate auth, but ntlm_auth can be
used directly?


> The easiest way past the escaping issue is to pass the SID as S-x-y-z.

Effectively, I've re-read the manpage and found that passing the SID works as
expected.


> The reason --require-membership-of was implemented is that it can be
> much more efficient, as at this point Samba knows the group memberships
> so can look them up from the authentication reply, rather than starting
> new LDAP traffic.

I use that option because I have some users (most notably: the user that I
use to access LDAP data) that are NOT members of 'Domain Users' and that
don't need to use the proxy.


Glad to know I'm doing the right thing. ;-)

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(tax code 00307430132, category ONLUS or HEALTH RESEARCH)
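Resolving a group whose name contains spaces to its SID and handing that SID to ntlm_auth, as an added shell example that is not part of this thread: it parses the reply of `wbinfo --name-to-sid`, rejects anything that is not a group SID, and emits the squid `auth_param ntlm program` line (the NTLM helper protocol rather than negotiate, since the reply above says `--require-membership-of` isn't hooked up for negotiate). The group name, the sample wbinfo replies and the helper path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. The SID has no spaces, so passing it
# to --require-membership-of avoids the escaping problem with group names.

# Pull the SID out of a `wbinfo --name-to-sid` reply such as
#   S-1-5-21-1111-2222-3333-1107 SID_DOM_GROUP (2)
# Accepts domain groups and local aliases (e.g. BUILTIN\Administrators);
# prints nothing and returns 1 for users, unknown names or error text,
# so a typo in the group name cannot silently turn into "no restriction".
sid_from_wbinfo_reply() {
    set -- $1                      # split the reply into SID, type, (number)
    sid=$1 type=$2
    printf '%s' "$sid" | grep -Eq '^S-1-[0-9]+(-[0-9]+)+$' || return 1
    case "$type" in
        SID_DOM_GROUP|SID_ALIAS) printf '%s\n' "$sid" ;;
        *) return 1 ;;
    esac
}

# Build the squid helper line. $1 = SID, $2 = path to ntlm_auth.
squid_ntlm_line() {
    printf 'auth_param ntlm program %s --helper-protocol=squid-2.5-ntlmssp --require-membership-of=%s\n' "$2" "$1"
}

# Real lookup (winbind must be running). Quoting "$1" keeps the spaces of
# a name like 'NTDOM\Proxy Users' intact on the way to wbinfo; the SID
# that comes back needs no quoting at all.
group_sid_line() {
    sid=$(sid_from_wbinfo_reply "$(wbinfo --name-to-sid "$1")") || {
        echo "cannot resolve group to a SID: $1" >&2
        return 1
    }
    squid_ntlm_line "$sid" /usr/bin/ntlm_auth
}
```

Run `group_sid_line 'NTDOM\Proxy Users'` (hypothetical domain and group) on the Samba member server and paste the printed line into squid.conf.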
