[Samba] [OT?] passing group name with spaces to ntlm_auth...
Marco Gaiarin
gaio at sv.lnf.it
Fri Sep 28 14:31:30 UTC 2018
Hello! Andrew Bartlett via samba
On that day it was said...
> > auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
> > --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy1.internal.domain.tld@REALM \
> > #Or if you dont have the SPN set. --kerberos /usr/lib/squid/negotiate_kerberos_auth -r -i -s GSS_C_NO_NAME \
> > --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM
> ntlm_auth can also do negotiate (which is much more efficient if
> Kerberos is selected, I agree), however it looks like
> --require-membership-of isn't hooked up to that (drat).
Ahem, sorry... does this mean that it is not necessary to use
'negotiate_wrapper_auth' to do negotiate auth, and that ntlm_auth can be
used directly?
> The easiest way past the escaping issue is to pass the SID as S-x-y-z.
Effectively, I've re-read the manpage and found that passing the SID works as
expected.
> The reason --require-membership-of was implemented is that it can be
> much more efficient, as at this point Samba knows the group memberships
> so can look them up from the authentication reply, rather than starting
> new LDAP traffic.
I use that option because I have some users (most notably: users that I
use to access LDAP data) that are NOT members of 'Domain Users' and that
don't need to use the proxy.
Glad to know I'm doing the right thing. ;-)
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
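
The SID approach confirmed in the message above, as an added example that is not part of the original thread: it takes one line of `wbinfo -n` output, checks that it is a group SID, and emits an `ntlm_auth` helper line with `--require-membership-of` set to that SID. The group name `Proxy Users`, the SID value, the use of `wbinfo` for the lookup and the `squid-2.5-ntlmssp` helper protocol are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed sample of what
# `wbinfo -n 'NTDOM\Proxy Users'` prints (the SID below is made up).
SAMPLE_WBINFO='S-1-5-21-1111111111-2222222222-3333333333-1105 SID_DOM_GROUP (2)'

# Extract the SID from one line of `wbinfo -n` output.
# Prints the SID; returns 1 if the name did not resolve to a group
# (e.g. it is a user) or the first field is not a well-formed SID.
sid_from_wbinfo() {
    line=$1
    sid=${line%% *}
    case $line in
        *SID_DOM_GROUP*|*SID_ALIAS*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$sid" | grep -Eq '^S-1-[0-9]+(-[0-9]+)+$' || return 1
    printf '%s\n' "$sid"
}

# Build the squid auth_param line. A SID contains no whitespace, so the
# helper command line needs no quoting or escaping for the group.
squid_ntlm_line() {
    sid=$(sid_from_wbinfo "$1") || return 1
    printf 'auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=%s\n' "$sid"
}

# On a domain member, feed real output instead of the sample:
#   squid_ntlm_line "$(wbinfo -n 'NTDOM\Proxy Users')"
squid_ntlm_line "$SAMPLE_WBINFO"
```

Rejecting anything that is not a group SID keeps a mistyped name that happens to match a user account from silently becoming the membership filter.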