On 09:35:16 wrote Alessandro:
> I should use an authenticated proxy with Squid, but I have a problem
> with winbind.
> I'm working on a PDC, debian squeeze with samba from backport (ver.
> 2:3.5.11~dfsg-1~bpo60+1 )
>
> Here is the problem: I can authenticate users.
>
> /usr/bin/ntlm_auth --username=myname --domain=MYCOMPANY
> password: XXXX
> NT_STATUS_INVALID_HANDLE: Invalid handle (0xc0000008)
>
>
> wbinfo -a myname
> Enter myname's password: XXXX
> plaintext password authentication failed
> Could not authenticate user myname with plaintext password
> Enter myname's password: XXXX
> challenge/response password authentication failed
> error code was NT_STATUS_INVALID_HANDLE (0xc0000008)
> error messsage was: Invalid handle
> Could not authenticate user myname with challenge/response
>
> With --domain argument the result is the same
>
> wbinfo seems to work fine with all other arguments (-u, -g, etc.). A
> strange behavior: with -m it gives two domains, "BUILTIN" and
> "MYCOMPANY")
wbinfo should show three domains:

# wbinfo -m
BUILTIN
YOUR_DOMAIN
YOUR_SERVER

# net getdomainsid
SID for local machine YOUR_SERVER is: LOCAL-SID
SID for domain YOUR_DOMAIN is: DOMAIN-SID

# ldapsearch -xLLL "(&(objectclass=sambaDomain)(sambaDomainName=*))" sambasid
dn: sambaDomainName=YOUR_DOMAIN,dc=example,dc=net
sambaSID: DOMAIN-SID

dn: sambaDomainName=YOUR_SERVER,dc=example,dc=net
sambaSID: LOCAL-SID

and finally

# wbinfo --ping-dc

MUST succeed.

As SATOH Fumiyas tells us, one SHOULD join without a running winbindd
daemon.

# net rpc join -S localhost -U administrator

One is NOT joining "localhost"! One joins $HOSTNAME!!

Verify with

# net rpc testjoin
Join to 'YOUR_DOMAIN' is OK

and

# pdbedit -v $HOSTNAME$
Account Flags:        [S ]
User SID:             "DOMAIN-SID"-"SERVER-RID"
Primary Group SID:    "DOMAIN-SID"-515

These three settings are important. It MUST be a server account and the
primary group SID MUST have the RID=515.

# wbinfo -a user%secret
plaintext password authentication succeeded
challenge/response password authentication succeeded

Don't forget to add the user "proxy" to the group "winbindd_priv", so
that the ntlm_auth helper from squid has enough rights.

> I found the following bug:
> https://bugzilla.samba.org/show_bug.cgi?id=7481
> http://osdir.com/ml/debian-bugs-dist/2011-02/msg00966.html
> http://osdir.com/ml/debian-bugs-dist/2011-02/msg09069.html
>
> I could compile samba from source applying the #7481 patch, but I'm
> not sure this is my case, because the workaround exposed at the end
> of #7481 doesn't work for me.
> Any idea?

It works for me with Samba 3.5.6 and also with 3.5.11 from backports :-) .
I use openldap as passdb backend.
Step-by-step guide

You should verify these three groups:

# net sam list builtin
administrators
guests
users

# net sam show administrators
BUILTIN\administrators is a Local Group with SID S-1-5-32-544
# net sam show guests
BUILTIN\guests is a Local Group with SID S-1-5-32-546
# net sam show users
BUILTIN\users is a Local Group with SID S-1-5-32-545

and verify that these groups have their default members:

# net rpc group members Administrators
YOUR_DOMAIN\Domain Admins
# net rpc group members guests
YOUR_DOMAIN\Domain Guests
# net rpc group members users
YOUR_DOMAIN\Domain Users

You must have a valid "idmap alloc setup" and have stored the secret in
secrets.tdb.

smb.conf:
; idmap configuration for SAMBA 3.5.6 with LDAP
idmap backend = ldap
idmap uid = 1000000-1999999
idmap gid = 1000000-1999999
idmap alloc backend = ldap
idmap alloc config : ldap_url = ldap://127.0.0.1/
idmap alloc config : ldap_base_dn = ou=Idmap,dc=example,dc=net
idmap alloc config : ldap_user_dn = cn=admin,dc=example,dc=net

Store the idmap secret in secrets.tdb:
# net idmap secret alloc <secret>

The <secret> must be the password from ldap_user_dn.

If you are using ldap as passdb backend then set this:
ldapsam:editposix = yes
in smb.conf. This will prevent samba from using the smbldap-tools. They
produce wrong joins! And by the way, check that the previously created
builtin groups have sambaGroupType=4. smbldap-tools set this to 5, which
does not work.

If you have now set ldapsam:editposix, don't forget to restart samba.

Now you should join as explained earlier.

Store the authuser in secrets.tdb:
# net -Uroot setauthuser
will store user and password in secrets.tdb, so that winbindd has enough
rights to work. If your administrator account has uidnumber=0, you may
use this account.

Stop samba, start winbind, start samba.

Wait some seconds; winbindd will now create the third domain, which has
the name of your PDC's hostname.
Check with wbinfo.

HINT
When I checked winbindd.conf with testparm, I got some errors, until I
put an empty or comment line before the line with the include
statement :-) .

> Thanks
> Alessandro

--
Regards
Harry Jede
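The checks Harry lists above (three domains from `wbinfo -m`, a server account with primary group RID 515 from `pdbedit -v`, `wbinfo --ping-dc` and `net rpc testjoin`) can be scripted. The script below is an added example, not code from the thread or from Samba; it parses captured command output so the parsing can be exercised offline on the constructed samples, and the `--live` mode assumes the Samba tools are installed and winbindd is running.

```shell
#!/bin/sh
# check_pdc.sh: verify the join settings a working Samba PDC must show.
# Parsing works on captured text, so it runs offline on the constructed
# samples below; "sh check_pdc.sh --live" runs the real Samba tools.

# check_domains <output of "wbinfo -m">: exactly three domains, one of
# them BUILTIN (the third one is the PDC's own hostname domain).
check_domains() {
    n=$(printf '%s\n' "$1" | grep -c '[^[:space:]]')
    [ "$n" -eq 3 ] || return 1
    printf '%s\n' "$1" | grep -qx 'BUILTIN'
}

# check_machine_account <output of "pdbedit -v HOST$">: the machine must be
# a server account (flag S) whose primary group SID ends in RID 515.
check_machine_account() {
    flags=$(printf '%s\n' "$1" | sed -n 's/^Account Flags:[[:space:]]*\[\(.*\)\].*/\1/p')
    pgsid=$(printf '%s\n' "$1" | sed -n 's/^Primary Group SID:[[:space:]]*//p')
    case "$flags" in *S*) ;; *) return 1 ;; esac
    case "$pgsid" in *-515) return 0 ;; *) return 1 ;; esac
}

# Constructed sample outputs (hypothetical domain EXAMPLE, server PDC1;
# not captured from a real server).
SAMPLE_WBINFO='BUILTIN
EXAMPLE
PDC1'
SAMPLE_PDBEDIT='Unix username:        pdc1$
Account Flags:        [S          ]
User SID:             S-1-5-21-111-222-333-1005
Primary Group SID:    S-1-5-21-111-222-333-515'
BAD_PDBEDIT='Account Flags:        [W          ]
Primary Group SID:    S-1-5-21-111-222-333-515'

# run_live: assumes wbinfo, pdbedit and net are installed, winbindd is
# running, and "hostname" prints the NetBIOS name used for the join.
run_live() {
    check_domains "$(wbinfo -m)" && echo "domains: OK" \
        || echo "domains: expected three domains including BUILTIN"
    check_machine_account "$(pdbedit -v "$(hostname)\$")" \
        && echo "machine account: OK" \
        || echo "machine account: need flag S and primary group RID 515"
    wbinfo --ping-dc && net rpc testjoin
}

if [ "${1:-}" = "--live" ]; then run_live; fi
```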