Hi there,

I'm trying to configure Squid to use a windows domain for authentication, and all goes well until I add the "--require-membership-of" option on ntlm_auth. I need to restrict access based on group membership, however ntlm_auth does not seem to be behaving correctly. I'm using Samba 3.0.6 on Debian and I'm using a Windows 2000 (SP4) Domain Controller. I configured winbind as discussed here: http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5

ntlm_auth seems to report the membership of some groups correctly, but incorrectly for others.

Checking the group membership using getent shows that the user "matt" belongs to the "Domain Admins", "Domain Users" and "TestGroup" groups.

   ~$ getent group -s winbind | grep matt
   VM-DOMAIN\Domain Admins:x:10002:VM-DOMAIN\Administrator,VM-DOMAIN\matt
   VM-DOMAIN\Domain Users:x:10000:VM-DOMAIN\Administrator, <snip....>,
   VM-DOMAIN\matt
   VM-DOMAIN\TestGroup:x:10022:VM-DOMAIN\Administrator,VM-DOMAIN\matt


Then using ntlm_auth to check for membership to the "Domain Users" or "Domain Admins" groups works as expected.


   ~$ ntlm_auth --require-membership-of='VM-DOMAIN\Domain Users' \
      --username=matt --password=XXXX
   NT_STATUS_OK: Success (0x0)

   ~$ ntlm_auth --require-membership-of='VM-DOMAIN\Domain Admins' \
      --username=matt --password=XXXX
   NT_STATUS_OK: Success (0x0)

But when I check for membership of the "TestGroup" (which is a Global group just like Domain Admins) it fails:

   ~$ ntlm_auth --require-membership-of='VM-DOMAIN\TestGroup' \
      --username=matt --password=XXXX
   NT_STATUS_LOGON_FAILURE: Logon failure (0xc000006d)

So the getent output above shows that "matt" is a member of the "TestGroup" group, but ntlm_auth seems to produce the incorrect output. It appears to know that the group and user exist and that the password is valid, because varying these params gives different error messages:

   ~$ ntlm_auth --require-membership-of='VM-DOMAIN\TestGroup2' \
      --username=matt --password=XXXX
   [2004/09/07 22:48:18, 0]
   utils/ntlm_auth.c:get_require_membership_sid(237)
     Winbindd lookupname failed to resolve VM-DOMAIN\TestGroup2 into a SID!

   ~$ ntlm_auth --require-membership-of='VM-DOMAIN\TestGroup' \
      --username=matt2 --password=XXXX
   NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)

   ~$ ntlm_auth --require-membership-of='VM-DOMAIN\TestGroup' \
      --username=matt --password=WRONG_PWD
   NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)



Now for the really weird part. If I test to see if the "Administrator" user belongs to this group (which it does ... see the getent output above) then it succeeds:

   ~$ ntlm_auth --require-membership-of='VM-DOMAIN\TestGroup' \
      --username=Administrator --password=password
   NT_STATUS_OK: Success (0x0)


The logs don't produce anything that looks relevant. I'm stumped. I've tried many different things, but I can't figure out the pattern as to why these are failing. Something to do with user-defined groups/users. Could there be something wrong or missing from the Windows user/group setup? The domain controller is a clean install of W2K SP4, which was then activated as a domain controller.


Any ideas would be greatly appreciated!

Regards,

--
Matt Doran
PaperCut Software Pty. Ltd.
Web:     http://www.papercut.biz
Blog:    http://blogs.papercutsoftware.com/matt.doran/

--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
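The post above compares getent's view of group membership with ntlm_auth's --require-membership-of result by hand, one group at a time. The script below is an added example (not part of the original post, and not Samba's own code) that does the same comparison systematically: it parses `getent group -s winbind` output for every group that lists the user, then runs ntlm_auth once per group and reports any group where getent says "member" but ntlm_auth does not return NT_STATUS_OK. The embedded getent sample is constructed after the post's output so the parsing part runs offline; the live check assumes a working winbind, the ntlm_auth flags shown in the post, and that the password is supplied in an NTLM_PASSWORD environment variable (an assumption, chosen so the password does not appear on the command line).

```shell
#!/bin/sh
# Added example, not from the original post: cross-check winbind group
# membership reported by getent against ntlm_auth --require-membership-of.
# Assumptions: winbind is running, ntlm_auth accepts the flags used in the
# post, and the password is provided via $NTLM_PASSWORD.

# Constructed sample of `getent group -s winbind` output, modelled on the
# post (with extra users added so exact-match behaviour can be checked).
SAMPLE_GETENT='VM-DOMAIN\Domain Admins:x:10002:VM-DOMAIN\Administrator,VM-DOMAIN\matt
VM-DOMAIN\Domain Users:x:10000:VM-DOMAIN\Administrator,VM-DOMAIN\bob,VM-DOMAIN\matt
VM-DOMAIN\TestGroup:x:10022:VM-DOMAIN\Administrator,VM-DOMAIN\matt
VM-DOMAIN\Other:x:10030:VM-DOMAIN\bob,VM-DOMAIN\matt2'

# groups_of DOMAIN USER  (reads getent group output on stdin)
# Prints one "DOMAIN\Group" per line for every group whose member field
# contains exactly DOMAIN\USER. Members are compared whole, so "matt"
# never matches "matt2"; surrounding whitespace (as in wrapped output)
# is stripped before comparing.
groups_of() {
    awk -F: -v dom="$1" -v usr="$2" '
        BEGIN { want = dom "\\" usr }
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", m[i])
                if (m[i] == want) { print $1; break }
            }
        }'
}

# classify_status "ntlm_auth output" -> ok | denied | nouser | badpw | unknown
# Maps the NT_STATUS line ntlm_auth prints to a short verdict, using the
# status strings seen in the post.
classify_status() {
    case "$1" in
        NT_STATUS_OK*)             echo ok ;;
        NT_STATUS_LOGON_FAILURE*)  echo denied ;;
        NT_STATUS_NO_SUCH_USER*)   echo nouser ;;
        NT_STATUS_WRONG_PASSWORD*) echo badpw ;;
        *)                         echo unknown ;;
    esac
}

# check_memberships DOMAIN USER
# For each group getent says USER belongs to, ask ntlm_auth the same
# question and print a MISMATCH line when the answers disagree. Requires a
# live winbind and $NTLM_PASSWORD; not exercised by the offline test.
check_memberships() {
    dom="$1"; usr="$2"
    getent group -s winbind | groups_of "$dom" "$usr" |
    while IFS= read -r grp; do
        out=$(ntlm_auth --require-membership-of="$grp" \
                        --username="$usr" --password="$NTLM_PASSWORD" 2>&1)
        st=$(classify_status "$out")
        if [ "$st" != ok ]; then
            printf 'MISMATCH %s: getent lists %s as a member, ntlm_auth says %s\n' \
                "$grp" "$usr" "$st"
        else
            printf 'OK       %s\n' "$grp"
        fi
    done
}

# Usage: NTLM_PASSWORD=... ./check_groups.sh VM-DOMAIN matt
# With no arguments the script only defines the functions above.
if [ "$#" -eq 2 ] && [ -n "$NTLM_PASSWORD" ]; then
    check_memberships "$1" "$2"
fi
```

Running it for the user in the post would be expected to print OK for "Domain Admins" and "Domain Users" and a MISMATCH line for "TestGroup" (ntlm_auth says denied), which pins down exactly which getent-listed groups ntlm_auth disagrees on without re-typing the command for each one.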