Well, maybe it's not the "best" or the "most elegant" solution - I've never tried to tweak this -, but it works:

- Insert the following lines in your PDC's smb.conf:

      winbind enum groups = yes
      winbind enum users = yes
      winbind trusted domains only = yes
      winbind use default domain = yes
      template homedir = /home/%U
      template shell = /bin/false

- Start Winbind.
- Join the PDC to its own domain (net rpc join)
- Check if it was successful (net rpc testjoin)
- Check if the shared secrets of Winbind are OK (wbinfo -t)
- Test if you can authenticate a user via winbind (wbinfo -a user%password)
- Test if you can use ntlm_auth with the basic schema (ntlm_auth --helper-protocol=squid-2.5-basic)
If all else works, then you can set up your squid.conf to use NTLM and the ntlm_auth helper.

Note: for a reason that is unknown to me, wbinfo -g and wbinfo -u don't work at all. Answers are welcome.

Hope that it helps.

Daniel

> From: Matt Skerritt <[EMAIL PROTECTED]>
> Subject: [Samba] ntlm authentication
> Date: Fri, 1 Dec 2006 15:43:12 +1100
> To: samba@lists.samba.org
>
> Heyho.
>
> I have a NT Domain which is run by my samba server (v3.0.22-r3 on Gentoo Linux). Everything works well, and the backend database is an ldap directory which is also the authentication directory for my 3 odd linux servers. All users have a posix account as well as a samba account, however in most cases the posix account is disabled (homedir is /dev/null, shell is /bin/false and null password), and is only there because samba requires it. As I said - this setup has worked really well for about 2 or 3 years now. I also have a kerberos domain running from a MIT Kerberos server. Passwords are not automatically synced between the two realms - but tickets are automatically gotten at login on the Windows clients (all XP) if the passwords happen to be the same between the samba domain and the kerberos domain - this also works fairly well. Password synchronisation is something I'll look into later and isn't in the scope of this email.
>
> What I am trying to do is to get my squid proxy to start authenticating users so I can keep better track at who's doing what web-wise. Now since the users don't have a posix password, I can't do an ldap lookup for this. Further than this, I'd really like the cache authentication to be done transparently by the browsers. So this leaves me with either NTLM authentication, or negotiated gssapi authentication.
>
> The latter is my preferred method but seems to be out of the question at the moment (unfortunately) because Internet Explorer doesn't see the kerberos tickets gotten by the MIT Kerberos for windows tickets (although Firefox - the default browser on the network does), and because there doesn't seem to be a helper program for squid that does gssapi authentication to a non-microsoft kerberos domain. However, that's a squid problem and not a samba problem, so is not really relevant here apart from background.
>
> So this brings me to NTLM authentication. All the documentation I've found so far is based around the idea that one uses the ntlm_auth program that comes with samba. The ntlm_auth manpage states that winbindd must be running for ntlm_auth to work. And winbindd seems to be used for joining a unix machine to a NT PDC. My problem (or maybe confusion) is that my linux machine *is* my PDC. So it seems that I would need to connect samba to itself, and would potentially have multiple UIDs for the same user - one from their legitimate posix account, and one from the idmap they get for their DOMAIN/user account from winbind.
>
> So is there any way to do ntlm authentication in a way similar to "ntlm_auth --helper-protocol=squid-2.5-ntlmssp" against the samba backend database (instead of going to another PDC). Is there an ntlm_auth option that I missed that lets me do this? Or do I just have to use "net rpc join" to join winbind to the samba domain running on the same machine?
>
> I suppose I could use the code from apache mod_kerberos to write a helper app for the negotiated gssapi case, but I'd like to get something intermediate happening sooner than that. Can somebody help here please? I imagine I'm not the first person with this setup.
>
> --
> Matt Skerritt
> [EMAIL PROTECTED]
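As an added example (not code from Daniel's reply or from the Samba project), here is a small Python checker that parses an smb.conf the way smbd reads it (case- and whitespace-insensitive parameter names, `#`/`;` comments, backslash continuations) and verifies that the `[global]` section carries the six winbind settings listed in the reply, so that `net rpc join`, `net rpc testjoin`, `wbinfo -t`, `wbinfo -a` and the `ntlm_auth` helper test are run against a config that actually matches. It goes slightly beyond the reply in one place: any non-login shell is accepted for `template shell`, not only `/bin/false`, because the point of that setting is that winbind-mapped domain accounts get no interactive shell on the PDC. The two smb.conf texts below are constructed samples and the workgroup name EXAMPLE is a placeholder.

```python
import re

# The four winbind switches from the reply; smbd accepts yes/true/1 for "on".
WINBIND_SWITCHES = (
    "winbind enum groups",
    "winbind enum users",
    "winbind trusted domains only",
    "winbind use default domain",
)
TRUE_VALUES = ("yes", "true", "1")
# Shells that deny an interactive login; the reply uses /bin/false.
NOLOGIN_SHELLS = ("/bin/false", "/sbin/nologin", "/usr/sbin/nologin")


def normalise_key(key):
    """smbd ignores case and internal whitespace in parameter names."""
    return re.sub(r"\s+", " ", key.strip().lower())


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}.

    Handles '#' and ';' comment lines and trailing-backslash line
    continuations, both of which smbd accepts. Parameters that appear
    before the first [section] header are dropped.
    """
    sections = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):            # continuation: join with next line
            pending += stripped[:-1]
            continue
        line = (pending + raw).strip()
        pending = ""
        if not line or line[0] in "#;":
            continue
        match = re.match(r"\[(.+)\]$", line)
        if match:
            current = match.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][normalise_key(key)] = value.strip()
    return sections


def check_winbind_settings(text):
    """Return a list of problems; an empty list means [global] matches the reply."""
    glob = parse_smb_conf(text).get("global", {})
    problems = []
    for key in WINBIND_SWITCHES:
        value = glob.get(key)
        if value is None:
            problems.append("missing: %s = yes" % key)
        elif value.lower() not in TRUE_VALUES:
            problems.append("%s is '%s', expected yes" % (key, value))
    if "template homedir" not in glob:
        problems.append("missing: template homedir = /home/%U")
    shell = glob.get("template shell")
    if shell is None:
        problems.append("missing: template shell = /bin/false")
    elif shell not in NOLOGIN_SHELLS:
        # A real shell here would let every winbind-mapped domain account
        # log in interactively on the PDC.
        problems.append("template shell '%s' allows interactive logins" % shell)
    return problems


# Constructed sample: the reply's lines, with mixed-case keys and a
# continuation line to exercise the parser.
GOOD_CONF = """\
[global]
   workgroup = EXAMPLE
   domain logons = yes
   ; winbind settings from the reply
   Winbind  Enum Groups = yes
   winbind enum users = yes
   winbind trusted domains only = yes
   winbind use default domain = yes
   template homedir = \\
       /home/%U
   template shell = /bin/false

[homes]
   browseable = no
"""

# Constructed sample: one switch missing, one turned off, and a login shell.
BAD_CONF = """\
[global]
   workgroup = EXAMPLE
   winbind enum groups = yes
   winbind trusted domains only = yes
   winbind use default domain = no
   template homedir = /home/%U
   template shell = /bin/bash
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        problems = check_winbind_settings(conf)
        print("%s smb.conf: %s" % (name, "OK" if not problems else "; ".join(problems)))
```

Run it against the real file with `check_winbind_settings(open("/etc/samba/smb.conf").read())` before restarting winbindd; an empty result only means the configuration matches the reply, the join itself is still verified by `net rpc testjoin` and `wbinfo -t` as the steps above describe.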