[Samba] ntlm challenges not working

2009-04-07 Thread robert rottermann
Hi there,

I am trying to have an XP box use NTLM authentication when accessing a samba domain.

In apache I have the following stanza:

AuthName "NTLM Authentication thingy"
NTLMAuth on
NTLMAuthHelper "/opt/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative on
AuthType NTLM
require valid-user


In IE7 on the client I added the apache site to the list of intranet sites so
windows should use ntlm to send its credentials.

Now when I access the apache site, apache issues a challenge and announces it
would accept NTLM.
I checked that using Wireshark; the relevant frame shows the following:

Hypertext Transfer Protocol
HTTP/1.1 401 Authorization Required\r\n
Request Version: HTTP/1.1
Response Code: 401
Date: Tue, 07 Apr 2009 10:53:07 GMT\r\n
Proxy-Authenticate: NTLM\r\n
Proxy-Authenticate: NTLM\r\n
Content-Length: 622
Keep-Alive: timeout=15, max=100\r\n
Connection: Keep-Alive\r\n
Content-Type: text/html; charset=iso-8859-1\r\n
\r\n

However, windows does not answer at all. IE does nothing but issue an
"authorization required" error. Wireshark shows no more traffic.

Can anybody help me to resolve this? (I am really desperate, having worked
through every tutorial I can find.)

robert
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
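The frame quoted above answers a 401 with Proxy-Authenticate, the header that belongs to a 407; browsers only act on WWW-Authenticate for a 401. As an added example (not from the post), this script parses a captured response and reports that mismatch; both responses below are constructed from the frame.

```python
"""Check an HTTP authentication challenge the way a browser evaluates it.

Added example, not part of the mailing-list post. Per RFC 7235 a 401
must carry WWW-Authenticate and a 407 must carry Proxy-Authenticate;
a challenge sent in the other header is ignored by clients.
"""
import base64

# Constructed from the Wireshark frame quoted in the post above:
# a 401 whose only challenge header is Proxy-Authenticate.
RESPONSE_401_PROXY_HEADER = (
    "HTTP/1.1 401 Authorization Required\r\n"
    "Date: Tue, 07 Apr 2009 10:53:07 GMT\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    "Content-Length: 622\r\n"
    "Keep-Alive: timeout=15, max=100\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
)

# Constructed: the same NTLM challenge in the header a 401 requires.
RESPONSE_401_WWW_HEADER = (
    "HTTP/1.1 401 Authorization Required\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Which challenge header belongs to which status code (RFC 7235).
CHALLENGE_HEADER = {401: "www-authenticate", 407: "proxy-authenticate"}


def parse_response(raw):
    """Return (status, [(name, value), ...]); header names are lower-cased."""
    head, _sep, _body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    _version, status, *_reason = status_line.split(" ", 2)
    headers = []
    for line in header_lines:
        name, _colon, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return int(status), headers


def check_challenge(raw):
    """Return findings explaining why a client may not answer; [] means it can."""
    status, headers = parse_response(raw)
    expected = CHALLENGE_HEADER.get(status)
    if expected is None:
        return [f"status {status} is not an authentication challenge"]
    findings = []

    def note(text):
        if text not in findings:  # two identical headers give one finding
            findings.append(text)

    offered = [value for name, value in headers if name == expected]
    if not offered:
        note(f"{status} without {expected}: clients will not respond")
    for name, _value in headers:
        if name in CHALLENGE_HEADER.values() and name != expected:
            note(f"{name} on a {status} response is ignored by clients")
    # Inspect NTLM challenges that carry a token (the type 2 message).
    for value in offered:
        scheme, _sp, token = value.partition(" ")
        if scheme.upper() != "NTLM" or not token:
            continue
        try:
            blob = base64.b64decode(token, validate=True)
        except ValueError:
            note("NTLM token is not valid base64")
            continue
        if not blob.startswith(b"NTLMSSP\x00"):
            note("NTLM token is not an NTLMSSP message")
    return findings
```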


[Samba] can not join linux box to PDC, windows works

2009-04-05 Thread robert rottermann
Hi there,
I try to join a linux box to a bdc.
Attempting to do so produces a failure.

chrissy:~ # net rpc join MEMBER -Uroot%secret -I 10.168.1.2
[2009/04/05 14:35:27,  0] utils/net_rpc_join.c:net_rpc_join_ok(87)
  net_rpc_join_ok: failed to get schannel session key from server 10.168.1.2 for
domain MITELERDE. Error was NT_STATUS_ACCESS_DENIED
Unable to join domain MITELERDE.

when I use a bad password, I get a different error:

chrissy:~ # net rpc join MEMBER -Uroot%secretxx -I 10.168.1.2
Could not connect to server 10.168.1.2
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE


net -V on the client that wants to join prints:
Version 3.2.7-11.2.1-2080-SUSE-CODE11
on the server:
Version 3.2.3

I added the configs of the server and the client.


I would be grateful for pointers on how to fix that.

thanks
robert

-
client that wants to join
-
[global]
workgroup = ROTTI
netbios name = CHRISSY
security = domain
idmap gid = 2-3
idmap uid = 2-3

winbind uid = 2-3
winbind gid = 2-3
winbind use default domain = yes

wins server = 10.168.1.2
password server = 10.168.1.2
idmap backend = rid:ROTTI=2-3

-
server
-
[global]
workgroup = MITELERDE
netbios name = FRODO
passdb backend = tdbsam
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -m %u
add group script = /usr/sbin/groupadd -m %u
delete group script = /usr/sbin/groupadd -m %u
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u

logon script = scripts\logon.bat

logon path = \\%L\Profiles\%U
logon drive = H:
logon home = \\%L\%U
domain logons = Yes
os level = 35
local master = Yes
preferred master = Yes
domain master = Yes
idmap uid = 15000-2
idmap gid = 15000-2
printing = cups
wins support = Yes



[Samba] no SERVER entry in smbclient output

2009-03-29 Thread robert rottermann
hi there,
I try to work through the examples book on samba.org.


now I have a problem.
smbclient -L localhost -U%

generates the following output:
r...@server:~# smbclient -L localhost -U%

Sharename       Type      Comment
---------       ----      -------
IPC$            IPC       IPC Service (Samba 3.2.3)
apps            Disk      Application Files
pidata          Disk      Property Insurance Files
service         Disk      Financial Services Files
accounts        Disk      Accounting Files
profiles        Disk      Profile Share
netlogon        Disk      Network Logon Service

Server               Comment
---------            -------

Workgroup            Master
---------            -------
WORKGROUP            SERVER
as you can see, there is no entry under server.

why?

I would not mind, but I cannot log in:
r...@server:~# smbclient //diamond/accounts -U robert
Enter robert's password:
session setup failed: NT_STATUS_LOGON_FAILURE


my smb.conf file follows

thanks for any pointer
robert

[global]
workgroup = PROMISES
netbios name = DIAMOND
interfaces = eth1, lo
bind interfaces only = Yes
passdb backend = tdbsam
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*Password* %n\n *Re-enter*new*password*%n\n *Password*changed*
username map = /etc/samba/smbusers
unix password sync = Yes
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
smb ports = 139
name resolve order = wins bcast hosts
time server = Yes
printcap name = CUPS
show add printer wizard = No
add user script = /usr/sbin/useradd -m '%u'
delete user script = /usr/sbin/userdel -r '%u'
add group script = /usr/sbin/groupadd '%g'
delete group script = /usr/sbin/groupdel '%g'
add user to group script = /usr/sbin/usermod -G '%g' '%u'
add machine script = /usr/sbin/useradd -s /bin/false -d /tmp '%u'
shutdown script = /var/lib/samba/scripts/shutdown.sh
abort shutdown script = /sbin/shutdown -c
logon script = scripts\logon.bat
logon path = \\%L\profiles\%U
logon drive = X:
logon home = \\%L\%U
domain logons = Yes
preferred master = Yes
wins support = Yes
utmp = Yes
map acl inherit = Yes
printing = cups
cups options = Raw
veto files = /*.eml/*.nws/*.{*}/
veto oplock files = /*.doc/*.xls/*.mdb/

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
[printers]
comment = SMB Print Spool
path = /var/spool/samba
guest ok = Yes
printable = Yes
use client driver = Yes
default devmode = Yes
browseable = No
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = Yes
locking = No
[profiles]
comment = Profile Share
path = /var/lib/samba/profiles
read only = No
profile acls = Yes
[accounts]
comment = Accounting Files
path = /data/accounts
read only = No

[service]
comment = Financial Services Files
path = /data/service
read only = No
[pidata]
comment = Property Insurance Files
path = /data/pidata
read only = No
[apps]
comment = Application Files
path = /apps
read only = Yes
admin users = bjordan



[Samba] confused: when do I have to use \\DOMAIN and when \\ip.address

2009-03-23 Thread robert rottermann
Hi there,

I am (rather desperately, and failingly) trying to build a samba network.

I have a linux box working as pdc. this machine is reachable as haydn.redcor.home
(or just haydn).
its domain name is ROTTI

then I have a suse box as a domain member. I could join it with
net join -U root%XXX -S haydn.redcor.home

now I would like to log into a shell with smbclient
smbclient haydn\\robert -U robert works fine

but
smbclient ROTTI\\robert -U robert
does not. it produces the following error:
Connection to ROTTI failed (Error NT_STATUS_BAD_NETWORK_NAME


my question is now: when do I use the domain \\ROTTI (as I do in windows)
and when do I use \\url?

thanks
robert



[Samba] samba4:login works, but domain not found afterwards

2009-03-22 Thread robert rottermann
Hi there,
I am trying to work through the samba4 tutorial.

What I did so far: downloading samba, and updating it afterwards with git pull.

I did compile and install samba 4, and added the base user database with
./setup/provision.
I can start samba 4 and use smbclient //localhost/test -Uadministrator%XXX
which puts me at the smb: \> prompt.

I did *not* configure the Step 8 (Optional): Configure Server-side DNS
as I could not convince named to work with the suggested
tkey-gssapi-credential "DNS/redcor.home";
tkey-domain "REDCOR.HOME";
entries in options.

on the windows xp I could join the domain REDCOR.HOME and log into the domain as
administrator.
however, logging in is *very* slow (some minutes), and afterwards all
attempts to deal with the domain end in a "domain not found" error.

for instance dsa.msc needs some 30 secs to start with an error: "naming
information can not be located because the domain name does not exist or no
connection could be established"

in the msc console I can browse for a domain, and will get "redcor.home" after a
lengthy period, but can not use it.


what should I do, to find/fix the problem?

thanks
robert


[Samba] wbinfo -t produces NT_STATUS_INVALID_HANDLE

2009-03-09 Thread robert rottermann
hi there,

on my linux box, with samba 3.2.6 wbinfo -t produces the following output:

wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_INVALID_HANDLE (0xc0000008)
Could not check secret

what could be the reason?
globals from my smb.conf are attached

thanks for your help
robert

[global]
workgroup = rotti
security = user
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
domain logons = No
domain master = No
netbios name = chrissy
passdb backend = smbpasswd
;;;
;;; Options for winbind
;;;
winbind uid = 2-3
winbind gid = 2-3
winbind use default domain = yes

log level = 3
idmap gid = 2-3
idmap uid = 2-3
usershare allow guests = No
wins server = 10.168.1.102
password server = 10.168.1.102


Re: [Samba] how to add a linux box into a samba domain

2009-03-09 Thread robert rottermann

robert rottermann schrieb:
> hi there,
> I am trying to set up a test network to learn the interaction of the diverse
> tools in a samba/windows network.
> now it looks as if I do something wrong when adding a linux box into the
> domain.
> 
> I have a samba domain ROTTI.
> It is running on server haydn.redcor.home
> 
> from windows I can log into this domain.
> 
> now I have a linux box I wanto to join to this domain.
> this is its global section:
> [global]
>   workgroup = rotti
>   security = user

I changed that to security=domain

> add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
>   domain logons = No
>   domain master = No
>   netbios name = chrissy
>   passdb backend = smbpasswd
> ;;;
> ;;; Options for winbind
> ;;;
>   winbind uid = 2-3
>   winbind gid = 2-3
>   winbind use default domain = yes
> 
>   log level = 3
>   idmap gid = 2-3
>   idmap uid = 2-3
>   usershare allow guests = No
> 
> now my questions:
> net join produces the message:
> "cannot join as standalone machine"
> why ?
> what do I have to change?
> 
> wbinfo -a robert%secret
> plaintext password authentication failed
> Could not authenticate user robert with plaintext password
> challenge/response password authentication failed
> error code was NT_STATUS_INVALID_HANDLE (0xc0000008)
> error messsage was: Invalid handle
> Could not authenticate user robert with challenge/response
> 
> what do I have to do so that wbinfo authenticates against the domain?
> 
> thanks
> robert
now I get the following:
net join
Unable to find a suitable server
Unable to find a suitable server

and:
wbinfo -a robert%secret
plaintext password authentication failed
Could not authenticate user robert with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error messsage was: No logon servers
Could not authenticate user robert with challenge/response

thanks for your time
robert



[Samba] how to add a linux box into a samba domain

2009-03-09 Thread robert rottermann
hi there,
I am trying to set up a test network to learn the interaction of the diverse tools
in a samba/windows network.
now it looks as if I do something wrong when adding a linux box into the domain.

I have a samba domain ROTTI.
It is running on server haydn.redcor.home

from windows I can log into this domain.

now I have a linux box I wanto to join to this domain.
this is its global section:
[global]
workgroup = rotti
security = user
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
domain logons = No
domain master = No
netbios name = chrissy
passdb backend = smbpasswd
;;;
;;; Options for winbind
;;;
winbind uid = 2-3
winbind gid = 2-3
winbind use default domain = yes

log level = 3
idmap gid = 2-3
idmap uid = 2-3
usershare allow guests = No

now my questions:
net join produces the message:
"cannot join as standalone machine"
why ?
what do I have to change?

wbinfo -a robert%secret
plaintext password authentication failed
Could not authenticate user robert with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_INVALID_HANDLE (0xc0000008)
error messsage was: Invalid handle
Could not authenticate user robert with challenge/response

what do I have to do so that wbinfo authenticates against the domain?

thanks
robert


[Samba] how to use auth_ntlm_winbind?

2009-03-05 Thread robert rottermann
Hi there,

I would like to set up SSO using auth_ntlm_winbind.

I have everything working (as far as I can see).
However, trying to access a site in apache produces an Authorization Required
error, no matter whether I try IE7 or firefox.


/usr/bin/ntlm_auth --username=robert
[2009/03/05 20:04:26,  1] param/loadparm.c:set_server_role(7948)
  Server's Role (logon server) NOT ADVISED with domain-level security
password:
NT_STATUS_OK: Success (0x0)

and in apache I have:


AuthName "NTLM Authentication thingy"
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"
NTLMBasicAuthoritative off
AuthType NTLM
require valid-user


What am I doing wrong?

thanks for your help.

robert


Re: [Samba] user profile is not saved. why?

2009-03-04 Thread robert rottermann
answer to myself:
I do not need roaming profiles, so I disabled them
sorry for the noise
robert
robert rottermann schrieb:
> Hi there,
> 
> I just installed successfully my first sam/ldap network (and feel quite elated
> after some frustrating time  of hacking into lots of new concepts).
> 
> now my first (and only) windows box on the net can happily log into the samba
> domain. I did then configure some software like mozilla and friends, and
> logged out again.
> 
> unfortunately after my login, all my configurations are lost, and I get (like
> with the first login) a message saying that no profile was found.
> 
> what do I have to do so that the profiles are saved?
> do I have to use automount or some such?
> 
> I include my smb.conf
> 
> thanks for your time
> robert
> 
> 
> # smb.conf is the main Samba configuration file. You find a full commented
> # version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
> # samba-doc package is installed.
> # Date: 2009-01-08
> #[global]
> #workgroup = haydn
> #printing = cups
> #printcap name = cups
> #printcap cache time = 750
> #cups options = raw
> #map to guest = Bad User
> #include = /etc/samba/dhcp.conf
> #usershare allow guests = Yes
> #add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
> #domain logons = Yes
> #domain master = Yes
> #local master = Yes
> #os level = 65
> #preferred master = Yes
> #security = user
> 
> [global]
> workgroup = rotti
> printcap name = /etc/printcap
> logon path = \\%N\profile\%U
> logon drive = H:
> domain logons = Yes
> os level = 99
> domain master = Yes
> passdb backend = ldapsam:ldap://haydn.redcor.home
> ldap admin dn = cn=manager,dc=redcor,dc=ch
> ldap group suffix = ou=groups
> ldap machine suffix = ou=hosts
> ldap passwd sync = Yes
> ldap suffix = dc=redcor,dc=ch
> ldap ssl = start tls
> ldap user suffix = ou=users
> cups options = raw
> enable privileges = yes
> domain logons = Yes
> domain master = Yes
> local master = Yes
> preferred master = Yes
> security = user
> 
> [homes]
> comment = Home Directories
> valid users = %S, %D%w%S
> browseable = No
> read only = No
> inherit acls = Yes
> [profiles]
> comment = Network Profiles Service
> path = %H
> read only = No
> store dos attributes = Yes
> create mask = 0600
> directory mask = 0700
> [users]
> comment = All users
> path = /home
> read only = No
> inherit acls = Yes
> veto files = /aquota.user/groups/shares/
> [groups]
> comment = All groups
> path = /home/groups
> read only = No
> inherit acls = Yes
> [printers]
> comment = All Printers
> path = /var/tmp
> printable = Yes
> create mask = 0600
> browseable = No
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/drivers
> write list = @ntadmin root
> force group = ntadmin
> create mask = 0664
> directory mask = 0775
> 
> [netlogon]
> comment = Network Logon Service
> path = /var/lib/samba/netlogon
> write list = root



[Samba] user profile is not saved. why?

2009-03-04 Thread robert rottermann
Hi there,

I just installed successfully my first sam/ldap network (and feel quite elated
after some frustrating time  of hacking into lots of new concepts).

now my first (and only) windows box on the net can happily log into the samba
domain. I did then configure some software like mozilla and friends, and logged
out again.

unfortunately after my login, all my configurations are lost, and I get (like
with the first login) a message saying that no profile was found.

what do I have to do so that the profiles are saved?
do I have to use automount or some such?

I include my smb.conf

thanks for your time
robert


# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
# Date: 2009-01-08
#[global]
#workgroup = haydn
#printing = cups
#printcap name = cups
#printcap cache time = 750
#cups options = raw
#map to guest = Bad User
#include = /etc/samba/dhcp.conf
#usershare allow guests = Yes
#add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
#domain logons = Yes
#domain master = Yes
#local master = Yes
#os level = 65
#preferred master = Yes
#security = user

[global]
workgroup = rotti
printcap name = /etc/printcap
logon path = \\%N\profile\%U
logon drive = H:
domain logons = Yes
os level = 99
domain master = Yes
passdb backend = ldapsam:ldap://haydn.redcor.home
ldap admin dn = cn=manager,dc=redcor,dc=ch
ldap group suffix = ou=groups
ldap machine suffix = ou=hosts
ldap passwd sync = Yes
ldap suffix = dc=redcor,dc=ch
ldap ssl = start tls
ldap user suffix = ou=users
cups options = raw
enable privileges = yes
domain logons = Yes
domain master = Yes
local master = Yes
preferred master = Yes
security = user

[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[profiles]
comment = Network Profiles Service
path = %H
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/
[groups]
comment = All groups
path = /home/groups
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
write list = root


[Samba] problem when PDC machine name equals domain name

2009-03-04 Thread robert rottermann
Hi there,
I am trying to learn samba, ldap and co.

now I installed a test net consisting of three computers

haydn: this is the pdc with haydn.redcor.home (ip 10.168.1.102)
memphis: this is a windows box -> memhis.redcor.home (ip 10.168.1.103)
chrissy: this is a unix box -> chrissy.redcor.home (ip 10.168.1.100)

dns server, ldap-server and samba are all running on haydn.

on haydn samba is running as pdc with a domain name HAYDN.

I could add memphis to the domain. but when I boot windows I get an error "this
name is already used in the network" (or some such, it is in german).

in the windows error log I find an error 4321 stating that the name 'HAYDN  ':0
could not be registered with  ip 10.168.1.102. ip 10.168.1.103 vetoed the use of
this name.


my real problem is: I could join the domain, but when I want to log into the
domain, I get an error stating  that domain haydn could not be found.

Is it not possible that a machine name and the domain name are the same?

thanks for your help

robert



[Samba] samba can not contact the ldap server

2009-02-18 Thread robert rottermann
hi there,
I am working through a tutorial on setting up samba and ldap on a SUSE 11.1 box

everything worked fine so far but now samba cannot contact the ldap server.
all commands trying it issue the following error message.

Failed to issue the StartTLS instruction: Can't contact LDAP server

how can I trace down what causes this?

thanks for your help

I added my slapd.conf and the global parts of the smb.conf


robert


-
[global]
workgroup = redcor
map to guest = Bad User
passdb backend = ldapsam:ldap://haydn.redcor.net/
printcap name = /etc/printcap
logon path = \\%N\profile\%U
logon drive = H:
domain logons = Yes
os level = 99
domain master = Yes
ldap admin dn = cn=manager,dc=redcor,dc=ch
ldap group suffix = ou=groups
ldap machine suffix = ou=hosts
ldap passwd sync = Yes
ldap suffix = dc=redcor,dc=ch
ldap ssl = start tls
ldap user suffix = ou=users
cups options = raw
# By default run with minimal logging.  However, if you need to debug
# 5 is a fairly verbose logging level.
log level = 5
log file = /var/log/samba/log.redcor

-

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
#include /etc/openldap/schema/rfc2307bis.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba3.schema
include /etc/openldap/schema/yast.schema

# Define global ACLs to disable default read access.
include acl.conf
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral   ldap://root.openldap.org

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

# Load dynamic backend modules:
modulepath  /usr/lib/openldap/modules
# moduleload back_ldap.la
# moduleload back_meta.la
# moduleload back_monitor.la
# moduleload back_perl.la

# Sample security restrictions
#   Require integrity protection (prevent hijacking)
#   Require 112-bit (3DES or better) encryption for updates
#   Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#   Root DSE: allow anyone to read it
#   Subschema (sub)entry DSE: allow anyone to read it
#   Other DSEs:
#   Allow self write access to user password
#   Allow anonymous users to authenticate
#   Allow read access to everything else
#   Directives needed to implement policy:
access to dn.base=""
by * read

access to dn.base="cn=Subschema"
by * read

access to attrs=userPassword,userPKCS12
by self write
by * auth

access to attrs=shadowLastChange
by self write
by * read

access to *
by * read

# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

# equivalent to TLS_CACERT
TLSCertificateFile  /etc/ssl/ldapcert.pem
# self-signed certificate
# equivalent to TLS_KEY
TLSCertificateKeyFile   /etc/ssl/ldapkey.pem
# private key
# equivalent to TLS_CERT
TLSCACertificateFile /etc/ssl/demoCA/cacert.pem
# Certificate Authority
# this is equivalent to TLS_REQCERT
#TLSVerifyClient allow
#TLSVerifyClient try
#TLSVerifyClient demand
# policy for client certificates

TLSCipherSuite HIGH:MEDIUM:+SSLv2

###
# BDB database definitions
###

database bdb
suffix  "dc=redcor,dc=ch"
checkpoint 1024 5
cachesize   1
rootdn "cn=Administrator,dc=redcor,dc=ch"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw  blablabla
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory   /var/lib/ldap
# Indices to maintain
index   objectClass eq


[Samba] problems using auth_ntlm_winbind_module

2007-12-10 Thread robert rottermann
Hi there,
I am trying to set up an intranet where I would like to use
auth_ntlm_winbind_module to create an environment where windows users
are automatically logged into the intranet.

winbind seems to work fine.
at least when I issue
wbinfo -i USER I get a correct answer


my problem is, that when I try to access the intranet I get a "The page
cannot be displayed" error from apache.

however, when I remove the ntlm authentication accessing the intranet
works fine.

any pointer where to start to look for a solution would be greatly
appreciated.

robert

this is the virtual host part of apache config

NameVirtualHost *:80

#DocumentRoot /srv/www
ServerAdmin [EMAIL PROTECTED]
ServerName intranettest.zehndergroup.com
CustomLog /var/log/httpd/intranet-access.log combined
ErrorLog  /var/log/httpd/intranet-error.log
LogLevel debug

RewriteLog "/var/log/httpd/rewrite_log"
RewriteLogLevel 2


AuthName "NTLM Authentication thingy"
NTLMAuth on
NTLMAuthHelper "/usr/bin/ntlm_auth \
--helper-protocol=squid-2.5-ntlmssp -d10 -l/root"
NTLMBasicAuthoritative on
AuthType NTLM
require valid-user

LogLevel debug
RewriteEngine On

# Add to virtual host block for testintranet.zehndergroup.com:80
RewriteRule /(.*)/$ http://127.0.0.1:8080/VirtualHostBase/http/intranettest.zehndergroup.com:80/zehnderi/zehnderi/VirtualHostRoot/$1 [L,P]
RewriteRule ^/(.*) http://127.0.0.1:8080/VirtualHostBase/http/intranettest.zehndergroup.com:80/zehnderi/zehnderi/VirtualHostRoot/$1 [L,P]


-

this is what I get from apache's error log:

[2007/12/11 07:10:46, 10] utils/ntlm_auth.c:manage_squid_request(2081)
  Got 'YR TlRMTVNTUAABAAAAB4IAogAAAAAAAAAAAAAAAAAAAAAFAJMIAAAADw==' from squid (length: 59).
[2007/12/11 07:10:46, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(763)
  got NTLMSSP packet:
[2007/12/11 07:10:46, 10] lib/util.c:dump_data(2283)
  [000] 4E 54 4C 4D 53 53 50 00  01 00 00 00 07 82 00 A2  NTLMSSP. ........
  [010] 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
  [020] 05 00 93 08 00 00 00 0F                           ........
[2007/12/11 07:10:46, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0xa2008207
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_NEGOTIATE_OEM
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_56
[2007/12/11 07:10:46, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(773)
  NTLMSSP challenge

-
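The hex dump in the log above is the client's NTLMSSP NEGOTIATE (type 1) message, handed to ntlm_auth as the 'YR ...' helper line. As an added example (not from the thread or from Samba), this script decodes that message: it names the negotiate flags, including the NTLMSSP_NEGOTIATE_VERSION bit the logged Samba build did not print, reads the Version field, and lists protections the client did not ask for. The helper line literal is reconstructed from the dump.

```python
"""Decode the NTLMSSP NEGOTIATE token that ntlm_auth logged above.

Added example, not part of the thread. It parses the 40-byte message from
the dump_data lines in the error log and names its negotiate flags
(MS-NLMP 2.2.2.5).
"""
import base64
import struct

# Bytes copied from the hex dump in the log above.
NEGOTIATE_MSG = bytes.fromhex(
    "4E544C4D53535000"  # "NTLMSSP\0" signature
    "01000000"          # MessageType 1 = NEGOTIATE
    "078200A2"          # NegotiateFlags, little-endian 0xA2008207
    "0000000000000000"  # DomainNameFields (len, maxlen, offset): none
    "0000000000000000"  # WorkstationFields: none
    "050093080000000F"  # Version 5.0 build 2195, NTLMRevisionCurrent 0x0F
)

# The same token as the squid-2.5-ntlmssp helper line, reconstructed from
# the dump (59 characters, matching the logged length).
HELPER_LINE = "YR TlRMTVNTUAABAAAAB4IAogAAAAAAAAAAAAAAAAAAAAAFAJMIAAAADw=="

# Negotiate flag bits from MS-NLMP 2.2.2.5 (the subset relevant here).
NEGOTIATE_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000002: "NTLMSSP_NEGOTIATE_OEM",
    0x00000004: "NTLMSSP_REQUEST_TARGET",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}
KNOWN_MASK = sum(NEGOTIATE_FLAGS)  # bits are disjoint, so sum == OR


def decode_helper_line(line):
    """Return the token bytes from a 'YR <b64>' or 'KK <b64>' helper request."""
    verb, _sp, token = line.strip().partition(" ")
    if verb not in ("YR", "KK"):
        raise ValueError(f"unexpected helper verb {verb!r}")
    return base64.b64decode(token, validate=True)


def _field(msg, offset):
    """Read a (Len, MaxLen, BufferOffset) field and return its payload."""
    length, _max_len, buf_off = struct.unpack_from("<HHI", msg, offset)
    return msg[buf_off:buf_off + length]


def parse_negotiate(msg):
    """Parse a NEGOTIATE_MESSAGE into a dict; raise ValueError if malformed."""
    if len(msg) < 32 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", msg, 8)
    if msg_type != 1:
        raise ValueError(f"expected NEGOTIATE (type 1), got type {msg_type}")
    info = {
        "flags": flags,
        "flag_names": [n for bit, n in sorted(NEGOTIATE_FLAGS.items()) if flags & bit],
        "unknown_bits": flags & ~KNOWN_MASK & 0xFFFFFFFF,
        # Domain and workstation, when supplied, are OEM (single-byte) strings.
        "domain": _field(msg, 16).decode("latin-1"),
        "workstation": _field(msg, 24).decode("latin-1"),
        "version": None,
    }
    if flags & 0x02000000 and len(msg) >= 40:
        major, minor, build, revision = struct.unpack_from("<BBH3xB", msg, 32)
        info["version"] = (major, minor, build, revision)
    return info


def negotiation_findings(info):
    """Defender-side notes on protections the client did not ask for."""
    names = set(info["flag_names"])
    findings = []
    if "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY" not in names:
        findings.append("extended session security not requested")
    if not names & {"NTLMSSP_NEGOTIATE_SIGN", "NTLMSSP_NEGOTIATE_SEAL"}:
        findings.append("neither signing nor sealing requested")
    return findings
```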