[Samba] Re: auth samba+squid+ntlm

2005-01-18 Thread Kevin Kobb
Xavier Callejas wrote:
> Hi.
> I need to use the ntlm_auth module to auth. users so a group can use the
> Internet and others not, using squid. The users that belong to the Internet
> group may use the Internet.
>
> I've been looking for info about this but there is not much info on Google.
> Until now this is the only info that I have found:
> for squid.conf:
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=dominio+Internet
>
> the dominio+internet: I tried dominio\internet,
> dominio\\internet and there is always an error like this:
>
> [2005/01/18 11:58:23, 0] utils/ntlm_auth.c:get_require_membership_sid(237)
>   Winbindd lookupname failed to resolve dominio+Internet into a SID!
>
> so I tried the SID:
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=S-1-5-21-2357639956-1676252757-504000632-2005
>
> and:
> [2005/01/18 11:59:20, 10] utils/ntlm_auth.c:manage_squid_request(1610)
>   Got 'ibcinc+xavier acacadac' from squid (length: 22).
> [2005/01/18 11:59:21, 3] utils/ntlm_auth.c:check_plaintext_auth(292)
>   NT_STATUS_OK: Success (0x0)
> OK
>
> But, even doing this (putting the SID) the users can't be authenticated by the
> server. Squid and the smb PDC are the same box, is this possible???
>
> This is the error from the log when a user runs their web browser and it asks
> for a user/password:

Is your winbind separator = + in the smb.conf file? By the first 
example you gave, I believe it should be.

On my box to get the --require-membership-of=domain.group to work, I 
had to tack on --username=%LOGIN as well. After that, it works like a 
champ.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
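
The separator check asked about in the message above, as an added example that is not part of the original posts: a short Python script that reads the winbind separator from smb.conf text and checks whether the --require-membership-of value on the squid.conf helper line is a SID or a name containing that separator. The sample smb.conf text, the function names and the result labels are constructed for illustration.

```python
import re

# Constructed sample inputs for illustration (not files from the thread).
SMB_CONF = """\
[global]
   workgroup = DOMINIO
   winbind separator = +
"""
HELPER = ("auth_param ntlm program /usr/bin/ntlm_auth "
          "--helper-protocol=squid-2.5-ntlmssp "
          "--require-membership-of=")

SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")

def winbind_separator(smb_conf_text):
    """Return 'winbind separator' from [global]; Samba's default is a backslash."""
    section, sep = None, "\\"
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            if "".join(key.lower().split()) == "winbindseparator":
                sep = value.strip()
    return sep

def membership_value(squid_line):
    """Extract the --require-membership-of value (assumes whitespace-split args)."""
    for token in squid_line.split():
        if token.startswith("--require-membership-of="):
            return token.split("=", 1)[1]
    return None

def check(smb_conf_text, squid_line):
    """Classify the group restriction; the result labels are this example's own."""
    value = membership_value(squid_line)
    if value is None:
        return "no-restriction"
    if SID_RE.match(value):
        return "sid"
    sep = winbind_separator(smb_conf_text)
    return "ok" if sep in value else "separator-not-in-name"
```

A result of "separator-not-in-name" only says the name lacks the configured separator; whether winbindd can resolve the group still has to be confirmed on the server itself.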


Re: [Samba] Re: auth samba+squid+ntlm

2005-01-18 Thread Andrew Bartlett
On Tue, 2005-01-18 at 15:20 -0500, Kevin Kobb wrote:

> On my box to get the --require-membership-of=domain.group to work, I
> had to tack on --username=%LOGIN as well. After that, it works like a
> champ.

I'm really not sure what you are doing there, but I can't see how
--username=%LOGON does anything...

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net



[Samba] Re: auth samba+squid+ntlm

2005-01-18 Thread Kevin Kobb
Andrew Bartlett wrote:
> On Tue, 2005-01-18 at 15:20 -0500, Kevin Kobb wrote:
>
> > On my box to get the --require-membership-of=domain.group to work, I
> > had to tack on --username=%LOGIN as well. After that, it works like a
> > champ.
>
> I'm really not sure what you are doing there, but I can't see how
> --username=%LOGON does anything...
> Andrew Bartlett

Well silly me. I swear at one time without this I couldn't get squid to 
work by AD group membership. However, I took it out and can indeed still 
get out with squid.

I have updated my OS and Samba since I set this config up many months 
ago, so maybe it was a problem, or perhaps I was just being foolish, 
which is probably much more likely ;-)
