Hi.

I need to use the ntlm_auth module to authenticate users so that one group can use the Internet and others cannot, using squid. The users that belong to the "Internet" group may use the Internet.

I've been looking for information about this, but there is not much information on Google.

Until now this is the only information that I have found, for squid.conf:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="dominio+Internet"

About the "dominio+Internet": I tried "dominio\internet" and "dominio\\internet", and there is always an error like this:

[2005/01/18 11:58:23, 0] utils/ntlm_auth.c:get_require_membership_sid(237)
Winbindd lookupname failed to resolve dominio+Internet into a SID!

So I tried the SID:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=S-1-5-21-2357639956-1676252757-504000632-2005

and:

[2005/01/18 11:59:20, 10] utils/ntlm_auth.c:manage_squid_request(1610)
Got 'ibcinc+xavier acacadac' from squid (length: 22).
[2005/01/18 11:59:21, 3] utils/ntlm_auth.c:check_plaintext_auth(292)
NT_STATUS_OK: Success (0x0)
OK

But even doing this (putting the SID), the users can't be authenticated by the server. Squid and the smb PDC are the same box; is this possible???
This is the error from the log when a user runs their web browser and it asks for a user/password:

Jan 18 12:12:16 brain kernel: audit(1106071936.271:0): avc: denied { getattr } for pid=17126 exe=/usr/bin/ntlm_auth path=/var/run/winbindd/pipe dev=hda7 ino=108681 scontext=root:system_r:squid_t tcontext=root:object_r:var_run_t tclass=sock_file

These are the permissions on /var/cache/samba:

-rw------- 1 root root   8192 ene 13 00:02 account_policy.tdb
-rw-r--r-- 1 root root   8192 ene 17 08:52 brlock.tdb
-rw-r--r-- 1 root root    695 ene 18 12:13 browse.dat
-rw-r--r-- 1 root root  16384 ene 14 08:00 connections.tdb
-rw-r--r-- 1 root root   8192 ene 13 00:10 gencache.tdb
-rw------- 1 root root   8192 ene 13 00:02 group_mapping.tdb
-rw-r--r-- 1 root root  16384 ene 17 08:52 locking.tdb
-rw------- 1 root root  16384 ene 14 08:56 messages.tdb
-rw-r--r-- 1 root root  11438 ene 16 04:02 namelist.debug
-rw------- 1 root root   8192 ene 13 03:50 netsamlogon_cache.tdb
-rw------- 1 root root   8192 ene 13 00:02 ntdrivers.tdb
-rw------- 1 root root    696 ene 13 00:02 ntforms.tdb
-rw------- 1 root root   8192 ene 13 00:02 ntprinters.tdb
drwxr-xr-x 2 root root   4096 ene 13 00:02 printing
-rw------- 1 root root   8192 ene 13 00:02 registry.tdb
-rw-r--r-- 1 root root  24576 ene 14 08:00 sessionid.tdb
-rw------- 1 root root   8192 ene 13 00:02 share_info.tdb
-rw-r--r-- 1 root root   8192 ene 13 19:08 unexpected.tdb
-rw------- 1 root root  20172 ene 14 14:15 winbindd_cache.tdb
-rw-r--r-- 1 root root   8192 ene 13 00:21 winbindd_idmap.tdb
drwxr-x--- 2 root squid  4096 ene 14 14:15 winbindd_privileged
-rw-r--r-- 1 root root   1523 ene 18 12:12 wins.dat

What can I do???

Thanks!

--
Xavier Callejas

E-Mail + MSN: xcallejas at ibcinc.com.sv
ICQ: 33336224
------------------------------------------
Open your Mind, use Open Source.
Xavier Callejas wrote:
> Hi.
>
> I need to use the ntlm_auth module to authenticate users so that one group can use the Internet
> and others cannot, using squid. The users that belong to the "Internet" group may use
> the Internet.
>
> I've been looking for information about this, but there is not much information on Google.
>
> Until now this is the only information that I have found:
>
> for squid.conf:
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> --require-membership-of="dominio+Internet"
>
> About the "dominio+Internet": I tried "dominio\internet" and
> "dominio\\internet", and there is always an error like this:
>
> [2005/01/18 11:58:23, 0] utils/ntlm_auth.c:get_require_membership_sid(237)
> Winbindd lookupname failed to resolve dominio+Internet into a SID!
>
> So I tried the SID:
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> --require-membership-of=S-1-5-21-2357639956-1676252757-504000632-2005
>
> and:
>
> [2005/01/18 11:59:20, 10] utils/ntlm_auth.c:manage_squid_request(1610)
> Got 'ibcinc+xavier acacadac' from squid (length: 22).
> [2005/01/18 11:59:21, 3] utils/ntlm_auth.c:check_plaintext_auth(292)
> NT_STATUS_OK: Success (0x0)
> OK
>
> But even doing this (putting the SID), the users can't be authenticated by the
> server. Squid and the smb PDC are the same box; is this possible???
>
> This is the error from the log when a user runs their web browser and it asks for a
> user/password:
>

Is your "winbind separator = +" in the smb.conf file? By the first example you gave, I believe it should be.

On my box, to get "--require-membership-of=domain.group" to work, I had to tack on "--username=%LOGIN" as well. After that, it works like a champ.
On Tue 18 Jan 2005 12:09, Xavier Callejas wrote:

I'm answering myself: the problem turned out to be that I didn't realize I was running SELinux on my FC3; it was blocking access to the /var mounted partition.

But I still have the problem with wbinfo -u: since Fedora Core 2, I can't see a list of users with that command. Please help me.

> Hi.
>
> I need to use the ntlm_auth module to authenticate users so that one group can use the
> Internet and others cannot, using squid. The users that belong to the "Internet"
> group may use the Internet.
>
> I've been looking for information about this, but there is not much information on
> Google.
>
> Until now this is the only information that I have found:
>
> for squid.conf:
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> --require-membership-of="dominio+Internet"
>
> About the "dominio+Internet": I tried "dominio\internet" and
> "dominio\\internet", and there is always an error like this:
>
> [2005/01/18 11:58:23, 0] utils/ntlm_auth.c:get_require_membership_sid(237)
> Winbindd lookupname failed to resolve dominio+Internet into a SID!
>
> So I tried the SID:
>
> auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> --require-membership-of=S-1-5-21-2357639956-1676252757-504000632-2005
>
> and:
>
> [2005/01/18 11:59:20, 10] utils/ntlm_auth.c:manage_squid_request(1610)
> Got 'ibcinc+xavier acacadac' from squid (length: 22).
> [2005/01/18 11:59:21, 3] utils/ntlm_auth.c:check_plaintext_auth(292)
> NT_STATUS_OK: Success (0x0)
> OK
>
> But even doing this (putting the SID), the users can't be authenticated by
> the server. Squid and the smb PDC are the same box; is this possible???
>
> This is the error from the log when a user runs their web browser and it asks for a
> user/password:
>
> Jan 18 12:12:16 brain kernel: audit(1106071936.271:0): avc: denied
> { getattr } for pid=17126 exe=/usr/bin/ntlm_auth
> path=/var/run/winbindd/pipe dev=hda7 ino=108681
> scontext=root:system_r:squid_t
> tcontext=root:object_r:var_run_t tclass=sock_file
>
> These are the permissions on /var/cache/samba:
> -rw------- 1 root root   8192 ene 13 00:02 account_policy.tdb
> -rw-r--r-- 1 root root   8192 ene 17 08:52 brlock.tdb
> -rw-r--r-- 1 root root    695 ene 18 12:13 browse.dat
> -rw-r--r-- 1 root root  16384 ene 14 08:00 connections.tdb
> -rw-r--r-- 1 root root   8192 ene 13 00:10 gencache.tdb
> -rw------- 1 root root   8192 ene 13 00:02 group_mapping.tdb
> -rw-r--r-- 1 root root  16384 ene 17 08:52 locking.tdb
> -rw------- 1 root root  16384 ene 14 08:56 messages.tdb
> -rw-r--r-- 1 root root  11438 ene 16 04:02 namelist.debug
> -rw------- 1 root root   8192 ene 13 03:50 netsamlogon_cache.tdb
> -rw------- 1 root root   8192 ene 13 00:02 ntdrivers.tdb
> -rw------- 1 root root    696 ene 13 00:02 ntforms.tdb
> -rw------- 1 root root   8192 ene 13 00:02 ntprinters.tdb
> drwxr-xr-x 2 root root   4096 ene 13 00:02 printing
> -rw------- 1 root root   8192 ene 13 00:02 registry.tdb
> -rw-r--r-- 1 root root  24576 ene 14 08:00 sessionid.tdb
> -rw------- 1 root root   8192 ene 13 00:02 share_info.tdb
> -rw-r--r-- 1 root root   8192 ene 13 19:08 unexpected.tdb
> -rw------- 1 root root  20172 ene 14 14:15 winbindd_cache.tdb
> -rw-r--r-- 1 root root   8192 ene 13 00:21 winbindd_idmap.tdb
> drwxr-x--- 2 root squid  4096 ene 14 14:15 winbindd_privileged
> -rw-r--r-- 1 root root   1523 ene 18 12:12 wins.dat
>
> What can I do???
>
> Thanks!
>
> --
> Xavier Callejas
>
> E-Mail + MSN: xcallejas at ibcinc.com.sv
> ICQ: 33336224
> ------------------------------------------
> Open your Mind, use Open Source.

--
Xavier Callejas
IT Manager
International Bonded Couriers
El Salvador

E-Mail + MSN: xcallejas at ibcinc.com.sv
ICQ: 33336224
------------------------------------------
Open your Mind, use Open Source.
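The lesson of the thread is that the DAC permissions on /var/cache/samba were never the problem; the kernel audit line (scontext squid_t, tcontext var_run_t, tclass sock_file) says SELinux refused ntlm_auth access to winbindd's pipe. As an added example (not from the thread or from Samba), here is a small Python triage script that parses AVC denial lines of that shape and flags the squid_t to /var/run/winbindd case; the log lines are constructed, modelled on the one Xavier posted.

```python
import re

# Constructed sample log, modelled on the audit line quoted in the thread;
# the second and fourth lines are invented to exercise the filter.
SAMPLE_LOG = """\
Jan 18 12:12:16 brain kernel: audit(1106071936.271:0): avc: denied { getattr } for pid=17126 exe=/usr/bin/ntlm_auth path=/var/run/winbindd/pipe dev=hda7 ino=108681 scontext=root:system_r:squid_t tcontext=root:object_r:var_run_t tclass=sock_file
Jan 18 12:12:17 brain kernel: audit(1106071937.100:0): avc: denied { connectto } for pid=17126 exe=/usr/bin/ntlm_auth path=/var/run/winbindd/pipe scontext=root:system_r:squid_t tcontext=root:system_r:winbind_t tclass=unix_stream_socket
Jan 18 12:13:01 brain sshd[1234]: Accepted publickey for admin from 10.0.0.5 port 5000 ssh2
Jan 18 12:14:00 brain kernel: audit(1106072040.000:0): avc: denied { read } for pid=2000 exe=/usr/sbin/httpd path=/var/www/html/index.html dev=hda7 ino=1 scontext=root:system_r:httpd_t tcontext=root:object_r:var_t tclass=file
"""

# Shape of the kernel message: "avc: denied { perm ... } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return a dict of the AVC fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:level]; policy rules are written against the type.
    for key in ("scontext", "tcontext"):
        if key in rec:
            rec[key + "_type"] = rec[key].split(":")[2]
    return rec


def is_winbind_pipe_denial(rec):
    """True when a process in squid_t was refused access under winbindd's socket directory."""
    return (rec.get("scontext_type") == "squid_t"
            and rec.get("path", "").startswith("/var/run/winbindd/"))


def triage(log_text):
    """Collect (exe, path, tclass, perms) for every squid -> winbindd denial in the log."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and is_winbind_pipe_denial(rec):
            hits.append((rec["exe"], rec["path"], rec["tclass"], rec["perms"]))
    return hits


if __name__ == "__main__":
    for exe, path, tclass, perms in triage(SAMPLE_LOG):
        print(f"SELinux blocked {exe} -> {path} ({tclass}: {' '.join(perms)}); "
              "fix the squid/winbind policy rather than loosening file modes")
```

Run against a real /var/log/messages or audit.log instead of SAMPLE_LOG, a hit here tells you the proxy is blocked by policy and that chmod on the .tdb files will not help.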