Matt Doran
2004-Sep-07 13:08 UTC
[Samba] Problems with 'ntlm_auth --require-membership-of' using Samba 3.0.6
Hi there,

I'm trying to configure Squid to use a windows domain for authentication, and all goes well until I add the "--require-membership-of" option on ntlm_auth. I need to restrict access based on group membership, however ntlm_auth does not seem to be behaving correctly. I'm using Samba 3.0.6 on Debian and I'm using a Windows 2000 (SP4) Domain Controller. I configured winbind as discussed here: http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5

ntlm_auth seems to report the membership of some groups correctly, but incorrectly for others. Checking the group membership using getent shows that the user "matt" belongs to the "Domain Admins", "Domain Users" and "TestGroup" groups.

  ~$ getent group -s winbind | grep matt
  VM-DOMAIN\Domain Admins:x:10002:VM-DOMAIN\Administrator,VM-DOMAIN\matt
  VM-DOMAIN\Domain Users:x:10000:VM-DOMAIN\Administrator, <snip....>, VM-DOMAIN\matt
  VM-DOMAIN\TestGroup:x:10022:VM-DOMAIN\Administrator,VM-DOMAIN\matt

Then using ntlm_auth to check for membership of the "Domain Users" or "Domain Admins" groups works as expected.

  ~$ ntlm_auth --require-membership-of='VM-DOMAIN\Domain Users' --username=matt --password=XXXX
  NT_STATUS_OK: Success (0x0)

  ~$ ntlm_auth --require-membership-of='VM-DOMAIN\Domain Admins' --username=matt --password=XXXX
  NT_STATUS_OK: Success (0x0)

But when I check for membership of the "TestGroup" (which is a Global group just like Domain Admins) it fails:

  ~$ ntlm_auth --require-membership-of='VM-DOMAIN\TestGroup' --username=matt --password=XXXX
  NT_STATUS_LOGON_FAILURE: Logon failure (0xc000006d)

So the getent output above shows that "matt" is a member of the "TestGroup" group, but ntlm_auth seems to produce the incorrect output.

It appears to know that the group and user exist and the password is valid, because varying these params gives different error messages:

  ~$ ntlm_auth --require-membership-of='VM-DOMAIN\TestGroup2' --username=matt --password=XXXX
  [2004/09/07 22:48:18, 0] utils/ntlm_auth.c:get_require_membership_sid(237)
    Winbindd lookupname failed to resolve VM-DOMAIN\TestGroup2 into a SID!

  ~$ ntlm_auth --require-membership-of='VM-DOMAIN\TestGroup' --username=matt2 --password=XXXX
  NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)

  ~$ ntlm_auth --require-membership-of='VM-DOMAIN\TestGroup' --username=matt --password=WRONG_PWD
  NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)

Now for the really weird part. If I test to see if the "Administrator" user belongs to this group (which it does ... see the getent output above) then it succeeds:

  ~$ ntlm_auth --require-membership-of='VM-DOMAIN\TestGroup' --username=Administrator --password=password
  NT_STATUS_OK: Success (0x0)

The logs don't produce anything that looks relevant. I'm stumped. I've tried many different things, but I can't figure out the pattern as to why these are failing. Something to do with user-defined groups/users. Could there be something wrong or missing from the windows user/group setup? The domain controller is a clean install of W2K SP4, which was then activated as a domain controller.

Any ideas would be greatly appreciated!

Regards,
-- 
Matt Doran
PaperCut Software Pty. Ltd.
Web: http://www.papercut.biz
Blog: http://blogs.papercutsoftware.com/matt.doran/
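The cross-check Matt ran by hand (getent says the user is in a group, then ask ntlm_auth to require that group) is worth automating, because the discrepancy only shows up for some groups and some users. The script below is an added example, not code from the thread or from Samba: it parses group(5)-style lines as winbind emits them, strips the DOMAIN\ prefix on both sides of the comparison so "matt" and "VM-DOMAIN\matt" match, and then asks ntlm_auth about every group getent attributes to the user. The embedded getent sample is constructed from the thread's report; it assumes "\" as the winbind separator and that ntlm_auth exits non-zero when it refuses the logon.

```shell
#!/bin/sh
# Added example (not from the thread, not Samba's own code): cross-check the
# group membership winbind reports through getent against what
# "ntlm_auth --require-membership-of" actually enforces, one group at a time.
# Assumptions: winbind uses "\" as the domain separator (as in the thread's
# getent output) and ntlm_auth exits non-zero when the logon is refused.

# Constructed sample of "getent group -s winbind" output, modelled on the
# thread's report; used when the script is run without arguments.
SAMPLE_GETENT='VM-DOMAIN\Domain Admins:x:10002:VM-DOMAIN\Administrator,VM-DOMAIN\matt
VM-DOMAIN\Domain Users:x:10000:VM-DOMAIN\Administrator,VM-DOMAIN\matt
VM-DOMAIN\TestGroup:x:10022:VM-DOMAIN\Administrator,VM-DOMAIN\matt
VM-DOMAIN\Unrelated:x:10030:VM-DOMAIN\Administrator'
GROUP_DB=$SAMPLE_GETENT

# groups_of USER: read group(5)-style lines on stdin and print the name of
# every group whose member list contains USER. The domain prefix is ignored
# on both sides, so "matt" and "VM-DOMAIN\matt" are treated alike. The user
# is passed through the environment because "awk -v" would mangle the
# backslash in a DOMAIN\user name.
groups_of() {
    U="$1" awk -F: '
        BEGIN { u = ENVIRON["U"]; sub(/^.*\\/, "", u) }
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) {
                x = m[i]; sub(/^.*\\/, "", x)
                if (x == u) { print $1; break }
            }
        }'
}

# ntlm_auth_member GROUP USER PASSWORD: 0 if ntlm_auth accepts the logon when
# membership of GROUP is required, 1 otherwise. NTLM_AUTH lets a test double
# or a non-standard install point at a different binary.
ntlm_auth_member() {
    "${NTLM_AUTH:-ntlm_auth}" --require-membership-of="$1" \
        --username="$2" --password="$3" >/dev/null 2>&1
}

# compare USER PASSWORD: for each group GROUP_DB says USER belongs to, ask
# ntlm_auth the same question and report agreement. Returns the number of
# groups on which getent and ntlm_auth disagree (0 means the views match).
compare() {
    user=$1; pw=$2; bad=0
    while IFS= read -r g; do
        [ -n "$g" ] || continue
        if ntlm_auth_member "$g" "$user" "$pw"; then
            printf 'OK        %s\n' "$g"
        else
            printf 'MISMATCH  %s (getent lists %s, ntlm_auth refuses)\n' "$g" "$user"
            bad=$((bad + 1))
        fi
    done <<EOF
$(printf '%s\n' "$GROUP_DB" | groups_of "$user")
EOF
    return "$bad"
}

# Usage: sh check_membership.sh USER PASSWORD  -> runs against the live
# winbind/ntlm_auth; the exit status is the number of disagreeing groups.
if [ $# -eq 2 ]; then
    GROUP_DB=$(getent group -s winbind)
    compare "$1" "$2"
fi
```

Run against the thread's setup this prints OK for Domain Users and Domain Admins and MISMATCH for TestGroup, and exits 1, which makes it a handy regression check after upgrading Samba. Two practical notes: the password goes on the command line, so run this from a scratch shell with history disabled rather than from a cron job; and ntlm_auth also accepts the group's SID in place of its name for --require-membership-of (resolve it with wbinfo -n 'VM-DOMAIN\TestGroup'), which takes name resolution and the winbind separator out of the picture when narrowing down a failure like this one.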
Andrew Bartlett
2004-Sep-08 13:15 UTC
[Samba] Problems with 'ntlm_auth --require-membership-of' using Samba 3.0.6
On Tue, 2004-09-07 at 23:08, Matt Doran wrote:
> Hi there,
>
> I'm trying to configure Squid to use a windows domain for
> authentication, and all goes well until I add the
> "--require-membership-of" option on ntlm_auth. I need to restrict
> access based on group membership, however ntlm_auth does not seem to be
> behaving correctly. I'm using Samba 3.0.6 on Debian and I'm using a
> Windows 2000 (SP4) Domain Controller. I configured winbind as discussed
> here: http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5
>
> ntlm_auth seems to report the membership of some groups correctly, but
> incorrectly for others.

You are actually lucky it didn't segfault. There are a number of logic bugs, the fixes for which I think didn't make 3.0.6. Try current SVN, but I suspect we might need some extra code to correctly pick up the universal groups. (We know how to do it, so it's a simple matter of programming - bug #1562.)

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@samba.org
Authentication Developer, Samba Team            http://samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net