Matt Doran
2004-Sep-07 13:08 UTC
[Samba] Problems with 'ntlm_auth --require-membership-of' using Samba 3.0.6
Hi there,
I'm trying to configure Squid to use a windows domain for
authentication, and all goes well until I add the
"--require-membership-of" option on ntlm_auth. I need to restrict
access based on group membership, however ntlm_auth does not seem to be
behaving correctly. I'm using Samba 3.0.6 on Debian and I'm using a
Windows 2000 (SP4) Domain Controller. I configured winbind as discussed
here: http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5
ntlm_auth seems to report the membership of some groups correctly, but
incorrectly for others.
Checking the group membership using getent, shows that the user "matt"
belongs to the "Domain Admins", "Domain Users" and
"TestGroup" groups.
~$ getent group -s winbind | grep matt
VM-DOMAIN\Domain Admins:x:10002:VM-DOMAIN\Administrator,VM-DOMAIN\matt
VM-DOMAIN\Domain Users:x:10000:VM-DOMAIN\Administrator, <snip....>,
VM-DOMAIN\matt
VM-DOMAIN\TestGroup:x:10022:VM-DOMAIN\Administrator,VM-DOMAIN\matt
Then using ntlm_auth to check for membership to the "Domain Users" or
"Domain Admins" groups works as expected.
~$ ntlm_auth --require-membership-of='VM-DOMAIN\Domain Users'
--username=matt --password=XXXX
NT_STATUS_OK: Success (0x0)
~$ ntlm_auth --require-membership-of='VM-DOMAIN\Domain Admins'
--username=matt --password=XXXX
NT_STATUS_OK: Success (0x0)
But when I check for membership of the "TestGroup" (which is a Global
group just like Domain Admins) it fails:
~$ ntlm_auth --require-membership-of='VM-DOMAIN\TestGroup'
--username=matt --password=XXXX
NT_STATUS_LOGON_FAILURE: Logon failure (0xc000006d)
So the getent output above, shows that "matt" is a member of the
"TestGroup" group, but ntlm_auth seems to produce the incorrect
output.
It appears to know that the group and user exists and the password is
valid because varying these params gives different error messages:
~$ ntlm_auth --require-membership-of='VM-DOMAIN\TestGroup2'
--username=matt --password=XXXX
[2004/09/07 22:48:18, 0]
utils/ntlm_auth.c:get_require_membership_sid(237)
Winbindd lookupname failed to resolve VM-DOMAIN\TestGroup2 into a SID!
~$ ntlm_auth --require-membership-of='VM-DOMAIN\TestGroup'
--username=matt2 --password=XXXX
NT_STATUS_NO_SUCH_USER: No such user (0xc0000064)
~$ ntlm_auth --require-membership-of='VM-DOMAIN\TestGroup'
--username=matt --password=WRONG_PWD
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Now for the really weird part. If I test to see if the
"Administrator"
user belongs to this group (which it does ... see the getent output
above) then it succeeds:
~$ ntlm_auth --require-membership-of='VM-DOMAIN\TestGroup'
--username=Administrator --password=password
NT_STATUS_OK: Success (0x0)
The logs don't produce anything that looks relevant. I'm stumped.
I've
tried many different things, but I can't figure out the pattern as to
why these are failing. Something to do with user defined
groups/users. Could there be something wrong missing from the windows
user/group setup? The domain controller is a clean install of W2K
SP4, which was then activated as a domain controller.
Any ideas would be greatly appreciated!
Regards,
--
Matt Doran
PaperCut Software Pty. Ltd.
Web: http://www.papercut.biz
Blog: http://blogs.papercutsoftware.com/matt.doran/
Andrew Bartlett
2004-Sep-08 13:15 UTC
[Samba] Problems with 'ntlm_auth --require-membership-of' using Samba 3.0.6
On Tue, 2004-09-07 at 23:08, Matt Doran wrote:> Hi there, > > I'm trying to configure Squid to use a windows domain for > authentication, and all goes well until I add the > "--require-membership-of" option on ntlm_auth. I need to restrict > access based on group membership, however ntlm_auth does not seem to be > behaving correctly. I'm using Samba 3.0.6 on Debian and I'm using a > Windows 2000 (SP4) Domain Controller. I configured winbind as discussed > here: http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5 > > ntlm_auth seems to report the membership of some groups correctly, but > incorrectly for others.You are actually lucky it didn't segfault. There are a number of logic bugs, the fixes for which I think didn't make 3.0.6. Try current SVN, but I suspect we might need some extra code to correctly pick up the universal groups. (We know how to do it, so it's a simple matter of programming - bug #1562.) Andrew Bartlett -- Andrew Bartlett abartlet@samba.org Authentication Developer, Samba Team http://samba.org Student Network Administrator, Hawker College abartlet@hawkerc.net -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part Url : http://lists.samba.org/archive/samba/attachments/20040908/225e937f/attachment.bin
Maybe Matching Threads
- samba 3.4 and 3.5 bug or misconfig: why is idmap uid and idmap gid needed for an AD only idmap config?
- Using group membership to access a symlink directory
- Re: Request for sample qmailGroup ldif: LDAP attribute is not given b ut mandatory. (#5.3.5) error
- file permissions with inherit permission + ACL's
- group membership inconsistency on AD domain member