Well, maybe it's not the "best" or the "most elegant" solution - I've never tried to tweak this - but it works:

- Insert the following lines in your PDC's smb.conf:

    winbind enum groups = yes
    winbind enum users = yes
    winbind trusted domains only = yes
    winbind use default domain = yes
    template homedir = /home/%U
    template shell = /bin/false

- Start Winbind.
- Join the PDC to its own domain (net rpc join).
- Check if it was successful (net rpc testjoin).
- Check if the shared secrets of Winbind are OK (wbinfo -t).
- Test if you can authenticate a user via winbind (wbinfo -a user%password).
- Test if you can use ntlm_auth with the basic scheme (ntlm_auth --helper-protocol=squid-2.5-basic).

If all else works, then you can set up your squid.conf to use NTLM and the ntlm_auth helper.

Note: for a reason unknown to me, wbinfo -g and wbinfo -u don't work at all. Answers are welcome.

Hope that it helps.
Daniel
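The check sequence above, as an added example that is not part of Daniel's reply or of Samba: a POSIX shell script that runs the steps in order, stops at the first failure, and interprets the reply of the squid-2.5-basic helper. It assumes net, wbinfo and ntlm_auth are on PATH and that the user and password passed in are test credentials of your own.

```shell
#!/bin/sh
# Added example (not from the thread): verify a PDC's winbind setup for
# squid's ntlm_auth helper, following the steps in the reply above.

# Interpret one reply line from "ntlm_auth --helper-protocol=squid-2.5-basic".
# OK means the user/password pair was accepted and ERR means it was rejected;
# BH is Squid's "broken helper" reply (winbind unreachable), handled in case
# a newer helper emits it. Anything else is a protocol problem worth logging.
helper_reply_status() {
    case "$1" in
        OK*)  echo pass ;;
        ERR*) echo denied ;;
        BH*)  echo broken ;;
        *)    echo unknown ;;
    esac
}

# Run one verification command; report it and return non-zero on failure.
step() {
    label=$1; shift
    if "$@" >/dev/null 2>&1; then
        echo "ok   $label"
    else
        echo "FAIL $label"; return 1
    fi
}

# Run the checks in the order the reply gives them, stopping at the first
# failure so the broken stage is obvious. $1 is the test user, $2 its password
# (constructed test credentials; "user%password" shows up in the process list,
# so use a throwaway account, or run "wbinfo -a user" interactively instead).
verify_winbind_for_squid() {
    user=$1; password=$2
    step "net rpc testjoin (PDC is joined to its own domain)" net rpc testjoin || return 1
    step "wbinfo -t (winbind's shared secret is OK)" wbinfo -t || return 1
    step "wbinfo -a (winbind can authenticate $user)" wbinfo -a "$user%$password" || return 1
    # The basic helper reads "user password" lines on stdin and answers one line each.
    reply=$(printf '%s %s\n' "$user" "$password" \
        | ntlm_auth --helper-protocol=squid-2.5-basic | head -n 1)
    status=$(helper_reply_status "$reply")
    echo "ntlm_auth basic helper replied: ${reply:-<empty>} ($status)"
    [ "$status" = pass ]
}

# Example call: verify_winbind_for_squid testuser 'constructed-password'
```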
> From: Matt Skerritt <matt.skerritt@agrav.net>
> Subject: [Samba] ntlm authentication
> Date: Fri, 1 Dec 2006 15:43:12 +1100
> To: samba@lists.samba.org
>
> Heyho.
>
> I have an NT Domain which is run by my samba server (v3.0.22-r3 on Gentoo Linux). Everything works well, and the backend database is an ldap directory which is also the authentication directory for my 3 odd linux servers. All users have a posix account as well as a samba account, however in most cases the posix account is disabled (homedir is /dev/null, shell is /bin/false and null password), and is only there because samba requires it. As I said - this setup has worked really well for about 2 or 3 years now. I also have a kerberos domain running from a MIT Kerberos server. Passwords are not automatically synced between the two realms - but tickets are automatically gotten at login on the Windows clients (all XP) if the passwords happen to be the same between the samba domain and the kerberos domain - this also works fairly well. Password synchronisation is something I'll look into later and isn't in the scope of this email.
>
> What I am trying to do is to get my squid proxy to start authenticating users so I can keep better track of who's doing what web-wise. Now since the users don't have a posix password, I can't do an ldap lookup for this. Further than this, I'd really like the cache authentication to be done transparently by the browsers. So this leaves me with either NTLM authentication, or negotiated gssapi authentication. The latter is my preferred method but seems to be out of the question at the moment (unfortunately) because Internet Explorer doesn't see the kerberos tickets gotten by the MIT Kerberos for Windows tickets (although Firefox - the default browser on the network - does), and because there doesn't seem to be a helper program for squid that does gssapi authentication to a non-microsoft kerberos domain. However, that's a squid problem and not a samba problem, so is not really relevant here apart from background.
>
> So this brings me to NTLM authentication. All the documentation I've found so far is based around the idea that one uses the ntlm_auth program that comes with samba. The ntlm_auth manpage states that winbindd must be running for ntlm_auth to work. And winbindd seems to be used for joining a unix machine to a NT PDC. My problem (or maybe confusion) is that my linux machine *is* my PDC. So it seems that I would need to connect samba to itself, and would potentially have multiple UIDs for the same user - one from their legitimate posix account, and one from the idmap they get for their DOMAIN/user account from winbind.
>
> So is there any way to do ntlm authentication in a way similar to "ntlm_auth --helper-protocol=squid-2.5-ntlmssp" against the samba backend database (instead of going to another PDC)? Is there an ntlm_auth option that I missed that lets me do this? Or do I just have to use "net rpc join" to join winbind to the samba domain running on the same machine?
>
> I suppose I could use the code from apache mod_kerberos to write a helper app for the negotiated gssapi case, but I'd like to get something intermediate happening sooner than that. Can somebody help here please? I imagine I'm not the first person with this setup.
>
> --
> Matt Skerritt
> matt.skerritt@agrav.net