Victor Medina wrote:
> Hi Guys!
>
>
> Probably this is not the best place to ask, I'll try anyway... =)
>
> I've been trying to configure a Samba PDC and a Squid Proxy server
> with NTLM auth on the same machine but NTLM_AUTH keeps complaining
> about: NT_STATUS_INVALID_HANDLE.... I have other machines running
> Squid and authenticating against a Samba server but on different
> machines, this is the first time I try both on the same machine.
>
> Can I use Squid+NTLM Auth and Samba configured as PDC on the same
> machine? Is there any winbind issue with this kind of configuration?
>
> I'm using SLES10+SP2
> Samba version as reported by rpm is 3.0.32-0.8
> Squid version as reported by rpm is 2.5.STABLE12-18.13
>
> -------------------------------------------------
> This is my smb.conf
>
> [global]
> dos charset = 850
> unix charset = ISO8859-1
> workgroup = C1.SV
> netbios name = PDCSRVC1SV
> server string =
> interfaces = eth0
> bind interfaces only = Yes
> map to guest = Bad Password
> passdb backend = ldapsam:ldap://127.0.0.1
> guest account = Invitado
> time server = Yes
> deadtime = 20
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> printcap name = cups
> logon path =
> logon home =
> domain logons = Yes
> os level = 65
> preferred master = Yes
> domain master = Yes
> wins support = Yes
> ldap admin dn = cn=Administrador,o=Ferreteria EPA
> ldap delete dn = Yes
> ldap group suffix = ou=group
> ldap machine suffix = ou=people
> ldap passwd sync = Yes
> ldap suffix = ou=c1,c=sv,o=Ferreteria EPA
> ldap user suffix = ou=people
> idmap domains = DEFAULT
> idmap alloc backend = ldap
> idmap alloc config:range = 10000-100000
> idmap alloc config:ldap_url = ldap://127.0.0.1
> idmap alloc config:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
> idmap alloc config:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
> idmap config DEFAULT:range = 10000-100000
> idmap config DEFAULT:ldap_url = ldap://127.0.0.1
> idmap config DEFAULT:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
> idmap config DEFAULT:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
> idmap config DEFAULT:default = yes
> idmap config DEFAULT:readonly = no
> idmap config DEFAULT:backend = ldap
> ldapsam:editposix = yes
> ldapsam:trusted = yes
> create mask = 0640
> force create mode = 0640
> directory mask = 0750
> force directory mode = 0750
> case sensitive = No
> dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
>
> My relevant squid.conf lines...
>
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp C1.SV/PDCSRVC1SV
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic C1.SV/PDCSRVC1SV
> auth_param ntlm children 100
> auth_param basic children 100
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
>
>
>
>
> The PDC works as expected, machine join works like a charm, users and
> groups management works equally right, all accounts are placed in the
> LDAP, getent passwd, groups and shadow show the LDAP accounts.
>
> I also did a few tests with wbinfo
>
> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo -u
> invitado
> usuarioprueba
> e01ggen
> e01glogis
> e01gcont
> e01jcomp1
> e01jcomp2
> e01jcomp3
> e01jcomp4
> e01jrepo
> e01jreclu
> e01rrece
> e01gcom
> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo -g
> BUILTIN
> BUILTIN
> domain users
> domain admins
> domain guests
> grupoprueba
> gcentralsv
> gcompras
> gcontrol
> ggerencia
> glogistica
> gmercadeo
> gpersonal
> gventas
> gjefecompras
> gjefecontrol
> gjefelogistica
> gjefepersonal
> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo --all-domains
> C1.SV
>
>
> I also made sure squid users can read /var/lib/samba/winbindd_privileged
>
>
> I also noted this error:
>
> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo --authenticate=administrator%12345678
> plaintext password authentication failed
> error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
> error messsage was: No such user
> Could not authenticate user administrator%12345678 with plaintext password
> winbind separator was NULL!
> challenge/response password authentication failed
> error code was NT_STATUS_INVALID_HANDLE (0xc0000008)
> error messsage was: Invalid handle
> Could not authenticate user administrator with challenge/response
>
> Does someone have any idea of what could go wrong? When I use squid and
> samba on different machines I usually join the squid machine to the
> domain using a net join, is this necessary when the PDC and squid are
> on the same machine?
>
> Victor Medina
>
> Samuel Goldwyn - "I don't think anyone should write their
> autobiography until after they're dead."
>
I think you should add lo to the interfaces listed in smb.conf.

Best regards, David Wells.
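
The suggestion above, turned into a check (an added example, not part of the original thread): smb.conf(5) warns that with `bind interfaces only` set and 127.0.0.1 missing from `interfaces`, smbpasswd may not work as expected because it reaches smbd over loopback, and the quoted config has that combination. The function names and the trimmed sample config are constructed for illustration.

```python
import configparser
import ipaddress

# Constructed sample: the relevant [global] lines from the quoted smb.conf.
SAMPLE_BEFORE = """\
[global]
workgroup = C1.SV
interfaces = eth0
bind interfaces only = Yes
idmap alloc config:range = 10000-100000
"""
# Same config with the loopback device added, as the reply suggests.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("interfaces = eth0", "interfaces = eth0 lo")


def _is_loopback(token):
    """True if an 'interfaces' entry is the loopback device or a loopback address."""
    token = token.strip().lower()
    if token in ("lo", "lo0", "lo*"):   # assumption: usual Linux/BSD device names
        return True
    try:
        return ipaddress.ip_interface(token).ip.is_loopback   # e.g. 127.0.0.1/8
    except ValueError:
        return False                     # some other device name such as eth0


def loopback_missing(smb_conf_text):
    """True when smbd is bound to listed interfaces only and none is loopback."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False)
    cp.read_string(smb_conf_text)
    opts = {}
    for section in cp.sections():
        if section.strip().lower() == "global":
            for key, value in cp.items(section):
                # Samba ignores whitespace inside parameter names.
                opts[key.replace(" ", "")] = value
    bind_only = opts.get("bindinterfacesonly", "no").strip().lower() in (
        "yes", "true", "1")
    ifaces = opts.get("interfaces", "").replace(",", " ").split()
    return bind_only and not any(_is_loopback(t) for t in ifaces)


if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, "-> loopback missing:", loopback_missing(text))
```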