I have a working setup with samba & squid on one machine. However, it seems that ntlm_auth is not doing what I expected.

As an unprivileged user I am able to test a password successfully:

ute@alix:~$ ntlm_auth -V
Version 3.5.6
ute@alix:~$ ntlm_auth --username=hans --password=keins
NT_STATUS_OK: Success (0x0)

Surely I know this password. Now the same with diagnostics on:

ute@alix:~$ ntlm_auth --diagnostics --username=hans --password=keins
winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly. (0xc0000022)
[2011/10/01 14:56:15.107135, 1] utils/ntlm_auth_diagnostics.c:601(diagnose_ntlm_auth)
  Test LM failed!
winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly. (0xc0000022)
[2011/10/01 14:56:15.108233, 1] utils/ntlm_auth_diagnostics.c:601(diagnose_ntlm_auth)
  Test LM and NTLM failed!
winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly. (0xc0000022)
[2011/10/01 14:56:15.108713, 1] utils/ntlm_auth_diagnostics.c:601(diagnose_ntlm_auth)
  Test NTLM failed!
winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly. (0xc0000022)
[2011/10/01 14:56:15.108951, 1] utils/ntlm_auth_diagnostics.c:601(diagnose_ntlm_auth)
  Test NTLM in LM failed!
winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly. (0xc0000022)
[2011/10/01 14:56:15.109218, 1] utils/ntlm_auth_diagnostics.c:601(diagnose_ntlm_auth)
  Test NTLM in both failed!
winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly. (0xc0000022)
[2011/10/01 14:56:15.109478, 1] utils/ntlm_auth_diagnostics.c:601(diagnose_ntlm_auth)
  Test NTLMv2 failed!
winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly. (0xc0000022)
[2011/10/01 14:56:15.109611, 1] utils/ntlm_auth_diagnostics.c:601(diagnose_ntlm_auth)
  Test NTLMv2 and LMv2 failed!
winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly. (0xc0000022)
[2011/10/01 14:56:15.109742, 1] utils/ntlm_auth_diagnostics.c:601(diagnose_ntlm_auth)
  Test LMv2 failed!
winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly. (0xc0000022)
[2011/10/01 14:56:15.109871, 1] utils/ntlm_auth_diagnostics.c:601(diagnose_ntlm_auth)
  Test NTLMv2 and LMv2, LMv2 broken failed!
winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly. (0xc0000022)
winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly. (0xc0000022)
[2011/10/01 14:56:15.110300, 1] utils/ntlm_auth_diagnostics.c:601(diagnose_ntlm_auth)
  Test NTLM and LM, LM broken failed!
winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly. (0xc0000022)
winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly. (0xc0000022)
[2011/10/01 14:56:15.110751, 1] utils/ntlm_auth_diagnostics.c:601(diagnose_ntlm_auth)
  Test Plaintext failed!
winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly. (0xc0000022)
[2011/10/01 14:56:15.110874, 1] utils/ntlm_auth_diagnostics.c:601(diagnose_ntlm_auth)
  Test Plaintext LM broken failed!
winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly. (0xc0000022)
winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly. (0xc0000022)
[2011/10/01 14:56:15.111192, 1] utils/ntlm_auth_diagnostics.c:601(diagnose_ntlm_auth)
  Test Plaintext NT only failed!
winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/run/samba/winbindd_privileged are set correctly. (0xc0000022)
[2011/10/01 14:56:15.111303, 1] utils/ntlm_auth_diagnostics.c:601(diagnose_ntlm_auth)
  Test Plaintext LM only failed!

This time the password test failed.

Here is the relevant config:

# ls -la /var/run/samba/winbindd_privileged/
insgesamt 8
drwxr-x--- 2 root winbindd_priv 4096  1. Okt 14:33 .
drwxr-xr-x 3 root root          4096  1. Okt 14:33 ..
srwxrwxrwx 1 root root             0  1. Okt 14:33 pipe

# getent group winbindd_priv
winbindd_priv:x:121:proxy

# id ute
uid=10003(ute) gid=1002(students) Gruppen=1002(students),1006(online),1016(neu2)

# md5sum /var/cache/apt/archives/winbind_2%3a3.5.6~dfsg-3squeeze5_amd64.deb
0d0d2535622eaf154889587fdc81e0b2  /var/cache/apt/archives/winbind_2%3a3.5.6~dfsg-3squeeze5_amd64.deb

# testparm --section-name=global -s
[global]
	unix charset = UTF8
	workgroup = SCHULE
	server string = Schulserver %h
	interfaces = lo, 10.100.0.1/16
	obey pam restrictions = Yes
	passdb backend = ldapsam
	pam password change = Yes
	passwd program = /usr/sbin/smbldap-passwd %u
	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully*
	log level = 0 auth:3 sam:3 winbind:3
	log file = /var/log/samba/log.%m
	smb ports = 139
	announce version = 6.5
	name resolve order = wins host bcast
	time server = Yes
	add user script = /usr/sbin/smbldap-useradd -m "%u"
	delete user script = /usr/sbin/smbldap-userdel "%u"
	add group script = /usr/sbin/smbldap-groupadd -p "%g"
	delete group script = /usr/sbin/smbldap-groupdel "%g"
	add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
	delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
	set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
	add machine script = /usr/sbin/smbldap-useradd -w "%u"
	logon script = %a.bat
	logon path = \\%L\profile\%G\%U\%a
	logon drive = U:
	domain logons = Yes
	os level = 65
	preferred master = Yes
	domain master = Yes
	wins support = Yes
	ldap admin dn = cn=admin,dc=delixs-schule,dc=de
	ldap delete dn = Yes
	ldap group suffix = ou=groups
	ldap idmap suffix = ou=idmap
	ldap machine suffix = ou=machines,ou=accounts
	ldap passwd sync = yes
	ldap suffix = dc=delixs-schule,dc=de
	ldap ssl = no
	ldap user suffix = ou=people,ou=accounts
	idmap backend = ldap
	idmap alloc backend = ldap
	idmap uid = 1000000-1999999
	idmap gid = 1000000-1999999
	winbind enum users = Yes
	winbind enum groups = Yes
	winbind use default domain = Yes
	idmap alloc config : ldap_user_dn = cn=admin,dc=delixs-schule,dc=de
	idmap alloc config : ldap_base_dn = ou=Idmap,dc=delixs-schule,dc=de
	idmap alloc config : ldap_url = ldap://127.0.0.1/
	veto files = /*.eml/*.nws/riched20.dll/autorun.inf/

# egrep -v '^$|^#' /etc/samba/winbind.conf
include = /etc/samba/smb.conf
[global]
security = domain
domain logons = no

Regards,
Harry Jede
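
The permission check that the error message asks for, as an added example that is not part of the original post: it evaluates the mode bits of the winbindd_privileged directory against a user's ids, using the values from the listing above. The function names can_traverse and check_winbind_priv are hypothetical, GNU stat is assumed, and POSIX ACLs are not considered.

```sh
#!/bin/sh
# Added example (not from the original post): decide whether a Unix user can
# enter the winbindd_privileged directory and so reach the pipe inside it.
# Only classic mode bits are evaluated; POSIX ACLs are ignored (assumption).

# can_traverse MODE OWNER GROUP USER "USER_GROUPS"
# Ids may be names or numbers, as long as both sides use the same kind.
# Returns 0 if USER has search (x) permission on such a directory.
can_traverse() {
    local m owner group user g shift_by
    m=$(( 0$1 )); owner=$2; group=$3; user=$4   # leading 0 = octal mode
    if [ "$user" = "root" ] || [ "$user" = "0" ]; then
        return 0                                # root bypasses mode bits
    fi
    if [ "$user" = "$owner" ]; then
        shift_by=6                              # owner class, nothing else
    else
        shift_by=0                              # default: "other" class
        for g in $5; do
            if [ "$g" = "$group" ]; then shift_by=3; break; fi
        done
    fi
    [ $(( (m >> shift_by) & 1 )) -eq 1 ]        # x bit of the chosen class
}

# check_winbind_priv USER [DIR]: the same check against the live system.
# Numeric ids avoid trouble with group names that contain spaces.
check_winbind_priv() {
    local dir
    dir=${2:-/var/run/samba/winbindd_privileged}
    can_traverse "$(stat -c %a "$dir")" "$(stat -c %u "$dir")" \
        "$(stat -c %g "$dir")" "$(id -u "$1")" "$(id -G "$1")"
}

# Values from the listing in the post: directory mode 750, root (uid 0),
# winbindd_priv (gid 121); ute is uid 10003 with gids 1002 1006 1016.
if can_traverse 750 0 121 10003 "1002 1006 1016"; then
    echo "ute: can reach the privileged pipe"
else
    echo "ute: cannot reach the privileged pipe"
fi
```

id reads the group database, so a process started before a group change keeps its old groups until it is restarted.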