Marco Gaiarin
2018-Sep-27 10:11 UTC
[Samba] [OT?] passing group name with spaces to ntlm_auth...
It's not clear to me whether this is a squid or a samba/ntlm_auth trouble... indeed...

In Squid I've added:

    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=LNFFVG --require-membership-of='LNFFVG\Domain Users'
    auth_param ntlm children 5

but in 'cache.log' I got:

    Winbindd lookupname failed to resolve 'LNFFVG\Domain into a SID!
    Winbindd lookupname failed to resolve 'LNFFVG\Domain into a SID!

I've tried some escape techniques for the space character, but with no luck. Leaving simply:

    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=LNFFVG

works.

Is there any hint? Thanks.

--
dott. Marco Gaiarin
Associazione "La Nostra Famiglia" http://www.lanostrafamiglia.it/

L.P.H. van Belle
2018-Sep-27 10:27 UTC
[Samba] [OT?] passing group name with spaces to ntlm_auth...
Hai Marco,

More info on squid config might help here and no smb.conf..
Ahead of things...

And you better use something like this, change to negotiate auth. (and use SSO).

    auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
        --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy1.internal.domain.tld@REALM \
        --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM

    # Or if you don't have the SPN set, use this --kerberos line instead:
    #   --kerberos /usr/lib/squid/negotiate_kerberos_auth -r -i -s GSS_C_NO_NAME \

And use ldap for the groups. Amos explains these things better than me ;-)

Google this: [squid-users] external_acl_type LDAP for acl NOT related to auth
And: Re: [squid-users] Any suggestions or comments about my configuration? squid 3.5.20

And you have a good group example ;-), 2 recently answered questions with some very good group examples.

Greetz,

Louis

Andrew Bartlett
2018-Sep-27 18:30 UTC
[Samba] [OT?] passing group name with spaces to ntlm_auth...
On Thu, 2018-09-27 at 12:27 +0200, L.P.H. van Belle via samba wrote:
> Hai Marco,
>
> More info on squid config might help here and no smb.conf..
> Ahead of things...
>
> And you better use something like this, change to negotiate auth. (and use SSO).
>
>     auth_param negotiate program /usr/lib/squid/negotiate_wrapper_auth \
>         --kerberos /usr/lib/squid/negotiate_kerberos_auth -s HTTP/proxy1.internal.domain.tld@REALM \
>         --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=NTDOM
>
>     # Or if you don't have the SPN set, use this --kerberos line instead:
>     #   --kerberos /usr/lib/squid/negotiate_kerberos_auth -r -i -s GSS_C_NO_NAME \
>
> And use ldap for the groups. Amos explains these things better than me ;-)
> Google this: [squid-users] external_acl_type LDAP for acl NOT related to auth
> And: Re: [squid-users] Any suggestions or comments about my configuration? squid 3.5.20
> And you have a good group example ;-), 2 recently answered questions
> with some very good group examples.

ntlm_auth can also do negotiate (which is much more efficient if Kerberos is selected, I agree), however it looks like --require-membership-of isn't hooked up to that (drat).

The easiest way past the escaping issue is to pass the SID as S-x-y-z.

The reason --require-membership-of was implemented is that it can be much more efficient, as at this point Samba knows the group memberships so can look them up from the authentication reply, rather than starting new LDAP traffic.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
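
The SID approach suggested in the last reply, as an added example that is not part of the original thread: the cache.log line shows the helper argument was cut at the space with the quote kept literally, so the script below builds a helper line with no spaces or quotes in any argument. The SID value is constructed, and the `<SID> <TYPE> (<n>)` shape of `wbinfo -n` output is an assumption to check against your Samba version.

```shell
#!/bin/sh
# Added example: turn a resolved group SID into a Squid helper line that
# contains no spaces or quotes in any argument.

# Take one line of `wbinfo -n` output (assumed shape: "<SID> <TYPE> (<n>)")
# and print the SID, but only if it is well-formed and names a group.
sid_from_wbinfo() {
    line=$1
    sid=${line%% *}                      # first whitespace-separated field
    case $line in
        *SID_DOM_GROUP*|*SID_ALIAS*|*SID_WKN_GROUP*) ;;
        *) echo "not a group: $line" >&2; return 1 ;;
    esac
    printf '%s\n' "$sid" | grep -Eq '^S-1-[0-9]+(-[0-9]+){1,15}$' || {
        echo "malformed SID: $sid" >&2; return 1; }
    printf '%s\n' "$sid"
}

# Print the auth_param line for squid.conf. Refuses any value that contains
# whitespace or quotes, i.e. anything that would be split or mangled the way
# 'LNFFVG\Domain Users' was in the thread.
squid_ntlm_line() {
    domain=$1
    group_sid=$2
    case "$domain$group_sid" in
        *[[:space:]]*|*\'*|*\"*) echo "unsafe helper argument" >&2; return 1 ;;
    esac
    printf 'auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=%s --require-membership-of=%s\n' \
        "$domain" "$group_sid"
}

# Constructed sample of what `wbinfo -n 'LNFFVG\Domain Users'` might print;
# the SID is made up. On a domain member, replace SAMPLE with:
#   SAMPLE=$(wbinfo -n 'LNFFVG\Domain Users')
# (there the interactive shell handles the quoting, not squid.conf).
SAMPLE='S-1-5-21-1111111111-2222222222-3333333333-513 SID_DOM_GROUP (2)'

if resolved=$(sid_from_wbinfo "$SAMPLE"); then
    squid_ntlm_line LNFFVG "$resolved"
fi
```
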