Re: [squid-users] Squid, Samba3 and winbind with NTLM authentication

From: samer khalil <samerk1@dont-contact.us>
Date: Tue, 4 Dec 2007 14:18:55 +0200

Hello Guys,
The modifications below to winbindd_pam.c solved the issue of non-joined
computers except for clients using Internet Explorer (tested
with IE7) only on Vista HOME edition!
It worked fine on all other versions of Windows: win2k, Window$ XP,
Vista premium, etc.

Did you guys face this?

Thanks,
Samer

On Oct 30, 2007 7:24 AM, David Gameau <David.Gameau@unisa.edu.au> wrote:
> > On 10/26/07, samer khalil <samerk1@gmail.com> wrote:
> > > I am using Squid, Samba3 and winbind with NTLM authentication with a
> > > proper configuration for samba, krb5.conf and squid.conf as follows:
> > > auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> > > auth_param ntlm children 5
> > > auth_param ntlm max_challenge_reuses 0
> > > auth_param ntlm max_challenge_lifetime 2 minutes
> > >
> > > The solution works great for computers that are joined to the Active
> > > Directory domain; however, I have a couple of questions regarding
> > > clients that are NOT joined:
> > >
> > > 1- a NON-joined client using IE will have to logon using
> > > realm/username and passwd. Is there a way to make him authenticate
> > > with only his username and passwd ?
> > > NB: It works fine with other browsers such as Firefox.
> >
> > MAYBE the Winbindd default domain can help. YMMV tho. This is an
> > intentional design decision by Microsoft.
> >
> We've run into the same problem in our environment. Our solution
> (which only works if you have a single domain), was to modify
> the Samba code to always use the domain specified in the smb.conf,
> regardless of what the user provided (or didn't).
>
> Not a neat solution (nor neat coding), but it works.
>
> lpx> diff -u samba-3.0.25a/source/nsswitch/winbindd_pam.c
> ../customised_files/winbindd_pam.c
> --- samba-3.0.25a/source/nsswitch/winbindd_pam.c Thu May 24
> 00:59:16 2007
> +++ ../customised_files/winbindd_pam.c Thu May 31 15:27:42 2007
> @@ -1,3 +1,6 @@
> +// UNISA CUSTOMISATION
> +// - Always use lp_workgroup() for the domain.
> +// This will let us deploy NTLM authentication to machines not
> logged into the domain.
> /*
> Unix SMB/CIFS implementation.
>
> @@ -1734,16 +1737,19 @@
>
> name_user = state->request.data.auth_crap.user;
>
> - if (*state->request.data.auth_crap.domain) {
> - name_domain = state->request.data.auth_crap.domain;
> - } else if (lp_winbind_use_default_domain()) {
> - name_domain = lp_workgroup();
> - } else {
> - DEBUG(5,("no domain specified with username (%s) -
> failing auth\n",
> - name_user));
> - result = NT_STATUS_NO_SUCH_USER;
> - goto done;
> - }
> +// BEGIN UNISA CUSTOMISATION
> +// if (*state->request.data.auth_crap.domain) {
> +// name_domain = state->request.data.auth_crap.domain;
> +// } else if (lp_winbind_use_default_domain()) {
> +// name_domain = lp_workgroup();
> +// } else {
> +// DEBUG(5,("no domain specified with username (%s) -
> failing auth\n",
> +// name_user));
> +// result = NT_STATUS_NO_SUCH_USER;
> +// goto done;
> +// }
> + name_domain = lp_workgroup();
> +// END UNISA CUSTOMISATION
>
> DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n",
> (unsigned long)state->pid,
> name_domain, name_user));
>
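Review bot: `name_domain = lp_workgroup();` now overrides whatever domain the client sent, so a request carrying a different domain is silently authenticated against the workgroup with nothing in the logs to show it, and the `DEBUG(3, ...)` line below always prints the workgroup instead of the value the client supplied; at minimum log `state->request.data.auth_crap.domain` there as well so the substitution is visible. If the intent is only to cover requests with no domain, no code change is needed: `winbind use default domain = yes` in smb.conf already makes the existing `else if (lp_winbind_use_default_domain())` branch select `lp_workgroup()`. If a supplied-but-unknown domain must be overridden too, keep the original `if` chain and substitute `lp_workgroup()` only in that case rather than for every request, and delete the old block (or wrap it in `#if 0`) instead of leaving eleven `//`-commented lines in place.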
> __
>
> David Gameau
> ISTS - Systems Infrastructure
> University of South Australia
>
> email: David.Gameau@UniSA.edu.au
> phone: +61 8 302 3533
> fax: +61 8 302 5800
>
> Disclaimer: "His brain sometimes stops working." - Chiyo, Azumanga Daioh
>
Received on Tue Dec 04 2007 - 05:19:05 MST

This archive was generated by hypermail pre-2.1.9 : Tue Jan 01 2008 - 12:00:01 MST