RE: [squid-users] Squid/Samba authenication with wrong username

> It occurs to me that the actual user that is logged into XP is
> "DOMAIN\USERNAME" rather than the other... is there a way to have
Samba
> recognize this? I am wanting to get rid of the login required.

Hi Shane,

We have this setup running here, and it runs fine 99.9% of the time. The
only time when we have issues is when a user has recently changed
his/her password and this hasn't been synched to the proxy yet. This
resolves itself quickly enough, so not really a problem.

It seems to me that you have not set up Samba properly for
authentication. I have the following set up in /etc/smb.conf:

[global]
        workgroup = [OURDOMAIN]
        netbios name = [NETBIOS NAME OF OUR SERVER]
        server string = openSUSE 10.2 proxy server
        security = ads <--- tells Samba you are using Active Directory
to authenticate against
        encrypt passwords = yes
        password server = [COMMA SEPARATED LIST OF OUR DOMAIN
CONTROLLERS]
        log file = /var/log/samba/%m.log
        max log size = 0
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        # The settings below ensure Samba doesn't
        # become the master browser for this domain
        # Samba tends to be faster than our DC's
        preferred master = False
        local master = no
        domain master = False
        winbind separator = /
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        idmap uid = 10000-20000
        idmap gid = 10000-20000

Also, take a look at your Kerberos configuration, to see if you have set
that up properly and if the proxy machine has been added to the domain
properly. Check the output of the following commands:

# kinit [username]@[domain] (without the brackets)
This should prompt you for the password for the specified user

After this, try the following:
# klist -e
This will show any cached Kerberos tickets on your server

# net ads testjoin
This will test if your join to the domain is valid

# wbinfo -t
Checks the machine trust account

# wbinfo -u
List domain users

If any of these commands give you errors, verify your configuration.

Last, but not least, test if you can authenticate with ntlm_auth:

# /path/to/ntlm_auth --username=[user]
This should give you a password prompt.

Hope that helps!

Regards,

Joop

------------------------------------------------------------
Dit bericht is gescand op virussen en andere gevaarlijke
inhoud door MailScanner en lijkt schoon te zijn.
Mailscanner door http://www.prosolit.nl
Professional Solutions fot IT
Received on Thu Mar 13 2008 - 02:21:21 MDT