RE: [squid-users] Squid/Samba authenication with wrong username

From: Leach, Shane - MIS Laptop <mis@dont-contact.us>
Date: Thu, 13 Mar 2008 08:58:17 -0500

Joop,

My smb.conf is as follows (constructed based on some walkthroughs
available on Internet):

[global]
         
workgroup = DOMAIN
server string = Linux Samba Server
netbios name = ntproxy
realm = DOMAIN.COM
security = ADS
encrypt passwords = Yes
password server = 10.1.0.207, 10.1.0.203
preferred master = False
local master = No
domain master = False
dns proxy = No
wins server = 10.1.0.207
winbind separator = /
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
 

log file = /var/log/samba/log.%m
max log size = 50
 
 
load printers = yes
cups options = raw
 
 
[homes]
comment = Home Directories
browseable = no
writable = yes

         
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes

I notice that when I attempt "kinit [username]@[domain]" an interesting
thing happens. If is set it as username@DOMAIN it returns no errors...
But if I use username@domain (lowercase) I receive an error that "Cannot
find KDC for requested realm while getting initial credentials". Could
this be part of the problem?

The other kinit commands return success.

I could not get the ntlm_auth command to work, as written... Still
trying to figure out exactly what should be changed.

Any recommendations?

Thanks for the help.

Shane

-----Original Message-----
From: J Beris [mailto:J.Beris@nederweert.nl]
Sent: Thursday, March 13, 2008 3:21 AM
To: Leach, Shane - MIS Laptop
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Squid/Samba authenication with wrong username

> It occurs to me that the actual user that is logged into XP is
> "DOMAIN\USERNAME" rather than the other... is there a way to have
Samba
> recognize this? I am wanting to get rid of the login required.

Hi Shane,

We have this setup running here, and it runs fine 99.9% of the time. The
only time when we have issues is when a user has recently changed
his/her password and this hasn't been synched to the proxy yet. This
resolves itself quickly enough, so not really a problem.

It seems to me that you have not set up Samba properly for
authentication. I have the following set up in /etc/smb.conf:

[global]
        workgroup = [OURDOMAIN]
        netbios name = [NETBIOS NAME OF OUR SERVER]
        server string = openSUSE 10.2 proxy server
        security = ads <--- tells Samba you are using Active Directory
to authenticate against
        encrypt passwords = yes
        password server = [COMMA SEPARATED LIST OF OUR DOMAIN
CONTROLLERS]
        log file = /var/log/samba/%m.log
        max log size = 0
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        # The settings below ensure Samba doesn't
        # become the master browser for this domain
        # Samba tends to be faster than our DC's
        preferred master = False
        local master = no
        domain master = False
        winbind separator = /
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        idmap uid = 10000-20000
        idmap gid = 10000-20000

Also, take a look at your Kerberos configuration, to see if you have set
that up properly and if the proxy machine has been added to the domain
properly. Check the output of the following commands:

# kinit [username]@[domain] (without the brackets) This should prompt
you for the password for the specified user

After this, try the following:
# klist -e
This will show any cached Kerberos tickets on your server

# net ads testjoin
This will test if your join to the domain is valid

# wbinfo -t
Checks the machine trust account

# wbinfo -u
List domain users

If any of these commands give you errors, verify your configuration.

Last, but not least, test if you can authenticate with ntlm_auth:

# /path/to/ntlm_auth --username=[user]
This should give you a password prompt.

Hope that helps!

Regards,

Joop

------------------------------------------------------------
Dit bericht is gescand op virussen en andere gevaarlijke inhoud door
MailScanner en lijkt schoon te zijn.
Mailscanner door http://www.prosolit.nl
Professional Solutions fot IT
Received on Thu Mar 13 2008 - 07:58:18 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Apr 01 2008 - 13:00:05 MDT