TEST: SMB auth with NT groups

From: Richard Huveneers <richard@dont-contact.us>
Date: Sat, 05 Dec 1998 18:37:30 +0100

A lot of people have expressed interest in using NT groups
when authenticating with my smb_auth module. Attached is
a test version of a script which implements my current
view of how this should be done.

To be clear: this script will be called by the new smb_auth
module, so for now the only way to test this script is by
executing it manually on the commandline and viewing the
output.

Before executing this script, you must set the following
environment variables (this will be done by smb_auth):

- SAMBAPREFIX: the location of your Samba installation, for
  instance, /usr/local/samba (did I mention you need Samba
  instead of the pam_smb module? this should improve platform
  support dramatically)
- DOMAINNAME: the name of the NT domain against which you
  want to authenticate. Note that the script tries to find
  a working domain controller itself, so you don't need to
  specify a PDC or BDC anymore. I know, if the proxy is on
  a different network segment than the NT machine this doesn't
  work; that will be solved in a future release.
- BROADCAST: the broadcast IP address of the network on which
  the NT server is, for instance: 192.168.1.255
- USERNAME: the username you want to authenticate
- PASSWORD: the password you want to authenticate

You need to do one more thing: on the NETLOGON share of your
PDC (usually \winnt\system32\repl\import\scripts) create
a new file named "proxyauth" and put the one word "allow"
into this new file.

The script tries to read this file, so by assigning "Read"
permissions to the appropriate users and groups you can
restrict access to the proxy.

If all goes well, the output of the script should look like:

  Domain name: MEDIA@VANTAGE
  Broadcast IP address: 192.168.1.255
  Domain controller IP address: 192.168.1.2
  Domain controller NETBIOS name: VEGA
  Contents of //VEGA/NETLOGON/proxyauth: allow

So now I need _your_ input on this script: does it work for
you at all (success reports are welcome!). If not, please
send me the output you get.

More importantly: comments about the way NT group membership
is checked are more than welcome. I have been giving this good
thought, but there might well be a much better way to do this
(try to say this nicely though :))

Richard.
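The lookup chain the post describes (broadcast for the domain's 1C name, resolve the controller's NetBIOS name, fetch NETLOGON/proxyauth with the user's credentials, accept only the word "allow") can be written as a small POSIX shell script. The one below is an added illustration and is not the attached smb_auth script; it assumes Samba's nmblookup and smbclient live under $SAMBAPREFIX/bin, that nmblookup prints its usual "IP NAME<1c>" and node-status layouts, and that smbclient honours the PASSWD environment variable (used here so the password does not appear on the command line). The parsers take the tools' output on stdin, so they can be exercised on constructed sample output without a domain controller on the wire.

```shell
#!/bin/sh
# Added example (not the smb_auth script): the group check reduced to
# three steps, each of which reads real tool output on stdin.
# Assumptions: nmblookup/smbclient under $SAMBAPREFIX/bin and the
# classic nmblookup output layout.

# Step 1: pick the first "IP NAME<1c>" answer from
#   nmblookup -B "$BROADCAST" "$DOMAINNAME#1c"
# (1C is the domain-controllers group name), ignoring the "querying" line.
parse_dc_ip() {
    awk '/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[ \t]/ { print $1; exit }'
}

# Step 2: from "nmblookup -A <ip>" take the unique (non-<GROUP>) <00>
# entry, which is the machine's own NetBIOS name.
parse_dc_name() {
    awk '$2 == "<00>" && $4 != "<GROUP>" { print $1; exit }'
}

# Step 3: the fetched proxyauth contents grant access only if, after
# stripping CR/LF and blanks, they are exactly the word "allow".
# Empty output (file unreadable for this user, or absent) denies.
check_proxyauth() {
    word=$(tr -d '\r\n\t ')
    [ "$word" = "allow" ]
}

# Full run against a live domain, printing the lines in the post's format.
# Returns 0 when the user may read proxyauth and it says "allow".
smb_group_auth() {
    echo "Domain name: $DOMAINNAME"
    echo "Broadcast IP address: $BROADCAST"
    dcip=$("$SAMBAPREFIX/bin/nmblookup" -B "$BROADCAST" "$DOMAINNAME#1c" \
           | parse_dc_ip)
    [ -n "$dcip" ] || { echo "No domain controller found" >&2; return 1; }
    echo "Domain controller IP address: $dcip"
    dcname=$("$SAMBAPREFIX/bin/nmblookup" -A "$dcip" | parse_dc_name)
    [ -n "$dcname" ] || { echo "Cannot resolve controller name" >&2; return 1; }
    echo "Domain controller NETBIOS name: $dcname"
    # PASSWD env var keeps the password out of the process list (assumed
    # smbclient behaviour); "get proxyauth -" writes the file to stdout.
    contents=$(PASSWD="$PASSWORD" "$SAMBAPREFIX/bin/smbclient" \
               "//$dcname/NETLOGON" -U "$USERNAME" -W "$DOMAINNAME" \
               -I "$dcip" -c 'get proxyauth -' 2>/dev/null)
    echo "Contents of //$dcname/NETLOGON/proxyauth: $contents"
    printf '%s' "$contents" | check_proxyauth
}

# Only talk to the network when explicitly asked: ./script.sh run
case "${1:-}" in
    run) smb_group_auth ;;
esac
```

Because the ACL on proxyauth is the only thing that decides membership, every failure path (no controller answers, the name does not resolve, the share refuses the credentials, the file is empty) falls through to a deny, which is the safe default for an authenticator.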

Received on Sat Dec 05 1998 - 10:42:03 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:43:33 MST