RE: [squid-users] Squid, Samba3 and winbind with NTLM authentication

> On 10/26/07, samer khalil <samerk1@gmail.com> wrote:
> > I am using Squid, Samba3 and winbind with NTLM authentication with a
> > proper configuration for samba, krb5.conf and squid.conf as follows:
> > auth_param ntlm program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> > auth_param ntlm children 5
> > auth_param ntlm max_challenge_reuses 0
> > auth_param ntlm max_challenge_lifetime 2 minutes
> >
> > The solution works great for computers who are joined to Active
> > Directory domain however i have a couple of questions regarding
> > clients that are NOT joined:
> >
> > 1- a NON-joined client using IE will have to logon using
> > realm/username and passwd. Is there a way to make him authenticate
> > with only his username and passwd ?
> > NB:It works fine with other browsers such as Firefox.
>
> MAYBE the Winbindd default domain can help. YMMV tho. This is an
> intentional design decision by Microsoft.
>
We've run into the same problem in our environment. Our solution
(which only works if you have a single domain), was to modify
the Samba code to always use the domain specified in the smb.conf,
regardless of what the user provided (or didn't).

Not a neat solution (nor neat coding), but it works.

lpx> diff -u samba-3.0.25a/source/nsswitch/winbindd_pam.c
../customised_files/winbindd_pam.c
--- samba-3.0.25a/source/nsswitch/winbindd_pam.c Thu May 24
00:59:16 2007
+++ ../customised_files/winbindd_pam.c Thu May 31 15:27:42 2007
@@ -1,3 +1,6 @@
+// UNISA CUSTOMISATION
+// - Always use lp_workgroup() for the domain.
+// This will let us deploy NTLM authentication to machines not
logged into the domain.
 /*
    Unix SMB/CIFS implementation.
 
@@ -1734,16 +1737,19 @@
 
        name_user = state->request.data.auth_crap.user;
 
- if (*state->request.data.auth_crap.domain) {
- name_domain = state->request.data.auth_crap.domain;
- } else if (lp_winbind_use_default_domain()) {
- name_domain = lp_workgroup();
- } else {
- DEBUG(5,("no domain specified with username (%s) -
failing auth\n",
- name_user));
- result = NT_STATUS_NO_SUCH_USER;
- goto done;
- }
+// BEGIN UNISA CUSTOMISATION
+// if (*state->request.data.auth_crap.domain) {
+// name_domain = state->request.data.auth_crap.domain;
+// } else if (lp_winbind_use_default_domain()) {
+// name_domain = lp_workgroup();
+// } else {
+// DEBUG(5,("no domain specified with username (%s) -
failing auth\n",
+// name_user));
+// result = NT_STATUS_NO_SUCH_USER;
+// goto done;
+// }
+ name_domain = lp_workgroup();
+// END UNISA CUSTOMISATION
 
        DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n",
(unsigned long)state->pid,
                  name_domain, name_user));

__

David Gameau
ISTS - Systems Infrastructure
University of South Australia

email: David.Gameau@UniSA.edu.au
phone: +61 8 302 3533
fax: +61 8 302 5800

Disclaimer: "His brain sometimes stops working." - Chiyo, Azumanga Daoih
Received on Mon Oct 29 2007 - 23:24:37 MDT