Re: [squid-users] Squid, Samba3 and winbind with NTLM authentication

From: samer khalil <samerk1@dont-contact.us>
Date: Tue, 30 Oct 2007 18:49:32 +0200

Well, it worked by replacing, in source/utils/ntlm_auth.c,

    fstrcpy(request.data.auth_crap.domain, domain);
by:
    domain = lp_workgroup();

thanks,
Samer

On 10/30/07, David Gameau <David.Gameau@unisa.edu.au> wrote:
> > On 10/26/07, samer khalil <samerk1@gmail.com> wrote:
> > > I am using Squid, Samba3 and winbind with NTLM authentication with a
> > > proper configuration for samba, krb5.conf and squid.conf as follows:
> > > auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> > > auth_param ntlm children 5
> > > auth_param ntlm max_challenge_reuses 0
> > > auth_param ntlm max_challenge_lifetime 2 minutes
> > >
> > > The solution works great for computers that are joined to the Active
> > > Directory domain; however, I have a couple of questions regarding
> > > clients that are NOT joined:
> > >
> > > 1- A NON-joined client using IE will have to log on using
> > > realm/username and passwd. Is there a way to make him authenticate
> > > with only his username and passwd?
> > > NB: It works fine with other browsers such as Firefox.
> >
> > MAYBE the Winbindd default domain can help. YMMV tho. This is an
> > intentional design decision by Microsoft.
> >
> We've run into the same problem in our environment. Our solution
> (which only works if you have a single domain) was to modify
> the Samba code to always use the domain specified in the smb.conf,
> regardless of what the user provided (or didn't).
>
> Not a neat solution (nor neat coding), but it works.
>
> lpx> diff -u samba-3.0.25a/source/nsswitch/winbindd_pam.c ../customised_files/winbindd_pam.c
> --- samba-3.0.25a/source/nsswitch/winbindd_pam.c Thu May 24
> 00:59:16 2007
> +++ ../customised_files/winbindd_pam.c Thu May 31 15:27:42 2007
> @@ -1,3 +1,6 @@
> +// UNISA CUSTOMISATION
> +// - Always use lp_workgroup() for the domain.
> +// This will let us deploy NTLM authentication to machines not
> logged into the domain.
> /*
> Unix SMB/CIFS implementation.
>
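Review bot: the three lines added at the top of the file are `//` line comments placed ahead of the file's `/* ... */` header block; winbindd_pam.c is written in block-comment style, and a file-scope note in a different comment style is easy to lose in a later merge. Suggest folding the customisation note into the existing header comment, or dropping it here altogether and keeping the explanation next to the changed code in the second hunk, which is where a reader looking at the auth path will need it.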
> @@ -1734,16 +1737,19 @@
>
> name_user = state->request.data.auth_crap.user;
>
> - if (*state->request.data.auth_crap.domain) {
> - name_domain = state->request.data.auth_crap.domain;
> - } else if (lp_winbind_use_default_domain()) {
> - name_domain = lp_workgroup();
> - } else {
> - DEBUG(5,("no domain specified with username (%s) -
> failing auth\n",
> - name_user));
> - result = NT_STATUS_NO_SUCH_USER;
> - goto done;
> - }
> +// BEGIN UNISA CUSTOMISATION
> +// if (*state->request.data.auth_crap.domain) {
> +// name_domain = state->request.data.auth_crap.domain;
> +// } else if (lp_winbind_use_default_domain()) {
> +// name_domain = lp_workgroup();
> +// } else {
> +// DEBUG(5,("no domain specified with username (%s) -
> failing auth\n",
> +// name_user));
> +// result = NT_STATUS_NO_SUCH_USER;
> +// goto done;
> +// }
> + name_domain = lp_workgroup();
> +// END UNISA CUSTOMISATION
>
> DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n",
> (unsigned long)state->pid,
> name_domain, name_user));
>
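Review bot: the replacement line `name_domain = lp_workgroup();` discards whatever the client put in `state->request.data.auth_crap.domain`, and nothing records that an override happened; the `DEBUG(3, ...)` line that follows now always prints the workgroup, so the winbindd log no longer shows what the client actually sent. Suggest logging the supplied domain when it is non-empty and differs from `lp_workgroup()` before overriding it, and making the override conditional on an smb.conf option rather than unconditional, so the single-domain assumption stated in the covering mail is enforced, or at least visible, in the configuration instead of being silent in the binary. The old branch kept as `//` comments should simply be deleted: the diff already records the original logic, and commented-out code in a non-matching comment style is noise for the next merge.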
> __
>
> David Gameau
> ISTS - Systems Infrastructure
> University of South Australia
>
> email: David.Gameau@UniSA.edu.au
> phone: +61 8 302 3533
> fax: +61 8 302 5800
>
> Disclaimer: "His brain sometimes stops working." - Chiyo, Azumanga Daioh
>
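The `winbind use default domain` setting mentioned above, shown as an added smb.conf and squid.conf example that is not configuration from this thread, from Samba or from Squid. The domain name `EXAMPLE` and realm `EXAMPLE.LOCAL` are placeholders; the squid.conf lines are the ones quoted in the thread. This is the supported alternative to the patch: with the option set, winbindd falls back to `workgroup` only when the client sends an empty domain, which is exactly the `else if (lp_winbind_use_default_domain())` branch the patch removes, while a request that names some other domain still goes through the original code path and is authenticated against that domain (or rejected) rather than silently remapped.

```ini
# smb.conf (constructed example; EXAMPLE and EXAMPLE.LOCAL are placeholders)
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    security = ads
    # Treat a username with no domain part as EXAMPLE\user instead of
    # failing with NT_STATUS_NO_SUCH_USER. Only an empty domain field is
    # affected; a domain the client does supply is left untouched.
    winbind use default domain = yes

# squid.conf (as quoted in the thread)
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
```

The caveat is the case David describes: a workstation that is not joined to the domain fills the NTLM domain field with its own machine name rather than leaving it empty, so the fallback does not apply and winbindd still has no matching domain. That is the gap the patch closes by overriding the domain unconditionally, at the cost of also overriding any genuinely different domain a client presents, which is why it is only safe in a single-domain environment.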
Received on Tue Oct 30 2007 - 10:49:35 MDT

This archive was generated by hypermail pre-2.1.9 : Thu Nov 01 2007 - 13:00:02 MDT