[Samba] squid, ntlm_auth, winbind problem
in [Samba]
|
Prev: [Samba] smbd panic due to negative exclusive oplock count
Next: [Samba] regarding pdbbackend tdbsam and LDAP
From: Frank Matthieß on 13 Feb 2010 12:20 Hi all, please cc me, i'm not on the list. Second: All google findable information about problems setting up ntlm_auth for squid with winbind are read and checked more than three times. After breaking a running setup under debian squeeze, i go back to debian lenny to circumvent the actual MIT kerberos problem[1]. [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566977#57 Now i face the problem, that no ntlm_auth version[2] authenticate against the running w2k3 ad. The winbind runs correct. wbinfo -g|-u|-t runs quite well. [2] samba-* 2:3.4.3-1~bpo50+2 sernet-* 3.4.5-27 To get the most stable samba version, i get them from www.backports.org including the 2.6.30 kernel package. The used configuration is copied from the formerly running machine. Doing this on the shell will get this result: ~# /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of='SWB+Internetbenutzer' SWB\user mypassword [2010/02/11 08:51:14, 1] utils/ntlm_auth.c:802(manage_squid_ntlmssp_request) BH NTLMSSP query invalid Here a list of information about the system with the problem: debian_version 5.0.4 with linux-image form backpots.org with sernet-samba packages from http://ftp.sernet.de/pub/samba/experimental/debian ii sernet-libwbclient0 3.4.5-27 client library for interfacing with winbind service ii sernet-samba 3.4.5-27 a LanManager-like file and printer server for Unix ii sernet-samba-common 3.4.5-27 Samba common files used by both the server and the ii sernet-samba-keyring 1.1 GnuPG archive keys of the SerNet Samba archive ii sernet-winbind 3.4.5-27 service to resolve user and group information from ii squid 2.7.STABLE7-1~bpo50+1 Internet object cache (WWW proxy cache) ii squid-common 2.7.STABLE7-1~bpo50+1 Internet object cache (WWW proxy cache) - co ii squid-langpack 20090921-2~bpo50+1 Localized error pages for Squid ii linux-image-2.6.30-bpo.2-686 2.6.30-8~bpo50+2 Linux 2.6.30 image on PPro/Celeron/PII/PIII/ getent passwd: proxy:x:13:13:proxy:/bin:/bin/sh getent group: proxy:x:13: winbindd_priv:x:104:proxy ls -ld /var/lib/samba/winbindd_privileged drwxr-x--- 2 root winbindd_priv 4096 10. Feb 14:55 /var/lib/samba/winbindd_privileged ls -ld /var/lib/samba/winbindd_privileged/* srwxrwxrwx 1 root root 0 10. Feb 14:55 /var/lib/samba/winbindd_privileged/pipe squid.conf: auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of='SWB+Internetbenutzer' auth_param ntlm children 5 auth_param ntlm keep_alive on auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of='SWB+Internetbenutzer' auth_param basic children 5 auth_param basic realm "SWB Internetfreigabe-Anmeldung" auth_param basic credentialsttl 4 hours auth_param basic casesensitive off wbinfo --seperator: + net ads testjoin: Join is OK [global] workgroup = SWB netbiosname = PROXY-TEST server string = Proxyserver Test realm = SWB.LAN encrypt passwords = true security = ADS password server = hauptserver.swb.lan log level = 3 log file = /var/log/samba/%m.log max log size = 50 syslog = yes prefered master = no dns proxy = no ldap ssl = no idmap uid = 10000 - 20000 idmap gid = 10000 - 20000 winbind use default domain = yes winbind enum users = yes winbind enum groups = yes winbind expand groups = 3 ;template homedir = /home/%D/%U ;template shell = /bin/bash ; ; ; winbind separator = + ; name resolve order = lmhosts host wins bcast interfaces = 127.0.0.0/8 eth0 bind interfaces only = yes panic action = /usr/share/samba/panic-action %d passdb backend = tdbsam obey pam restrictions = yes [hier-gibt-es-nix-zu-sehen] path = /tmp comment = Hier gibt es nix zu sehen guest ok = no read only = yes wbinfo -n 'SWB+Internetbenutzer' S-1-5-21-1063980897-116165429-615769971-1201 Domain Group (2) wbinfo -s S-1-5-21-1063980897-116165429-615769971-1201 SWB+internetbenutzer 2 /var/log/squid&/cache.log: [2010/02/10 14:37:18, 3] libsmb/ntlmssp.c:62(debug_ntlmssp_flags) Got NTLMSSP neg_flags=0xa2088207 [2010/02/10 14:37:18, 3] libsmb/ntlmssp.c:745(ntlmssp_server_auth) Got user=[fmat] domain=[SWB] workstation=[TS1] len1=24 len2=24 [2010/02/10 14:37:18, 0] utils/ntlm_auth.c:271(get_require_membership_sid) Winbindd lookupname failed to resolve 'SWB+Internetbenutzer' into a SID! ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Failed lookup at the first access to ntlm_auth [2010/02/10 14:37:18, 3] utils/ntlm_auth.c:558(winbind_pw_check) Login for user [SWB]\[fmat]@[TS1] failed due to [unknown error (NULL)] [2010/02/10 14:37:22, 3] libsmb/ntlmssp.c:62(debug_ntlmssp_flags) Got NTLMSSP neg_flags=0x00088207 [2010/02/10 14:37:22, 3] libsmb/ntlmssp.c:745(ntlmssp_server_auth) Got user=[fmat] domain=[] workstation=[ts1] len1=24 len2=24 [2010/02/10 14:37:22, 0] utils/ntlm_auth.c:271(get_require_membership_sid) Winbindd lookupname failed to resolve 'SWB+Internetbenutzer' into a SID! [2010/02/10 14:37:22, 3] utils/ntlm_auth.c:558(winbind_pw_check) Login for user []\[fmat]@[ts1] failed due to [unknown error (NULL)] |