Search squid archive

RE: Squid/Samba authenication with wrong username

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Joop,

My smb.conf is as follows (constructed based on some walkthroughs
available on Internet):


[global] 
	 
workgroup = DOMAIN 
server string = Linux Samba Server 
netbios name = ntproxy 
realm = DOMAIN.COM 
security = ADS 
encrypt passwords = Yes 
password server = 10.1.0.207, 10.1.0.203 
preferred master = False 
local master = No 
domain master = False 
dns proxy = No 
wins server = 10.1.0.207 
winbind separator = / 
winbind enum users = yes 
winbind enum groups = yes 
winbind use default domain = yes 
idmap uid = 10000-20000 
idmap gid = 10000-20000 
 

log file = /var/log/samba/log.%m 
max log size = 50 
 
 
load printers = yes 
cups options = raw 
 
 
[homes] 
comment = Home Directories 
browseable = no 
writable = yes 

	 
[printers] 
comment = All Printers 
path = /var/spool/samba 
browseable = no 
guest ok = no 
writable = no 
printable = yes 


I notice that when I attempt "kinit [username]@[domain]" an interesting
thing happens.  If is set it as username@DOMAIN it returns no errors...
But if I use username@domain (lowercase) I receive an error that "Cannot
find KDC for requested realm while getting initial credentials".  Could
this be part of the problem?

The other kinit commands return success.

I could not get the ntlm_auth command to work, as written... Still
trying to figure out exactly what should be changed.

Any recommendations?   

Thanks for the help.

Shane

-----Original Message-----
From: J Beris [mailto:J.Beris@xxxxxxxxxxxxx] 
Sent: Thursday, March 13, 2008 3:21 AM
To: Leach, Shane - MIS Laptop
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: RE:  Squid/Samba authenication with wrong username

> It occurs to me that the actual user that is logged into XP is 
> "DOMAIN\USERNAME" rather than the other... is there a way to have
Samba
> recognize this?  I am wanting to get rid of the login required.

Hi Shane,

We have this setup running here, and it runs fine 99.9% of the time. The
only time when we have issues is when a user has recently changed
his/her password and this hasn't been synched to the proxy yet. This
resolves itself quickly enough, so not really a problem.

It seems to me that you have not set up Samba properly for
authentication. I have the following set up in /etc/smb.conf:

[global]
        workgroup = [OURDOMAIN]
        netbios name = [NETBIOS NAME OF OUR SERVER]
        server string = openSUSE 10.2 proxy server
        security = ads <--- tells Samba you are using Active Directory
to authenticate against
        encrypt passwords = yes
        password server = [COMMA SEPARATED LIST OF OUR DOMAIN
CONTROLLERS]
        log file = /var/log/samba/%m.log
        max log size = 0
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        # The settings below ensure Samba doesn't
        # become the master browser for this domain
        # Samba tends to be faster than our DC's
        preferred master = False
        local master = no
        domain master = False
        winbind separator = /
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        idmap uid = 10000-20000
        idmap gid = 10000-20000

Also, take a look at your Kerberos configuration, to see if you have set
that up properly and if the proxy machine has been added to the domain
properly. Check the output of the following commands:

# kinit [username]@[domain] (without the brackets) This should prompt
you for the password for the specified user

After this, try the following:
# klist -e
This will show any cached Kerberos tickets on your server

# net ads testjoin
This will test if your join to the domain is valid

# wbinfo -t
Checks the machine trust account

# wbinfo -u
List domain users

If any of these commands give you errors, verify your configuration.

Last, but not least, test if you can authenticate with ntlm_auth:

# /path/to/ntlm_auth --username=[user]
This should give you a password prompt.

Hope that helps!

Regards,

Joop


------------------------------------------------------------
Dit bericht is gescand op virussen en andere gevaarlijke inhoud door
MailScanner en lijkt schoon te zijn.
Mailscanner door http://www.prosolit.nl
Professional Solutions fot IT



[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux