Re: [Samba] Re: winbindd + mod_ntlm_winbind, why do we need net join ... ?
On Thu, 2006-09-21 at 18:00 +0200, Juan Rodriguez wrote:
> On 9/21/06, Juan Rodriguez [EMAIL PROTECTED] wrote:
>
> Hello,
>
> I would like to use NTLM authentication on my Apache2 server, and I've
> found this link, which works very well for me:
> http://download.samba.org/ftp/unpacked/lorikeet/mod_ntlm_winbind
>
> I'm a newbie to samba, and to make this stuff work, I had to execute
> net join -S DC -U Admin, because winbindd complained about did we join ?...
> (all of this can be found on man winbindd).
>
> I've managed to avoid this message using: net rpc getsid, but then I get
> the following error when I try to authenticate through mod_auth_winbind:
> (this is the output of winbindd)
>
> ...
> process_request: request fn AUTH_CRAP
> [11189]: pam auth crap domain: mydomain user: myuser
> is_myname(mydomain) returns 0
> secrets_fetch failed!
> get_trust_pw: could not fetch trust account password for domain mydomain
> could not open handle to NETLOGON pipe (error: NT_STATUS_CANT_ACCESS_DOMAIN_INFO)

You must join. Samba supports no other mode for mod_ntlm_winbindd.

It is more secure, as we gain some assurance that the DC is real, and more reliable, as the DC communication is stateless. This is identical to how windows member servers operate.

Other hacks often work, then fail (which is why ntlm_auth was created, to allow squid admins to use NTLM without these occasional failures)

Andrew Bartlett

--
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Red Hat Inc.          http://redhat.com

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
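
An added example (not part of the thread and not Samba code): a small Python triage that scans winbindd debug output for the missing-machine-account signature quoted in the message above. The `diagnose` function, its field names and the trailing `PING` request line are assumptions constructed for illustration.

```python
import re

# Messages from the winbindd output quoted in this thread that together
# indicate the host holds no machine trust account secret (it never joined).
SIGNATURES = {
    "secrets_fetch failed": "no machine secret in secrets.tdb",
    "could not fetch trust account password": "trust account password missing",
    "NT_STATUS_CANT_ACCESS_DOMAIN_INFO": "NETLOGON pipe to the DC could not be opened",
}
DOMAIN_RE = re.compile(r"trust account password for domain (\S+)")
REQUEST_RE = re.compile(r"process_request: request fn (\S+)")

def diagnose(log_text):
    """Return one finding per winbindd request that failed for lack of a join."""
    findings, current = [], None
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:  # a new request begins: keep the previous one only if it failed
            if current and current["evidence"]:
                findings.append(current)
            current = {"request": m.group(1), "domain": None, "evidence": []}
            continue
        if current is None:
            continue
        d = DOMAIN_RE.search(line)
        if d:
            current["domain"] = d.group(1)
        for needle, meaning in SIGNATURES.items():
            if needle in line:
                current["evidence"].append(meaning)
    if current and current["evidence"]:
        findings.append(current)
    return findings

# Lines as quoted in the thread, then one constructed request with no errors.
SAMPLE = """\
process_request: request fn AUTH_CRAP
[11189]: pam auth crap domain: mydomain user: myuser
is_myname(mydomain) returns 0
secrets_fetch failed!
get_trust_pw: could not fetch trust account password for domain mydomain
could not open handle to NETLOGON pipe (error: NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
process_request: request fn PING
"""

if __name__ == "__main__":
    for f in diagnose(SAMPLE):
        print(f"{f['request']} for {f['domain']}: not joined ->", "; ".join(f["evidence"]))
```
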
Re: [Samba] Re: winbindd + mod_ntlm_winbind, why do we need net join ... ?
On 9/22/06, Andrew Bartlett [EMAIL PROTECTED] wrote:

[snipped]

> You must join. Samba supports no other mode for mod_ntlm_winbindd.
>
> It is more secure, as we gain some assurance that the DC is real, and
> more reliable, as the DC communication is stateless. This is identical
> to how windows member servers operate.
>
> Other hacks often work, then fail (which is why ntlm_auth was created,
> to allow squid admins to use NTLM without these occasional failures)

Ok, I can guess this is the right way of doing this. But I can't ask for the DC Administrator's password to join the domain.

Is there an easy way to hack the source code and avoid this limitation? As far as I can understand, this is a Samba restriction, not a windows one. (correct me if I am wrong).

Thank you very much for your help.

--
JFRH
[Samba] Re: winbindd + mod_ntlm_winbind, why do we need net join ... ?
On 9/21/06, Juan Rodriguez [EMAIL PROTECTED] wrote:

Hello,

I would like to use NTLM authentication on my Apache2 server, and I've found this link, which works very well for me: http://download.samba.org/ftp/unpacked/lorikeet/mod_ntlm_winbind

I'm a newbie to samba, and to make this stuff work, I had to execute net join -S DC -U Admin, because winbindd complained about did we join ?... (all of this can be found on man winbindd).

I've managed to avoid this message using: net rpc getsid, but then I get the following error when I try to authenticate through mod_auth_winbind: (this is the output of winbindd)

...
process_request: request fn AUTH_CRAP
[11189]: pam auth crap domain: mydomain user: myuser
is_myname(mydomain) returns 0
secrets_fetch failed!
get_trust_pw: could not fetch trust account password for domain mydomain
could not open handle to NETLOGON pipe (error: NT_STATUS_CANT_ACCESS_DOMAIN_INFO)

--
JFRH