I know, I know, this again :)
The company I work for would like to use squid for proxy authentication purposes using NTLM, using a Windows 2008 R2 server as a DC. I've managed to set up samba/winbind to use ads and successfully joined the domain. Configured nsswitch.conf to look up winbind entities (however I didn't touch PAM configuration, as I don't actually want the users to be able to log in to the linux machine). wbinfo -t reports a successful check of trust. wbinfo -u / wbinfo -g work as intended, e.g. dump a list of domain users / groups. I can authenticate using wbinfo -a (both plaintext and challenge-response) and wbinfo -K.

nsswitch.conf:

> passwd: compat winbind
> group: compat winbind

As far as I can tell, nsswitch.conf is also configured properly, since `getent passwd` dumps local users, waits about .2 seconds, and dumps domain users:

> sasa.sokolova:*:10283:10001:Sasa Sokolova:/home/LIONSK/sasa.sokolova:/bin/false
> adam.szabados:*:10284:10001:Adam Szabados:/home/LIONSK/adam.szabados:/bin/false

(All domain users are members of group '10001', is this normal?)

However, `getent group` lists only local groups. No waiting time, it just dumps local groups and exits. Likewise, when attempting to `wbinfo -r <domainuser>`, the command fails with 'Could not get groups for <domainuser>'. I've run strace on `getent group` (which, incidentally, shows a timeout, but none is perceived); the result can hopefully be viewed here:

http://halka.yw.sk/ext/strace_getent_group.txt

A widely suggested fix for this was to delete /var/lib/samba/winbindd_idmap.tdb (for Samba versions up to 3.2.x?), but the problems persist even after clearing the cache. This is the point at which I'm stumped, since management wants to apply different squid ACLs based on domain user's group.
The funny (or not) thing is, when authenticating using domain group restriction, e.g.:

> /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=DOMAIN\\it

...works as intended (allows only members of the group 'it' to authenticate successfully), but that's about as far as I can get. I'm using samba 3.5.8 as provided by, cough, Ubuntu (10.08) packages. I've previously tried a similar solution on Debian lenny. Now, this is a virtual server which only holds samba and squid, so I have no qualms about reinstalling, using various pre-alpha versions or anything, so wild ideas like this are not unwelcome.

I've linked my configuration files below, since I'm not yet sure about proper attachment etiquette in mailing lists:

http://halka.yw.sk/ext/krb5.conf
http://halka.yw.sk/ext/smb.conf
http://halka.yw.sk/ext/nsswitch.conf

Any help is of course greatly appreciated.

--
Ľubomír Brindza
xmpp: [email protected]

Your eyes are weary from staring at the CRT. You feel sleepy. Notice how restful it is to watch the cursor blink. Close your eyes. The opinions stated above are yours. You cannot imagine why you ever felt otherwise.
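As an added example (not from the poster's configuration), this is the squid side of what management is asking for: per-group ACLs using Squid's bundled wbinfo_group.pl external ACL helper next to the same ntlm_auth helper the post uses. The helper path, the group names 'it' and 'sales', and the destination domains are assumptions.

```conf
# squid.conf fragment (added example; paths, group names and domains are assumptions)

# NTLM authentication through winbind's ntlm_auth, as in the post, but without
# --require-membership-of: that flag can only gate on a single group, so the
# group checks move to the external ACL below.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Proxy
auth_param basic credentialsttl 2 hours

# External ACL helper shipped with Squid. It is given the authenticated login
# name (%LOGIN) plus the group names from the acl line, and answers OK/ERR by
# calling wbinfo (-n to get the group SID, -Y to map it to a GID, -r to list
# the user's GIDs). Path as in Ubuntu's squid3 package; adjust for your build.
external_acl_type nt_group ttl=300 negative_ttl=60 %LOGIN /usr/lib/squid3/wbinfo_group.pl

acl authenticated proxy_auth REQUIRED
acl in_it    external nt_group it
acl in_sales external nt_group sales
acl sales_sites dstdomain .crm.example .intranet.example

# Force authentication first, then branch on domain group membership.
http_access deny !authenticated
http_access allow in_it
http_access allow in_sales sales_sites
http_access deny all
```

Because wbinfo_group.pl decides membership by running `wbinfo -r` for the user, it will answer ERR for everyone while that lookup fails, so the `getent group` / `wbinfo -r` problem described above has to be resolved before these group ACLs can match anything.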
