Hello Victor,
did you try supplying the domain name along with the username? Like "DOMAIN\administrator". Or adding "winbind use default domain = yes" to your samba configuration.

Regards,
-sd

2009/3/31 Victor Medina <[email protected]>:
> David, it did not work.
>
> Any suggestion?
>
> Victor Medina
>
> Samuel Goldwyn - "I don't think anyone should write their
> autobiography until after they're dead."
>
>
> On Wed, Apr 1, 2009 at 12:13 PM, David Wells <[email protected]> wrote:
>> Victor Medina wrote:
>>>
>>> Hi Guys!
>>>
>>> Probably this is not the best place to ask, I'll try anyway... =)
>>>
>>> I've been trying to configure a Samba PDC and a Squid Proxy server
>>> with NTLM auth on the same machine but NTLM_AUTH keeps complaining
>>> about: NT_STATUS_INVALID_HANDLE.... I have other machines running
>>> Squid and authenticating against a Samba server but on different
>>> machines, this is the first time I try both on the same machine.
>>>
>>> Can I use Squid+NTLM Auth and Samba configured as PDC on the same
>>> machine? Is there any winbind issue with this kind of configuration?
>>>
>>> I'm using SLES10+SP2
>>> Samba version as reported by rpm is 3.0.32-0.8
>>> Squid version as reported by rpm is 2.5.STABLE12-18.13
>>>
>>> -------------------------------------------------
>>> This is my smb.conf
>>>
>>> [global]
>>> dos charset = 850
>>> unix charset = ISO8859-1
>>> workgroup = C1.SV
>>> netbios name = PDCSRVC1SV
>>> server string =
>>> interfaces = eth0
>>> bind interfaces only = Yes
>>> map to guest = Bad Password
>>> passdb backend = ldapsam:ldap://127.0.0.1
>>> guest account = Invitado
>>> time server = Yes
>>> deadtime = 20
>>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>> printcap name = cups
>>> logon path =
>>> logon home =
>>> domain logons = Yes
>>> os level = 65
>>> preferred master = Yes
>>> domain master = Yes
>>> wins support = Yes
>>> ldap admin dn = cn=Administrador,o=Ferreteria EPA
>>> ldap delete dn = Yes
>>> ldap group suffix = ou=group
>>> ldap machine suffix = ou=people
>>> ldap passwd sync = Yes
>>> ldap suffix = ou=c1,c=sv,o=Ferreteria EPA
>>> ldap user suffix = ou=people
>>> idmap domains = DEFAULT
>>> idmap alloc backend = ldap
>>> idmap alloc config:range = 10000-100000
>>> idmap alloc config:ldap_url = ldap://127.0.0.1
>>> idmap alloc config:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
>>> idmap alloc config:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
>>> idmap config DEFAULT:range = 10000-100000
>>> idmap config DEFAULT:ldap_url = ldap://127.0.0.1
>>> idmap config DEFAULT:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
>>> idmap config DEFAULT:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
>>> idmap config DEFAULT:default = yes
>>> idmap config DEFAULT:readonly = no
>>> idmap config DEFAULT:backend = ldap
>>> ldapsam:editposix = yes
>>> ldapsam:trusted = yes
>>> create mask = 0640
>>> force create mode = 0640
>>> directory mask = 0750
>>> force directory mode = 0750
>>> case sensitive = No
>>> dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
>>>
>>> My relevant squid.conf lines...
>>>
>>> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp C1.SV/PDCSRVC1SV
>>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic C1.SV/PDCSRVC1SV
>>> auth_param ntlm children 100
>>> auth_param basic children 100
>>> auth_param basic realm Squid proxy-caching web server
>>> auth_param basic credentialsttl 2 hours
>>>
>>> The PDC works as expected, machine join works like a charm, users and
>>> groups management works equally right, all accounts are placed in the
>>> LDAP, getent passwd, groups and shadow show the LDAP accounts.
>>>
>>> I also did a few tests with wbinfo
>>>
>>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo -u
>>> invitado
>>> usuarioprueba
>>> e01ggen
>>> e01glogis
>>> e01gcont
>>> e01jcomp1
>>> e01jcomp2
>>> e01jcomp3
>>> e01jcomp4
>>> e01jrepo
>>> e01jreclu
>>> e01rrece
>>> e01gcom
>>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo -g
>>> BUILTIN
>>> BUILTIN
>>> domain users
>>> domain admins
>>> domain guests
>>> grupoprueba
>>> gcentralsv
>>> gcompras
>>> gcontrol
>>> ggerencia
>>> glogistica
>>> gmercadeo
>>> gpersonal
>>> gventas
>>> gjefecompras
>>> gjefecontrol
>>> gjefelogistica
>>> gjefepersonal
>>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo --all-domains
>>> C1.SV
>>>
>>> I also made sure squid users can read /var/lib/samba/winbindd_privileged
>>>
>>> I also noted this error:
>>>
>>> e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo --authenticate=administrator%12345678
>>> plaintext password authentication failed
>>> error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
>>> error messsage was: No such user
>>> Could not authenticate user administrator%12345678 with plaintext password
>>> winbind separator was NULL!
>>> challenge/response password authentication failed
>>> error code was NT_STATUS_INVALID_HANDLE (0xc0000008)
>>> error messsage was: Invalid handle
>>> Could not authenticate user administrator with challenge/response
>>>
>>> Does someone have any idea of what could go wrong? When I use squid and
>>> samba on different machines I usually join the squid machine to the
>>> domain using a net join, is this necessary when the PDC and squid are
>>> on the same machine?
>>>
>>> Victor Medina
>>>
>>> Samuel Goldwyn - "I don't think anyone should write their
>>> autobiography until after they're dead."
>>>
>>
>> I think you should add lo to the interfaces listed in smb.conf
>>
>> Best regards, David Wells.
>>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

--
The box said Windows Vista or better. So I bought a Mac.
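
A small check for the two smb.conf changes suggested in the replies (adding lo to `interfaces`, and `winbind use default domain = yes`), as an added example that is not part of any poster's message. The sample config is constructed from the posted smb.conf, and the function names are hypothetical.

```python
import fnmatch

# Constructed sample: the [global] lines from the posted smb.conf that matter here.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = C1.SV
    netbios name = PDCSRVC1SV
    interfaces = eth0
    bind interfaces only = Yes
    domain logons = Yes
"""

TRUE_VALUES = {"yes", "true", "1"}  # smb.conf boolean spellings, case-insensitive


def parse_global(text):
    """Return [global] parameters; names are lowercased with whitespace removed,
    because smb.conf ignores case and internal whitespace in parameter names."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params["".join(name.split()).lower()] = value.strip()
    return params


def review(text):
    """Return findings for the two settings suggested in the replies."""
    p = parse_global(text)
    findings = []
    tokens = p.get("interfaces", "").replace(",", " ").split()
    # An entry covers loopback if it names/globs "lo" or is a 127.x address.
    has_loopback = any(fnmatch.fnmatch("lo", t) or t.startswith("127.") for t in tokens)
    if p.get("bindinterfacesonly", "no").lower() in TRUE_VALUES and not has_loopback:
        findings.append("bind interfaces only is on and interfaces has no loopback "
                        "entry: smbd does not listen on 127.0.0.1")
    if p.get("winbindusedefaultdomain", "no").lower() not in TRUE_VALUES:
        domain = p.get("workgroup", "DOMAIN")
        findings.append("winbind use default domain is off: "
                        f"authenticate as {domain}\\administrator, not administrator")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_SMB_CONF):
        print("-", finding)
```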
