[Samba] Winbind/ntlm_auth issues

2012-07-19 Thread Baird, Josh
Hi,

I'm struggling to get squid+ntlm_auth working correctly.  I have successfully 
joined the domain, and I am able to successfully enumerate groups and users 
using wbinfo.  I can also successfully run wbinfo -a.  

However, once I configure Squid to use ntlm_auth per:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp 
--debug-level=10 --nt-response
auth_param ntlm children 5
auth_param ntlm keep_alive on

.. Squid does not authenticate and prompts me for credentials.  My domain 
credentials do not work, and this is displayed in Samba/WB's log:

[2012/07/19 09:58:14, 0] 
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1767)
  winbindd_pam_auth_crap: invalid password length 24/336

Does anyone have any ideas on what is causing this?  I apologize that this 
message is Squid-related, but I can't seem to find any answers elsewhere.

Thanks,

Josh
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Winbind/ntlm_auth issues

2012-07-19 Thread Baird, Josh
Andrew,

I think you nailed it.  I was running 3.0 from RHEL5.  I'm seeing much more 
promising results so far with 3.6.  

Thanks,

Josh

From: Andrew Bartlett [abart...@samba.org]
Sent: Thursday, July 19, 2012 5:25 PM
To: Baird, Josh
Cc: samba@lists.samba.org
Subject: Re: [Samba] Winbind/ntlm_auth issues

On Thu, 2012-07-19 at 15:11 +, Baird, Josh wrote:
> Hi,
> 
> I'm struggling to get squid+ntlm_auth working correctly.  I have successfully 
> joined the domain, and I am able to successfully enumerate groups and users 
> using wbinfo.  I can also successfully run wbinfo -a.
> 
> However, once I configure Squid to use ntlm_auth per:
> 
> auth_param ntlm program /usr/bin/ntlm_auth 
> --helper-protocol=squid-2.5-ntlmssp --debug-level=10 --nt-response
> auth_param ntlm children 5
> auth_param ntlm keep_alive on
> 
> .. Squid does not authenticate and prompts me for credentials.  My domain 
> credentials do not work, and this is displayed in Samba/WB's log:
> 
> [2012/07/19 09:58:14, 0] 
> nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1767)
>   winbindd_pam_auth_crap: invalid password length 24/336
> 
> Does anyone have any ideas on what is causing this?  I apologize that this 
> message is Squid-related, but I can't seem to find any answers elsewhere.

This looks like a Samba issue to me.  Try a much more recent version of
Samba.  I see code in current master for a BIG_NTLMV2_BLOB that smells
exactly like what you have here.  Long domain names are padding out one
of the response values (the 336) and going over an internal arbitrary
limit that shouldn't have been there.

The fix is in:

commit 9264f4891484b0316e8e574e256ca0b0a5e9f007
Author: Günther Deschner g...@samba.org
Date:   Tue Sep 1 11:58:05 2009 +0200

wbclient: Fix Bug #6680: always activate handling of large (> 256 byte) ntlmv2
blobs in wbcAuthenticateUserEx().

Guenther


Andrew Bartlett

--
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org



[Samba] Samba 3.5 w/ Active Directory Share Authentication

2012-10-16 Thread Baird, Josh
Hi,

I'm attempting to configure Samba 3.5 to authenticate share access via Active 
Directory.  I do not wish to authenticate system users against AD, only Samba 
shares.  I have successfully joined the server to the AD domain, with a few 
errors:

$ net join -W buildel664 -U jbadmin
Enter jbadmin's password:
Using short domain name -- NA
Joined 'BUILDEL664' to realm 'na.blah.lan'
[2012/10/16 14:50:36.636201,  0] libads/kerberos.c:333(ads_kinit_password)
  kerberos_kinit_password BUILDEL664$@NA.FOLLETT.LAN failed: Client not found 
in Kerberos database
DNS Update for buildel664.corp.xxx.com failed: ERROR_DNS_GSS_ERROR
DNS update failed!

I can't seem to figure out what is causing these errors, but the domain join is 
successful.  I am able to successfully enumerate groups and users using wbinfo 
-g and wbinfo -u, although getent passwd only returns local users.  I am 
not sure if this is a problem or not.  While wbinfo -g does work, it does not 
return a listing that includes smb.conf's winbind separator.  According to 
docs that I have found, wbinfo should output this separator.  

When I try to assign domain users/groups to a samba share  I get an error in 
Samba's logs that the user is not valid.

My smb.conf:

   workgroup = NA
   realm = NA.XXX.LAN
   security = ads
   template shell = /bin/false
   winbind use default domain = yes
   winbind offline logon = false
   winbind enum users = yes
   winbind enum groups = yes
   winbind separator = +
   idmap uid = 1000-5000 # increased for larger AD environments
   idmap gid = 1000-5000 # increased for larger AD environments
   encrypt passwords = yes

server string = Samba Server Version %v

# logs split per machine
log file = /var/log/samba/%m.log
# max 50KB per log file, then rotate
max log size = 500

os level = 20
preferred master = no
dns proxy = no

load printers = no
cups options = raw

[adauth]
comment = Testing
path=/adauth
create mask = 0660
directory mask = 770
writeable = yes
browseable = yes
valid users = +NA+jbadmin
guest ok = no

Any ideas how to further troubleshoot?

Thanks,

Josh


Re: [Samba] grant windows group share permission

2012-11-16 Thread Baird, Josh
It's easiest to tell Samba to allow everyone access to the share, and use ACLs 
on the Linux filesystem to restrict access.

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of lst_ho...@kwsoft.de
Sent: Friday, November 16, 2012 8:55 AM
To: samba@lists.samba.org
Subject: [Samba] grant windows group share permission

Hello

I would like to give a Windows group (W2K3-AD) permissions to use a share read/write 
on a Samba domain member server. Therefore I have added the Samba server to 
the domain without problems and created a share like this:

[bild]
comment = Some Comment
path = /data/bild
admin users = root
force user = smbuser
force group = sambashare
valid users = DOMAIN\w-user1 @DOMAIN\w-group1
guest ok = no
read only = no
writeable = yes
browseable = yes

The Windows domain user w-user1 works as it should, but no member of the 
Windows group w-group1 can access the share. I have also tried mapping the 
Windows group to the Unix group sambashare with username map, but I always get 
access denied, i.e. I am asked for a Windows user.

Can someone please give a hint on how to grant access for a Windows group without 
adding/removing the members to a Unix group?

Many Thanks

Andi

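
Both share definitions in the two posts above (valid users = +NA+jbadmin with winbind separator = +, and valid users = DOMAIN\w-user1 @DOMAIN\w-group1) hinge on how Samba tokenizes valid users: per smb.conf(5) the prefixes @, + and & mark group entries (netgroup and/or UNIX group, winbind groups included), a domain qualifier is a backslash or the configured winbind separator, and with winbind use default domain = yes an unqualified name is looked up in the workgroup. The Python below is an added example, not code from either poster or from Samba. It parses a constructed smb.conf modelled on the [adauth] and [bild] shares and reports how each token is read; the sample config, the share names and the backslash-then-separator split are this script's own assumptions, a simplification of the lookups Samba actually performs.

```python
"""Parse 'valid users' tokens as smb.conf(5) documents them and flag a winbind
separator that collides with the group-prefix characters."""
import configparser
import re
from typing import NamedTuple, Optional

# Constructed sample smb.conf, modelled on the two share definitions from the thread.
SAMPLE_SMB_CONF = r"""
[global]
    workgroup = NA
    security = ads
    winbind use default domain = yes
    winbind separator = +

[adauth]
    path = /adauth
    valid users = +NA+jbadmin

[bild]
    path = /data/bild
    valid users = DOMAIN\w-user1 @DOMAIN\w-group1
"""

# Prefix characters documented in smb.conf(5) for 'valid users' / 'invalid users'.
GROUP_PREFIXES = {
    "+&": "UNIX group, then netgroup",
    "&+": "netgroup, then UNIX group",
    "@": "netgroup, then UNIX group",
    "+": "UNIX group",
    "&": "netgroup",
}


class Entry(NamedTuple):
    raw: str
    kind: str              # "user" or one of the GROUP_PREFIXES values
    domain: Optional[str]  # None when the token carries no domain qualifier
    name: str


def parse_entry(token: str, separator: str) -> Entry:
    """Split one token into group prefix, optional domain qualifier and name."""
    kind, body = "user", token
    for prefix in ("+&", "&+", "@", "+", "&"):   # two-character prefixes first
        if token.startswith(prefix):
            kind, body = GROUP_PREFIXES[prefix], token[len(prefix):]
            break
    # Samba's name lookup accepts DOMAIN\name and DOMAIN<winbind separator>name.
    # Assumption of this example: try the backslash first, then the separator.
    for qualifier in ("\\", separator):
        if qualifier and qualifier in body:
            domain, name = body.split(qualifier, 1)
            return Entry(token, kind, domain, name)
    return Entry(token, kind, None, body)


def parse_valid_users(value: str, separator: str) -> list:
    """'valid users' is a comma- or whitespace-separated list of tokens."""
    return [parse_entry(t, separator) for t in re.split(r"[,\s]+", value.strip()) if t]


def lint_smb_conf(text: str) -> dict:
    """Return {share: [finding, ...]} for each share that sets 'valid users'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)  # smb.conf uses %m etc.
    cp.read_string(text)
    separator = cp.get("global", "winbind separator", fallback="\\").strip()
    workgroup = cp.get("global", "workgroup", fallback="")
    default_domain = cp.getboolean("global", "winbind use default domain", fallback=False)
    findings = {}
    for share in cp.sections():
        if share == "global" or not cp.has_option(share, "valid users"):
            continue
        notes = []
        if separator in GROUP_PREFIXES:
            notes.append(f"winbind separator {separator!r} is also a group-prefix character: "
                         f"a token starting with it is read as a group, not as DOMAIN{separator}user")
        for e in parse_valid_users(cp.get(share, "valid users"), separator):
            if e.domain is not None:
                where = e.domain
            elif default_domain:
                where = f"{workgroup} (unqualified; winbind use default domain = yes)"
            else:
                where = "none (unqualified name)"
            notes.append(f"{e.raw!r}: {e.kind} {e.name!r}, domain {where}")
        findings[share] = notes
    return findings


if __name__ == "__main__":
    for share, notes in lint_smb_conf(SAMPLE_SMB_CONF).items():
        print(f"[{share}]")
        for note in notes:
            print("   ", note)
```

With the sample config the script reports that, because + is both the separator and a group prefix, +NA+jbadmin is read as a UNIX-group entry for the group jbadmin in domain NA, while DOMAIN\w-user1 is a user entry and @DOMAIN\w-group1 a group entry; that is the difference between the two shares, and the first thing to check before looking at the filesystem or ACLs.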


[Samba] Samba Permissions

2012-12-07 Thread Baird, Josh
Hi,

I have a case where I only want to restrict access to SMB shares via filesystem 
permissions (and POSIX ACLs).  Therefore, I do not want Samba to verify 
security in any way at the SMB level.  If the filesystem/ACL permissions allow 
access to the shared directory, so should Samba.  If the filesystem does not 
allow access to the filesystem, Samba should deny as well.

I thought I had this working correctly, but sometimes it randomly breaks.  Here 
is an example of a share's configuration:

[testshare]
  comment = Test Share
  path = /test/testshare
  writeable = yes
  create mask = 770
  directory mask = 770

if the share's directory has the following permissions:

drwxrwx--- 2 root   DOMAIN\testgroup 4096 Dec  7 14:54 testshare

Then, anyone in the DOMAIN\testgroup should have read/write access to the 
share, correct?  Instead, when I try to access the share, I get prompted for 
credentials, and then get denied.  The following error is displayed in SMB logs:

==> /var/log/samba/___172.26.103.175.log <==
[2012/12/07 14:57:18.622794,  1] 
auth/auth_util.c:848(create_token_from_username)
  lookup_name_smbconf for DOMAIN\testuser failed

DOMAIN\testuser is a member of DOMAIN\testgroup.

Any help would be greatly appreciated!

Thanks,

Josh





Re: [Samba] Samba Permissions

2012-12-09 Thread Baird, Josh
Sorry for the top post.

If I only wanted to use ACLs to control access, and not Samba as indicated in 
my OP, should I use security = share mode?

Thanks.

-Original Message-
From: TAKAHASHI Motonobu [mailto:mo...@monyo.com] 
Sent: Sunday, December 09, 2012 2:20 AM
To: Baird, Josh
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba Permissions

From: Baird, Josh jba...@follett.com
Date: Fri, 7 Dec 2012 20:58:22 +

> I thought I had this working correctly, but sometimes it randomly breaks.
> Here is an example of a share's configuration:
> 
> [testshare]
>   comment = Test Share
>   path = /test/testshare
>   writeable = yes
>   create mask = 770
>   directory mask = 770

You may want to add force group = DOMAIN\testgroup.

> if the share's directory has the following permissions:
> 
> drwxrwx--- 2 root   DOMAIN\testgroup 4096 Dec  7 14:54 testshare
> 
> Then, anyone in the DOMAIN\testgroup should have read/write access 
> to the share, correct?

Basically yes. In my env, those settings work correctly.

DOMAIN\testuser, a member of DOMAIN\testgroup, can write to the share. The owner 
group of the written file is DOMAIN\domain users, testuser's primary group.

---
TAKAHASHI Motonobu mo...@monyo.com