
List:       samba
Subject:    [Samba] NTLM Problems
From:       "Ian Barnes" <ian () opteqint ! net>
Date:       2005-10-31 19:48:52
Message-ID: 20051031194912.84207162C52 () lists ! samba ! org

Hi,

I am running squid and samba to auth users against a 2003 domain. My squid
setup is something like this:

auth_param ntlm program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm children 2
auth_param basic program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 2
auth_param basic realm Cache NTLM Authentication
auth_param basic credentialsttl 2 hours

I then join the domain as follows:
net join -S server -w Domain -U username%password

Once that has succeeded I then run winbindd and nmbd. Once that is done, if
I do a wbinfo -u or -g I can see the users and groups of the users I am
authenticating. All seems fine, but when a user tries to auth, the following
error occurs:

[2005/10/31 11:43:36, 0] utils/ntlm_auth.c:winbind_pw_check(427)
  Login for user [Domain]\[Proxy2]@[ianb] failed due to [Access denied]
[2005/10/31 11:43:36, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(600)
  NTLMSSP BH: NT_STATUS_ACCESS_DENIED

If I run a wbinfo -a Proxy2%Password_1 (A valid user and password), I get
this:
[root@cont] ~ # wbinfo -a Proxy2%Password_1
plaintext password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
error messsage was: Access denied
Could not authenticate user Proxy2%Password_1 with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
error messsage was: Access denied
Could not authenticate user Proxy2 with challenge/response
[root@cont] ~ #

The user that I am joining the domain with (in net join) has the following
set:
* The account is a local administrator on the device, specified within AD
* The account has full read access to all user information, it was delegated
to me.

Something else that's strange is that I saw this error a while ago, and
while trying to debug it, it just stopped occurring, and my users could auth
fine. The domain I'm authing to has over 1000 users (in the lab where we are
testing) and over 2000 groups.

Could anyone provide some more insight as to why this is happening?

Cheers
Ian
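The squid.conf fragment in this post pairs an NTLM helper with a basic (plaintext) fallback, and the NTLM challenge settings decide whether a challenge can be replayed. The following checker is an added example, not code from the post or from Samba/squid: it parses `auth_param` directives from a constructed copy of the poster's snippet and reports the settings a reviewer would look at. The 300-second lifetime threshold is an assumed review value, not a squid default.

```python
import re

# Constructed sample: the poster's auth_param lines, with the wrapped helper
# lines re-joined because squid reads each directive from a single line.
SAMPLE_CONF = """\
auth_param ntlm program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm children 2
auth_param basic program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 2
auth_param basic realm Cache NTLM Authentication
auth_param basic credentialsttl 2 hours
"""

UNITS = {"second": 1, "seconds": 1, "minute": 60, "minutes": 60,
         "hour": 3600, "hours": 3600}
MAX_LIFETIME = 300  # assumed review threshold in seconds, not a squid default


def parse_auth_params(text):
    """Return {scheme: {option: value}} for every auth_param directive."""
    schemes = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"auth_param\s+(\S+)\s+(\S+)\s*(.*)$", line)
        if m:
            scheme, option, value = m.groups()
            schemes.setdefault(scheme, {})[option] = value.strip()
    return schemes


def to_seconds(value):
    """Convert a squid time value such as '2 minutes' to seconds."""
    number, unit = value.split()
    return int(number) * UNITS[unit]


def check_auth(schemes):
    """Return findings about challenge handling and plaintext fallback."""
    findings = []
    ntlm = schemes.get("ntlm", {})
    reuses = int(ntlm.get("max_challenge_reuses", "0"))   # fallback if unset
    if reuses > 0:
        findings.append(f"ntlm: max_challenge_reuses {reuses}; each client "
                        "should receive a fresh challenge (set 0)")
    lifetime = to_seconds(ntlm.get("max_challenge_lifetime", "0 seconds"))
    if lifetime > MAX_LIFETIME:
        findings.append(f"ntlm: challenge lifetime {lifetime}s exceeds "
                        f"{MAX_LIFETIME}s review threshold")
    if "program" in schemes.get("basic", {}):
        findings.append("basic: helper accepts plaintext credentials; "
                        "restrict it to trusted client networks")
    return findings


if __name__ == "__main__":
    for finding in check_auth(parse_auth_params(SAMPLE_CONF)):
        print(finding)
```

On the poster's settings only the basic-scheme finding is reported; a config with `max_challenge_reuses 20` and a one-hour lifetime would add two more.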



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba