Question: Winbind on samba PDC?
Posted by merlimax on Thu 22 Dec 2005 at 15:11
I'm trying to get a transparent user authentication on Squid (which is running on the same machine as a samba PDC) based on user domain access of windows clients.
I'm trying to configure winbind, but I don't have success in obtaining a good answer from "wbinfo -u".
I added the workstation account to the samba domain and joined the client to the domain, obtaining a "Joined domain -domainname-" response.
Nevertheless, "wbinfo -u" answers: "Error looking up domain users", while "wbinfo -g" gives the group lists of BUILTIN (?) domain:
BUILTIN system operators, BUILTIN replicators, BUILTIN guests, etc.
Can somebody give me any advice on how to get this working?
[ Parent | Reply to this comment ]
It seems it is possible...
from http://www.squid-cache.org/Doc/FAQ/FAQ-23.html
----Quote
23.5 How do I use the Winbind authenticators?
by Jerry Murdock
Winbind is a recent addition to Samba providing some impressive capabilities for NT based user accounts. From Squid's perspective winbind provides a robust and efficient engine for both basic and NTLM challenge/response authentication against an NT domain controller.
The winbind authenticators have been used successfully under Linux, FreeBSD and Solaris.
----Quote END
I think it is possible also on Samba PDC, isn't it?
Bye, Max.
See also: http://www.flatmtn.com/computer/Linux-SquidNT.html
[ Parent | Reply to this comment ]
It is possible as I do it at work and it ticks along nicely.
Our Squid box is a domain member though, not a DC.
[ Parent | Reply to this comment ]
Once you've got PAM working with Squid, just use the pam_winbind module in the Squid PAM file and that's it.
Of course, winbind itself should be working fine for this. wbinfo -u has to show you the domain controller users. Have a look at the winbind logs to see what the problem is.
However, if you have the Samba PDC on the same machine as Squid, why do you need to use winbind? Is your Samba PDC authenticating against another Windows based domain controller?
[ Parent | Reply to this comment ]
I thought to use winbind 'cause the authentication with a Windows PDC is fully documented and supported... so, I have samba as PDC and I supposed that also in my situation winbind would be the solution!
So, if there is a simpler method, I'd appreciate knowing it... :-)
Regards!
Max
[ Parent | Reply to this comment ]
I also had to set up krb.conf, but I think that's related to the fact I'm running squid with transparent Auth against Active Directory.
[ Parent | Reply to this comment ]
1. Samba PDC
2. Winbind + Squid
[ Parent | Reply to this comment ]
Is it correct?
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
shadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
[ Parent | Reply to this comment ]
You must also have a look at PAM configuration.
But, I think that your real problem is that your winbind/samba database has become corrupt. To rebuild it:
1) Stop the daemons
/etc/init.d/winbind stop
/etc/init.d/samba stop
2) Backup the samba databases
mkdir -p /var/lib/samba/backup
mv /var/lib/samba/* /var/lib/samba/backup
3) Join the machine to active directory again (if you use "net join ads" make sure samba is properly configured and you have obtained a valid Kerberos ticket with kinit)
> kinit Administrator@YOURDOMAIN.COM
> net ads join YOURDOMAIN.COM -UAdministrator%'YourPassword'
4) Restart samba and winbind
/etc/init.d/samba start
/etc/init.d/winbind start
5) Set winbind authentication:
wbinfo --set-auth-user=Administrator%'YourPassword'
6) Test it
wbinfo -g
wbinfo -u
Repeat these steps until you get it working, and read the Samba Official Book for troubleshooting.
[ Parent | Reply to this comment ]
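The nsswitch.conf question above and the wbinfo tests in the rebuild procedure can be checked with one script. This is an added example, not code from anyone in the thread: it verifies that passwd and group lookups actually go through winbind, then runs the wbinfo checks in dependency order so the first failure points at the broken layer. The function names and the fixed order of wbinfo flags are my own choices.

```sh
#!/bin/sh
# Added example: validate nsswitch.conf for winbind and run the wbinfo checks.

# Print the sources configured for one NSS database (e.g. "passwd"),
# ignoring comment lines and action specs such as [NOTFOUND=return].
nss_sources() {
    # $1 = path to nsswitch.conf, $2 = database name
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*:[[:space:]]*//p' "$1" \
        | sed 's/\[[^]]*\]//g'
}

# Return 0 if the given database lists winbind as a source.
nss_has_winbind() {
    for src in $(nss_sources "$1" "$2"); do
        [ "$src" = "winbind" ] && return 0
    done
    return 1
}

# Return 0 when both passwd and group resolve through winbind, which is
# what the Squid PAM/winbind helpers need to map domain users on the box.
check_nsswitch() {
    f="${1:-/etc/nsswitch.conf}"
    rc=0
    for db in passwd group; do
        if nss_has_winbind "$f" "$db"; then
            echo "ok:   $db -> $(nss_sources "$f" "$db")"
        else
            echo "FAIL: $db does not list winbind in $f"
            rc=1
        fi
    done
    return $rc
}

# Run the thread's wbinfo checks in order (daemon pipe, trust secret,
# users, groups) and stop at the first failure.
winbind_smoke_test() {
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not installed"; return 2; }
    for args in -p -t -u -g; do
        echo "== wbinfo $args"
        wbinfo "$args" || { echo "wbinfo $args failed; check the winbind logs"; return 1; }
    done
}
```

Run `check_nsswitch` first; if it passes but `winbind_smoke_test` stops at `-t`, the problem is the machine account secret rather than name resolution.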
Thank you.
[ Parent | Reply to this comment ]
Thanks for the above information. Even I have the same setup, samba and squid on the same machine. It's running on an Ubuntu 8.04 server 64-bit edition. Samba is configured as PDC and there is NO other Windows NT server on the network. I have WinXP clients that log in to the samba domain. I am trying to make winbind work so that I could control domain users' access to the internet through http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm
After making the changes in the /etc/nsswitch.conf file, here's what is happening:
wbinfo -t
checking the trust secret via RPC calls succeeded
I don't get the output 'secret is good'.
What is happening is, after I reboot the server, none of the wbinfo commands work; it says access is denied. It worked after I again joined the machine to the domain using the net join command.
How do I solve this?
Thanks
Avinash
[ Parent | Reply to this comment ]