Question: Winbind on samba PDC?

Posted by merlimax on Thu 22 Dec 2005 at 15:11

I'm trying to get a transparent user authentication on Squid (which is running on the same machine as a samba PDC) based on user domain access of windows clients.

I'm trying to configure winbind, but I don't have success in obtaining a good answer from "wbinfo -u".

I added the workstation account to the samba domain and joined the client to the domain, obtaining a "Joined domain -domainname-" response.

Nevertheless, "wbinfo -u" answers: "Error looking up domain users", while "wbinfo -g" gives the group lists of BUILTIN (?) domain:

BUILTIN system operators,
BUILTIN replicators,
BUILTIN guests,

Can somebody give me any advice on how to get this working?



Posted by Anonymous (82.82.xx.xx) on Thu 22 Dec 2005 at 17:02
Authentication on transparent squid is not possible.

Posted by merlimax (217.133.xx.xx) on Thu 22 Dec 2005 at 17:27
Uhm... sure?
It seems it is possible...


23.5 How do I use the Winbind authenticators?

by Jerry Murdock

Winbind is a recent addition to Samba providing some impressive capabilities for NT based user accounts. From Squid's perspective winbind provides a robust and efficient engine for both basic and NTLM challenge/response authentication against an NT domain controller.
The winbind authenticators have been used successfully under Linux, FreeBSD and Solaris.
----Quote END

I think it is possible also on Samba PDC, isn't it?

Bye, Max.

Posted by Anonymous (193.195.xx.xx) on Fri 23 Dec 2005 at 08:18
No, he's talking about transparent Auth, not transparent proxying.

It is possible as I do it at work and it ticks along nicely.

Our Squid box is a domain member though, not a DC.

Posted by abhas (61.95.xx.xx) on Fri 23 Dec 2005 at 04:11
You can try one more thing. Squid supports PAM authentication. Use the Squid PAM authenticator to authenticate users. First, ensure that authentication works against your system password file (using pam_unix through your Squid PAM file).

Once you have PAM working with Squid, just use the pam_winbind module in the Squid PAM file and that's it.

Of course, winbind itself should be working fine for this. wbinfo -u has to show you the domain controller users. Have a look at the winbind logs to see what the problem is.

However, if you have the Samba PDC on the same machine as Squid, why do you need to use winbind? Is your Samba PDC authenticating against another Windows based domain controller?

Posted by merlimax (217.133.xx.xx) on Fri 23 Dec 2005 at 07:58
No, there isn't any other PDC in the LAN!

I thought to use winbind 'cause the authentication with a Windows PDC is fully documented and supported... so, I have samba as PDC and I supposed that also in my situation winbind would be the solution!

So, if there is a simpler method, I'd appreciate knowing it... :-)



Posted by Anonymous (193.195.xx.xx) on Fri 23 Dec 2005 at 08:23
Have you set appropriate options for winbind in your smb.conf file?

I also had to set up krb.conf but I think that's related to the fact I'm running squid with transparent Auth against Active Directory.

Posted by Anonymous (222.166.xx.xx) on Sat 24 Dec 2005 at 10:32
This is one of the most confusing things about winbind IMO. winbind somehow is not supposed to serve the accounts on the same machine (PDC) it runs on. I scratched my head for a while when I first tried to do a similar thing.

Posted by Anonymous (194.226.xx.xx) on Wed 28 Dec 2005 at 13:57
My English isn't good, but my Samba PDC users have access to the internet (transparent auth) with Squid + Winbind. I use two machines:
1. Samba PDC
2. Winbind + Squid

Posted by Anonymous (200.175.xx.xx) on Wed 18 Jan 2006 at 10:51
Did you include the winbind parameter in /etc/nsswitch.conf?

Posted by Anonymous (217.133.xx.xx) on Wed 18 Jan 2006 at 11:04
Yes... here is my nsswitch.conf!
Is it correct?

# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat winbind
group: compat winbind
shadow: files

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files
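Before digging into winbind itself, it helps to verify the two files the thread keeps coming back to: nsswitch.conf must route passwd and group lookups through winbind, and (per abhas's suggestion above) the Squid PAM service file must actually call pam_winbind. The script below is an added example, not code from this thread; the file contents it checks are constructed samples, and the PAM service name "squid" is an assumption.

```shell
#!/bin/sh
# Added example: sanity-check nsswitch.conf and the Squid PAM file.
# Both functions take a path, so they can be run against copies of the
# real files; they return 0 when the check passes and explain on stderr
# when it does not.

# check_nss FILE: the passwd and group databases must list "winbind" as
# a source, otherwise getpwnam()/getgrnam() never reach winbindd and
# Squid (and PAM) cannot resolve domain users even when wbinfo works.
check_nss() {
    file=$1; rc=0
    for db in passwd group; do
        if ! awk -v db="$db" '
            $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1 }
            END { exit ok ? 0 : 1 }' "$file"; then
            echo "nsswitch: '$db' does not list winbind in $file" >&2
            rc=1
        fi
    done
    return $rc
}

# check_pam FILE: an uncommented "auth" line must load pam_winbind.so.
check_pam() {
    if awk '/^auth/ && /pam_winbind\.so/ { found = 1 } END { exit found ? 0 : 1 }' "$1"; then
        return 0
    fi
    echo "pam: no active 'auth ... pam_winbind.so' line in $1" >&2
    return 1
}

# Constructed sample inputs for a stand-alone run (the good nsswitch
# mirrors the one posted in the thread; the PAM file is hypothetical).
TMP=$(mktemp -d)
printf 'passwd: compat winbind\ngroup: compat winbind\nshadow: files\nhosts: files dns\n' \
    > "$TMP/nsswitch.good"
printf 'passwd: compat winbind\ngroup: compat\nshadow: files\n' > "$TMP/nsswitch.bad"
cat > "$TMP/pam.squid" <<'EOF'
# hypothetical /etc/pam.d/squid: try the domain first, local accounts as fallback
auth    sufficient  pam_winbind.so
auth    required    pam_unix.so
account required    pam_permit.so
EOF

check_nss "$TMP/nsswitch.good" && echo "nsswitch.good: ok"
check_nss "$TMP/nsswitch.bad"  || echo "nsswitch.bad: group line needs winbind"
check_pam "$TMP/pam.squid"     && echo "pam.squid: ok"
```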

Posted by Anonymous (81.44.xx.xx) on Tue 21 Feb 2006 at 12:51
It is correct. It almost works for me...

You must also have a look at PAM configuration.

But, I think that your real problem is that your winbind/samba database has become corrupt. To rebuild it:

1) Stop the daemons
/etc/init.d/winbind stop
/etc/init.d/samba stop
2) Backup the samba databases
mkdir -p /var/lib/samba/backup
mv /var/lib/samba/* /var/lib/samba/backup
3) Join the machine to active directory again (if you use "net join ads" make sure samba is properly configured and you have obtained a valid Kerberos ticket with kinit)

> kinit Administrator@YOURDOMAIN.COM
> net ads join YOURDOMAIN.COM -UAdministrator%'YourPassword'

4) Restart samba and winbind
/etc/init.d/samba start
/etc/init.d/winbind start

5) Set winbind authentication:

wbinfo --set-auth-user=Administrator%'YourPassword'

6) Test it

wbinfo -g
wbinfo -u

Repeat these steps until you get it working, and read the Samba Official Book for troubleshooting.

Posted by Anonymous (62.90.xx.xx) on Thu 23 Feb 2006 at 12:45
I had the same problem. It works for me.
Thank you.

Posted by Avinash_Rao (59.92.xx.xx) on Tue 18 Aug 2009 at 06:22

Thanks for the above information. Even I have the same setup, Samba and Squid on the same machine. It's running on an Ubuntu 8.04 server 64-bit edition. Samba is configured as PDC and there is NO other Windows NT server on the network. I have WinXP clients that log in to the samba domain. I am trying to make winbind work so that I could control domain users' access to the internet through

After making the changes in the /etc/nsswitch.conf file, here's what is happening:

wbinfo -t
checking the trust secret via RPC calls succeeded
I don't get the 'secret is good' output.

What is happening is, after I reboot the server, none of the wbinfo commands work; it says access is denied. It worked after I joined the machine to the domain again using the net join command.

How do I solve this?


