Bug 569 - ntlm_auth doesn't guess the default domain in squid helper mode
Product: Samba 3.0
Classification: Unclassified
Component: ntlm_auth tool
All All
: P3 minor
: none
Assigned To: Andrew Bartlett
Reported: 2003-10-05 10:35 UTC by Sergei V. Rozinov
Modified: 2005-02-09 03:02 UTC (History)

The patch fixing #569 (1000 bytes, patch)
2003-10-05 10:36 UTC, Sergei V. Rozinov

Description Sergei V. Rozinov 2003-10-05 10:35:20 UTC
When using ntlm_auth with the --username option, it
guesses what the current domain is and authenticates the user successfully.
But when specifying the --helper-protocol=squid-2.x-basic option, the program
doesn't make a guess anymore and the authentication fails if a user is
specified without a domain.
This is because --helper-protocol processing code is located before the
code for --domain option. Below is the patch proposed to fix this issue.

Sergei V. Rozinov
Senior RISC systems engineer
Sibron Ltd, RUSSIA
Comment 1 Sergei V. Rozinov 2003-10-05 10:36:19 UTC
Created attachment 178
The patch fixing #569
Comment 2 Tim Potter 2003-10-06 04:07:14 UTC
another one for bartlett
Comment 3 Andrew Bartlett 2003-12-31 18:40:44 UTC
This would imply that Squid would register a different username to the one that
winbind is given.  Is there any reason the 'winbind use default domain' option
cannot satisfy this need?
Comment 4 Sergei V. Rozinov 2004-01-01 03:16:11 UTC
The 'winbind use default domain' option cannot be used because
I want both UNIX and WINDOWS users to be accessible,
for example, UNIX uids I use for "force user/group", and
WINDOWS uids - for "valid users".
Furthermore, I want to avoid any username intersections between
UNIX and WINDOWS user sets, for administrative and security reasons;
using WINDOWS usernames of type "DOMAIN\USER" is a guarantee of this.
Comment 5 Andrew Bartlett 2004-01-01 04:31:09 UTC
Then why shouldn't your users specify the name fully qualified as per pam_winbind?

Windows users may then log in as DOMAIN\username

Andrew Bartlett
Comment 6 Sergei V. Rozinov 2004-01-01 06:32:38 UTC
*** Happy New Year, over there! ***

There are several reasons.
1. On some workstations we use identd and other programmatic agents,
   which report plain username instead of DOMAIN\username. Fixing
   code at one point (ntlm_auth) is preferable to fixing all the progs.
2. Some people use browsers different from Internet Explorer, so
   they need to authenticate themselves for internet access (using basic
   auth scheme). Entering DOMAIN\username several times a day is a discomfort.
3. Adding suggested functionality doesn't break backward compatibility nor
   conceptual samba model. More functionality = more benefit :-)

Sergei V. Rozinov
Senior RISC systems engineer
Comment 7 Gerald (Jerry) Carter 2005-02-08 21:26:27 UTC
andrew, please mark this on a wont fix or later or something. Thanks.
Comment 8 Andrew Bartlett 2005-02-09 03:02:13 UTC
(In reply to comment #7)
> andrew, please mark this on a wont fix or later or something. Thanks.

I'll make it WONTFIX then.  I don't want the usernames in ntlm_auth to differ
from system usernames (as seen by pam_winbind, nss_winbind etc)