When using ntlm_auth with the --username option, it guesses what the current domain is and authenticates the user successfully. But when specifying the --helper-protocol=squid-2.x-basic option, the program doesn't make the guess anymore and the authentication fails if a user is specified without a domain. This is because the --helper-protocol processing code is located before the code for the --domain option. Below is the patch proposed to fix this issue.
Sincerely,
Sergei V. Rozinov
Senior RISC systems engineer
Sibron Ltd, RUSSIA
Created attachment 178: The patch fixing #569
another one for bartlett
This would imply that Squid would register a different username to the one that winbind is given. Is there any reason the 'winbind use default domain' option cannot satisfy this need?
The 'winbind use default domain' option cannot be used because I want both UNIX and WINDOWS users to be accessible, for example, UNIX uids I use for "force user/group", and WINDOWS uids - for "valid users". Furthermore, I want to avoid any username intersections between UNIX and WINDOWS user sets, for administrative and security reasons; using WINDOWS usernames of type "DOMAIN\USER" is a guarantee of this.
Then why shouldn't your users specify the name fully qualified as per pam_winbind? Windows users may then log in as DOMAIN\username
Andrew Bartlett
*** Happy New Year, over there! ***
There are several reasons.
1. On some workstations we use identd and other programmatic agents, which report a plain username instead of DOMAIN\username. Fixing code at one point (ntlm_auth) is preferable to fixing all the progs.
2. Some people use browsers different from Internet Explorer, so they need to authenticate themselves for internet access (using the basic auth scheme). Entering DOMAIN\username several times a day is a discomfort.
3. Adding the suggested functionality doesn't break backward compatibility nor the conceptual samba model. More functionality = more benefit :-)
Sincerely,
Sergei V. Rozinov
Senior RISC systems engineer
andrew, please mark this on a wont fix or later or something. Thanks.
(In reply to comment #7)
> andrew, please mark this on a wont fix or later or something. Thanks.
I'll make it WONTFIX then. I don't want the usernames in ntlm_auth to differ from system usernames (as seen by pam_winbind, nss_winbind etc)