squid - winbind - wb_group: could not fetch trust account password
Hello List,

I am just using the NTLM Authentication of an AD-Domain with wb_group for Squid. All Users in the group WWW_Benutzer are allowed to surf, others not.

I have therefore successfully configured samba to use winbindd and winbind bound to the Domain (via smb.conf). At least it seems so: wbinfo -u gives me all Usernames of the Domain, wbinfo -g the group names.

Squid-2.5 (self-compiled with <configure --enable-auth="ntlm,basic" --enable-basic-auth-helpers="winbind" --enable-ntlm-auth-helpers="winbind">) starts without errors, with a squid.conf where, following the readme.txt from .../squid.../helpers/external_auth/winbind_group/, an acl and more is defined for the WWW_Benutzer.

O.K., but it doesn't work: I always get the error:

-----------
Feb 7 19:35:15 netapp01 winbindd[762]: [2003/02/07 19:35:15, 0] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(181)
Feb 7 19:35:15 netapp01 winbindd[762]: winbindd_pam_auth: could not fetch trust account password for domain R-ERMER
------------

in my /var/log/messages, when an authorized User (of the group WWW_Benutzer) wants to access the proxy, and he won't be allowed to log in.

Besides that, wbinfo -t tells me "Secret is bad". Does that have anything to do with the error above?

Thanks a lot!

--
With kind regards
Markus Feilner

May you always grok in fullness!
Please note our new e-mail address!

Feilner IT Linux & GIS
Erlangerstr. 2
93059 Regensburg
fon: +49 941 70 65 23 - mobil: +49 170 302 709 2
web: http://feilner-it.net
mail: mfeilner@feilner-it.net

> I always get the error:
> -----------
> Feb 7 19:35:15 netapp01 winbindd[762]: [2003/02/07 19:35:15, 0] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(181)
> Feb 7 19:35:15 netapp01 winbindd[762]: winbindd_pam_auth: could not fetch trust account password for domain R-ERMER
> ------------
> in my /var/log/messages, when an authorized User (of the group WWW_Benutzer) wants to access the proxy, and he won't be allowed to log in.
>
> Besides that, wbinfo -t tells me "Secret is bad". Does that have anything to do with the error above?

Hm, I had some trouble with winbind, too. Something must be changed in the /etc/nsswitch.conf as well as in the /etc/pam.d/samba.

My /etc/pam.d/samba looks like this:

    auth requisite pam_nologin.so
    auth required pam_unix.so
    account required pam_unix.so
    password requisite pam_cracklib.so retry=3
    password requisite pam_unix.so shadow md5 use_authtok try_first_pass
    password required pam_smbpass.so nullok use_authtok try_first_pass
    session required pam_unix.so

My /etc/nsswitch.conf looks like this:

    <snip>
    passwd: files winbind
    group: files winbind
    <snip>

The new /etc/pam.d/samba improves security of samba and allows change of passwd over smb. I think there must be something changed within the config for squid as well. The changes in nsswitch.conf are needed for winbind (you find something about this in the samba documentation). Look for winbind in the /usr/share/doc/packages/samba. I think some settings had to be changed for winbind as well.

Also, I use a newer version of samba than the one shipped with SuSE (I use v 2.2.6 with LDAP support).

Philippe
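
Added example, not part of either message in this thread: a small shell script that checks saved copies of the three things the thread looks at (the nsswitch.conf winbind entries, the winbindd error in /var/log/messages, and the output of wbinfo -t). The function names and the idea of saving the wbinfo -t output to a file are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Each function reads a file, so the
# checks can be run offline on saved copies of the real files.

# Succeeds only if both "passwd:" and "group:" list winbind as a source,
# as in the nsswitch.conf excerpt from the reply.
nss_has_winbind() {
    awk '
        { sub(/#.*/, "") }    # ignore comments
        $1 == "passwd:" || $1 == "group:" {
            for (i = 2; i <= NF; i++) if ($i == "winbind") seen[$1] = 1
        }
        END { exit !(("passwd:" in seen) && ("group:" in seen)) }
    ' "$1"
}

# Prints each domain (once) for which winbindd logged the trust account error.
trust_failure_domains() {
    sed -n 's/.*winbindd\[[0-9]*\]: .*could not fetch trust account password for domain \([^[:space:]]*\).*/\1/p' "$1" | sort -u
}

# Succeeds if saved `wbinfo -t` output contains the string quoted in the post.
secret_is_bad() {
    grep -q 'Secret is bad' "$1"
}

# diagnose NSSWITCH LOGFILE WBINFO_T_OUTPUT
# Prints one finding per line; returns 0 when nothing was found, 1 otherwise.
diagnose() {
    findings=0
    if ! nss_has_winbind "$1"; then
        echo "nsswitch: winbind missing from passwd or group"
        findings=1
    fi
    for d in $(trust_failure_domains "$2"); do
        echo "log: winbindd has no trust account password for domain $d"
        findings=1
    done
    if secret_is_bad "$3"; then
        echo "wbinfo -t: trust account secret is bad"
        findings=1
    fi
    return "$findings"
}

# Usage: sh check.sh /etc/nsswitch.conf /var/log/messages wbinfo-t.txt
if [ "$#" -eq 3 ]; then diagnose "$@"; fi
```

Both the log message and the wbinfo -t result concern the machine trust account secret that Samba stores for the domain, so the last two findings normally appear together.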

participants (2)
- Markus Feilner
- Philippe Vogel