MRBS + NTLM Authentication

[Frazer]

Just been going through a test install of MRBS on linux (debian sarge, 2.4 kernel) and im having trouble getting MRBS to recognise the windows users.
Doing wbinfo -g and -u gives the users/groups of our domain (i had trouble getting it to list the correct domain - it kept listing our admin domain and wouldnt list our curriculum - but its working now - no idea why )
Anyway, when i book out a room for one period and then go back into the booking and see who is under 'Created by' its blank!
What have i missed?
Ive changed the config as suggested in the docs.
$auth["session"] = "nt"
$auth["type"] = "none"

[ChrisH]

oops was getting the parameters mixed up ops: ignore if you read before :P

Thats the config I use but im using a windows box for MRBS.

[webman]

Have you tried wbinfo -a username%password where username and password is a valid account? If that succeeds then it may be an MRBS and/or PHP configuration issue.

[Frazer]

hhlinux:~# wbinfo -a stafftest%password
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user stafftest%R0ther with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_TRUST_SAM_ACCOUNT (0xc000018b)
error messsage was: No trusted SAM account
Could not authenticate user stafftest with challenge/response

hhlinux:~# wbinfo -u | grep stafftest
HHDOMAIN\stafftest

[webman]

What is your smb.conf's "winbind use default domain"? It should be set to 'yes'.

[Frazer]

That wasnt in the smb.conf - it is now and still the same error.
Annoying!

[webman]

That wasnt in the smb.conf - it is now and still the same error.
Annoying!

Have you restarted all the sambe daemons (winbindd, smbd, nmbd)?

[Frazer]

Yeh did all that. Im not in now till jan 6th but if you can think of anything else please post

[linuxgirlie]

I have mine authing with samba, but problems at the moment include everyone can login not just staff, I know its an add-on problem, but if anyone knows a way for apache to pick up the samba groups that would be great.

Jo

[Geoff]

here's the relevent snippet from the config.inc.php

Code:

###############################################
# Authentication settings - read AUTHENTICATION
###############################################
$auth["session"] = "http"; # How to get and keep the user ID. One of
                          # "http" "php" "cookie" "ip" "host" "nt" "omni".
$auth["type"] = "ext"; # How to validate the user/password. One of "none"
                          # "config" "db" "pop3" "imap" "ldap" "nis" "nw" "ext".

# 'session_http' configuration settings
$auth["realm"]  = "mrbs";

# 'auth_ext' configuration settings
$auth["prog"]   = "/usr/bin/ntlm_auth";
$auth["params"] = "--username=#USERNAME# --password=#PASSWORD# --require-membership-of=MRBSUsers";

The important bit being that last line.

[CyberNerd]

@linuxgirlie

Not necessarily related to mrbs (not used it) but you can authenticate apache to any LDAP server (inc Active Directory or an LDAP backend to samba) to do group authentication.
see mod_auth_ldap for details

[Joedetic]

I've set up MRBS to ask for the wibind auth as above.

It's doing it...it's all setup and asking for authentication.

I try to authenticate but it falls over.

My questions are:

1/ What do i need to do to the samba users configuration stuff
2/ How do i set access levels of users in AD
3/ Do i need to specify the OUs etc as per the LDAP config in the config.inc.php?

Thanks,
Joe (with head in hands having hoped to have this done today)

[Geoff]

1) Nothing.
2) Users in the named group can create bookings. Others cannot.
3) No

Your authentication is likely failing because the machines time is too far off the time set on the domain. Use an NTP daemon to keep it in sync.

[Joedetic]

We've decided to go with the MS exchange option because i've got myself a paid job (finally) and it needs to be something that the other techies can manage efficiently.

The job is data entry for Carillion in Birmingham for a week so i need to go in tommorow and this wont be finished in time. But they said the contract will lead to other jobs possibly in 1st line ICT support...which is what i'm used to so that'll be nice