cookie_monster (10th February 2010)
We have a mixed environment of domain based and non domain based computers.
Our thin clients now have the ability to PXE boot directly into a browser session, thus using less terminal server resources for web-based and VLE apps.
These thin 'browsers' are not joined to our windows domain and do not have the ability to do so.
We also have a number of students and teachers who bring in their own laptops that are not added to our windows domain.
Traditionally we set up Smoothwall (SG 2008) to authenticate using NTLM in TS compatibility mode.
This is fine and transparent for domain computers, but non domain computers need to authenticate using "DOMAIN\username". Adding the DOMAIN prefix is too complicated for our users.
If we change the authentication to "proxy authentication" (TS compatibility) we solve the problem for the non-domain computers needing to prefix DOMAIN\username. but this now removes the transparent authentication for all the domain computers.
Is there a solution to this ?
Ideally we would like the NTLM to automatically prefix the DOMAIN (as in sambaCode:winbind use default domain = yes
FYI, PMed a solution which CN confirms works.. If anyone else needs this please let me know.
I'd be interested in the same. We're currently running Network Guardian 2008. I wasn't sure if this is now a built-in feature (that I've missed) or whether it needs to be done manually.
We have also come up against this issue recently and I was going to ring support for a chat, if you could PM me the solution when you get time that would be great.
Unfortunately RobF is on the train to "that london" today, and I'm working from home this morning. If you guys were to email him, he will hopefully have a table and have his laptop out. CC me though and I will check this aft - I know I have the answer hidden someplace in my lair.. uh.. office.
RF is email@example.com.
No rush for me thanks Tom I can wait untill he's back in the office.
unofficially (and potentially unsupportedly) the fix is to add
toCode:winbind use default domain = yes
(after backing up the old file first etc)Code:/modules/guardian/usr/bin/smoothwall/writesmb.pl
This is slated to be fixed (perhaps an interface option, maybe the problem just goes away, I havent played with it just yet) in Auth3 which is out in April.
CyberNerd's fix looks about right - but it is important exactly where you put that extra line. If any of you want me to hack the file so it looks right this afternoon and send it across, I will.
We could also use the solution as we're about to provide access for some non-domain PC's.
For those guys that have implemented this fix, does it cause any problems if the user does include "domain\" in front of their username when authenticating?
OK.. put that in between lines 61 & 62.
Should look like:
As far as I know it does not cause problems if you specify a domain name.Code:winbind enum users = yes winbind enum groups = yes winbind use default domain = yes EOF
Make sure you back up the file first! If in doubt call support and ask them to do it for you.
dgordon (11th February 2010)
There are currently 1 users browsing this thread. (0 members and 1 guests)