  1. #1



    Smoothwall Authentication for Non-Domain Computers

    We have a mixed environment of domain based and non domain based computers.

    Our thin clients now have the ability to PXE boot directly into a browser session, thus using less terminal server resources for web-based and VLE apps.
    These thin 'browsers' are not joined to our Windows domain and do not have the ability to do so.

    We also have a number of students and teachers who bring in their own laptops that are not added to our Windows domain.


    Traditionally we set up Smoothwall (SG 2008) to authenticate using NTLM in TS compatibility mode.
    This is fine and transparent for domain computers, but non domain computers need to authenticate using "DOMAIN\username". Adding the DOMAIN prefix is too complicated for our users.

    If we change the authentication to "proxy authentication" (TS compatibility) we solve the problem for the non-domain computers needing to prefix DOMAIN\username, but this now removes the transparent authentication for all the domain computers.

    Is there a solution to this?

    Ideally we would like the NTLM to automatically prefix the DOMAIN, as in Samba:
    Code:
    winbind use default domain = yes

  2. Thanks to CyberNerd from:

    cookie_monster (10th February 2010)

  3. #2

    rob_f's Avatar
    FYI, PMed a solution which CN confirms works. If anyone else needs this please let me know.


    Rob.

  4. 2 Thanks to rob_f:

    cookie_monster (10th February 2010), CyberNerd (4th August 2009)

  5. #3

    Hi Rob,
    I'd be interested in the same. We're currently running Network Guardian 2008. I wasn't sure if this is now a built-in feature (that I've missed) or whether it needs to be done manually.

    Thanks,
    Daniel

  6. #4
    cookie_monster's Avatar
    Hi Rob

    We have also come up against this issue recently and I was going to ring support for a chat, if you could PM me the solution when you get time that would be great.

    Thanks.

  7. #5


    tom_newton's Avatar
    Guys,
    Unfortunately RobF is on the train to "that london" today, and I'm working from home this morning. If you guys were to email him, he will hopefully have a table and have his laptop out. CC me though and I will check this aft - I know I have the answer hidden someplace in my lair.. uh.. office.
    RF is rob.faulkner@smoothwall.net.

  8. Thanks to tom_newton from:

    cookie_monster (10th February 2010)

  9. #6
    cookie_monster's Avatar
    No rush for me, thanks Tom. I can wait until he's back in the office.

  10. #7


    Unofficially (and potentially unsupportedly) the fix is to add
    Code:
    winbind use default domain = yes
    to

    Code:
    /modules/guardian/usr/bin/smoothwall/writesmb.pl
    (after backing up the old file first etc)

  11. #8


    tom_newton's Avatar
    This is slated to be fixed (perhaps an interface option, maybe the problem just goes away, I haven't played with it just yet) in Auth3 which is out in April.

    CyberNerd's fix looks about right - but it is important exactly where you put that extra line. If any of you want me to hack the file so it looks right this afternoon and send it across, I will.

  12. #9
    badders's Avatar
    We could also use the solution as we're about to provide access for some non-domain PCs.

    Thanks.

  13. #10
    cookie_monster's Avatar
    Quote: Originally Posted by tom_newton
    This is slated to be fixed (perhaps an interface option, maybe the problem just goes away, I haven't played with it just yet) in Auth3 which is out in April.

    CyberNerd's fix looks about right - but it is important exactly where you put that extra line. If any of you want me to hack the file so it looks right this afternoon and send it across, I will.


    That would be excellent

  14. #11

    For those guys that have implemented this fix, does it cause any problems if the user does include "domain\" in front of their username when authenticating?

  15. #12


    tom_newton's Avatar
    OK.. put that in between lines 61 & 62.
    Should look like:

    Code:
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    EOF
    As far as I know it does not cause problems if you specify a domain name.

    Make sure you back up the file first! If in doubt call support and ask them to do it for you.

  16. Thanks to tom_newton from:

    dgordon (11th February 2010)
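
The placement point made in the thread, as an added example (not Smoothwall's or the posters' code): a backup-first, idempotent insert that anchors on the `winbind enum groups = yes` line shown above instead of on line numbers, which may shift between releases. It assumes that anchor line appears exactly once in `writesmb.pl`; the function name `add_default_domain` is hypothetical.

```shell
#!/bin/sh
# Added example (not Smoothwall code). Function name is hypothetical.
# Exit status: 0 inserted, 1 error or ambiguous anchor, 2 already present.
SETTING='winbind use default domain = yes'
ANCHOR='winbind enum groups = yes'   # line the thread shows just above the new one

add_default_domain() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }

    # Idempotent: a second run must not add a duplicate line.
    if grep -q '^[[:space:]]*winbind use default domain[[:space:]]*=' "$file"; then
        return 2
    fi

    # Refuse to guess if the anchor is missing or appears more than once.
    count=$(grep -c "^[[:space:]]*$ANCHOR[[:space:]]*\$" "$file" || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one '$ANCHOR' line, found $count" >&2
        return 1
    fi

    # Back up first, as the thread advises.
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1

    tmp=$(mktemp "$file.XXXXXX") || return 1
    awk -v anchor="$ANCHOR" -v setting="$SETTING" '
        { print }
        {
            line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line)
            if (line == anchor) {
                indent = $0; sub(/[^ \t].*$/, "", indent)   # keep the same indent
                print indent setting
            }
        }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Overwrite in place so the original owner and mode are kept.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Usage: sh this_script.sh /modules/guardian/usr/bin/smoothwall/writesmb.pl
if [ "$#" -eq 1 ]; then add_default_domain "$1"; fi
```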
