Smoothwall Authentication for Non-Domain Computers

[CyberNerd]

We have a mixed environment of domain based and non domain based computers.

Our thin clients now have the ability to PXE boot directly into a browser session, thus using less terminal server resources for web-based and VLE apps.
These thin 'browsers' are not joined to our windows domain and do not have the ability to do so.

We also have a number of students and teachers who bring in their own laptops that are not added to our windows domain.


Traditionally we set up Smoothwall (SG 2008) to authenticate using NTLM in TS compatibility mode.
This is fine and transparent for domain computers, but non domain computers need to authenticate using "DOMAIN\username". Adding the DOMAIN prefix is too complicated for our users.

If we change the authentication to "proxy authentication" (TS compatibility) we solve the problem for the non-domain computers needing to prefix DOMAIN\username. but this now removes the transparent authentication for all the domain computers.

Is there a solution to this ?

Ideally we would like the NTLM to automatically prefix the DOMAIN (as in samba

Code:

winbind use default domain = yes

[rob_f]

FYI, PMed a solution which CN confirms works.. If anyone else needs this please let me know.


Rob.

[dgordon]

Hi Rob,
I'd be interested in the same. We're currently running Network Guardian 2008. I wasn't sure if this is now a built-in feature (that I've missed) or whether it needs to be done manually.

Thanks,
Daniel

[cookie_monster]

Hi Rob

We have also come up against this issue recently and I was going to ring support for a chat, if you could PM me the solution when you get time that would be great.

Thanks.

[tom_newton]

Guys,
Unfortunately RobF is on the train to "that london" today, and I'm working from home this morning. If you guys were to email him, he will hopefully have a table and have his laptop out. CC me though and I will check this aft - I know I have the answer hidden someplace in my lair.. uh.. office.
RF is rob.faulkner@smoothwall.net.

[cookie_monster]

No rush for me thanks Tom I can wait untill he's back in the office.

[CyberNerd]

unofficially (and potentially unsupportedly) the fix is to add

Code:

winbind use default domain = yes

to

Code:

/modules/guardian/usr/bin/smoothwall/writesmb.pl

(after backing up the old file first etc)

[tom_newton]

This is slated to be fixed (perhaps an interface option, maybe the problem just goes away, I havent played with it just yet) in Auth3 which is out in April.

CyberNerd's fix looks about right - but it is important exactly where you put that extra line. If any of you want me to hack the file so it looks right this afternoon and send it across, I will.

[badders]

We could also use the solution as we're about to provide access for some non-domain PC's.

Thanks.

[cookie_monster]

This is slated to be fixed (perhaps an interface option, maybe the problem just goes away, I havent played with it just yet) in Auth3 which is out in April.

CyberNerd's fix looks about right - but it is important exactly where you put that extra line. If any of you want me to hack the file so it looks right this afternoon and send it across, I will.

That would be excellent

[dgordon]

For those guys that have implemented this fix, does it cause any problems if the user does include "domain\" in front of their username when authenticating?

[tom_newton]

OK.. put that in between lines 61 & 62.
Should look like:

Code:

winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
EOF

As far as I know it does not cause problems if you specify a domain name.

Make sure you back up the file first! If in doubt call support and ask them to do it for you.