This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

HTTP Auth with ActiveDirectory

Hi there,

we upgraded our ASL 5 last weekend and everything works fine. The ASL 6 is very nice and much faster than the older one.
BUT: One of the features we wanted to use after upgrading was the HTTP authentification by querying the AD. It is not working properly.
We put the users into a new group called "http_access" as mentioned in the online-help and in some reasons it works, and in some reasons it asks the user for their credentials.

What is going wrong? Is there any fix or workaround?

Greets
Marcel

This thread was automatically locked due to age.

0 maygyver over 20 years ago

Just Try this.

Product Version: 5.023 and later

Task:
The basic concept to get NTLM-Authentification with Active Directory / NT-Domainmembership working with Surf-Profiles
Steps:
For Active Directory /NT Domain Membership Authentication to work you need a group http_access in your ADS. In this group all users allowed for authentification have to be members of.

In the second step you can define additional groups in ADS and with the same profile-name in the Astaro of THAT group to divide users by profiles in the Surf-Protection. The users have to belong to that group also!

Do NOT create a profile http_access on the Astaro since in that group all users must be members of so this would match on anybody and there would not be any separation by profiles possible.

One example to make this clear:

Active Directory Server:

group http_access - members user_A, user_B, user_C

group profile_A group profile_B group profile_C

Astaro Security Linux:

profile profile_A (user_A is allowed to use this)
profile profile_B (user_B is allowed to use this)
profile profile_C (user_C is allowed to use this)

Astaro user since 2001 - Astaro/Sophos Partner since 2008
Cancel
Vote Up 0 Vote Down

Cancel

0 Rune over 20 years ago

Hi Marcel.

I think I have the same problem. I have contacted the local partner, and was told it was a known issue that should be solwed in fix 6.004. However not for me. I have a 6.004 and a 5.006 running that are both members of our domain (win2003). When I log in on them and run wb_ntlmauth -d I get different results.
This is from 5.006
Code:

 
host:/root # wb_ntlmauth -d
wb_ntlmauth[1675](wb_ntlm_auth.c:528): ntlm winbindd auth helper build Sep 10 2004, 11:58:22 starting up...
wb_ntlmauth[1675](wb_ntlm_auth.c:439): target domain is UNV
RG unv\rune
wb_ntlmauth[1675](wb_ntlm_auth.c:368): Got 'RG unv\rune' from squid.
wb_ntlmauth[1675](wb_ntlm_auth.c:85): sending 'GS Domain Users' to squid
GS Domain Users
wb_ntlmauth[1675](wb_ntlm_auth.c:85): sending 'GS http_access' to squid
GS http_access
wb_ntlmauth[1675](wb_ntlm_auth.c:85): sending 'GS Domain Admins' to squid
GS Domain Admins
wb_ntlmauth[1675](wb_ntlm_auth.c:85): sending 'GS Lokal_admin' to squid
GS Lokal_admin
wb_ntlmauth[1675](wb_ntlm_auth.c:85): sending 'GS IT-Afdeling' to squid
GS IT-Afdeling

and this is from 6.004
Code:


webfilter:/root # wb_ntlmauth -d
wb_ntlmauth[25633](wb_ntlm_auth.c:528): ntlm winbindd auth helper build Jun  9 2005, 17:50:49 starting up...
wb_ntlmauth[25633](wb_ntlm_auth.c:439): target domain is UNV
RG unv\rune
wb_ntlmauth[25633](wb_ntlm_auth.c:368): Got 'RG unv\rune' from squid.
wb_ntlmauth[25633](wb_ntlm_auth.c:78): sending 'BH No such user' to squid
BH No such user

strange....

0 Rune over 20 years ago in reply to Rune

Ahh.. Sorry. I can se now, that your problem isn't the same as mine. I'll make a new post.
Cancel
Vote Up 0 Vote Down

Cancel
0 Sammoe over 20 years ago in reply to Rune

@rune

Create a lmhosts File in the Directory /etc/samba.

The lmhosts Content is:

192.168.0.10 ASDOM

hope this helps...
Cancel
Vote Up 0 Vote Down

Cancel