Current version: 0.05
Released on: 28 September 1999
Author: Richard Huveneers
License: GNU GPL
smb_auth is a proxy authentication module. With smb_auth you can authenticate proxy users against an SMB server like Windows NT or Samba.
Highlights of new features:
Note to Samba 2.0 users: The -E option of smbclient does not work properly in Samba 2.0.3 and earlier, which breaks smb_auth. This has been fixed in Samba 2.0.4, so make sure you are using Samba 2.0.4 or later (the command "smbclient -h" shows the version number). If you prefer not to upgrade to Samba 2.0.4, you can apply this patch which fixes the bug.
authenticate_program /usr/local/bin/smb_auth -W MEDIA@VANTAGE
acl domainusers proxy_auth REQUIRED
http_access allow domainusers
smb_auth has several options. Most people will call smb_auth like this:
smb_auth -W domainname
where domainname is the name of your domain. By default, smb_auth tries to find a domain controller by broadcasting on the primary network interface. If you want to broadcast on another interface (for instance, if you have two ethernet interfaces installed), use:
smb_auth -W domainname -B <broadcast IP address>
If you really want to specify the IP address of a domain controller yourself, use:
smb_auth -W domainname -U <IP address>
This might even work with a WINS server (untested, feedback appreciated). If you have several domains from which you want to allow access to your proxy, just add them:
smb_auth -W domain1 -W domain2 -W domain3 ...
In this case all users (except those of domain1) have to specify their username as domainname\username when authenticating. If your users are lazy, you can abbreviate the domain names like this:
smb_auth -W domain1 -W domain2 -w d2 -W domain3 -w d3 ..
Then users of domain2 can authenticate with d2\username instead of domain2\username. You can also specify different broadcast addresses etc. per domain. Note that you don't need an abbreviation for the first domain, since omitting a domain name implies authenticating against the first domain.
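The login-name rules above (first -W is the default domain, each -w abbreviates the -W before it), modelled as an added example; this is not smb_auth's own code, and build_domain_table and resolve_login are hypothetical names. Assumptions: prefixes match case-insensitively, an explicit first-domain prefix is accepted, and an unknown prefix is rejected.

```python
# Added illustration of the -W / -w login-name rules; not smb_auth's own code.
# build_domain_table and resolve_login are hypothetical helper names.

def build_domain_table(argv):
    """Walk the options in order; return (first_domain, {prefix: domain})."""
    first = current = None
    table = {}
    i = 0
    while i < len(argv):
        opt = argv[i]
        if opt not in ("-W", "-w"):
            i += 1                      # other options (-B, -U, -P, -S) ignored here
            continue
        if i + 1 >= len(argv):
            raise ValueError(f"{opt} needs an argument")
        value = argv[i + 1]
        if opt == "-W":                 # a new domain; the first one is the default
            current = value
            first = first or value
            table[value.lower()] = value
        else:                           # -w abbreviates the most recent -W
            if current is None:
                raise ValueError("-w must follow a -W")
            table[value.lower()] = current
        i += 2
    if first is None:
        raise ValueError("at least one -W is required")
    return first, table

def resolve_login(login, first, table):
    """Map what the user typed to (domain, username), or None if rejected."""
    if "\\" not in login:
        return (first, login)           # no prefix: authenticate against first domain
    prefix, user = login.split("\\", 1)
    domain = table.get(prefix.lower())  # assumption: case-insensitive prefix match
    if domain is None or not user:
        return None                     # assumption: unknown prefix is rejected
    return (domain, user)

if __name__ == "__main__":
    # Constructed sample input matching the command line shown above.
    args = "-W domain1 -W domain2 -w d2 -W domain3 -w d3".split()
    first, table = build_domain_table(args)
    for typed in ("alice", "d2\\bob", "domain3\\carol", "other\\dave"):
        print(f"{typed!r:20} -> {resolve_login(typed, first, table)}")
```

Because a bare username always resolves to the first domain, a same-named account in another domain is never tried for that login; the order of the -W options decides which directory answers.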
If you want to authenticate users of domain1 against a domain controller of domain2 (you must have a trust relationship between domain1 and domain2) then you can use the -P option. This is called pass-through authentication and is useful to manage access from multiple domains to the proxy server centrally (using a single proxyauth file):
smb_auth -W domain1 -P domain2 -W domain2 ..
If you want to change the location of the proxyauth file (for instance because your NETLOGON share is located on a FAT filesystem) then you can use the -S option to specify a different share (make sure you are replicating this share to the backup domain controllers):
smb_auth -W domain -S share
You can also change the name of the proxyauth file and store it in a sub-directory of the share by appending the full pathname of the proxyauth file to the sharename. You may use both forward slashes and backslashes to separate directories and you may (not required) prepend a (back)slash to the sharename:
smb_auth -W domain -S /share/path/to/proxyauth
You need to feed one username and password (separated by a space character) to smb_auth's standard input. After authenticating this username and password, smb_auth will continue accepting such username/password combinations until you close its standard input by pressing Ctrl-D.
Here's the output of a successful authentication, so you know what the output should look like:
# smb_auth -W MEDIA@VANTAGE -d
richard xxxxxxxx
Domain name: MEDIA@VANTAGE
Pass-through authentication: no
Query address options:
Domain controller IP address: 192.168.1.2
Domain controller NETBIOS name: VEGA
Contents of //VEGA/NETLOGON/proxyauth: allow
OK
If you use special characters (like German umlauts) in your usernames or passwords, then you might need to set the "character set" and "client code page" options in your smb.conf file. Please refer to the Samba documentation for more details. Thanks to Markus Fuhrmann for this information (added "character set = ISO8859-1" and "client code page = 850" to smb.conf and everything works fine).