[squid-users] Re: winbindd authentication (integration with debug)

From: Federico Lombardo <egopfe@dont-contact.us>
Date: Thu, 27 Jun 2002 09:30:57 +0200

 I've inserted the -d option to
 auth_param ntlm program /home/squid/squid25/libexec/wb_ntlmauth -d

 And now my cache.log says:

 (wb_ntlmauth)[307](wb_ntlm_auth.c:285): Got 'YR' from squid.

 (wb_ntlmauth)[307](wb_ntlm_auth.c:74): sending 'TT TlRMTVNTUAACAAAADwAPACgAAACCgkEAWIlrT7VlJpUAAAAAAAAAAEdSQU5ESV9TVEFaSU9OSQ==
 ' to squid

 on every IE6 hammering.

 cheers, Federico.

 ----- Original Message -----
 From: Federico Lombardo
 To: squid-users@squid-cache.org
 Sent: Wednesday, June 26, 2002 5:30 PM
 Subject: winbindd authentication

>
> First, I'm a little bit ashamed of the helpers' documentation problems.
> For a beginner it is impossible to make NT authentication work with only the
> squid user guides or FAQs, especially for the latest helpers.
>
> After that, I think another big problem for beginners is that no helper
> program has the simple --help or -? or -h semantics that would let you see
> which args can be passed to the program.
>
> I want to write tutorials and documentation for setting up this kind of
> authentication, and also Samba integration... naturally, if someone tells me
> what to do...
>
>
> After these constructive polemics I start my problem:
>
> I'm using slackware 8.1 running kernel 2.4.18 and squid 2.5.PRE7, today's
> snapshot.
>
> I wanna use winbindd to authenticate my squid users...
>
> OK, I've installed samba with winbindd and correctly changed nsswitch.conf
> to make it possible to auth users with nss_winbind.
> I've correctly configured my smb.conf; these are the most important
> settings:
>
> ;*******************section global*****************
> [global]
> password server = MASTER BDC
> ; password server = *
> wins server = 192.168.5.1 192.168.0.1
> update encrypted = Yes
> security = domain
> encrypt passwords = Yes
> workgroup = MYDOMAIN
> preferred master = no
> ;*********** winbindd **********
> ; winbind separator = \
> template homedir = /home/%D/%U
> template shell = /bin/bash
> winbind uid = 10000-20000
> winbind gid = 10000-20000
> winbind enum users = yes
> winbind enum groups = yes
>
> OK, I've correctly joined my domain, winbindd is running and I can see my
> domain users and my domain groups with wbinfo.
>
> After that, here is my salient squid.conf configuration:
>
> auth_param ntlm program /home/squid/squid25/libexec/wb_ntlmauth
> auth_param ntlm children 5
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> acl federico proxy_auth REQUIRED
> http_access allow federico
> http_access deny all
>
> Ok now I start squid by doing "squid -D -N -d 5" , and I can see this from
> cache.log:
>
> 2002/06/26 18:20:28| Starting Squid Cache version 2.5.PRE7-20020625 for
> i686-pc-linux-gnu...
> 2002/06/26 18:20:28| Process ID 173
> 2002/06/26 18:20:28| With 1024 file descriptors available
> 2002/06/26 18:20:28| DNS Socket created at 0.0.0.0, port 32771, FD 5
> 2002/06/26 18:20:28| Adding nameserver 192.168.5.1 from /etc/resolv.conf
> 2002/06/26 18:20:28| helperStatefulOpenServers: Starting 5 'wb_ntlmauth'
> processes
> (wb_ntlmauth)[174](wb_ntlm_auth.c:348): target domain is MYDOMAIN
> (wb_ntlmauth)[175](wb_ntlm_auth.c:348): target domain is MYDOMAIN
> (wb_ntlmauth)[176](wb_ntlm_auth.c:348): target domain is MYDOMAIN
> (wb_ntlmauth)[178](wb_ntlm_auth.c:348): target domain is MYDOMAIN
> (wb_ntlmauth)[177](wb_ntlm_auth.c:348): target domain is MYDOMAIN
> 2002/06/26 18:20:28| Unlinkd pipe opened on FD 15
> 2002/06/26 18:20:28| Swap maxSize 102400 KB, estimated 7876 objects
> 2002/06/26 18:20:28| Target number of buckets: 393
> 2002/06/26 18:20:28| Using 8192 Store buckets
> 2002/06/26 18:20:28| Max Mem size: 8192 KB
> 2002/06/26 18:20:28| Max Swap size: 102400 KB
> 2002/06/26 18:20:28| Rebuilding storage in /home/squid/squid25//var/cache
> (CLEAN)
> 2002/06/26 18:20:28| Using Least Load store dir selection
> 2002/06/26 18:20:28| Set Current Directory to /home/squid/squid25//var/cache
> 2002/06/26 18:20:28| Loaded Icons.
> 2002/06/26 18:20:28| Accepting HTTP connections at 0.0.0.0, port 8080, FD
> 17.
> 2002/06/26 18:20:28| Accepting ICP messages at 0.0.0.0, port 3130, FD 18.
> 2002/06/26 18:20:28| Accepting SNMP messages on port 3401, FD 19.
> 2002/06/26 18:20:28| WCCP Disabled.
> 2002/06/26 18:20:28| Pinger socket opened on FD 21
> 2002/06/26 18:20:28| Ready to serve requests.
> 2002/06/26 18:20:28| Done reading /home/squid/squid25//var/cache swaplog (58 entries)
> 2002/06/26 18:20:28| Finished rebuilding storage from disk.
> 2002/06/26 18:20:28| 58 Entries scanned
> 2002/06/26 18:20:28| 0 Invalid entries.
> 2002/06/26 18:20:28| 0 With invalid flags.
> 2002/06/26 18:20:28| 58 Objects loaded.
> 2002/06/26 18:20:28| 0 Objects expired.
> 2002/06/26 18:20:28| 0 Objects cancelled.
> 2002/06/26 18:20:28| 0 Duplicate URLs purged.
> 2002/06/26 18:20:28| 0 Swapfile clashes avoided.
> 2002/06/26 18:20:28| Took 0.3 seconds ( 187.0 objects/sec).
> 2002/06/26 18:20:28| Beginning Validation Procedure
> 2002/06/26 18:20:28| Completed Validation Procedure
> 2002/06/26 18:20:28| Validated 58 Entries
> 2002/06/26 18:20:28| store_swap_size = 388k
> 2002/06/26 18:20:29| storeLateRelease: released 0 objects
>
> Now I open my IE6, configured for native NTLM authentication, and request a
> site through my proxy; here is what I can see in my access.log:
>
> 1025108432.785 1 192.168.5.12 TCP_DENIED/407 1313 GET http://freshmeat.net/ - NONE/- text/html
>
> No other log problems; from tcpdump, strace and others I can see that all
> seems OK. But I can't understand where the problem is.
> Other authentication, such as smb_auth or msnt_auth, works correctly. I need
> winbindd so that the awful password prompt does not pop up on user connections.
> Any help will be appreciated.
> Cheers, Federico.
>
> - Nemo me impune lacessit -
> Ego^pFe @*NET
>
Received on Thu Jun 27 2002 - 01:35:01 MDT
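
Added example (not part of the original message and not Squid or Samba code): the `TT` payload the helper logs in reply to `YR` is a base64 NTLMSSP type 2 (challenge) message, and decoding it shows whether the helper returned a well-formed challenge and what it contains. The function names and the flag subset are choices made for this example; the sample line is rebuilt from the cache.log output quoted above.

```python
import base64
import re
import struct

# Rebuilt from the helper debug line quoted in the message above
# (the base64 is split across literals only for line length).
SAMPLE_LOG = (
    "(wb_ntlmauth)[307](wb_ntlm_auth.c:74): sending 'TT "
    "TlRMTVNTUAACAAAADwAPACgAAACCgkEA"
    "WIlrT7VlJpUA" "AAAAAAAA"
    "AEdSQU5ESV9TVEFaSU9OSQ==\n"
    "' to squid"
)

# Small subset of the NTLMSSP negotiate flags (names as in MS-NLMP).
FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000200: "NEGOTIATE_NTLM",
    0x00010000: "TARGET_TYPE_DOMAIN",
}

def extract_tt_blob(log_text):
    """Return the base64 payload of the helper's 'TT' reply, or None."""
    m = re.search(r"sending 'TT\s+([A-Za-z0-9+/=]+)", log_text)
    return m.group(1) if m else None

def parse_challenge(b64_blob):
    """Parse an NTLMSSP type 2 message; raise ValueError if malformed."""
    raw = base64.b64decode(b64_blob, validate=True)
    if len(raw) < 32:
        raise ValueError("too short for a type 2 header")
    # signature, message type, target-name len/maxlen/offset, flags
    sig, msg_type, t_len, _t_max, t_off, flags = struct.unpack_from("<8sIHHII", raw, 0)
    if sig != b"NTLMSSP\x00" or msg_type != 2:
        raise ValueError("not an NTLMSSP challenge message")
    if t_off + t_len > len(raw):
        raise ValueError("target name buffer points outside the message")
    encoding = "utf-16-le" if flags & 0x1 else "ascii"
    return {
        "target_name": raw[t_off:t_off + t_len].decode(encoding, errors="replace"),
        "flags": sorted(name for bit, name in FLAGS.items() if flags & bit),
        "server_challenge": raw[24:32].hex(),  # 8-byte nonce after the flags
    }

if __name__ == "__main__":
    print(parse_challenge(extract_tt_blob(SAMPLE_LOG)))
```

The target name field carries the authentication domain in clear, so `TT` lines in a debug log need the same redaction as the workgroup setting before the log is shared.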

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:08:50 MST