RE: [squid-users] NTLM authentication error when using wb_group

From: Jairo.Castañeda <Jairo.Castaneda@dont-contact.us>
Date: Fri, 17 Jan 2003 08:48:32 -0500

Hi,

I'm using samba 2.2.7

Regards

-----Original Message-----
From: Henrik Nordstrom [mailto:hno@squid-cache.org]
Sent: Thursday, 16 January 2003 05:47 p.m.
To: Jairo.Castañeda
Cc: 'DUBOST "Gaetan (DSIT-XA/I)'"; Squid List (E-mail)
Subject: RE: [squid-users] NTLM authentication error when using wb_group

Which version of Samba are you using?

See the Squid FAQ entry on using winbind for details.. wb_group is a bit
sensitive to changes in the Samba sources from version to version..

Regards
Henrik

Thu 2003-01-16 at 19.55, Jairo.Castañeda wrote:
> Hi,
>
> That's already done. I followed to the letter FAQ's section 23. Right now
> authenticated users are allowed to surf the web, users not authenticated get
> the popup window asking for the user/password/domain and in my access.log I
> get the username/domain which means my traffic is really being authorized.
>
> The problem is when I try to use wb_group... :
> if I test the connection I should get something like this (according to a
> FAQ I read):
> usr/local/squid/libexex/squid/wb_group -d
> /wb_group[617](wb_check_group.c:250): External ACL winbindd group helper
> build Dec 17 2002, 14:27:05 starting up...
> DOMAINNAME\\User GroupName
> /wb_group[617](wb_check_group.c:269): Got 'DOMAINNAME\\User GroupName' from Squid (length: 8192).
> /wb_group[617](wb_check_group.c:172): SID:
> S-1-5-21-1836190980-1428173729-311576647-513
> /wb_group[617](wb_check_group.c:175): Windows group: Domain Users, Squid
> group: GroupName
> /wb_group[617](wb_check_group.c:172): SID:
> S-1-5-21-1836190980-1428173729-311576647-1168
> /wb_group[617](wb_check_group.c:175): Windows group: HelpDesk, Squid group: GroupName
> /wb_group[617](wb_check_group.c:172): SID:
> S-1-5-21-1836190980-1428173729-311576647-512
> /wb_group[617](wb_check_group.c:175): Windows group: Domain Admins, Squid
> group: GroupName
> /wb_group[617](wb_check_group.c:172): SID:
> S-1-5-21-1836190980-1428173729-311576647-1510
> /wb_group[617](wb_check_group.c:175): Windows group: HelpDesk, Squid group: GroupName
> OK
>
> instead I get:
> /wb_group[617](wb_check_group.c:265): External ACL winbindd group helper
> build Dec 17 2002, 14:27:05 starting up...
> DOMAINNAME\\User GroupName
> /wb_group[617](wb_check_group.c:285): Got 'DOMAINNAME\\User GroupName' from Squid (length: 8192).
> ERR
>
> It seems like there is no communication between my proxy and the PDC????
> Then how is NTLM authentication working?
>
> Any ideas?
>
> Thanks,
>
> -----Original Message-----
> From: DUBOST Gaetan (DSIT-XA/I) [mailto:Gaetan.DUBOST@sncf.fr]
> Sent: Thursday, 16 January 2003 11:37 a.m.
> To: Jairo.Castañeda
> Subject: RE: [squid-users] NTLM authentication error when using wb_group
>
>
> Hi,
>
> remember that you need to use winbind and to register your server on your NT
> domain, see the FAQ :
>
> http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5
>
> -----Original Message-----
> From: Jairo.Castañeda [mailto:Jairo.Castaneda@siemens.com]
> Sent: Thursday, 16 January 2003 17:31
> To: 'Mohsin Khan'
> Cc: Squid List (E-mail)
> Subject: RE: [squid-users] NTLM authentication error when using wb_group
>
>
> That would be ok if my network were small. However that's not the
> case....There are 1400 users so I need to use filters based on NT groups.
>
> -----Original Message-----
> From: Mohsin Khan [mailto:aaghaz00@yahoo.com]
> Sent: Wednesday, 15 January 2003 11:04 p.m.
> To: Jairo.Castañeda
> Subject: Re: [squid-users] NTLM authentication error when using wb_group
>
>
> A-o-a
>
> Well if you are using NTLM and you want specific users
> to surf internet, just put the user names in a file
> and make an ACL accordingly.
>
> --- Jairo.Castañeda <Jairo.Castaneda@siemens.com>
> wrote:
> > I've got a Linux RH 7.2 box running squid 2.5stable1
> > with NTLM
> > authentication implemented as well which is working
> > fine. So far so good...
> >
> > However, I want to allow web access only to users
> > belonging to a NT group
> > (called internet). In an earlier e-mail I was told
> > to use the wb-group
> > external_acl helper which I did so I added the
> > following lines to the
> > squid.conf file:
> >
> > -- external_acl_type NT_global_group %LOGIN /usr/local/squid/libexec/wb_group
> > -- acl ProxyUsers external NT_global_group internet
> > -- acl AuthorizedUsers proxy_auth REQUIRED
> >
> > My rules look like this:
> > http_access allow AuthorizedUsers ProxyUsers
> > http_access deny all
> >
> > With this setup every time I tried to surf I get the
> > following error:
> > "Access Denied.
> > Access control configuration prevents your request
> > from being allowed at
> > this time. Please contact your service provider if
> > you feel this is
> > incorrect."
> >
> > From the access.log
> > "1042667330.327 10 xxx.xxx.148.xxx TCP_DENIED/407 1762 GET http://www.cromos.com.co/ - NONE/- text/html
> > 1042667330.367 16 xxx.xxx.148.xxx TCP_DENIED/407 1770 GET http://www.cromos.com.co/ - NONE/- text/html
> > 1042667330.394 25 xxx.xxx.148.xxx TCP_DENIED/403 1407 GET http://www.cromos.com.co/ vebogx101a\castanedaj NONE/- text/html"
> >
> > If I remove "ProxyUsers" from the http_access rule
> > my NTLM scheme works
> > again.(only authenticated users can surf the web)
> >
> > What could be missing? Any ideas?
> >
> > Jairo Castañeda
>
>
> =====
> Regards,
> Mohsin Khan
> CCNA ( Cisco Certified Network Associate 2.0 )
>
> >>>Happy is the who can smile<<<
>

-- 
Henrik Nordstrom <hno@squid-cache.org>
MARA Systems AB, Sweden
Received on Fri Jan 17 2003 - 06:46:28 MST
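
An added example, not part of the original thread or of Squid: the access.log excerpt quoted above shows two 407 responses without a user name followed by a 403 that carries the user name, which is the pattern of a completed NTLM login that a later ACL then refused. The script below separates those cases in Squid's native log format; the sample lines, client addresses and account names are constructed.

```python
import re
from collections import Counter

# Squid native access.log fields:
# time elapsed client result/status bytes method URL user hierarchy/peer type
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)$"
)

# Constructed sample lines (placeholder clients, URL and accounts).
SAMPLE = r"""
1042667330.327 10 192.0.2.10 TCP_DENIED/407 1762 GET http://www.example.com/ - NONE/- text/html
1042667330.367 16 192.0.2.10 TCP_DENIED/407 1770 GET http://www.example.com/ - NONE/- text/html
1042667330.394 25 192.0.2.10 TCP_DENIED/403 1407 GET http://www.example.com/ EXAMPLEDOM\alice NONE/- text/html
1042667331.010 90 192.0.2.11 TCP_MISS/200 5120 GET http://www.example.com/ EXAMPLEDOM\bob DIRECT/198.51.100.7 text/html
"""

def classify(line):
    """Return (category, user) for one access.log line."""
    m = LINE.match(line.strip())
    if m is None:
        return ("unparsed", None)
    user = None if m["user"] == "-" else m["user"]
    if m["result"] != "TCP_DENIED":
        return ("not_denied", user)
    if m["status"] == "407":
        return ("auth_challenge", user)            # proxy asking for credentials
    if m["status"] == "403" and user:
        return ("authenticated_but_denied", user)  # login succeeded, an ACL refused
    return ("denied_other", user)

def summarize(text):
    """Count categories and collect users who logged in but were refused."""
    counts, refused = Counter(), set()
    for line in text.splitlines():
        if not line.strip():
            continue
        category, user = classify(line)
        counts[category] += 1
        if category == "authenticated_but_denied":
            refused.add(user)
    return counts, sorted(refused)

if __name__ == "__main__":
    counts, refused = summarize(SAMPLE)
    print(dict(counts))
    print("authenticated but refused by ACL:", refused)
```

A user listed as authenticated but refused points at the group lookup (here the wb_group external ACL) rather than at the NTLM login itself.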

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:12:42 MST