Re: [squid-users] Repost: wb_group locks my 2k domain users

From: Henrik Nordstrom <hno@dont-contact.us>
Date: 03 Apr 2003 18:10:54 +0200

Because the problem is in the NTLM authentication. NTLM is pretty much
relayed directly via Squid, wbntlm_auth and winbind between your browser
and the domain controller. When there are mismatches in NTLM
authentication your domain controller counts this as an invalid login,
and when above the threshold for bad login attempts set in your domain
your account will be locked.

If things work fine except if you wait for a long time (more than an
hour) then the problem is most likely in how your client station manages
the user credentials from when you logged on to the domain. For Squid,
winbind, wbntlm_auth or wb_group there is no difference if you wait 1
nanosecond or many years; the exact same actions take place with the
exact same data.

wb_group is not the cause. In fact, it is almost certainly not even
involved on the requests causing the lockout as wb_group is only called
once the authentication has completed successfully and does not do any
authentication.

It is possible that this is a bug in Samba winbindd and how it connects
to the domain, but then the only way to fix the problem should be to
refresh the Samba domain membership, not by unlocking the account.

Have you configured Samba to periodically refresh the computer account
to prevent it from expiring?

Note: The NTLM authentication takes place on each new TCP connection
made by your browser, so this is a very frequent operation. On each new
TCP connection there are first two TCP_DENIED logged by Squid, and on the
third request IE provides user credentials which will be verified with
the domain.

The best way to identify where the error is is to test using a Microsoft
IIS server as described below. If the same problem appears then you know
for sure it is not a Squid or Samba problem. If the problem does not
appear then it may be a Squid or Samba problem and the next step is then
to analyze the NTLM exchanges in detail (Squid debug logs and access to
your domain password is required for this analysis).

Regards
Henrik

tor 2003-04-03 klockan 16.41 skrev Federico Lombardo:
> I don't want to be pedantic.
>
> Henrik could you gently tell me "why" do you think is a 2k Domain issue and
> not a squid one ?
>
> As I can see wb_group doesn't authenticate users into the domain, it only
> makes a one-to-one correspondence between Domain User and Group and sends OK or
> ERR to squid, so why can it lock the user?
>
> maybe it is "only" a samba issue?
>
> Is what I've said about wb_group auth correct?
>
>
>
> ----- Original Message -----
> From: "Henrik Nordstrom" <hno@squid-cache.org>
> To: "Federico Lombardo" <egopfe@hotmail.com>
> Cc: <squid-users@squid-cache.org>
> Sent: Thursday, April 03, 2003 2:01 PM
> Subject: Re: [squid-users] Repost: wb_group locks my 2k domain users
>
>
> > Sounds like a domain problem..
> >
> > How long have you been logged on to this client station?
> >
> > Are you also logging on from some other stations?
> >
> >
> > One possible way to verify where the problem may be is to have an IIS
> > server locally in the domain which requires NTLM authentication. Then
> > access this server to see if the symptoms are the same..
> >
> > Regards
> > Henrik
> >
> >
> >
> > tor 2003-04-03 klockan 12.15 skrev Federico Lombardo:
> >
> > > I open my IE (most versions from 5.5 SP2 to 6 SP1) and I navigate some
> > > sites for two weeks.
> > > The third hypothetical week I open my IE, navigate and I find that my
> > > account is locked on the Domain Controller.
> > > I unlock my user, reopen IE, navigate, and my account is locked again.
> > >
> > > I've checked squid logs but, except for two or three ACCESS_DENIED
> > > before IE gives squid the correct credentials, all are ok and the SAME
> > > as correct navigation.

-- 
Free Squid-users support provided by Henrik Nordström <hno@squid-cache.org>
PayPal donations welcome if you consider my Free Squid support helpful.
https://www.paypal.com/xclick/business=hno%40squid-cache.org&cn=Comment
If you need commercial Squid support or cost effective Squid and
firewall appliances please refer to MARA Systems AB, Sweden
http://www.marasystems.com/, info@marasystems.com
Received on Thu Apr 03 2003 - 09:11:04 MST
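To turn the handshake described in the reply above (two TCP_DENIED per new connection, then an authenticated third request) into a check you can run over your own access.log, here is an added example; it is not code from this thread or from Squid. It assumes Squid's native log format, constructed sample lines, and that the user field is "-" on denied requests.

```python
import re
from collections import defaultdict

# Regex for Squid's native access.log format:
# timestamp elapsed client code/status bytes method URL user hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)$"
)

# Constructed sample lines (not from the thread). 10.0.0.5 shows the expected
# two-denial handshake; 10.0.0.9 shows four denials and no accepted request,
# i.e. credentials that keep failing and count against the lockout threshold.
SAMPLE_LOG = """\
1049385600.001 0 10.0.0.5 TCP_DENIED/407 1600 GET http://example.test/ - NONE/- text/html
1049385600.010 0 10.0.0.5 TCP_DENIED/407 1700 GET http://example.test/ - NONE/- text/html
1049385600.020 120 10.0.0.5 TCP_MISS/200 5400 GET http://example.test/ DOMAIN\\alice DIRECT/198.51.100.7 text/html
1049385601.000 0 10.0.0.9 TCP_DENIED/407 1600 GET http://example.test/a - NONE/- text/html
1049385601.010 0 10.0.0.9 TCP_DENIED/407 1700 GET http://example.test/a - NONE/- text/html
1049385601.020 0 10.0.0.9 TCP_DENIED/407 1700 GET http://example.test/a - NONE/- text/html
1049385601.030 0 10.0.0.9 TCP_DENIED/407 1700 GET http://example.test/a - NONE/- text/html
"""

NORMAL_DENIALS = 2  # anonymous request -> 407, NTLM type 1 -> 407, type 3 -> accepted

def parse(lines):
    """Yield one dict per well-formed log line; skip anything else."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()

def classify_handshakes(lines):
    """Per client: 'normal' handshakes (<= 2 denials, then an authenticated
    request) vs 'suspicious' ones (more denials, or denials never followed by
    an accepted request). The native log carries no connection id, so
    consecutive lines per client IP are used as an approximation of one
    connection; interleaved connections from the same IP can blur the count."""
    runs = defaultdict(int)  # client -> 407s seen since the last accepted request
    result = defaultdict(lambda: {"normal": 0, "suspicious": 0})
    for r in parse(lines):
        c = r["client"]
        if r["code"] == "TCP_DENIED" and r["status"] == "407":
            runs[c] += 1
        elif r["user"] != "-":  # credentials accepted: handshake finished
            result[c]["normal" if runs[c] <= NORMAL_DENIALS else "suspicious"] += 1
            runs[c] = 0
    for c, n in runs.items():  # unfinished runs at the end of the log
        if n > NORMAL_DENIALS:
            result[c]["suspicious"] += 1
    return {c: dict(v) for c, v in result.items()}
```

A client that shows up only with suspicious runs is where to look first, since every extra 407 beyond the normal two is a rejected credential the domain controller has counted.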
