[squid-users] Re: Incompatibilities between Samba and Squid

From: Norman Zhang <norman.zhang@dont-contact.us>
Date: Fri, 11 Jun 2004 09:41:22 -0700

Hi,

Thanks for your reply. winbind seems to be fine and I can browse the net
from the Squid box.

[root@proxy root]# wbinfo -t
checking the trust secret via RPC calls succeeded
[root@proxy root]# wbinfo -a nzhang%testing123
plaintext password authentication succeeded
challenge/response password authentication succeeded

but when trying to connect to Internet through Squid, I see the
following in /var/log/syslog

Jun 11 09:37:10 proxy winbindd[1354]: process_loop: Invalid request
size from pid 6485: 1304 bytes sent, should be 1568
Jun 11 09:37:10 proxy winbindd[1354]: This usually means that you are
running old wbinfo, pam_winbind or libnss_winbind clients
Jun 11 09:37:10 proxy winbindd[1354]: [2004/06/11 09:37:10, 0]
nsswitch/winbindd.c:process_loop(726)

Any ideas?

Regards,
Norman

SXB6300 Mailing wrote:
> What are the results of the samba tools check:
> wbinfo -t
> wbinfo -a user%password
>
> Also, check http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5
>
> -----Original Message-----
> From: news [mailto:news@sea.gmane.org] On Behalf Of Norman Zhang
>
> After making the changes I still cannot get through. /var/log/syslog
> shows the following,
>
> Jun 10 10:14:20 proxy (squid): authenticateNTLMHandleReply: called with
> no result string
> Jun 10 10:14:20 proxy squid[2229]: Squid Parent: child process 2273
> exited due to signal 6
> Jun 10 10:14:23 proxy squid[2229]: Squid Parent: child process 2288 started
> Jun 10 10:14:23 proxy winbindd[1354]: [2004/06/10 10:14:23, 0]
> nsswitch/winbindd.c:process_loop(726)
> Jun 10 10:14:23 proxy winbindd[1354]: process_loop: Invalid request
> size from pid 2295: 1304 bytes sent, should be 1568
> Jun 10 10:14:23 proxy winbindd[1354]: This usually means that you are
> running old wbinfo, pam_winbind or libnss_winbind clients
>
> /var/log/squid/access.log displays.
>
> 1086887660.896 41 192.168.22.7 TCP_DENIED/407 1691 GET
> http://www.cbc.ca/ - NONE/- text/html
>
> May I ask is there other ways to solve this?
>
> SXB6300 Mailing wrote:
>>You should use the ntlm helper shipped with samba. wb_ntlmauth are the old helpers
>>of squid 2.4x versions. For squid 2.5, it's highly recommended to use samba
>>helpers: replace wb_ntlmauth by ntlm_auth (usually in /usr/bin) in squid.conf
>>Regards,
>>
>>-----Original Message-----
>>From: news [mailto:news@sea.gmane.org] On Behalf Of Norman Zhang
>>Sent: Thursday, June 10, 2004 02:21
>>
>>I'm running Squid-2.5.STABLE4-1.100mdk with samba-server-3.0.2a-3mdk.
>>When I tried to go to the internet, I see the following in
>>
>>/var/log/syslog
>>Jun 9 17:06:07 proxy (squid): authenticateNTLMHandleReply: called with
>>no result string
>>Jun 9 17:06:07 proxy squid[1571]: Squid Parent: child process 2617
>>exited due to signal 6
>>
>>/var/log/squid/access.log
>>1086825967.398 31 192.168.22.7 TCP_DENIED/407 1706 GET
>>http://www.mozilla.org/ - NONE/- text/html
>>
>>Searching through the archives seems to indicate a bug with Samba's NTLM
>>helper? May I ask is there a fix for this?
>>
>>cache_mgr web.master@arkonnetworks.com
>>hierarchy_stoplist cgi-bin ?
>>acl QUERY urlpath_regex cgi-bin \?
>>no_cache deny QUERY
>>cache_mem 16 MB
>>cache_dir ufs /var/spool/squid 200 16 256
>>cache_peer 127.0.0.1 parent 80 7 default no-query
>>acl binaries urlpath_regex -i \.exe$ \.zip$ \.vbs$ \.gz$
>>cache_peer_access 127.0.0.1 allow binaries
>>never_direct allow binaries
>>
>>ftp_user squid@test.com
>>auth_param ntlm program /usr/lib/squid/wb_ntlmauth
>>auth_param ntlm children 5
>>auth_param ntlm max_challenge_reuses 0
>>auth_param ntlm max_challenge_lifetime 2 minutes
>>
>>external_acl_type NT_global_group %LOGIN /usr/lib/squid/wb_group
>>
>>acl ProxyUsers external NT_global_group ProxyUsers
>>acl authusrs proxy_auth REQUIRED
>>acl all src 0.0.0.0/0.0.0.0
>>acl manager proto cache_object
>>acl localhost src 127.0.0.1/255.255.255.255
>>acl SSL_ports port 443 563
>>acl Safe_ports port 80 # http
>>acl Safe_ports port 21 # ftp
>>acl Safe_ports port 443 563 # https, snews
>>acl Safe_ports port 70 # gopher
>>acl Safe_ports port 210 # wais
>>acl Safe_ports port 1025-65535 # unregistered ports
>>acl Safe_ports port 280 # http-mgmt
>>acl Safe_ports port 488 # gss-http
>>acl Safe_ports port 591 # filemaker
>>acl Safe_ports port 777 # multiling http
>>acl webmin port 10000 20000 # webmin, usermin
>>acl CONNECT method CONNECT
>>acl localnet dst 192.168.11.0/26 192.168.22.0/25
>>acl arkonweb dst 207.34.136.4 207.34.136.5 207.34.136.7
>>acl pdfgrab browser WebCapture
>>acl realplay browser RealMedia
>>acl ssread browser SSDOWNLOAD
>>acl ssread browser SSREADER
>>
>>http_access allow manager localhost
>>http_access deny manager
>>http_access allow CONNECT webmin
>>http_access deny !Safe_ports
>>http_access deny CONNECT !SSL_ports
>>http_access allow localnet
>>http_access allow arkonweb
>>http_access allow pdfgrab
>>http_access allow realplay
>>http_access allow ssread
>>http_access allow authusrs ProxyUsers
>>http_access allow localhost
>>http_access deny all
>>
>>icp_access allow all
Received on Fri Jun 11 2004 - 10:41:28 MDT
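
An added example, not part of the original thread: a small Python triage script that pulls the three symptoms quoted in this message out of syslog (the winbindd request-size mismatch, the empty NTLM helper reply and the Squid child abort) and groups the mismatches by size, so a helper that disagrees with the running winbindd stands out. The sample input is the thread's own log lines rejoined onto single lines; the function names are illustrative.

```python
import re
from collections import defaultdict

# The thread's own syslog lines, rejoined onto single lines as syslog writes them.
SAMPLE = """\
Jun 10 10:14:20 proxy (squid): authenticateNTLMHandleReply: called with no result string
Jun 10 10:14:20 proxy squid[2229]: Squid Parent: child process 2273 exited due to signal 6
Jun 10 10:14:23 proxy squid[2229]: Squid Parent: child process 2288 started
Jun 10 10:14:23 proxy winbindd[1354]: process_loop: Invalid request size from pid 2295: 1304 bytes sent, should be 1568
Jun 11 09:37:10 proxy winbindd[1354]: process_loop: Invalid request size from pid 6485: 1304 bytes sent, should be 1568
"""

MISMATCH = re.compile(r"winbindd\[\d+\]: process_loop: Invalid request size "
                      r"from pid (\d+): (\d+) bytes sent, should be (\d+)")
CRASH = re.compile(r"Squid Parent: child process (\d+) exited due to signal (\d+)")
NO_RESULT = "authenticateNTLMHandleReply: called with no result string"


def summarize(log_text):
    """Collect the three symptoms seen in the thread from syslog text."""
    by_size = defaultdict(set)  # (bytes sent, bytes expected) -> client pids
    crashes, no_result = [], 0
    for line in log_text.splitlines():
        m = MISMATCH.search(line)
        if m:
            pid, sent, expected = map(int, m.groups())
            by_size[(sent, expected)].add(pid)
        elif (m := CRASH.search(line)):
            crashes.append((int(m.group(1)), int(m.group(2))))
        elif NO_RESULT in line:
            no_result += 1
    return {"mismatches": {k: sorted(v) for k, v in by_size.items()},
            "crashes": crashes, "no_result": no_result}


def findings(summary):
    """Turn the counts into plain statements an operator can act on."""
    out = []
    for (sent, expected), pids in summary["mismatches"].items():
        out.append(f"{len(pids)} winbind client(s) {pids} sent {sent}-byte requests; "
                   f"winbindd expects {expected}: client and winbindd versions disagree")
    if summary["no_result"] or summary["crashes"]:
        out.append(f"{summary['no_result']} empty NTLM helper replies, "
                   f"{len(summary['crashes'])} Squid child aborts")
    return out


if __name__ == "__main__":
    for line in findings(summarize(SAMPLE)):
        print(line)
```
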
