RE: [squid-users] Re: One step away from getting winbind authentication working...

From: Herman (ISTD) <herman_ang@dont-contact.us>
Date: Wed, 14 Jul 2004 07:14:13 +0700

Dear Adam and Rob,

I also faced the same obstacle when authenticating with winbind. So far,
I haven't found a solution. Here is my thread:

However Adam, I have read the FAQ about the winbind_privileged pipe
(chgrp squid /path/to/winbind_privileged) but I can't find the directory
in either the samba or the squid directory. Where does the directory reside?

--------------------------
Dear all,

My squid version is : squid-2.5.STABLE5
The winbind I am using is : samba-3.0.4

Basically I already can authenticate using Samba :

[root@mx logs]# /usr/local/samba/bin/wbinfo -t
checking the trust secret via RPC calls succeeded
[root@mx logs]# /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
mydomain+myuser mypassword
OK

Here is the configuration of my squid.conf :
auth_param basic program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl fool proxy_auth REQUIRED
acl all src 0/0
http_access allow fool
http_access deny all

When I browse using IE 6.0, I get the authentication window. I type
MYDomain\myuser and the password, but I always get denied:

ERROR
Cache Access Denied

--------------------------------------------------------------------------------

While trying to retrieve the URL: http://www.google.com/

The following error was encountered:

Cache Access Denied.

Sorry, you are not currently allowed to request:

    http://www.google.com/
from this cache until you have authenticated yourself.

You need to use Netscape version 2.0 or greater, or Microsoft Internet
Explorer 3.0, or an HTTP/1.1 compliant browser for this to work. Please
contact the cache administrator if you have difficulties authenticating
yourself or change your default password.

--------------------------------------------------------------------------------

Generated Tue, 22 Jun 2004 02:02:06 GMT by squid/2.5.STABLE5

In access.log :

1087869178.580 502 10.32.4.45 TCP_DENIED/407 1714 GET http://www.google.com/ MyDomain\myuser NONE/- text/html
1087869182.556 969 10.32.4.45 TCP_DENIED/407 1714 GET http://www.google.com/ MyDomain\myuser NONE/- text/html

Can anyone help me?

Thank you.

Regards,

Herman

> -----Original Message-----
> From: Adam Aube [mailto:aaube01@baker.edu]
> Sent: 07 June 2004 1:48
> To: squid-users@squid-cache.org
> Subject: [squid-users] Re: Winbind authentication
>
> Herman (ISTD) wrote:
>
> > I am using winbind authentication with squid. So far, winbind
> > authentication to a single Domain has no problem. But in our environment,
> > the users using squid are distributed on two different domains, so I
> > need winbind to be able to authenticate to two different Domains.
> >
> > Has anyone ever tried this before? I would appreciate it very much if you
> > can share your experiences with me.
>
> If you can link Samba correctly to all the domains, then the Winbind
> helper will work fine. Since this is really a Samba issue, the best
> sources of help will be the Samba docs and the Samba list.
>
> Adam

> -----Original Message-----
> From: Adam Aube [mailto:aaube01@baker.edu]
> Sent: 08 July 2004 7:55
> To: squid-users@squid-cache.org
> Subject: [squid-users] Re: One step away from getting winbind
> authentication working...
>
> lists@dedicated-web.net wrote:
>
> > I have followed the instructions in section 23.5 on
> > http://www.squid-cache.org/Doc/FAQ/FAQ-23.html
>
> > I configured Samba Version 3.0.4 --with-winbind
> > I have smbd, nmbd, and winbindd running and have tested winbindd user
> > authentication successfully
>
> > I built squid:
> > Squid Cache: Version 2.5.STABLE5-20040707
> > configure options: --enable-auth=ntlm,basic
> > --enable-external-acl-helpers=wbinfo_group
>
> > and tested it without authentication - works fine.
>
> > I tested the Test the Samba-3.x helper - works fine
>
> > I added the relevant auth_param's and adjusted the acls in squid.conf -
> > no go :(
>
> > I use IE6.0 and it pops up a username/password prompt.
> > I enter in my credentials - no go.
> > I enter in my credentials with domain\username - no go.
>
> Did you try the "wbinfo -a username%password" test? Did both plaintext and
> challenge-response authentication succeed? Did you make sure the
> winbind_privileged pipe is accessible by the user Squid runs as?
>
> Both of these are in the FAQ, but you made no mention of them.
>
> Adam
Received on Tue Jul 13 2004 - 18:15:29 MDT
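
A triage sketch for the access.log pattern posted in this thread, added here as an example and not code from any poster or from the Squid project: it separates a bare 407 challenge (user field "-") from a 407 logged with a user name, which is the case shown above. The function names, the threshold and sample lines 1 and 4 are assumptions made for illustration, as is the reading that a populated user field on a 407 means credentials were sent and not accepted.

```python
import re
from collections import Counter

# Squid native access.log fields:
# time elapsed client code/status bytes method URL user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>-?\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample: lines 2-3 are the entries posted in the thread (rejoined);
# lines 1 and 4 are invented for contrast.
SAMPLE_LOG = r"""
1087869170.101 3 10.32.4.45 TCP_DENIED/407 1714 GET http://www.google.com/ - NONE/- text/html
1087869178.580 502 10.32.4.45 TCP_DENIED/407 1714 GET http://www.google.com/ MyDomain\myuser NONE/- text/html
1087869182.556 969 10.32.4.45 TCP_DENIED/407 1714 GET http://www.google.com/ MyDomain\myuser NONE/- text/html
1087869190.002 120 10.32.4.46 TCP_MISS/200 5120 GET http://www.google.com/ otheruser DIRECT/192.0.2.10 text/html
"""

def summarize(log_text):
    """Split 407 denials into bare challenges and rejected credentials."""
    challenges = Counter()   # client -> 407s with no user (normal first round trip)
    rejected = Counter()     # (client, user) -> 407s although a user name was sent
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["status"] != "407":
            continue         # skip blanks, unparsable lines and non-auth results
        if m["user"] == "-":
            challenges[m["client"]] += 1
        else:
            rejected[(m["client"], m["user"])] += 1
    return challenges, rejected

def rejected_logins(log_text, threshold=2):
    """Return (client, user, count) for users denied at least `threshold` times."""
    _, rejected = summarize(log_text)
    return sorted((c, u, n) for (c, u), n in rejected.items() if n >= threshold)

if __name__ == "__main__":
    for client, user, n in rejected_logins(SAMPLE_LOG):
        print(f"{client} sent credentials for {user!r} {n} times and was denied each time")
```

The user name is reported exactly as logged, so it can be compared with the form the helper accepted on the command line.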
