RE: [squid-users] Re: One step away from getting winbind authentication working...

From: Herman (ISTD) <herman_ang@dont-contact.us>
Date: Thu, 15 Jul 2004 07:27:59 +0700

Thanks Rob,

I have located the winbind pipe directory, will try it later for winbind
authentication. However, what actually is the function of the pipe? I
think I cannot find this information in the Squid FAQ.

Regards,

herman

> -----Original Message-----
> From: lists@dedicated-web.net [mailto:lists@dedicated-web.net]
> Sent: 14 July 2004 7:56
> To: Herman (ISTD)
> Subject: RE: [squid-users] Re: One step away from getting winbind
> authentication working...
>
> Herman,
>
> I can't remember its location, but I found the winbind_privileged
> directory by doing a
>
> #locate pipe
>
> When I set the permissions correctly on the winbind_privileged directory,
> squid authentication worked perfectly.
>
> I have since rolled back to using samba-2.2.9 because I found that the
> external acl helpers didn't work with samba-3 because they were still
> based upon samba-2 code. Now using Samba 2.2.9 I can authenticate users
> to the NT4 PDC, and create acls based upon the NT user groups.
>
> Regards,
> Rob Hadfield
>
> Quoting "Herman (ISTD)" <herman_ang@toyota.co.id>:
>
> > Dear Adam and Rob,
> >
> > I also faced the same obstacle when authenticating with winbind. Till
> > now, I haven't got the solution yet. Here is my thread :
> >
> > However Adam, I have read the FAQ about the winbind_privileged pipe
> > (chgrp squid /path/to/winbind_privileged) but I can't find the directory
> > both on samba or squid directory. Where does the directory reside ?
> >
> >
> > --------------------------
> > Dear all,
> >
> > My squid version is : squid-2.5.STABLE5
> > The winbind I am using is : samba-3.0.4
> >
> > Basically I already can authenticate using Samba :
> >
> > [root@mx logs]# /usr/local/samba/bin/wbinfo -t
> > checking the trust secret via RPC calls succeeded
> > [root@mx logs]# /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> > mydomain+myuser mypassword
> > OK
> >
> > Here is the configuration of my squid.conf :
> > auth_param basic program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> > auth_param basic children 5
> > auth_param basic realm Squid proxy-caching web server
> > auth_param basic credentialsttl 2 hours
> > acl fool proxy_auth REQUIRED
> > acl all src 0/0
> > http_access allow fool
> > http_access deny all
> >
> > When I browse using IE 6.0, I got the authentication window, I type
> > MYDomain\myuser and password, but I always got denied :
> >
> > ERROR
> > Cache Access Denied
> >
> > ------------------------------------------------------------------------
> >
> > While trying to retrieve the URL: http://www.google.com/
> >
> > The following error was encountered:
> >
> > Cache Access Denied.
> >
> > Sorry, you are not currently allowed to request:
> >
> > http://www.google.com/ from this cache until you have authenticated
> > yourself.
> >
> > You need to use Netscape version 2.0 or greater, or Microsoft Internet
> > Explorer 3.0, or an HTTP/1.1 compliant browser for this to work. Please
> > contact the cache administrator if you have difficulties authenticating
> > yourself or change your default password.
> >
> > ------------------------------------------------------------------------
> >
> > Generated Tue, 22 Jun 2004 02:02:06 GMT by squid/2.5.STABLE5
> >
> > In access.log :
> >
> > 1087869178.580 502 10.32.4.45 TCP_DENIED/407 1714 GET http://www.google.com/ MyDomain\myuser NONE/- text/html
> > 1087869182.556 969 10.32.4.45 TCP_DENIED/407 1714 GET http://www.google.com/ MyDomain\myuser NONE/- text/html
> >
> > Any one can help me ???
> >
> > Thank you.
> >
> > Regards,
> >
> > Herman
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: Adam Aube [mailto:aaube01@baker.edu]
> > > Sent: 07 June 2004 1:48
> > > To: squid-users@squid-cache.org
> > > Subject: [squid-users] Re: Winbind authentication
> > >
> > > Herman (ISTD) wrote:
> > >
> > > > I am using winbind authentication with squid. So far, winbind
> > > > authentication to single Domain has no problem. But in our environment,
> > > > the users using squid are distributed on two different domains, so I
> > > > need winbind to be able to authenticate to two different Domains.
> > > >
> > > > Does anyone ever try this before? I would appreciate very much if you
> > > > can share your experiences with me.
> > >
> > > If you can link Samba correctly to all the domains, then the Winbind
> > > helper will work fine. Since this is really a Samba issue, the best
> > > sources of help will be the Samba docs and the Samba list.
> > >
> > > Adam
> >
> >
> > > -----Original Message-----
> > > From: Adam Aube [mailto:aaube01@baker.edu]
> > > Sent: 08 July 2004 7:55
> > > To: squid-users@squid-cache.org
> > > Subject: [squid-users] Re: One step away from getting winbind
> > > authentication working...
> > >
> > > lists@dedicated-web.net wrote:
> > >
> > > > I have followed the instructions in section 23.5 on
> > > > http://www.squid-cache.org/Doc/FAQ/FAQ-23.html
> > >
> > > > I configured Samba Version 3.0.4 --with-winbind
> > > > I have smbd, nmbd, and winbindd running and have tested winbindd user
> > > > authentication successfully
> > >
> > > > I built squid:
> > > > Squid Cache: Version 2.5.STABLE5-20040707
> > > > configure options: --enable-auth=ntlm,basic
> > > > --enable-external-acl-helpers=wbinfo_group
> > >
> > > > and tested it without authentication - works fine.
> > >
> > > > I tested the Test the Samba-3.x helper - works fine
> > >
> > > > I added the relevant auth_param's and adjusted the acls in squid.conf -
> > > > no go :(
> > >
> > > > I use IE6.0 and it pops up a username/password prompt.
> > > > I enter in my credentials - no go.
> > > > I enter in my credentials with domain\username - no go.
> > >
> > > Did you try the "wbinfo -a username%password" test? Did both plaintext
> > > and challenge-response authentication succeed? Did you make sure the
> > > winbind_privileged pipe is accessible by the user Squid runs as?
> > >
> > > Both of these are in the FAQ, but you made no mention of them.
> > >
> > > Adam
> >
> >
>
>
Received on Wed Jul 14 2004 - 18:29:23 MDT
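
Added example, not part of the original thread or of Squid or Samba: a shell check for the step discussed above, that the winbind_privileged directory is accessible to the group Squid runs as (the FAQ's "chgrp squid /path/to/winbind_privileged"). The directory path and group name are passed as arguments; GNU stat is assumed, and treating any access for other users as a failure is an assumption of this example, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread). Requires GNU stat.
# check_winbind_pipe_dir DIR GROUP
#   0 = GROUP can enter DIR and other users cannot
#   1 = DIR does not belong to GROUP (the FAQ's chgrp step was not applied)
#   2 = group bits lack read+execute, so the helper cannot reach the pipe
#   3 = other users have access to DIR (assumed undesirable here)
#   4 = DIR does not exist
check_winbind_pipe_dir() {
    dir=$1
    want_group=$2
    [ -d "$dir" ] || { echo "missing: $dir"; return 4; }

    group=$(stat -c '%G' "$dir")
    # %a prints the octal mode without leading zeros; pad to 4 digits
    mode=$(printf '%04d' "$(stat -c '%a' "$dir")")
    rest=${mode%?}
    other_bits=${mode#"$rest"}      # last digit: permissions for "other"
    group_bits=${rest#"${rest%?}"}  # third digit: permissions for the group

    if [ "$group" != "$want_group" ]; then
        echo "$dir: group is $group, expected $want_group"
        return 1
    fi
    if [ $(( group_bits & 5 )) -ne 5 ]; then
        echo "$dir: mode $mode gives group $want_group no r-x access"
        return 2
    fi
    if [ "$other_bits" -ne 0 ]; then
        echo "$dir: mode $mode lets other users in"
        return 3
    fi
    echo "$dir: ok (group $group, mode $mode)"
    return 0
}

# Run as: sh check.sh /path/to/winbind_privileged squid
if [ "$#" -eq 2 ]; then
    check_winbind_pipe_dir "$1" "$2"
fi
```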

This archive was generated by hypermail pre-2.1.9 : Sun Aug 01 2004 - 12:00:02 MDT