[squid-users] AD2003 +Squid NTLM Auth.

From: Michael Wray <mwray@dont-contact.us>
Date: Mon, 4 Oct 2004 14:21:52 -0500

Authenticating Server: 2003 with Active Directory Enabled
Squid Server: FreeBSD 5.1
Samba: 3.0.7,1
Other package info in package list at bottom.

The DNS server is on the 2003 Server with the proper kerberos and ldap
entries in the DNS server. (Passes Active Directory DNS utility tests)

Responses are sent in LM, NTLM, &NTLM2 when negotiated.

Signing requirements are not configured. (Choices: Enable, or not
configured).

Have read, and followed to best of my ability the squid FAQ and
winbind/nmb/samba man pages. Things that work: All of the command line
based tests work, as you will see when you look below. But when I try to
authenticate with a browser I get denied, and the following info in
cache.log and log.winbindd. If I modify the permissions on
/var/db/samba/winbindd_privileged, that breaks the wbinfo tests saying that
the permissions on that file are incorrect.

Note: when I went to build samba --with-ads on freebsd it complained about
KRB5 and asked for HEIMDAL instead...so I am actually using HEIMDAL not
KRB5, as Samba refused to compile with KRB5 but compiled fine with HEIMDAL.
Squid works great unauthenticated, but fails all auth tests when using an
actual browser. The squid-helper passes basic auth tests from the command
line, but when using a browser such as netscape which should use BASIC auth
mode, it denies with the same messages in the logs as IE failing on
challenge/response.

-------------tail of access.log-------------------

1096907971.215 4 192.168.1.110 TCP_DENIED/407 3715 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html
1096908014.779 3 192.168.1.110 TCP_DENIED/407 3674 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html
1096908014.840 11 192.168.1.110 TCP_DENIED/407 3701 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html
1096908014.848 7 192.168.1.110 TCP_DENIED/407 3674 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html
1096908017.003 7 192.168.1.110 TCP_DENIED/407 3701 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html
1096908017.010 6 192.168.1.110 TCP_DENIED/407 3674 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html
1096908017.487 6 192.168.1.110 TCP_DENIED/407 3701 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html
1096908017.493 6 192.168.1.110 TCP_DENIED/407 3674 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html
1096908018.007 6 192.168.1.110 TCP_DENIED/407 3701 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html
1096908018.013 6 192.168.1.110 TCP_DENIED/407 3674 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html

----------------------------------------------------------------------------

------------------tail of cache.log ----------------

[2004/10/04 11:40:17, 0] utils/ntlm_auth.c:winbind_pw_check(439)
  Login for user [DOMAIN]\[GOODUSER]@[WIN_2K_TEST] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/db/samba/winbindd_privileged are set correctly.]
[2004/10/04 11:40:17, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(612)
  NTLMSSP BH: NT_STATUS_ACCESS_DENIED
2004/10/04 11:40:17| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
[2004/10/04 11:40:18, 0] utils/ntlm_auth.c:winbind_pw_check(439)
  Login for user [DOMAIN]\[ADMINTEST]@[WIN_2K_TEST] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/db/samba/winbindd_privileged are set correctly.]
[2004/10/04 11:40:18, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(612)
  NTLMSSP BH: NT_STATUS_ACCESS_DENIED
2004/10/04 11:40:18| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'

----------------------------------------------------------------------------

-----------------tail of log.winbindd----------------------------------
[2004/10/04 11:42:00, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
  Kinit failed: Unknown error -1765328228
[2004/10/04 11:42:00, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
  Kinit failed: Unknown error -1765328228
[2004/10/04 11:43:01, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313)
  krb5_cc_get_principal failed (No such file or directory)
[2004/10/04 11:43:01, 0] libads/kerberos.c:ads_kinit_password(136)
  kerberos_kinit_password host/HOST@ failed: Unknown error -1765328228
[2004/10/04 11:43:01, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81)
  ads_connect for domain DOMAIN failed: Unknown error -1765328228
---------------------------------------------------------------------
------------- wbinfo -a   --------------------------------
host:~  # wbinfo -a gooduser%goodpass
plaintext password authentication succeeded
challenge/response password authentication succeeded
-------------------------------------------------------------------------
--------------wbinfo -t------------------------
host:~  # wbinfo -t
checking the trust secret via RPC calls succeeded
------------------------------------------------
---------------ntlm_auth----------------------
filtercube:~ / # /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
gooduser goodpass
OK
domain\gooduser goodpass
OK
-----------------------------------------------------
---------------krb5.conf------------------------
[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN
dns_lookup_realm = yes
dns_lookup_kdc = yes
[realms]
DOMAIN = {
kdc = DOMAIN.com
}
--------------------------------------------------------
---------------------nsswitch.conf--------------
passwd: files winbind
group:  files winbind
hosts:  dns winbind
--------------------------------------------------------
-----------------pam conf ----------------------
Not Sure which files needed to modify for ntlm_auth to work.  Have tried
passwd and login by adding lines listed in squid FAQ.  I am using a newer
version of pam that uses /etc/pam.d/service for authentication directions.
Do I need to create a new auth file called ntlm_auth?
--------------------------------------------------------
---------------smb.conf:-----------------------
#Global Settings
[global]
   workgroup = DOMAIN
   server string = Filtering Server
   log file = /var/log/log.%m
   max log size = 50
   security = ads
   password server = *
  encrypt passwords = yes
  socket options = TCP_NODELAY
   dns proxy = no
  winbind uid = 10000-20000
  winbind gid = 10000-20000
  winbind use default domain = yes
  winbind enum users = yes
  winbind enum groups = yes
  winbind separator = \\
  realm = DOMAIN.com
  winbind use default domain = yes
---------------------------------------------------------------
Package List:
apache+mod_ssl-1.3.28+2.8.15_1 The Apache 1.3 webserver with SSL/TLS functional
bash-2.05b.007      The GNU Bourne Again Shell
bind9-9.2.2         Completely new version of the BIND DNS server
bison-1.75_1        A parser generator from FSF, (mostly) compatible with Yacc
bsdftpd-ssl-0.6.3   FTP server with TLS/SSL support
curl-7.10.7         Non-interactive tool to get files from FTP, GOPHER, HTTP(S)
cvsup-16.1h         General network file distribution system optimized for CVS
cvsup-without-gui-16.1h General network file distribution system optimized for
db-2.7.7_1          The Berkeley DB package, revision 2
db3-3.3.11,1        The Berkeley DB package, revision 3
db4-4.0.14_1,1      The Berkeley DB package, revision 4
db41-4.1.25_1       The Berkeley DB package, revision 4.1
db42-4.2.52_3       The Berkeley DB package, revision 4.2
expat-1.95.6_1      XML 1.0 parser written in C
ezm3-1.1            Easier, more portable Modula-3 distribution for building CV
gd-2.0.15_1,1       A graphics library for fast creation of images
gdbm-1.8.3          The GNU database manager
gettext-0.12.1      GNU gettext package
glib-1.2.10_9       Some useful routines of C programming (previous stable vers
gmake-3.80_1        GNU version of 'make' utility
heimdal-0.6.1       A re-implementation of Kerberos V
help2man-1.33.1     Automatically generating simple manual pages from program o
imake-4.3.0         Imake and other utilities from XFree86
libiconv-1.8_2      A character set conversion library
libltdl-1.5         System independent dlopen wrapper
linux_base-7.1_4    The base set of packages needed in Linux mode
nspr-4.4.1_1        A platform-neutral API for system level and libc like funct
nss-3.9.2           Libraries to support development of security-enabled applic
openldap-client-2.2.15 Open source LDAP client implementation
openldap-server-2.2.15 Open source LDAP server implementation
openssh-3.6.1_5     OpenBSD's secure shell client and server (remote login prog
openssl-0.9.7d_1    SSL and crypto library
pf_freebsd-2.03     OpenBSD pf as a kldmodule
samba-3.0.7,1       A free SMB and CIFS client and server for UNIX
squid-2.5.6_10      The successful WWW proxy cache and accelerator
squidGuard-1.2.0_1  A fast redirector for squid
sudo-1.6.7.4        Allow others to run commands as root
----------------------------------------------------------------------------
Michael Wray
S4F Technologies, Inc.
2448 S. 81st St.
Tulsa, OK 74137
http://www.s4f.com
mailto:mwray@s4f.com
Received on Mon Oct 04 2004 - 13:18:58 MDT
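As an added example (not part of the post, nor Squid's or Samba's own code), a small Python triage script for the three kinds of log line quoted above: it pulls domain, user, workstation and reason out of ntlm_auth's "Login for user ... failed due to" lines, decodes the raw "Unknown error" number in log.winbindd against the krb5 com_err table (names taken from MIT's krb5_err.et), and counts TCP_DENIED/407 hits per client in access.log. The sample lines are constructed from the post's excerpts with the wrapped lines rejoined.

```python
"""Triage of the Squid + winbind failures from the post's log excerpts (added
example, not code from the original post or from Squid/Samba)."""
import re
from collections import Counter

# com_err base of the krb5 error table (numbers and names from MIT's krb5_err.et),
# so "Unknown error -1765328228" is offset 156 into that table.
KRB5_ET_BASE = -1765328384
KRB5_NAMES = {  # offsets of the two codes an ADS/winbind setup most often logs
    154: "KRB5_REALM_UNKNOWN: cannot find KDC for requested realm",
    156: "KRB5_KDC_UNREACH: cannot contact any KDC for requested realm",
}

# ntlm_auth logs: Login for user [DOMAIN]\[USER]@[WORKSTATION] failed due to [reason]
LOGIN_FAIL = re.compile(r"Login for user \[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\] "
                        r"failed due to \[(.*?)\]", re.S)
UNKNOWN_ERR = re.compile(r"Unknown error (-\d+)")
DENIED_407 = re.compile(r"^\d+\.\d+\s+\d+\s+(\S+)\s+TCP_DENIED/407\b")

def krb5_error_name(code):
    """Map a raw negative krb5 error number to its symbolic name (or its offset)."""
    offset = code - KRB5_ET_BASE
    return KRB5_NAMES.get(offset, "unlisted krb5 error, table offset %d" % offset)

def triage(cache_log, winbindd_log, access_log):
    """Return (login failures, krb5 errors, 407 count per client) for the three logs."""
    failures = []
    for dom, user, host, reason in LOGIN_FAIL.findall(cache_log):
        reason = " ".join(reason.split())  # rejoin reasons wrapped across lines
        cause = ("helper not allowed to use winbindd_privileged"
                 if "winbindd_privileged" in reason else reason)
        failures.append((dom, user, host, cause))
    krb5 = sorted({krb5_error_name(int(n)) for n in UNKNOWN_ERR.findall(winbindd_log)})
    denied = Counter(m.group(1) for m in map(DENIED_407.match, access_log.splitlines()) if m)
    return failures, krb5, denied

# Constructed sample input copied from the post's excerpts, with wrapped lines rejoined.
SAMPLE_CACHE_LOG = r"""[2004/10/04 11:40:17, 0] utils/ntlm_auth.c:winbind_pw_check(439)
  Login for user [DOMAIN]\[GOODUSER]@[WIN_2K_TEST] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/db/samba/winbindd_privileged are set correctly.]
[2004/10/04 11:40:17, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(612)
  NTLMSSP BH: NT_STATUS_ACCESS_DENIED
"""
SAMPLE_WINBINDD_LOG = """[2004/10/04 11:42:00, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759)
  Kinit failed: Unknown error -1765328228
"""
SAMPLE_ACCESS_LOG = """1096907971.215 4 192.168.1.110 TCP_DENIED/407 3715 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html
1096908014.779 3 192.168.1.110 TCP_DENIED/407 3674 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html
"""
```

Run it as `triage(SAMPLE_CACHE_LOG, SAMPLE_WINBINDD_LOG, SAMPLE_ACCESS_LOG)`, or feed it the real files' contents; an unlisted krb5 number still comes back with its table offset so it can be looked up by hand.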