[squid-users] NTLM Auth Problem.

From: Hal Douglas <hal@dont-contact.us>
Date: Fri, 15 Oct 2004 11:26:44 +1100

 
Hi all.
 
I need some help sorting out a problem I've got with ntlm_auth using squid
and winbind. I'm using Squid-2.5.STABLE6 and Samba 3.0.7.
 
I've set up squid and samba from source, and configured them, all according
to the documentation found here:
 
http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5
 
I'm sure I've done everything right, according to the docco, but when the
user requests a site, the challenge/response auth fails, and the user is
prompted for a username and password (using basic auth as a fallback), which
succeeds.
 
I've done a lot of troubleshooting, and tried a lot of things to get this
working. I'm running on Debian 3.0r2, but I had much the same problem on
FC2. Everything during setup seemed to work. The following gives the
result:
 
# wbinfo -t
checking the trust secret via RPC calls succeeded
 
# wbinfo -a username%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

However, if I do as per the docs I'm following:
 
# wbinfo -a mydomain\\username%password
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user mydomain\username%password with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user mydomain\username with challenge/response
 
But, doing:
 
# /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
mydomain+username password
OK
 
Seems to be working there, but the browser still doesn't authenticate. With
the debugging turned on, I get this in the cache log:
 
2004/10/14 16:15:59| aclMatchAclList: checking AuthorizedUsers
2004/10/14 16:15:59| aclMatchAcl: checking 'acl AuthorizedUsers proxy_auth REQUIRED'
2004/10/14 16:15:59| authenticateValidateUser: Auth_user_request was NULL!
2004/10/14 16:15:59| authenticateAuthenticate: broken auth or no proxy_auth header. Requesting auth header.
2004/10/14 16:15:59| aclMatchAcl: returning 0 sending authentication challenge.
2004/10/14 16:15:59| aclMatchAclList: no match, returning 0
2004/10/14 16:15:59| aclCheck: match found, returning 2
2004/10/14 16:15:59| cbdataUnlock: 0x81eadf8
2004/10/14 16:15:59| aclCheckCallback: answer=2
2004/10/14 16:15:59| cbdataValid: 0x83d7430
2004/10/14 16:15:59| The request GET http://slashdot.org/ is DENIED, because it matched 'AuthorizedUsers'
 
Searching around for that error I found that someone had suggested this was
due to squid not being able to access winbind's privileged pipe, however,
squid runs as the user and group "squid", and these are the perms on the
directory in question:
 
drwxr-s--- 2 root squid 4096 Oct 14 15:09 /usr/local/samba/var/locks/winbindd_privileged
 
Seems okay to me, and consistent with the info on giving squid access to
winbind's privileged pipe in the squid FAQ mentioned above.
 
So, does anyone know what I've done wrong here, if anything? It seems to me
that it SHOULD be working, unless I've got something wrong in the squid or
samba .conf files. I won't post those, because this email is long enough
already, but I'll provide links to them.
 
Squid.conf:
 
http://users.bigpond.com/xdouglas/stuff/4work/squid.conf
 
Smb.conf:
 
http://users.bigpond.com/xdouglas/stuff/4work/smb.conf
 
Any help with this problem would be greatly appreciated.
 
Thanks.

 

-------------------
Hal Douglas
I.T. Administrator
Marist Regional College
Email: hal@mrc.tas.edu.au
-------------------


 
 
Received on Thu Oct 14 2004 - 18:27:29 MDT
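
The permission check described in the message above, as an added example that is not part of the original post: it parses the quoted `ls -l` line and evaluates whether an account may search the `winbindd_privileged` directory. The function names are illustrative, only the classic mode bits are evaluated (no POSIX ACLs), and the group set passed in is an assumption about the groups the Squid helper process actually holds.

```python
# Constructed from the directory listing quoted in the message (wrapped line joined).
LISTING = ("drwxr-s--- 2 root squid 4096 Oct 14 15:09 "
           "/usr/local/samba/var/locks/winbindd_privileged")


def parse_ls_line(line):
    """Split one `ls -ld` style line into mode string, owner, group and path."""
    fields = line.split(None, 8)
    if len(fields) < 9 or len(fields[0]) < 10:
        raise ValueError("not an ls -l style line")
    return {"mode": fields[0][:10], "owner": fields[2],
            "group": fields[3], "path": fields[8]}


def class_bits(mode, cls):
    """Return (read, write, search) for the 'owner', 'group' or 'other' class."""
    start = {"owner": 1, "group": 4, "other": 7}[cls]
    r, w, x = mode[start:start + 3]
    # Lower-case s/t: execute/search is set together with setuid/setgid/sticky.
    # Upper-case S/T: the special bit is set WITHOUT execute/search.
    return r == "r", w == "w", x in "xst"


def can_search(entry, user, groups):
    """True if `user`, holding `groups`, may search the directory.

    Search (x) permission on the directory is what allows opening a socket
    inside it. Only the first matching class applies: owner, group, other.
    """
    if user == "root":
        return True
    if user == entry["owner"]:
        cls = "owner"
    elif entry["group"] in groups:
        cls = "group"
    else:
        cls = "other"
    return class_bits(entry["mode"], cls)[2]


if __name__ == "__main__":
    entry = parse_ls_line(LISTING)
    # Assumed identities: the helper running as squid with and without group squid.
    for groups in ({"squid"}, {"nogroup"}):
        print(entry["path"], sorted(groups), can_search(entry, "squid", groups))
```

The group set is the part to verify on a live system: the mode string only grants access if the running helper process really holds the directory's group.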
