[squid-users] ntlm_auth prompts for username when accessing blocked sites.

From: Marcel Young <Marcel.Young@dont-contact.us>
Date: Wed, 12 Sep 2007 17:21:28 +0200

Hi all,
I've searched through the archives and the internet but as yet I have been unable to find a solution. One or two topics refer to the problem but offer no solution as yet. So if it has been posted before, I do apologise.

I am running an Ubuntu 6.06 LAMP server and have installed Squid 2.5.STABLE12 with winbind and Samba 3.0.22 authenticating against AD. I am not sure which version of winbind I am using, but it must be one of the latest stable releases available in the repositories.

Authentication works fine without any problems. The problem I have is that when a user accesses a site we've blocked, it prompts them for a username and password. As far as I know it is ntlm_auth, because there is no prompt for a domain, just username and password.
The cache.log doesn't quite tell me anything, nor do any of the other logs. I have a very busy syslog so I need to grep for the info I need, but I don't know what to search for. If I grep for winbind I do get the following:

Sep 12 09:39:01 helsinki winbindd[4013]: [2007/09/12 09:39:01, 0] lib/util_sid.c:string_to_sid(285)
Sep 12 09:39:01 helsinki winbindd[4013]:   string_to_sid: Sid S-0-0 is not in a valid format.

I can use wbinfo to query the domain for just about everything: the trust check succeeds, I can get the GIDs for a user, and I can look up domain users and domain groups. wbinfo_group.pl returns OK when queried, as does ntlm_auth --helper-protocol=squid-2.5-basic.

I googled it, but it seems that Samba used to ignore these messages in the past and now forwards them to syslog.
I do not really know what to look for in the logs for this problem. Permissions on winbindd_privileged are set (and I think correctly, because otherwise it would just not authenticate).
The users are still denied access to the website, but it prompts them each time. And whenever they are on Google's image site this creates massive complaints, when some images reference a denied site and then the prompt just keeps appearing.

This probably shouldn't have any bearing on the problem, but I'll mention it anyway: I have also installed Nagios 3.0b along with apache2, though I think they should work nicely together.
Any help is greatly appreciated.

Here are my squid.conf details

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
#auth_param ntlm children 5
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 2 minutes
#auth_param ntlm children 80
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 1
auth_param ntlm max_challenge_lifetime 5 minutes
auth_param ntlm use_ntlm_negotiate on

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 50
auth_param basic realm DAV-webcache proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

### example
#auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
#auth_param ntlm children 5
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 20 minutes

#auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
#auth_param basic children 5
#auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours

## ACL for ADS user
#external_acl_type NT_global_group %LOGIN /usr/lib/squid/wb_group
##external_acl_type NT_global_group children=10 ttl=900 %LOGIN /usr/lib/squid/wbinfo_group.pl
external_acl_type NT_global_group children=30 ttl=2700 %LOGIN /usr/lib/squid/wbinfo_group.pl
acl ProxyUsers external NT_global_group WebAccessAllowed
acl AuthorizedUsers proxy_auth REQUIRED
acl TrustedUsers proxy_auth REQUIRED
acl UnrestrictedUsers external NT_global_group WebAll
acl RestrictedUsers external NT_global_group WebMoreAccess
acl NewUsers external NT_global_group BlockedCareerSites

##Access control lists must be entered here
http_access deny blocked_sites_1 RestrictedUsers
http_access deny blocked_sites ProxyUsers
http_access deny blocked_career_sites NewUsers

http_access allow AuthorizedUsers ProxyUsers
http_access allow TrustedUsers RestrictedUsers
http_access allow UnrestrictedUsers
http_access allow NewUsers
#http_access allow dav_net

#miss_access allow all
#always_direct deny all
#never_direct allow all

# And finally deny all other access to this proxy
http_access deny all

Thanks
Marcel
Received on Wed Sep 12 2007 - 09:22:22 MDT
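Added example, not part of the original post or of the Squid project: a small checker for the one Squid behaviour that produces exactly the symptom described above. When an http_access deny line matches and the last ACL on that line is login-dependent (proxy_auth, or an external ACL whose helper takes %LOGIN), Squid answers with a 407 challenge instead of a plain 403, so the browser re-prompts for credentials on every denied object. The script parses squid.conf-style lines, records which ACLs depend on a login, and reports deny lines that end in one. The embedded configuration is constructed from the lines quoted in the post plus a hypothetical blocked_sites definition; the remaining blocked_* ACLs are assumed to be defined elsewhere.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the http_access and acl lines quoted in the post above,
# plus a hypothetical 'blocked_sites' dstdomain ACL so the parser sees one
# non-login ACL definition too.
SAMPLE_CONF = """\
external_acl_type NT_global_group children=30 ttl=2700 %LOGIN /usr/lib/squid/wbinfo_group.pl
acl ProxyUsers external NT_global_group WebAccessAllowed
acl AuthorizedUsers proxy_auth REQUIRED
acl TrustedUsers proxy_auth REQUIRED
acl UnrestrictedUsers external NT_global_group WebAll
acl RestrictedUsers external NT_global_group WebMoreAccess
acl NewUsers external NT_global_group BlockedCareerSites
acl blocked_sites dstdomain .example.invalid
http_access deny blocked_sites_1 RestrictedUsers
http_access deny blocked_sites ProxyUsers
http_access deny blocked_career_sites NewUsers
http_access allow AuthorizedUsers ProxyUsers
http_access deny all
"""

# ACL types that can only be evaluated once the user has authenticated.
LOGIN_ACL_TYPES = {"proxy_auth", "proxy_auth_regex", "ext_user", "ext_user_regex"}


def parse_conf(text: str) -> Tuple[Set[str], Dict[str, Tuple[str, Optional[str]]],
                                   List[Tuple[int, str, List[str]]]]:
    """Collect external helpers that take %LOGIN, ACL definitions, and http_access lines."""
    login_helpers: Set[str] = set()
    acl_types: Dict[str, Tuple[str, Optional[str]]] = {}
    http_access: List[Tuple[int, str, List[str]]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tok = line.split()
        if tok[0] == "external_acl_type" and len(tok) >= 2:
            # Format tokens come before the helper path; %LOGIN means the helper
            # needs an authenticated user name, so the ACL is login-dependent.
            if any(t.startswith("%LOGIN") for t in tok[2:]):
                login_helpers.add(tok[1])
        elif tok[0] == "acl" and len(tok) >= 3:
            helper = tok[3] if tok[2] == "external" and len(tok) > 3 else None
            acl_types[tok[1]] = (tok[2], helper)
        elif tok[0] == "http_access" and len(tok) >= 3:
            http_access.append((lineno, tok[1], tok[2:]))
    return login_helpers, acl_types, http_access


def needs_login(acl_token: str, acl_types: Dict[str, Tuple[str, Optional[str]]],
                login_helpers: Set[str]) -> bool:
    """True if evaluating this ACL requires credentials (negation '!' does not change that)."""
    acl_type, helper = acl_types.get(acl_token.lstrip("!"), (None, None))
    if acl_type in LOGIN_ACL_TYPES:
        return True
    return acl_type == "external" and helper in login_helpers


def find_rechallenging_denies(text: str) -> List[Tuple[int, str]]:
    """Return (line number, ACL list) for every deny line ending in a login-dependent ACL."""
    login_helpers, acl_types, http_access = parse_conf(text)
    findings = []
    for lineno, action, acls in http_access:
        if action == "deny" and acls and needs_login(acls[-1], acl_types, login_helpers):
            findings.append((lineno, " ".join(acls)))
    return findings


if __name__ == "__main__":
    for lineno, acls in find_rechallenging_denies(SAMPLE_CONF):
        print(f"line {lineno}: 'http_access deny {acls}' ends in a login ACL -> 407 re-challenge")
```

Run against the sample, all three deny lines from the post are reported, while `http_access deny all` is not, because `all` is a plain src ACL. The usual remedy is to make sure the last ACL on a deny line is not login-dependent, for example by reordering the ACLs or appending a non-login ACL such as `all`, so that Squid returns a 403 the browser displays rather than a 407 it answers with a new credential prompt.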
