RE: [squid-users] Squid/Samba authentication with wrong username

From: Leach, Shane - MIS Laptop <mis@dont-contact.us>
Date: Thu, 13 Mar 2008 10:24:32 -0500

Hi Joop,

The krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
 
[libdefaults]
 default_realm = NICHIRINTN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
 
[realms]
 DOMAIN.COM = {
  kdc = 10.1.0.207:88
  admin_server = 10.1.0.207:749
  default_domain = domain.com
 }
 
[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

And I receive the following errors (quite lengthy, sorry) when running
the NTLM_AUTH command, as shown:

[root@ntproxy Shane]# /usr/lib/squid/ntlm_auth --username=shane

/usr/lib/squid/ntlm_auth: invalid option -- -
unknown option: -?. Exiting
/usr/lib/squid/ntlm_auth usage:
/usr/lib/squid/ntlm_auth [-b] [-f] [-d] [-l] domain\controller
[domain\controller ...]
-b enables load-balancing among controllers
-f enables failover among controllers (DEPRECATED and always active)
-l changes behavior on domain controller failyures to last-ditch.
-d enables debugging statements if DEBUG was defined at build-time.
 
You MUST specify at least one Domain Controller.
You can use either \ or / as separator between the domain name
and the controller name
/usr/lib/squid/ntlm_auth: invalid option -- u
unknown option: -?. Exiting
/usr/lib/squid/ntlm_auth usage:
/usr/lib/squid/ntlm_auth [-b] [-f] [-d] [-l] domain\controller
[domain\controller ...]
-b enables load-balancing among controllers
-f enables failover among controllers (DEPRECATED and always active)
-l changes behavior on domain controller failyures to last-ditch.
-d enables debugging statements if DEBUG was defined at build-time.
 
You MUST specify at least one Domain Controller.
You can use either \ or / as separator between the domain name
and the controller name
/usr/lib/squid/ntlm_auth: invalid option -- s
unknown option: -?. Exiting
/usr/lib/squid/ntlm_auth usage:
/usr/lib/squid/ntlm_auth [-b] [-f] [-d] [-l] domain\controller
[domain\controller ...]
-b enables load-balancing among controllers
-f enables failover among controllers (DEPRECATED and always active)
-l changes behavior on domain controller failyures to last-ditch.
-d enables debugging statements if DEBUG was defined at build-time.
 
You MUST specify at least one Domain Controller.
You can use either \ or / as separator between the domain name
and the controller name
/usr/lib/squid/ntlm_auth: invalid option -- e
unknown option: -?. Exiting
/usr/lib/squid/ntlm_auth usage:
/usr/lib/squid/ntlm_auth [-b] [-f] [-d] [-l] domain\controller
[domain\controller ...]
-b enables load-balancing among controllers
-f enables failover among controllers (DEPRECATED and always active)
-l changes behavior on domain controller failyures to last-ditch.
-d enables debugging statements if DEBUG was defined at build-time.
 
You MUST specify at least one Domain Controller.
You can use either \ or / as separator between the domain name
and the controller name
/usr/lib/squid/ntlm_auth: invalid option -- r
unknown option: -?. Exiting
/usr/lib/squid/ntlm_auth usage:
/usr/lib/squid/ntlm_auth [-b] [-f] [-d] [-l] domain\controller
[domain\controller ...]
-b enables load-balancing among controllers
-f enables failover among controllers (DEPRECATED and always active)
-l changes behavior on domain controller failyures to last-ditch.
-d enables debugging statements if DEBUG was defined at build-time.
 
You MUST specify at least one Domain Controller.
You can use either \ or / as separator between the domain name
and the controller name
/usr/lib/squid/ntlm_auth: invalid option -- n
unknown option: -?. Exiting
/usr/lib/squid/ntlm_auth usage:
/usr/lib/squid/ntlm_auth [-b] [-f] [-d] [-l] domain\controller
[domain\controller ...]
-b enables load-balancing among controllers
-f enables failover among controllers (DEPRECATED and always active)
-l changes behavior on domain controller failyures to last-ditch.
-d enables debugging statements if DEBUG was defined at build-time.
 
You MUST specify at least one Domain Controller.
You can use either \ or / as separator between the domain name
and the controller name
/usr/lib/squid/ntlm_auth: invalid option -- a
unknown option: -?. Exiting
/usr/lib/squid/ntlm_auth usage:
/usr/lib/squid/ntlm_auth [-b] [-f] [-d] [-l] domain\controller
[domain\controller ...]
-b enables load-balancing among controllers
-f enables failover among controllers (DEPRECATED and always active)
-l changes behavior on domain controller failyures to last-ditch.
-d enables debugging statements if DEBUG was defined at build-time.
 
You MUST specify at least one Domain Controller.
You can use either \ or / as separator between the domain name
and the controller name
/usr/lib/squid/ntlm_auth: invalid option -- m
unknown option: -?. Exiting
/usr/lib/squid/ntlm_auth usage:
/usr/lib/squid/ntlm_auth [-b] [-f] [-d] [-l] domain\controller
[domain\controller ...]
-b enables load-balancing among controllers
-f enables failover among controllers (DEPRECATED and always active)
-l changes behavior on domain controller failyures to last-ditch.
-d enables debugging statements if DEBUG was defined at build-time.
 
You MUST specify at least one Domain Controller.
You can use either \ or / as separator between the domain name
and the controller name
/usr/lib/squid/ntlm_auth: invalid option -- e
unknown option: -?. Exiting
/usr/lib/squid/ntlm_auth usage:
/usr/lib/squid/ntlm_auth [-b] [-f] [-d] [-l] domain\controller
[domain\controller ...]
-b enables load-balancing among controllers
-f enables failover among controllers (DEPRECATED and always active)
-l changes behavior on domain controller failyures to last-ditch.
-d enables debugging statements if DEBUG was defined at build-time.
 
You MUST specify at least one Domain Controller.
You can use either \ or / as separator between the domain name
and the controller name
/usr/lib/squid/ntlm_auth: invalid option -- =
unknown option: -?. Exiting
/usr/lib/squid/ntlm_auth usage:
/usr/lib/squid/ntlm_auth [-b] [-f] [-d] [-l] domain\controller
[domain\controller ...]
-b enables load-balancing among controllers
-f enables failover among controllers (DEPRECATED and always active)
-l changes behavior on domain controller failyures to last-ditch.
-d enables debugging statements if DEBUG was defined at build-time.
 
You MUST specify at least one Domain Controller.
You can use either \ or / as separator between the domain name
and the controller name
/usr/lib/squid/ntlm_auth: invalid option -- s
unknown option: -?. Exiting
/usr/lib/squid/ntlm_auth usage:
/usr/lib/squid/ntlm_auth [-b] [-f] [-d] [-l] domain\controller
[domain\controller ...]
-b enables load-balancing among controllers
-f enables failover among controllers (DEPRECATED and always active)
-l changes behavior on domain controller failyures to last-ditch.
-d enables debugging statements if DEBUG was defined at build-time.
 
You MUST specify at least one Domain Controller.
You can use either \ or / as separator between the domain name
and the controller name
/usr/lib/squid/ntlm_auth: invalid option -- h
unknown option: -?. Exiting
/usr/lib/squid/ntlm_auth usage:
/usr/lib/squid/ntlm_auth [-b] [-f] [-d] [-l] domain\controller
[domain\controller ...]
-b enables load-balancing among controllers
-f enables failover among controllers (DEPRECATED and always active)
-l changes behavior on domain controller failyures to last-ditch.
-d enables debugging statements if DEBUG was defined at build-time.
 
You MUST specify at least one Domain Controller.
You can use either \ or / as separator between the domain name
and the controller name
/usr/lib/squid/ntlm_auth: invalid option -- a
unknown option: -?. Exiting
/usr/lib/squid/ntlm_auth usage:
/usr/lib/squid/ntlm_auth [-b] [-f] [-d] [-l] domain\controller
[domain\controller ...]
-b enables load-balancing among controllers
-f enables failover among controllers (DEPRECATED and always active)
-l changes behavior on domain controller failyures to last-ditch.
-d enables debugging statements if DEBUG was defined at build-time.
 
You MUST specify at least one Domain Controller.
You can use either \ or / as separator between the domain name
and the controller name
/usr/lib/squid/ntlm_auth: invalid option -- n
unknown option: -?. Exiting
/usr/lib/squid/ntlm_auth usage:
/usr/lib/squid/ntlm_auth [-b] [-f] [-d] [-l] domain\controller
[domain\controller ...]
-b enables load-balancing among controllers
-f enables failover among controllers (DEPRECATED and always active)
-l changes behavior on domain controller failyures to last-ditch.
-d enables debugging statements if DEBUG was defined at build-time.
 
You MUST specify at least one Domain Controller.
You can use either \ or / as separator between the domain name
and the controller name
/usr/lib/squid/ntlm_auth: invalid option -- e
unknown option: -?. Exiting
/usr/lib/squid/ntlm_auth usage:
/usr/lib/squid/ntlm_auth [-b] [-f] [-d] [-l] domain\controller
[domain\controller ...]
-b enables load-balancing among controllers
-f enables failover among controllers (DEPRECATED and always active)
-l changes behavior on domain controller failyures to last-ditch.
-d enables debugging statements if DEBUG was defined at build-time.
 
You MUST specify at least one Domain Controller.
You can use either \ or / as separator between the domain name
and the controller name

Thank you for the help.

Shane

-----Original Message-----
From: J Beris [mailto:J.Beris@nederweert.nl]
Sent: Thursday, March 13, 2008 10:11 AM
To: Leach, Shane - MIS Laptop
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Squid/Samba authentication with wrong username

Hi Shane,
 
> My smb.conf is as follows (constructed based on some walkthroughs
> available on Internet):

<SNIP>

Looks good to me.
 
> I notice that when I attempt "kinit [username]@[domain]" an interesting
> thing happens. If I set it as username@DOMAIN it returns no errors...
> But if I use username@domain (lowercase) I receive an error that
> "Cannot find KDC for requested realm while getting initial
> credentials". Could this be part of the problem?

I don't think so. If I remember correctly, Kerberos needs the domain
name to be uppercase, not lower case.

> I could not get the ntlm_auth command to work, as written... Still
> trying to figure out exactly what should be changed.

Specifically, what happens if you issue that ntlm_auth command?

What is specified in your krb5.conf?

HTH,

Joop
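Added example, not from either poster: a small checker that parses a krb5.conf and flags realm names that do not line up, which is the usual source of "Cannot find KDC for requested realm" when dns_lookup_kdc is off and the realm in the principal has no [realms] stanza. The sample file is constructed from the one posted above (its three realm names NICHIRINTN.COM, DOMAIN.COM and EXAMPLE.COM differ as posted), and the parser assumes only the one level of `{ }` nesting that [realms] uses.

```python
# Constructed sample condensed from the krb5.conf posted in the thread; the
# three realm names (NICHIRINTN.COM, DOMAIN.COM, EXAMPLE.COM) do not agree.
SAMPLE_KRB5_CONF = """
[libdefaults]
 default_realm = NICHIRINTN.COM
 dns_lookup_kdc = false
[realms]
 DOMAIN.COM = {
  kdc = 10.1.0.207:88
 }
[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
"""

def parse_krb5_conf(text):
    """Minimal parser: {section: {key: value or {key: value}}}, one level of {}."""
    conf, section, sub = {}, {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            section = conf.setdefault(line[1:-1], {})
        elif line == '}':
            sub = None
        else:
            key, _, value = (p.strip() for p in line.partition('='))
            if value == '{':
                sub = section.setdefault(key, {})
            else:
                (section if sub is None else sub)[key] = value
    return conf

def check_realm_consistency(conf):
    """Realms are case-sensitive; with dns_lookup_kdc off each needs a [realms] stanza."""
    libdefaults, realms = conf.get('libdefaults', {}), conf.get('realms', {})
    dns_kdc = libdefaults.get('dns_lookup_kdc', 'true').lower() == 'true'
    findings, default_realm = [], libdefaults.get('default_realm')
    if default_realm and default_realm not in realms and not dns_kdc:
        findings.append(f'default_realm {default_realm} has no [realms] stanza')
    for realm, body in realms.items():
        if realm != realm.upper():
            findings.append(f'realm {realm} is not upper case')
        if 'kdc' not in body and not dns_kdc:
            findings.append(f'realm {realm} lists no kdc and DNS lookup is off')
    for host, realm in conf.get('domain_realm', {}).items():
        if realm not in realms:
            findings.append(f'[domain_realm] maps {host} to undefined realm {realm}')
    return findings
```

Running `check_realm_consistency(parse_krb5_conf(SAMPLE_KRB5_CONF))` reports three findings for the sample; once all three names are the same upper-case realm it reports none.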

Received on Thu Mar 13 2008 - 09:24:30 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Apr 01 2008 - 13:00:05 MDT