RE: [squid-users] NTLM Authentication

From: Thompson, Scott (WA) <Scott.Thompson_at_affoods.com.au>
Date: Thu, 7 Aug 2008 08:57:21 +0800

Thanks Josh
Yes, I have the following:

acl Proxy external nt_group ProxyUsers
http_access allow Proxy

I don't have an acl Auth proxy_auth REQUIRED.
Is this required? I don't have it in my 2.5 config, but is it something I
need maybe for a 2.6 config?

I have since found some info on the error:
AuthenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'

Since changing the permissions on the winbindd_privileged folder this
error has stopped, but there still seems to be a problem with Samba
/ Winbind.

The new error is:

2008/08/06 17:19:41| The reply for GET http://www.google.com.au/ is ALLOWED, because it matched 'PowerProxy'
Got 0 AFFOODS%5Cmleonard ProxyPowerUsers from squid
Could not convert sid S-1-5-21-4266978403-3571327453-3752274348-3654 to gid
User: -0-
Group: -AFFOODS\mleonard-
SID: -S-1-5-21-4266978403-3571327453-3752274348-3654-
GID: --
Could not get groups for user 0
Sending OK to squid
2008/08/06 17:19:41| helperHandleRead: unexpected reply on channel -1 from nt_group #1 'OK'

What am I missing? Is this now a Samba issue?

Scott

-----Original Message-----
From: Josh Haft [mailto:pacmansyu_at_gmail.com]
Sent: Wednesday, 6 August 2008 9:38 PM
To: Thompson, Scott (WA)
Cc: squid-users_at_squid-cache.org
Subject: Re: [squid-users] NTLM Authentication

Do you have an ACL in squid.conf allowing an AD group to use squid,
and is your user part of that group?

for example, in my config...

acl inet_group external group_nt squid_proxy
acl Auth proxy_auth REQUIRED

http_access allow Auth inet_group

(where inet_group is the acl name, external points to the external
auth helper you defined (nt_group in your case), and squid_proxy is
the AD group to which you must belong)

This may not be the best way to do it, but it works for me.

On Wed, Aug 6, 2008 at 1:55 AM, Thompson, Scott (WA)
<Scott.Thompson_at_affoods.com.au> wrote:
> Hi all
> After my previous run around with Winbind and Likewise Open I decided
> to rebuild the server from scratch and reinstall Ubuntu 8.04. After some
> firewall configs I was able to successfully join the server to our
> Active Directory domain without any issues using Winbind and Samba.
> Some background info:
> Server is Ubuntu 8.04
> Samba is 3.0.28a
> Squid is 2.6 STABLE18
>
> Wbinfo -u and -g shows all the AD groups, KINIT works etc.
>
> We were running on the old server Squid 2.5 STABLE6.
>
> I have simply done an apt-get on Squid and the 2.6 STABLE18 version is
> what it downloaded.
> After doing an updatedb I can see all the files etc.
>
> I have simply copied the squid.conf from my old server hoping this
> might work.
>
> When I start squid using the following command, 'squid -NCd10', it
> seems to start OK, but when I try and authenticate myself I get a logon
> dialog box. I would have hoped it would just do it by itself and
> authenticate me!
> The error I get on the console is:
>
> AuthenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
>
>
> Part of my squid.conf that relates to authentication is:
>
> # note: you may need to increase children based on your number of users
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 140
> #auth_param ntlm max_challenge_reuses 0
> #auth_param ntlm max_challenge_lifetime 10 minute
> #auth_param ntlm use_ntlm_negotiate on
>
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 20
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hour
>
> # only need this if you want to use Windows Domain Groups for acl(s)
> external_acl_type nt_group ttl=0 concurrency=5 %LOGIN /usr/lib/squid/wbinfo_group.pl
>
>
> Is there a better way to do this?
> I didn't have to do a make or anything, so do I need to recompile for
> the correct helpers etc?
> Is it a permission thing perhaps?
>
> Any suggestions would be MOST welcome.
> On a side note, within the last week my Linux skills have improved 100
> fold!
>
> Regards,
>
> ___________________________________________
> Scott Thompson
> Network Administrator
> Australian Fast Foods Pty Ltd
> PO Box 676
> Balcatta WA 6914
>
> 08 9240 9761
> scott.thompson_at_affoods.com.au
>
>
>
Received on Thu Aug 07 2008 - 00:57:33 MDT

This archive was generated by hypermail 2.2.0 : Thu Aug 07 2008 - 12:00:02 MDT