Re: [squid-users] Need help in integrating squid and samba

From: Avinash Rao <avinash.aol_at_gmail.com>
Date: Tue, 18 Aug 2009 09:48:20 +0530

Hi,

I am able to test wbinfo -a mydomain\\myuser%mypasswd, the output is
as expected.
But, the helpers testing didn't give proper results.

/usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
mydomain\user password
Doesn't return anything. If I press the Enter key, I see ERR.

Thanks
Avinash

On Mon, Aug 17, 2009 at 9:07 PM, Avinash Rao<avinash.aol_at_gmail.com> wrote:
> Chris,
>
> Please don't get bugged, wbinfo -g is working now ..
> wbinfo -g
> BUILTIN\administrators
> BUILTIN\users
>
> and even wbinfo -t
>
> wbinfo -t
> checking the trust secret via RPC calls succeeded
>
> but it didn't give the output "the secret is good". I have no idea how
> this is working all of a sudden, it didn't work a little while ago!
>
> Regards,
> Avinash
>
>
>
> On Mon, Aug 17, 2009 at 8:58 PM, Avinash Rao<avinash.aol_at_gmail.com> wrote:
>> Yes, Squid and Samba(PDC) are running on the same server.
>>
>> wbinfo -g won't work as i have not created any of the NT Domain Groups
>> is that necessary? Coz, i have a very simple samba configuration.
>>
>> I went through the link and made changes to nsswitch conf.
>>
>> wbinfo -set-auth-user=Administrator%'password'
>> Could not lookup sid Administrator%password
>>
>> But, I could join the domain, i just entered net join and entered the
>> current users password and it said joined the domain!
>> wbinfo -u
>> Error looking up domain users
>>
>> Thanks again
>> Avinash
>>
>>
>>
>> On Mon, Aug 17, 2009 at 8:29 PM, Chris
>> Boczko<Christopher.Boczko_at_chemdry.co.uk> wrote:
>>> Right ok,
>>>
>>> So squid is running samba (as a pdc) and squid as a cache?
>>>
>>> Can you try running wbinfo -g, and if that doesn't work, try running wbinfo --set-auth-user=Administrator%'YourPassword' (see: http://www.debian-administration.org/article/Question_Winbind_on_samba_PDC), then run wbinfo -g again
>>>
>>> Kind Regards,
>>> Christopher Boczko
>>> Server Support Analyst - IT Shared Services
>>> HomeServe
>>> Chemdry UK, Colonial House, Swinemoor Lane, Beverley, HU17 0LS
>>>
>>> DDI: 01482 677272
>>> Mob: 07967 059241
>>>
>>> www.homeserve.com
>>> www.chemdry.co.uk
>>>
>>>
>>> -----Original Message-----
>>> From: Avinash Rao [mailto:avinash.aol_at_gmail.com]
>>> Sent: 17 August 2009 15:56
>>> To: Chris Boczko
>>> Subject: Re: [squid-users] Need help in integrating squid and samba
>>>
>>> Yes its on the squid server and its a PDC and the passwd backend is tdbsam
>>>
>>>
>>>
>>> On Mon, Aug 17, 2009 at 8:22 PM, Chris
>>> Boczko<Christopher.Boczko_at_chemdry.co.uk> wrote:
>>>> This is on the squid server?
>>>>
>>>> It's trying to be a pdc
>>>>
>>>>
>>>>    domain logons = yes
>>>>    os level = 65
>>>>    prefered master = yes
>>>>    domain master = yes
>>>>    local master = yes
>>>>
>>>> Kind Regards,
>>>> Christopher Boczko
>>>> Server Support Analyst - IT Shared Services
>>>> HomeServe
>>>> Chemdry UK, Colonial House, Swinemoor Lane, Beverley, HU17 0LS
>>>>
>>>> DDI: 01482 677272
>>>> Mob: 07967 059241
>>>>
>>>> www.homeserve.com
>>>> www.chemdry.co.uk
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Avinash Rao [mailto:avinash.aol_at_gmail.com]
>>>> Sent: 17 August 2009 15:51
>>>> To: Chris Boczko
>>>> Subject: Re: [squid-users] Need help in integrating squid and samba
>>>>
>>>> smb.conf
>>>>
>>>> [global]
>>>>    workgroup = abc
>>>>    server string = Samba on SUN
>>>>    max log size = 500
>>>>    log level = 1
>>>>    interfaces = eth2 100.100.100.251
>>>>    bind interfaces only = True
>>>>
>>>>    log file = /var/log/samba/log.%m
>>>>    max log size = 1000
>>>>
>>>>    domain logons = yes
>>>>    os level = 65
>>>>    prefered master = yes
>>>>    domain master = yes
>>>>    local master = yes
>>>>
>>>>    winbind uid = 10000-20000
>>>>    winbind gid = 10000-20000
>>>>    winbind use default domain = yes
>>>>
>>>>    add machine script = /usr/sbin/useradd -s /bin/false -d /home/nobody %u
>>>>    dns proxy =No
>>>>    hosts allow = 127. 100.100.100.
>>>>    wins support = Yes
>>>>    passdb backend = smbpasswd
>>>>
>>>>    encrypt passwords = true
>>>>    smb passwd file = /etc/samba/smbpasswd
>>>>    security = user
>>>>    netbios name = sunbox
>>>>    username map = /etc/samba/smbusers
>>>>
>>>> [homes]
>>>>    comment = Home Dir
>>>>    read only = NO
>>>>    browseable = NO
>>>>    valid users = %S
>>>>    path = %H
>>>>    directory mask = 0700
>>>>    create mask = 0700
>>>>
>>>>
>>>> [share]
>>>>   comment = test share
>>>>    path = /sambashare
>>>>    valid users = nimda
>>>>    create mask = 0765
>>>>
>>>>
>>>> Cheers
>>>> Avinash
>>>>
>>>>
>>>> On Mon, Aug 17, 2009 at 8:04 PM, Chris
>>>> Boczko<Christopher.Boczko_at_chemdry.co.uk> wrote:
>>>>> Ah, makes a little more sense, but I'm afraid my only experience is with Windows as an Active Directory controller and samba linking to that, but I can still take a look at your smb.conf if you would like
>>>>>
>>>>> Kind Regards,
>>>>> Christopher Boczko
>>>>> Server Support Analyst - IT Shared Services
>>>>> HomeServe
>>>>> Chemdry UK, Colonial House, Swinemoor Lane, Beverley, HU17 0LS
>>>>>
>>>>> DDI: 01482 677272
>>>>> Mob: 07967 059241
>>>>>
>>>>> www.homeserve.com
>>>>> www.chemdry.co.uk
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: Avinash Rao [mailto:avinash.aol_at_gmail.com]
>>>>> Sent: 17 August 2009 15:30
>>>>> To: Chris Boczko
>>>>> Cc: squid-users_at_squid-cache.org
>>>>> Subject: Re: [squid-users] Need help in integrating squid and samba
>>>>>
>>>>> Dear Christopher,
>>>>>
>>>>> Thank you for your reply.
>>>>>
>>>>> I am not using Active Directory, I am using a samba as a PDC (NT4) and
>>>>> its a simple configuration.  All clients are WinXP and they login to
>>>>> the domain and i just want to control their access to internet that is
>>>>> all.
>>>>>
>>>>> And there is no other Windows NT domain machine in my network, its
>>>>> just this ubuntu server running squid and samba!
>>>>>
>>>>> If i am right? wbinfo -t will not work coz, i don't have a windows NT
>>>>> domain machine and no trust exists. But, how do i control, restrict or
>>>>> allow internet access for samba domain users through squid?
>>>>>
>>>>> Many Thanks
>>>>> Avinash
>>>>>
>>>>>
>>>>> On Mon, Aug 17, 2009 at 7:50 PM, Chris
>>>>> Boczko<Christopher.Boczko_at_chemdry.co.uk> wrote:
>>>>>> Yes,
>>>>>>
>>>>>> If you are using active directory 2000/2003/2008, you'll need to configure krb5 first
>>>>>>
>>>>>> Please see http://ubuntuforums.org/showthread.php?t=91510 , but you only need to follow steps 1-3, then 7-9
>>>>>>
>>>>>> Then run
>>>>>>
>>>>>> Wbinfo -t to check the trust and
>>>>>> Wbinfo -g to list groups
>>>>>>
>>>>>> Kind Regards,
>>>>>> Christopher Boczko
>>>>>> Server Support Analyst - IT Shared Services
>>>>>> HomeServe
>>>>>> Chemdry UK, Colonial House, Swinemoor Lane, Beverley, HU17 0LS
>>>>>>
>>>>>> DDI: 01482 677272
>>>>>> Mob: 07967 059241
>>>>>>
>>>>>> www.homeserve.com
>>>>>> www.chemdry.co.uk
>>>>>>
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Avinash Rao [mailto:avinash.aol_at_gmail.com]
>>>>>> Sent: 17 August 2009 14:57
>>>>>> To: Chris Boczko
>>>>>> Subject: Re: [squid-users] Need help in integrating squid and samba
>>>>>>
>>>>>> root_at_sunbox: net join -U user
>>>>>> Password:
>>>>>> Creation of workstation account failed
>>>>>> Unable to join domain abc
>>>>>>
>>>>>> user_at_sunbox:/usr/lib/squid$ net join -U user1
>>>>>> [2009/08/17 19:24:05, 0] passdb/secrets.c:secrets_init(66)
>>>>>>  Failed to open /var/lib/samba/secrets.tdb
>>>>>> [2009/08/17 19:24:05, 0] utils/net_rpc.c:rpc_oldjoin_internals(309)
>>>>>>  error storing domain sid for abc
>>>>>>
>>>>>> No, I haven't configured krb5. Do we need all this just to control
>>>>>> internet access for samba domain users?
>>>>>>
>>>>>> Avinash
>>>>>>
>>>>>>
>>>>>> On Mon, Aug 17, 2009 at 7:19 PM, Chris
>>>>>> Boczko<Christopher.Boczko_at_chemdry.co.uk> wrote:
>>>>>>> Have you run net join on the squid server (from the command line), and have you configured krb5?
>>>>>>>
>>>>>>> Does kinit (user)@(domain).(domain) work?
>>>>>>>
>>>>>>> Kind Regards,
>>>>>>> Christopher Boczko
>>>>>>>
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Avinash Rao [mailto:avinash.aol_at_gmail.com]
>>>>>>> Sent: 17 August 2009 14:47
>>>>>>> To: Chris Boczko
>>>>>>> Subject: Re: [squid-users] Need help in integrating squid and samba
>>>>>>>
>>>>>>> Samba Version:
>>>>>>>
>>>>>>> dpkg -l | grep samba
>>>>>>> ii  samba  3.0.28a-1ubuntu4.8   a LanManager-like file and printer server fo
>>>>>>> ii  samba-common  3.0.28a-1ubuntu4.8   Samba common files used by both
>>>>>>> the server a
>>>>>>>
>>>>>>> Ubuntu 8.04 Server 64-bit.
>>>>>>>
>>>>>>> Net Join? You mean from a windows client? I have only winXP clients
>>>>>>> and they are all configured to login to the domain.
>>>>>>>
>>>>>>> Avinash
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Aug 17, 2009 at 7:07 PM, Chris
>>>>>>> Boczko<Christopher.Boczko_at_chemdry.co.uk> wrote:
>>>>>>>> Have you tried rejoining the domain using
>>>>>>>>
>>>>>>>> Net join ?
>>>>>>>>
>>>>>>>> Then testing the join with
>>>>>>>>
>>>>>>>> Wbinfo -t
>>>>>>>>
>>>>>>>> Also, which version of debian / samba / ad are you running?
>>>>>>>>
>>>>>>>> Kind Regards,
>>>>>>>> Christopher Boczko
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Avinash Rao [mailto:avinash.aol_at_gmail.com]
>>>>>>>> Sent: 17 August 2009 14:25
>>>>>>>> To: squid-users_at_squid-cache.org
>>>>>>>> Subject: Fwd: [squid-users] Need help in integrating squid and samba
>>>>>>>>
>>>>>>>> Thanks for the quick response.
>>>>>>>> And, yes i will install squid using apt-get install command.
>>>>>>>> The basic winbindd functionality "wbinfo -t": is not successful
>>>>>>>>
>>>>>>>> wbinfo -t
>>>>>>>> checking the trust secret via RPC calls failed
>>>>>>>> error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
>>>>>>>> Could not check secret
>>>>>>>>
>>>>>>>> Even, wbinfo -a mydomain\\myuser%mypasswd is unsuccessful
>>>>>>>>
>>>>>>>> Wondering how i should proceed without this?
>>>>>>>>
>>>>>>>> Avinash
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Mon, Aug 17, 2009 at 1:15 PM, Amos Jeffries<squid3_at_treenet.co.nz> wrote:
>>>>>>>>> [re-inserting squid-users mailing list]
>>>>>>>>>
>>>>>>>>> Avinash Rao wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Mon, Aug 17, 2009 at 11:30 AM, Amos Jeffries <squid3_at_treenet.co.nz
>>>>>>>>>> <mailto:squid3_at_treenet.co.nz>> wrote:
>>>>>>>>>>
>>>>>>>>>>    Avinash Rao wrote:
>>>>>>>>>>
>>>>>>>>>>        Dear all,
>>>>>>>>>>
>>>>>>>>>>        I am new here and i would like to know the correct procedure for
>>>>>>>>>>        compiling squid to integrate with samba.
>>>>>>>>>>        I am doing this on a Ubuntu 8.04 Server 64-bit edition and i
>>>>>>>>>>        have all
>>>>>>>>>>        the updates installed. In fact, i have installed samba through
>>>>>>>>>>        apt-get
>>>>>>>>>>        install and is configured as a PDC.
>>>>>>>>>>
>>>>>>>>>>        dpkg -l | grep samba
>>>>>>>>>>        ii  samba  3.0.28a-1ubuntu4.8   a LanManager-like file and
>>>>>>>>>>        printer server fo
>>>>>>>>>>        ii  samba-common  3.0.28a-1ubuntu4.8   Samba common files used
>>>>>>>>>>        by both
>>>>>>>>>>        the server a
>>>>>>>>>>
>>>>>>>>>>         I am in need of controlling internet access for samba domain users
>>>>>>>>>>        through squid. I read the documentation and it says Squid must be
>>>>>>>>>>        built with the configure options:
>>>>>>>>>>
>>>>>>>>>>           --enable-auth="ntlm,basic"
>>>>>>>>>>           --enable-basic-auth-helpers="winbind"
>>>>>>>>>>           --enable-ntlm-auth-helpers="winbind"
>>>>>>>>>>
>>>>>>>>>>        According to the documentation,
>>>>>>>>>>        --------
>>>>>>>>>>        Samba 3.x
>>>>>>>>>>        ---------
>>>>>>>>>>        Things are much easier under the 3.x versions of Samba. Smbd is no
>>>>>>>>>>        longer required to manage the machine's trust account, and  there
>>>>>>>>>> is
>>>>>>>>>>        no need to patch any utilities.
>>>>>>>>>>        The Samba team has incorporated functionality to change the machine
>>>>>>>>>>        trust account password in the new "net" command.  A simple daily
>>>>>>>>>>        cron
>>>>>>>>>>        job scheduling "net rpc changetrustpw" is all that is needed.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>        I went through the squid documentation and the configure options
>>>>>>>>>> are
>>>>>>>>>>        vast. All i want is normal squid operations but with samba
>>>>>>>>>>        integration. Do I have to specify other options for normal squid
>>>>>>>>>>        operations?? What is the correct procedure and which version of
>>>>>>>>>>        squid
>>>>>>>>>>        suits well for the version of samba i am using? I have used
>>>>>>>>>>        squid but
>>>>>>>>>>        never compiled.  My requirement with samba is PDC, winxp clients,
>>>>>>>>>>        users home directories are mapped as they login to the domain, a
>>>>>>>>>>        common share for all users and a printer if needed.
>>>>>>>>>>
>>>>>>>>>>        Many Thanks,
>>>>>>>>>>        Avinash
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>    This covers the NTLM auth via Samba requirements.
>>>>>>>>>>    http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm
>>>>>>>>>>
>>>>>>>>>>    This covers the Active Directory (kerberos/negotiate auth)
>>>>>>>>>> requirements:
>>>>>>>>>>
>>>>>>>>>>  http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>    Amos
>>>>>>>>>>    --    Please be using
>>>>>>>>>>     Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
>>>>>>>>>>     Current Beta Squid 3.1.0.13
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Amos,
>>>>>>>>>>
>>>>>>>>>> Thanks for the reply.
>>>>>>>>>>
>>>>>>>>>> I read the documentation, and it says, "
>>>>>>>>>>
>>>>>>>>>> As Samba-3.x has it's own authentication helper there is no need to build
>>>>>>>>>> any of the Squid authentication helpers for use with Samba-3.x (and the
>>>>>>>>>> helpers provided by Squid won't work if you do). You do however need to
>>>>>>>>>> enable support for the NTLM scheme if you plan on using this. Also you may
>>>>>>>>>> want to use the wbinfo_group helper for group lookups
>>>>>>>>>>
>>>>>>>>>> --enable-auth="ntlm,basic"
>>>>>>>>>> --enable-external-acl-helpers="wbinfo_group"
>>>>>>>>>>
>>>>>>>>>> Does this mean that squid has to be compiled with the above options?  I
>>>>>>>>>> am sorry if this sounds very basic. Also, my requirement, i should be able
>>>>>>>>>> to restrict few users samba users from accessing the internet through at
>>>>>>>>>> certain times and not necessary authentication.  Will the above options
>>>>>>>>>> help.
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Avinash
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> The Squid packages available for Ubuntu already have those helpers built-in
>>>>>>>>> and installed along with the package. All you need is the configuration file
>>>>>>>>> changes.
>>>>>>>>>
>>>>>>>>> If you are building your own Squid from raw source code, you may need to add
>>>>>>>>> them.
>>>>>>>>>
>>>>>>>>> For someone who does not know the very basics I would seriously advise
>>>>>>>>> staying with the pre-packaged versions of Squid until you know what you are
>>>>>>>>> doing.
>>>>>>>>>  -->  apt-get install squid
>>>>>>>>>
>>>>>>>>> Then change the /etc/squid.conf file as needed.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Amos
>>>>>>>>> --
>>>>>>>>> Please be using
>>>>>>>>>  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
>>>>>>>>>  Current Beta Squid 3.1.0.13
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
Received on Tue Aug 18 2009 - 04:18:28 MDT
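
Added example, not part of the original message and not Samba or Squid code: the helper test from the newest message at the top of this thread, written as a script. In squid-2.5-basic mode the helper reads one "username password" line on standard input and answers OK or ERR. The names basic_helper_check and fake_helper are hypothetical, and fake_helper with its credentials is a constructed stand-in for ntlm_auth so the script runs offline.

```shell
#!/bin/sh
# Added example. Drives a Squid basic-auth helper the way Squid does:
# one "username password" line on stdin, one OK/ERR line back on stdout.

# basic_helper_check HELPER_CMD USER PASSWORD   (hypothetical name)
# Prints the helper's first reply line; returns 0 on OK, 1 on ERR, 2 otherwise.
basic_helper_check() {
    helper=$1
    user=$2
    pass=$3
    # The first space separates user from password, so a space in the
    # username (or an empty username) cannot be sent as-is.
    case $user in
        *' '*|'') echo "invalid username" >&2; return 2 ;;
    esac
    # printf is a shell builtin: the password travels over the pipe and is
    # never placed on a command line where other local users could list it.
    # $helper is left unquoted on purpose so its options are split into words.
    reply=$(printf '%s %s\n' "$user" "$pass" | $helper 2>/dev/null | head -n 1)
    printf '%s\n' "$reply"
    case $reply in
        OK*)  return 0 ;;
        ERR*) return 1 ;;
        *)    return 2 ;;   # helper missing, crashed, or speaking another protocol
    esac
}

# Constructed stand-in for ntlm_auth: accepts exactly one made-up credential
# pair and answers ERR to every other line, including an empty one.
fake_helper() {
    while IFS= read -r line; do
        case $line in
            'ABC\alice s3cret') echo OK ;;
            *) echo ERR ;;
        esac
    done
}

basic_helper_check fake_helper 'ABC\alice' 's3cret'   # prints OK

# Against the real helper named in the thread (values are placeholders):
# basic_helper_check '/usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic' \
#     'mydomain\user' 'password'
```

A return code of 2 separates "the helper never answered" from a rejected login, which is the distinction the manual test in the message above leaves open.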