Re: [squid-users] ntlm on distributed samba PDC system

I don't understand it yet.
I'll try to expose my scenario:
I've a working PDC with samba/openldap.
I've more servers with PAM configured to do ldap auth to the PDC server.
In one of this servers I've configured squid, and I'd like be able to
use the NTLM module so I can use the windows credentials instead of
pushing users to auth themselves.
The squid server has a bunch of other services (like bind, dhcp3-server,
and so on), but it does not have samba installed (however, it has
a /etc/samba/smb.conf file). What I'm confused is that, while following
the squid-cache wiki tutorial, some things worked, but others didn't.
For example, wbinfo -t works and wbinfo -a also, but wbinfo -g nor
wbinfo -u didn't work. Moreover, gpasswd -a proxy winbindd_priv didn't
work in the squid machine, but it worked in the PDC machine.
I've didn't changed anything in the PAM configuration nor the nsswitch
info.

I'm really lost here, I don't get why it seems that I need a working
samba server on the squid machine to be able to connecto the the PDC.
I've also googled a lot but most of the realted topics point to either
AD or kerberos, which I'm not using...

Any hint?

Versions:
ii squid 2.7.STABLE3-4.1ubuntu1
Internet object cache (WWW proxy cache)
ii winbind 2:3.3.2-1ubuntu3.1
Samba nameservice integration server

Proof:
root_at_venus:~# wbinfo -t
checking the trust secret via RPC calls succeeded

root_at_venus:~# wbinfo -a mydomain\\myuser%mypassword
plaintext password authentication succeeded
challenge/response password authentication succeeded

root_at_venus:~# invoke-rc.d squid restart
* Restarting Squid HTTP proxy squid
2009/09/18 09:52:23| unrecognised ntlm auth scheme parameter
'max_challenge_reuses'
2009/09/18 09:52:23| unrecognised ntlm auth scheme parameter
'max_challenge_lifetime'
2009/09/18 09:52:23| unrecognised ntlm auth scheme parameter
'use_ntlm_negotiate'

[ OK ]

++ squid.conf ++
auth_param ntlm program /usr/lib/squid/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate on
auth_param basic program /usr/lib/squid/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param basic children 5
auth_param basic realm ESCI Proxy
auth_param basic credentialsttl 2 hours
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#
acl SSL_ports port 443 # https
acl SSL_ports port 563 # snews
acl SSL_ports port 873 # rsync
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
#acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl ntlm_users proxy_auth REQUIRED
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access allow ntlm_users

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

#Allow ICP queries from local networks only
icp_access allow localnet
icp_access deny all

# Squid normally listens to port 3128
http_port 3128

#We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

access_log /var/log/squid/access.log squid

#Suggested default:
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320

# Don't upgrade ShoutCast responses to HTTP
acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
upgrade_http0.9 deny shoutcast

# Apache mod_gzip and mod_deflate known to be broken so don't trust
# Apache to signal ETag correctly on such responses
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache

extension_methods REPORT MERGE MKACTIVITY CHECKOUT

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

++ smb.conf ++
[global]
workgroup = ESCI
realm = ESCI.ES
security = DOMAIN
password server = samba.esci.es
restrict anonymous = 2
client NTLMv2 auth = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
panic action = /usr/share/samba/panic-action %d
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes

Thanks!
---------------------
Andreas Calvo Gómez <andreas.calvo_at_admi.esci.es>
Dept. Informàtica ESCI
Pg. Pujades, 1 08003 Barcelona
tel. (34) 932954710 ext.233 fax. (34) 932954720
http://www.esci.es
--------------------

El jue, 17-09-2009 a las 18:15 +0200, Kinkie escribió:
> On Thu, Sep 17, 2009 at 5:32 PM, Andreas Calvo Gómez
> <andreas.calvo_at_admi.esci.es> wrote:
> > Hi,
> > I'm trying to set up squid with NTLM to do automated auth based on
> > windows credentials.
> > I'm running a samba/openldap PDC server, and squid is in a separate
> > computer.
> > Is it necessary to install another samba plus winbind in the machine
> > that has squid running?
>
> Only winbindd is needed on the squid system, smbd performs some
> additional activities (changing the machine account password) which
> can also be performed by scripted calls to the "net" command.
>
> > If I run wbinfo -t in the squid computer it works, however runnig the
> > gpasswd -a proxy winbindd_priv does not work (obviously, it does not
> > have the winbind).
> > When I try to run the ntlm_auth --helper-protocol=squid-2.5-basic it
> > reports an ERR message, but I don't know where to look for logs (nor
> > syslog nor squid logs have information about it).
> >
> > So, what I think I'm missing is what should be done if I'm running squid
> > in a non samba machine.
> >
> > Any hints?
>
> These questions are better asked to the Samba user-groups.
>
>
Received on Fri Sep 18 2009 - 08:46:06 MDT