Re: [squid-users] Configuring wb_group

From: Scott Kern <[email protected]>
Date: Wed, 20 Nov 2002 11:58:06 -0500

Yes, winbindd is running. The global section of smb.conf is as follows:

[global]
        smb passwd file = /etc/samba/smbpasswd
        passwd program = /usr/bin/passwd %u
        pam password change = yes
        printing = lprng
        dns proxy = no
        encrypt passwords = yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        printcap name = /etc/printcap
        max log size = 0
        obey pam restrictions = yes
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
        security = user
        unix password sync = Yes
        server string = Samba Server
        log file = /var/log/samba/%m.log
        load printers = yes
        winbind separator = +
        winbind cache time = 10
        template shell = /bin/bash
        template homedir = /home/%D/%U
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        workgroup = <NT domain>
        security = domain
        password server = *
        winbind use default domain = yes

>>> Edward Mann <edward@arctechnology.com> 11/20/02 11:45AM >>>
What does your smb.conf file look like and do you have winbindd running?

thanks.

On Wed, 2002-11-20 at 10:22, Scott Kern wrote:
> Thank you very much for the help.
>
> I added the following and squid starts without any errors. One problem down, many more to go. :)
>
> Now authenticating from the browser fails. I'm using Netscape 4.79 on a system running Red Hat 7.3. I'm entering my Windows user name and password, or do I need to add the domain or group?
>
> The access.log entry is:
> 1037809148.392 3 172.19.10.20 TCP_DENIED/407 1750 GET http://www.rootprompt.org/ - NONE/- text/html
>
> Which looks like the user name isn't being passed on.
>
> >>> Edward Mann <edward@arctechnology.com> 11/19/02 04:01PM >>>
>
> auth_param ntlm program /usr/lib/squid/wb_ntlmauth
> auth_param ntlm children 5
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
>
> auth_param basic program /usr/lib/squid/wb_auth
> auth_param basic children 5
> auth_param basic realm ChoicePoint Proxy server
> auth_param basic credentialsttl 2 hours
>
> external_acl_type NT_global_group %LOGIN /usr/lib/squid/wb_group
>
> acl FullAccess external NT_global_group Domain_Group
>
>
> http_access allow FullAccess
>
> Do you have something like that?
>
>
> On Tue, 2002-11-19 at 14:54, Scott Kern wrote:
> > I'm trying to set up squid to use wb_group.
> >
> > Testing wb_group, I type domain+username group and get ERR.
> > Both wbinfo -u & -g report back users and groups.
> >
> > In squid.conf, I have
> >
> > external_acl_type NT_global_group %LOGIN /usr/local/squid/libexec/wb_group
> > acl ProxyUsers external NT_global_group <group>
> > acl internetusers proxy_auth REQUIRED
> > http_access allow internetusers ProxyUsers
> >
> > When I start squid, I get:
> > 2002/11/19 15:46:56| aclParseAclLine: IGNORING: Proxy Auth ACL 'acl internetusers proxy_auth REQUIRED' because no authentication schemes are fully configured.
> > 2002/11/19 15:46:56| aclParseAclLine: IGNORING invalid ACL: acl internetusers proxy_auth REQUIRED
> > 2002/11/19 15:46:56| squid.conf line 1718: http_access allow internetusers ProxyUsers
> > 2002/11/19 15:46:56| aclParseAccessLine: ACL name 'internetusers' not found.
> > FATAL: Bungled squid.conf line 1746: acl ProxyUsers external NT_global_group CTX-InternetDL
> > Squid Cache (Version 2.5.STABLE1): Terminated abnormally.
> > CPU Usage: 0.006 seconds = 0.004 user + 0.002 sys
> > Maximum Resident Size: 0 KB
> > Page faults with physical i/o: 207
> > Aborted
> >
> > Where am I going wrong?
>
Received on Thu Nov 21 2002 - 09:21:06 MST
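
The three startup errors quoted in the first message (ignored proxy_auth ACL, ACL name not found, bungled external ACL line) can be caught before Squid is started. The following is an added example, not part of the original thread or of Squid: a small Python lint that assumes squid.conf is parsed top to bottom, so auth_param, external_acl_type and acl lines must appear above their first use. The function name `lint_squid_conf` and both sample configurations (including the directive order in the first one) are constructed for illustration.

```python
# Constructed sample: directives from the first message, in an assumed order.
BROKEN = """\
acl internetusers proxy_auth REQUIRED
http_access allow internetusers ProxyUsers
acl ProxyUsers external NT_global_group CTX-InternetDL
external_acl_type NT_global_group %LOGIN /usr/local/squid/libexec/wb_group
"""
# Constructed sample: the directives suggested in the reply, in the order given there.
FIXED = """\
auth_param ntlm program /usr/lib/squid/wb_ntlmauth
auth_param basic program /usr/lib/squid/wb_auth
external_acl_type NT_global_group %LOGIN /usr/lib/squid/wb_group
acl FullAccess external NT_global_group Domain_Group
http_access allow FullAccess
"""

def lint_squid_conf(text):
    """Return (line_no, message) findings for use-before-definition problems."""
    auth_ready = False                 # an "auth_param <scheme> program ..." was seen
    ext_types, acls, findings = set(), set(), []
    for no, raw in enumerate(text.splitlines(), 1):
        if raw.strip().startswith("#"):
            continue                   # whole-line comment
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "auth_param" and len(tok) >= 4 and tok[2] == "program":
            auth_ready = True
        elif tok[0] == "external_acl_type" and len(tok) >= 2:
            ext_types.add(tok[1])
        elif tok[0] == "acl" and len(tok) >= 3:
            name, kind = tok[1], tok[2]
            if kind == "proxy_auth" and not auth_ready:
                findings.append((no, f"acl {name}: proxy_auth before any auth_param program"))
            elif kind == "external" and (len(tok) < 4 or tok[3] not in ext_types):
                findings.append((no, f"acl {name}: external_acl_type not defined above"))
            else:
                acls.add(name)         # only ACLs that would be accepted count as defined
        elif tok[0] == "http_access" and len(tok) >= 3:
            for ref in tok[2:]:
                if ref.lstrip("!") not in acls:
                    findings.append((no, f"http_access: ACL '{ref.lstrip('!')}' not defined above"))
    return findings

if __name__ == "__main__":
    for no, msg in lint_squid_conf(BROKEN):
        print(f"line {no}: {msg}")
```
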
