[squid-users] Authentication via samba 3.0 to an active directory server

From: Markus Meissner <[email protected]>
Date: Tue, 12 Aug 2003 17:06:24 +0200

Hi,

I am trying to configure squid to authenticate the users from an active
directory server (Windows 2003 Server). As I don't want the old
domain-access I have installed samba-3.0.0beta3. Everything is working
great, all tests with wbinfo -t, wbinfo -u are working great with the
ad-server. The only thing which is not working is, I _think_, the
connection between squid and winbind. I have tried the following:

- Using the helper provided in the squid-sources, wb_ntlmauth. Calling
this from the command-line leads to the following error:
wb_ntlmauth[6395](wb_ntlm_auth.c:414): Can't contact winbindd. Dying.
I have read that the squid sources contain the samba 2.2.7 header
files, so I am not surprised.

- Using the configure-option --with-samba-sources pointing to my samba
sources. This leads to the following compilation error:
gcc -DHAVE_CONFIG_H -I. -I. -I../../../include -I../../../include
-I/usr/local/src/samba-3.0.0beta3/source -I/usr/kerberos/include -g -O2
-Wall -D_REENTRANT -c `test -f wb_common.c || echo './'`wb_common.c
wb_common.c: In function `init_request':
wb_common.c:67: structure has no member named `domain'
wb_common.c:75: structure has no member named `domain'
wb_common.c:75: structure has no member named `domain'
wb_common.c:75: structure has no member named `domain'
wb_common.c:75: structure has no member named `domain'
wb_common.c:75: structure has no member named `domain'
wb_common.c:75: structure has no member named `domain'
wb_common.c:75: structure has no member named `domain'
wb_common.c:75: structure has no member named `domain'
wb_common.c:77: structure has no member named `domain'
wb_common.c:77: structure has no member named `domain'
wb_common.c: In function `winbindd_send_request':
wb_common.c:333: structure has no member named `domain'
make[3]: *** [wb_common.o] Error 1
make[3]: Leaving directory `/usr/local/src/squid-2.5.STABLE3/helpers/basic_auth/winbind'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/usr/local/src/squid-2.5.STABLE3/helpers/basic_auth'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/local/src/squid-2.5.STABLE3/helpers'
make: *** [all-recursive] Error 1

I think the squid-sources aren't ready for samba 3.0, ok.

- The last resort: Using the new ntlm_auth provided by the samba-team.
Using this from the command-line works, wow (NT_STATUS_OK: Success (0x0)).
But integrating it in squid leads to the following error:
[2003/08/12 15:19:37, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(282)
  Got user=[ADMINISTRATOR] domain=[MYDOM] workstation=[LAPTOP01] len1=24 len2=24
[2003/08/12 15:19:37, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(309)
  NTLMSSP NT_STATUS_UNSUCCESSFUL
Now I don't know what else to do. Here are some parts of my
configuration:

smb.conf:
workgroup = MYDOM
security = ADS
realm = myreal
encrypt passwords = yes
wins server = xxx
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes

squid.conf:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

squid -v
Squid Cache: Version 2.5.STABLE3
configure options: --exec_prefix=/usr --bindir=/usr/sbin
--libexecdir=/usr/lib/squid --localstatedir=/var --sysconfdir=/etc/squid
--enable-poll --enable-snmp --enable-removal-policies=heap,lru
--enable-storeio=aufs,coss,diskd,ufs --enable-ssl
--with-openssl=/usr/kerberos --enable-delay-pools --enable-linux-netfilter
--with-pthreads --enable-auth=ntlm --enable-basic-auth-helpers=winbind
--enable-ntlm-auth-helpers=winbind
--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group,winbind_group

winbindd --version
Version 3.0.0beta3

If you need any further information just ask. It would be great if someone
could help me, I think there is only a small nibble to reach the goal!

-- 
Beste Gruesse / Best regards Markus Meissner
Received on Tue Aug 12 2003 - 09:06:38 MDT
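
An added example (not part of the original post, and not code from Squid or Samba): a small Python parser for the two-line ntlm_auth debug output quoted above, pairing each NTLMSSP attempt with the result line that follows it so failures can be listed per user and workstation. The second log entry, its `NTLMSSP OK!` result line, the reading of len2 as the NT response length, and the premise that the log comes from a single helper process (no interleaving) are assumptions.

```python
import re
# Constructed sample in the two-line Samba debug layout quoted in the post.
# First attempt mirrors the post; the second (result line, len2) is made up.
SAMPLE_LOG = """\
[2003/08/12 15:19:37, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(282)
  Got user=[ADMINISTRATOR] domain=[MYDOM] workstation=[LAPTOP01] len1=24 len2=24
[2003/08/12 15:19:37, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(309)
  NTLMSSP NT_STATUS_UNSUCCESSFUL
[2003/08/12 15:20:02, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(282)
  Got user=[alice] domain=[MYDOM] workstation=[PC07] len1=24 len2=146
[2003/08/12 15:20:02, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(309)
  NTLMSSP OK!
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+),\s*\d+\] \S+$")
GOT = re.compile(r"Got user=\[(?P<user>[^\]]*)\] domain=\[(?P<domain>[^\]]*)\] "
                 r"workstation=\[(?P<ws>[^\]]*)\] len1=(?P<len1>\d+) len2=(?P<len2>\d+)")
RESULT = re.compile(r"^NTLMSSP (?P<status>\S.*)$")

def parse_attempts(text):
    """Pair each 'Got user=...' line with the next 'NTLMSSP <status>' line."""
    attempts, pending, ts = [], None, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:                      # timestamp applies to the message line below
            ts = header["ts"]
            continue
        body = line.strip()
        got = GOT.search(body)
        if got:
            pending = {"time": ts, "user": got["user"], "domain": got["domain"],
                       "workstation": got["ws"], "status": None,
                       # Assumption: len2 is the NT response length; 24 = not NTLMv2
                       "short_response": int(got["len2"]) == 24}
            attempts.append(pending)
            continue
        result = RESULT.match(body)
        if result and pending is not None:
            pending["status"] = result["status"]
            pending = None
    return attempts

def failures(attempts):
    # Attempts whose result is an NT_STATUS_* code other than NT_STATUS_OK.
    return [a for a in attempts
            if (a["status"] or "").startswith("NT_STATUS_") and a["status"] != "NT_STATUS_OK"]

if __name__ == "__main__":
    for a in failures(parse_attempts(SAMPLE_LOG)):
        print(a["time"], a["domain"], a["user"], a["workstation"], a["status"])
```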
