[squid-users] NTLM auth problems

From: Alessandro de Manzano <[email protected]>
Date: Thu, 04 Sep 2003 15:54:33 +0200

Hello,

I'm a Squid user since years but just today I have to configure our
company's main proxy for user authentication / authorization, so I'm a
newbie about NTLM auth, proxy_auth, winbindd and so on ;-)

Client users are on win2k/xp machines in a Windows 2000 mixed-mode
domain (I've few others samba servers in the net).

I followed the good instructions of Squid doc about configuring Samba
(2.2.8a) and winbindd for a Squid (2.5-stable3) box but I'm
experiencing some weird -to me at least- problems.

Random users got blocked and not only the few my policy should block.

Box is a FreeBSD 4.8-rel machine.

As said, I'm using Samba's winbindd as authenticator and it seems to be
correctly installed and configured since "wbinfo -t" and "wbinfo -a"
both work correctly.

Here is my ACL setup in squid.conf:

================================================

acl playstos src 192.168.9.0/24
acl playdest dst 192.168.9.0/24

#to allow particular services
acl tomsn dstdomain .msn.com .msn.it .passport.com .msads.net
acl autosrvs dstdomain .ravantivirus.com

#useless currently
acl playauth proxy_auth REQUIRED

# experiment : this to just deny user called Sara
acl lusers proxy_auth sara

# scheduled access for "lusers" users
acl pauseA time MTWHF 9:30-10:00
acl pauseB time MTWHF 13:30-14:00
acl pauseC time MTWHF 18:00-19:00
acl pauseWE time SA

# per Simone
acl nosimo dstdomain .morula.org
acl sisimo srcdomain morula.playstos.ldr blastula.playstos.ldr
arcadia.playstos.ldr eraser.playstos.ldr

# Here are standard squid.conf ACLs
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

===================================================

and here is http_access setup:

===================================================

#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend to uncomment the following to protect innocent
# web applications running on the proxy server who think that the only
# one who can access services on "localhost" is a local user
http_access deny to_localhost

# HERE are my own settings
http_access allow playdest
http_access allow tomsn
http_access allow autosrvs

#if I comment out the following line all works fine (iit of course does
not authenticate users but everything else works ok)
http_access deny lusers !pauseA !pauseB !pauseC !pauseWE

http_access allow sisimo
http_access deny nosimo

# catch everything else
http_access allow playstos

# And finally deny all other access to this proxy
http_access deny all

====================================================

Here are the relevant parts of my smb.conf , if interested:

====================================================

workgroup = PLAYSTOS
security = domain
password server = PITAGORA PLATONE FILESERVER
encrypt passwords = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
winbind cache time = 10
winbind enum users = yes
winbind enum groups = yes

====================================================

Finally here are my squid.conf's auth_param settings

====================================================

auth_param ntlm program /usr/local/libexec/wb_ntlmauth
auth_param ntlm children 10
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

auth_param basic program /usr/local/libexec/wb_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 minutes

====================================================

My problem is that I got a bunch of apparently random denies of
actually authorized users!

The above setup should allow access to EVERY user of my Win2K domain
BUT user called "sara", and in those "pauseX" hours allow her too, but
this is not the behaviour I see.

Many other users are blocked with "407" errors, not just "sara" and not
just in those hours.

Where my ACLs/http_access lines are wrong ?
What I missed ?

I really hope someone could help me ! :-)

Every hints is welcome !

Many thanks in advance!

Alessandro de Manzano

Senior Network Manager
Playstos - TIMA S.p.A.
Corso Sempione 63
20149 Milano, Italy

tel.: +39-023314153
fax: +39-02315678
email: demanzano@playstos.com

http://www.playstos.com
Received on Thu Sep 04 2003 - 07:54:39 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:19:32 MST