[squid-users] Problems with WB_Groups and Squid 3.0 PRE3

From: Riccardo Fontana <[email protected]>
Date: Fri, 26 Sep 2003 12:55:32 +0200

I'm having some difficulty implementing Group Authentication via Winbind
and Samba with Squid 3.0 PRE3.

I've compiled Samba 2.2.8 with the following settings:

./configure --with-winbind --with-winbind-auth-challenge --with-winbind-ldap-hack

And I successfully joined my Linux box (RedHat 7.3 with 2.4.18-3 Kernel)
to my NT Domain.

Here is the smb.conf file that I'm using:
---------------------------------
[global]
         workgroup = DOMAINNAME
         security = domain
         encrypt passwords = yes
         password server = *
         wins server = <Wins servers IP Addresses>
         template homedir = /home/%D/%U
         template shell = /bin/bash
         winbind uid = 10000-20000
         winbind gid = 10000-20000
         winbind enum users = yes
         winbind enum groups = yes

[test]
         comment = For testing only, please
         path = /usr/local/samba/tmp
         read only = no
         guest ok = yes
----------------------------------

All tests with wbinfo went OK.

Then I compiled Squid with the following configuration:

Squid Cache: Version 3.0-PRE3-20030924
configure options: '--prefix=/usr/local/squid' '--enable-useragent-log'
'--enable-snmp' '--enable-cache-digests'
'--enable-default-err-language=Italian' '--disable-ident-lookups'
'--enable-delay-pools' '--enable-auth=ntlm'
'--enable-external-acl-helpers=winbind_group'
'--enable-ntlm-authentication' '--enable-ntlm-auth-helpers=SMB fakeauth
no_check winbind' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
'--libexecdir=/usr/lib/squid' '--datadir=/usr/lib/squid'
'--sysconfdir=/etc/squid' '--localstatedir=/var/spool/squid'
'--libdir=/usr/lib/squid' '--mandir=/usr/man'
'--with-samba=/root/samba-2.2.8a/source'

I tested wb_group helper with -d option and it went OK:
/usr/lib/squid/wb_group -d
DOMAIN\\username grouptocheck

Then I configured the following lines inside my squid.conf:

auth_param ntlm program /usr/lib/squid/wb_ntlmauth
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 20
auth_param ntlm max_challenge_lifetime 15 minutes

external_acl_type wb_group concurrency=5 ttl=900 %LOGIN /usr/lib/squid/wb_group

acl webaccess external wb_group -i "/etc/squid/webaccess"
http_access allow webaccess

When I try to browse the Internet with Squid, I obtain the following line
inside winbindd and IE receives a REJECTED page.

[2003/09/26 12:49:03, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(146)
   [14259]: pam auth crap domain: DOMAIN user: USERNAME

This instead is what I see if I try to use the wb_group helper from the
command line as described above:

/wb_group[14310](wb_check_group.c:367): Got 'DOMAIN\\USERNAME WebAccess'
from Squid (length: 26).
[2003/09/26 12:50:17, 3] nsswitch/winbindd_group.c:winbindd_getgroups(790)
   [14310]: getgroups DOMAIN\USERNAME

What am I doing wrong?
Received on Fri Sep 26 2003 - 04:55:40 MDT
