[squid-users] Problem with Squid 2.5 and Samba 3.0 and AD

From: Sebastian Kindt <[email protected]>
Date: Fri, 26 Sep 2003 13:17:12 +0200

Hello I'm now testing over 3 days to get user auth integrated in my squid. First I startet with smb and know I'am testing ntlm_auth.

I have all installed like written at: http://itmanagers.net/documents-index-walkthroughs-'Linux@Samba'.html

First here is my samba.conf

        log file = /var/log/samba/%m.log
        smb passwd file = /etc/samba/smbpasswd
        load printers = yes
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        obey pam restrictions = yes
        wins server = 10.131.0.15
        encrypt passwords = yes
        passwd program = /usr/bin/passwd %u
        dns proxy = no
        server string = Virenscanner
        printing = lprng
        unix password sync = yes
        workgroup = heumann
        os level = 20
        printcap name = /etc/printcap
        security = ads
        password server = Z009426
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes
        #winbind seperator = \
        realm = HEUMANN.LOCAL
        winbind use default domain = yes
        template shell = /bin/bash
        template homedir = /home/%D/%U
        max log size = 0
        pam password change = yes

I've configured Squid like following:

./configure --prefix=/usr --datadir=/usr/share --localstatedir=/var --sysconfdir=/etc/squid --infodir=/usr/share/info --mandir=/usr/share/man --enable-snmp --enable-ssl --enable-auth=ntlm,basic --enable-basic-auth-helpers=winbind --enable-ntlm-auth-helpers=winbind --enable-external-acl-helpers=winbind_group,wbinfo_group

my squid.conf lokk this:

http_port 81
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain HEUMANN.LOCAL/Z009426
auth_param ntlm children 10
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 20 minute

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --domain HEUMANN.LOCAL/Z009426
auth_param basic children 10
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hour

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

acl allowed_clients src 10.131.0.2 10.131.0.4 10.131.0.15 10.131.0.16 10.131.0.17 10.131.0.18 10.131.0.62
acl banned_sites url_regex ficken Ficken Fick fick Livefick Fickbilder Ficker Muschi Fotze Fotzensaft blasen sex oral anal Sex XXX Sperma Pussy
acl domainusers proxy_auth REQUIRED

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localhost
http_access deny banned_sites
http_access allow allowed_clients
http_access deny !allowed_clients
http_access allow domainusers

# And finally deny all other access to this proxy
http_access deny all

I thinks thats the important part.

test like wbinfo -u and
[root@Schmutzfink root]# ntlm_auth --username=Kindt
password:
NT_STATUS_OK: Success (0x0)
[root@Schmutzfink root]#
works fine

But in the access.log there is only the ip of my terminal server but I want the Username.

in the cache.log is a error:

2003/09/26 10:47:55| Waiting 30 seconds for active connections to finish
2003/09/26 10:47:55| FD 7 Closing HTTP connection
[2003/09/26 10:48:18, 1] utils/ntlm_auth.c:manage_squid_request(1042)
  fgets() failed! dying..... errno=0 (Success)
[2003/09/26 10:48:18, 1] utils/ntlm_auth.c:manage_squid_request(1042)
and this for 20 times.

and /usr/libexec/wb_auth gets the folloing error:

[root@Schmutzfink libexec]# ./wb_auth
/wb_auth[3718](wb_basic_auth.c:160): Can't contact winbindd. Dying
[root@Schmutzfink libexec]#

Please help me to get the Username in the Logfile!!!

With best regards

-------------------------------------------------
Sebastian Kindt
c/o Heumann + Partner StBG
Finkenpforte 1

32657 Lemgo

Tel.: +49 (5261) 94 98 26
Fax: +49 (5261) 94 98 10
mailto:s.kindt@heumann-stbg.de
Web: www.heumann-stbg.de
Received on Fri Sep 26 2003 - 05:20:14 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:20:02 MST