[squid-users] samba 3.0.0 squid 2.5STABLAE5 - authorisation for the users incorporating windows group membership

From: <[email protected]>
Date: Thu, 29 Apr 2004 10:28:13 +1100

Hi,

I am trying to use squid with domain authentication and authorisation based
on Windows domain group membership.
I have authentication working, but if I try to combine this with checking
if user belongs to the group - failure.
Can someone look and tell me what I am doing wrong? (hence why I am bigger
idiot than I think...)

Here are my details:
# squid -v
Squid Cache: Version 2.5.STABLE5
configure options: --prefix=/usr --datadir=/usr/share --localstatedir=/var
--sysconfdir=/etc/squid --infodir=/usr/share/info --mandir=/usr/share/man
--enable-snmp --enable-ssl --enable-auth=ntlm,basic
--enable-external-acl-helpers=wbinfo_group
--------
Samba
# smbd -V
Version 3.0.0

smb.conf
# Global parameters
[global]
        log file = /var/log/samba/log.%m
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        wins server = 172.21.59.34
        encrypt passwords = yes
        winbind use default domain = Yes
        template shell = /bin/bash
        dns proxy = No
        netbios name = AUKGPX01
        server string = Samba Server
        password server = *
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template homedir = /home/%D/%U
        workgroup = KAZ-CORPORATE
        winbind enum users = yes
        winbind enum groups = yes
        os level = 20
        security = domain
        preferred master = no
        max log size = 50
        winbind cache time = 10
        realm = CORPORATE.KAZ-GROUP.PRIV

[homes]
        comment = Home Directories
        read only = No
        browseable = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No

squid.conf (relevant parts)
# Microsoft IE
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
# Netscape, Mozilla and others
auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

external_acl_type NT_global_group %LOGIN /usr/bin/wbinfo_group.pl
acl ProxyUsers external NT_global_group GIT
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl AuthorizedUsers proxy_auth REQUIRED

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow AuthorizedUsers ProxyUsers

results of the variuos tests:
wbinfo -t
checking the trust secret via RPC calls succeeded

wbinfo -a KAZ-CORPORATE\\lesgeb01%xxxxxxxx
plaintext password authentication succeeded
challenge/response password authentication succeeded

/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
lesgeb01 xxxxxxxxxx
OK

# wbinfo_group.pl # (with debug turned on)
kaz-corporate\lesgeb01 GIT
Got kaz-corporate\lesgeb01 GIT from squid
User:kaz-corporate\lesgeb01
Group:GIT
User: -kaz-corporate\lesgeb01-
Group: -GIT-
SID: -S-1-5-21-2194707059-1491904946-811963398-1149-

GID: -10459-
Sending OK to squid
OK

HOWEVER, if I try to use browser I get "Deny"

and in log.winbind I have
 tail /var/log/samba/log.winbindd
[2004/04/28 13:28:56, 1] nsswitch/winbindd_util.c:add_trusted_domain(149)
  Added domain KTSNSW S-1-5-21-4138973905-1476685488-4151052191
[2004/04/28 13:28:56, 1] nsswitch/winbindd_util.c:add_trusted_domains(206)
  scanning trusted domain list
[2004/04/28 13:31:12, 1] nsswitch/winbindd_group.c:winbindd_getgroups(959)
  user '\LESGEB01' does not exist
[2004/04/28 13:33:49, 1] nsswitch/winbindd_util.c:add_trusted_domains(206)
  scanning trusted domain list
[2004/04/28 13:38:49, 1] nsswitch/winbindd_util.c:add_trusted_domains(206)
  scanning trusted domain list
[root@AUKGPX01 bin]# tail /var/log/samba/log.winbindd
[2004/04/28 13:28:56, 1] nsswitch/winbindd_util.c:add_trusted_domain(149)
  Added domain KTSNSW S-1-5-21-4138973905-1476685488-4151052191
[2004/04/28 13:28:56, 1] nsswitch/winbindd_util.c:add_trusted_domains(206)
  scanning trusted domain list
[2004/04/28 13:31:12, 1] nsswitch/winbindd_group.c:winbindd_getgroups(959)
  user '\LESGEB01' does not exist
<--------------------------------------------
      ^
      |
      |
suddenly domain is "stripped"
Why winbindd_getgroups is trying to get group for me even if I try to use
external_acl_type NT_global_group %LOGIN /usr/bin/wbinfo_group.pl

I understand that I have to do something with samba (nsswitch.conf?)
configuration
or/and squid.conf.
Any useful link to the documents which shows how to do this kind?

Or maybe I have to change the idea of using Samba 3.0.0 and wbinfo_group as
external helper.

Thank you for help

leszek.geba@kaz-group.com
Received on Wed Apr 28 2004 - 17:27:40 MDT

This archive was generated by hypermail pre-2.1.9 : Fri Apr 30 2004 - 12:00:03 MDT