RE: [squid-users] running old wbinfo, pam_winbind or libnss_winbind clients

From: Jason Oakley
Date: Tue, 26 Oct 2004 12:04:29 +1000

Edit squid.conf

Setup the authenticators. (Samba-3.X)
Add the following to enable both the winbind basic and ntlm
authenticators. IE will use ntlm and everything else basic:

        auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
        auth_param ntlm children 30
        auth_param ntlm max_challenge_reuses 0
        auth_param ntlm max_challenge_lifetime 2 minutes

        auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
        auth_param basic children 5
        auth_param basic realm Squid proxy-caching web server
        auth_param basic credentialsttl 2 hours
 

-----Original Message-----
From: Jerry Murdock [mailto:jmurdock@itraktech.com]
Sent: Tuesday, 26 October 2004 12:00 PM
To: Jason Oakley; squid-users@squid-cache.org
Subject: Re: [squid-users] running old wbinfo, pam_winbind or
libnss_winbind clients

Look at the Samba 3.x sections for the FAQ again. You're using the
squid-provided winbind helpers which are ONLY for later Samba 2.x
versions.

You need to be using the Samba provided ntlm_auth helper for 3.x.

Jerry
----- Original Message -----
From: "Jason Oakley" <Jason.Oakley@aapt.com.au>
To: <squid-users@squid-cache.org>
Sent: Monday, October 25, 2004 8:47 PM
Subject: [squid-users] running old wbinfo, pam_winbind or libnss_winbind
clients

I've just installed the Squid 2.5.STABLE7 & Samba 3.0.7 on my FreeBSD
box.

I am trying to authenticate it to the Active Directory (for my Squid
server).

When I go to a webpage using the squid server, I get this error from
Winbind:

Oct 25 15:33:39 eclipse winbindd[61830]: [2004/10/25 15:33:39, 0]
nsswitch/winbindd.c:process_loop(737)
Oct 25 15:33:39 eclipse winbindd[61830]: process_loop: Invalid request
size from pid 61926: 1304 bytes sent, should be 1824
Oct 25 15:33:39 eclipse winbindd[61830]: process_loop: Invalid request
size from pid 61926: 1304 bytes sent, should be 1824
Oct 25 15:33:39 eclipse winbindd[61830]: This usually means that you
are running old wbinfo, pam_winbind or libnss_winbind clients
Oct 25 15:33:39 eclipse winbindd[61830]: This usually means that you
are running old wbinfo, pam_winbind or libnss_winbind clients
[2004/10/26 10:17:13, 0] nsswitch/winbindd.c:process_loop(737)
  process_loop: Invalid request size from pid 65244: 1304 bytes sent,
should be 1824
  This usually means that you are running old wbinfo, pam_winbind or
libnss_winbind clients
[2004/10/26 10:17:13, 0] nsswitch/winbindd.c:process_loop(737)
  process_loop: Invalid request size from pid 65244: 1304 bytes sent,
should be 1824
  This usually means that you are running old wbinfo, pam_winbind or
libnss_winbind clients
[2004/10/26 10:17:13, 0] nsswitch/winbindd.c:process_loop(737)
  process_loop: Invalid request size from pid 65244: 1304 bytes sent,
should be 1824
  This usually means that you are running old wbinfo, pam_winbind or
libnss_winbind clients

Repeated over and over and over again in my log.winbind or
/var/log/messages file.

I also get this too:
Oct 26 09:25:28 eclipse (squid): authenticateNTLMHandleReply: called
with no result string
Oct 26 09:25:29 eclipse kernel: pid 61947 (squid), uid 100: exited on
signal 6 (core dumped)
Oct 26 09:25:29 eclipse squid[61454]: Squid Parent: child process 61947
exited due to signal 6
Oct 26 09:25:32 eclipse squid[61454]: Squid Parent: child process 64487
started

I can authenticate using the test commands from the website:
# ntlm_auth --helper-protocol=squid-2.5-basic
mydomain+myuser mypasswd
OK

# wbinfo -t
checking the trust secret via RPC calls succeeded

This is all on a brand new install of Samba & Squid.

 squid -v
Squid Cache: Version 2.5.STABLE7
configure options: --bindir=/usr/local/sbin
--sysconfdir=/usr/local/etc/squid --datadir=/usr/local/etc/squid
--libexecdir=/usr/local/libexec/squid --localstatedir=/usr/local/squid
'--enable-removal-policies=lru heap' '--enable-auth=basic ntlm digest'
'--enable-basic-auth-helpers=NCSA PAM YP MSNT SMB winbind'
--enable-digest-auth-helpers=password
'--enable-external-acl-helpers=ip_user unix_group wbinfo_group
winbind_group' '--enable-ntlm-auth-helpers=SMB winbind'
'--enable-storeio=ufs diskd null' --enable-underscores
'--enable-err-languages=Bulgarian Catalan Czech Danish Dutch English
Estonian Finnish French German Hebrew Hungarian Italian Japanese
Korean Lithuanian Polish Portuguese Romanian Russian-1251
Russian-koi8-r Serbian Simplify_Chinese Slovak Spanish Swedish
Traditional_Chinese Turkish' --enable-default-err-language=English
--prefix=/usr/local i386-portbld-freebsd5.2.1

In squid.conf:
auth_param ntlm program /usr/local/libexec/squid/wb_ntlmauth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate off
auth_param basic program /usr/local/libexec/squid/wb_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

auth_param basic casesensitive off

Any clues?

Thanks.

--------------
Jason Oakley
Robina Helpdesk
AAPT Limited
Ph: 07 5562 4359

Jason.Oakley@aapt.com.au

------------------------------------------------------------------------

This communication, including any attachments, is confidential. If
 you are not the intended recipient, you should not read it - please
 contact me immediately, destroy it, and do not copy or use any part of
 this communication or disclose anything about it.
------------------------------------------------------------------------
Received on Mon Oct 25 2004 - 20:04:43 MDT
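
Added example, not part of any poster's message and not Squid or Samba code: a small lint for the helper mismatch this thread resolves. It flags auth_param lines that still point at the Squid-bundled wb_ntlmauth/wb_auth helpers and ntlm_auth lines whose --helper-protocol is missing, wrong for the scheme, or left on a line of its own by mail wrapping. The function names and the sample config are constructed for illustration.

```sh
#!/bin/sh
# check_squid_auth (hypothetical name): reads squid.conf from the named file,
# or from stdin when no file is given. Prints one finding per line and
# returns 1 if anything was flagged.
check_squid_auth() {
    awk '
    /^[ \t]*#/ { next }                       # skip comment lines
    $1 == "auth_param" && $3 == "program" {
        scheme = $2; proto = ""
        n = split($4, part, "/"); helper = part[n]
        for (i = 5; i <= NF; i++)
            if (index($i, "--helper-protocol=") == 1) proto = substr($i, 19)
        want = ""
        if (scheme == "ntlm")  want = "squid-2.5-ntlmssp"
        if (scheme == "basic") want = "squid-2.5-basic"
        if (helper == "wb_ntlmauth" || helper == "wb_auth") {
            printf "%d: %s uses Squid-bundled %s; Samba 3.x needs ntlm_auth\n", NR, scheme, helper
            bad = 1
        } else if (helper == "ntlm_auth" && want != "" && proto != want) {
            printf "%d: %s ntlm_auth needs --helper-protocol=%s on this line\n", NR, scheme, want
            bad = 1
        }
        next
    }
    index($1, "--helper-protocol=") == 1 {
        printf "%d: option on its own line; join it to the auth_param line above\n", NR
        bad = 1
    }
    END { exit bad + 0 }
    ' "$@"
}

# Constructed sample: the old helper from the question, then an ntlm_auth
# line pasted with the mail wrap still in it.
demo_conf() {
    cat <<'EOF'
auth_param ntlm program /usr/local/libexec/squid/wb_ntlmauth
auth_param ntlm children 30
auth_param basic program /usr/local/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
auth_param basic children 5
EOF
}

demo_conf | check_squid_auth || true
```

On a real system, pass the configuration path as the argument, for example check_squid_auth /usr/local/etc/squid/squid.conf.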
