[squid-users] [Fwd: samba and squid are not working together]

From: Vietnhi Phuvan <[email protected]>
Date: Thu, 14 Apr 2005 18:19:20 -0400

Hello folks,

I am implementing on a RH Fedora Core Linux machine NTLM authentication
through samba 3.0.2 for my squid server (Squid-2.5STABLE5-2). Our
customer's environment is Mixed Mode Windows 2000.

To make a long story short:

(1) I have successfully upgraded kerberos from 1.2.7 to 1.3.3 (I was
successful because I also upgraded the libraries that kerberos 1.3.3
requires)

(2) I have successfully implemented kerberos 1.3.3 as shown by the
output of the klist, klist -e and kinit commands

(3) I have implemented the /etc/pam.d/samba and /etc/pam.d/squid files

(4) I have successfully joined the RH Linux machine to the Windows
domain by using the "net ads join -U administrator" command

(5) I have successfully upgraded samba from samba-3.00 to samba-3.0.2 (I
was successful because I also upgraded the libraries that samba-3.0.2
requires)

(6) I have properly configured the /etc/samba/smb.conf file, and I have
shown it by successfully running commands such as wbinfo -u, wbinfo -g,
wbinfo -p, wbinfo -t, wbinfo -m, wbinfo --sequence, wbinfo -a
user%password, wbinfo -get-auth user, and of course getent passwd

(7) I have successfully upgraded squid from squid-2.5STABLE3 to
squid-2.5STABLE5 and I have run squid -v to make sure that squid
supports winbind authentication

Issue: Doing a QA on squid by pointing an IE 6.0 browser to squid shows
that the combination squid/samba does not work with NTLM authentication
(auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp) - although squid DOES work with
basic authentication (auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic) - A check of the
/var/log/squid/cache.log file shows that an NTLM authentication is
attempted but not brought to a successful conclusion

I am using the RH rpm's rather than recompiling any of the software from
source code.

Running smbd -b gets me the following results:

(1) --with Options:
   WITH_ADS
   WITH_AUTOMOUNT
   WITH_PAM
   WITH_QUOTAS
   WITH_SENDFILE
   WITH_SMBMOUNT
   WITH_SYSLOG
   WITH_UTMP
   WITH_WINBIND

(2) Builtin modules: pdb_ldap pdb_smbpasswd pdb_tdbsam pdb_guest rpc_lsa
rpc_reg rpc_lsa_ds rpc_wks rpc_net rpc_dfs rpc_srv rpc_spoolss rpc_samr
idmap_ldap idmap_tdb auth_rhosts auth_sam auth_unix auth_winbind
auth_server auth_domain auth_builtin

I acknowledge that the option --with-winbind-auth-challenge looks like
it's missing, but all of the wbinfo commands work like clockwork.

The message that I get from the /var/log/samba/winbindd.log file is
"krb5_get_credentials failed for monday$@ANGLERLABS.COM (Ticket
expired)" where monday$ is the contact DC and ANGLERLABS.COM is a single
domain (no dependents, no trust relationships baggage)

What gives? Where does the fault lie (squid, samba, both, neither)?

Vietnhi Phuvan
Received on Thu Apr 14 2005 - 16:19:23 MDT