[squid-users] Transparent Squid Proxy with Samba 3 NTLM_AUTH and multiple domain controllers

From: Dave Augustus <davea@dont-contact.us>
Date: 30 Dec 2003 17:02:26 -0600

Hello,

(I am cross-posting this to both the Squid and Samba-Tech lists as it
relates to the integration of both - sorry!)

Here is the setup:

-1 W2K PDC and 2 W2K BDCs- no active directory
-lots of Windows clients: XP and W2K Citrix
-Using Squid 2.5Stable4 and Kerberos 1.3.1 on RH9

We are using Squid in a transparent proxy fashion for logging. This
setup works great in every fashion except its transparency. (yuck!!)

Problem: Occasionally (like once every 4 hours), a Windows client user
will call help desk saying "Internet Explorer is asking for my
username/password/domain to access a web page."

Well, my first thought was to check my logs on the RH9 box: squid,
samba, winbindd.

Nothing...

Ok, so I assume that possibly our PDC is being overloaded with requests
and I add "kdc" entries in krb5.conf in the realms section that point to
our backup domain controllers. I also add the *same* entries in
smb.conf. Restart Squid, Samba and Winbindd.

The problem worsens- it now occurs every hour!

So I undo my changes...

And I am thinking this: when a workstation logs in to the Domain, it can
hit *ANY* of the domain controllers, probably the primary. Then when the
*SAME* client accesses the Internet with IE 6.0, Squid (via NTLM_AUTH)
verifies the user with *ANY* of the domain controllers.

Hence, there is the possibility of 2 sessions, one via the workstation
and one via Internet Explorer/Squid- both on different domain
controllers.

If this is correct, then it is *impossible* for Squid to ever know which
domain controller the user logged into and therefore the occasional auth
window will appear, making transparency impossible!

Am I on the right track here?

Is there a workaround?

A config setting that I missed?

Also, a colleague of mine noticed that those who were Domain Admins
never saw this problem. That begs the question: Does wbinfo have to use
a user that is a domain admin?

Thanks,
Dave

wbinfo -t, -u and -g all work great

-------------------
Here is my smb.conf:

[global]

workgroup = MINE
netbios name = GATEWAY

realm = MINE
security = domain
encrypt passwords = yes
password server = dc1.mine

winbind separator = /

winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
interfaces = 192.168.1.211
bind interfaces only = yes
winbind use default domain = yes
log file = /var/log/samba/log.%m
log level = 5
client signing = Yes
server signing = Yes
client use spnego = Yes

template shell = /bin/bash

template homedir = /home/%D/%U

------------------
krb5.conf:

[libdefaults]
    default_realm = MINE

[realms]
    MINE = {
    kdc = dc1.mine
    }

[logging]
    kdc = SYSLOG:INFO

-----------------------
squid.conf- (relevant portions only)

auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
Received on Tue Dec 30 2003 - 16:02:37 MST
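
An added example, not part of the original post: one way to locate the intermittent prompts described above is to scan Squid's access.log for NTLM handshakes that never complete. It assumes the native access.log layout and that a healthy handshake logs two TCP_DENIED/407 entries before the request succeeds; the function name, sample lines, addresses and URLs are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client action/status bytes method URL user hierarchy type
SAMPLE_LOG = """\
1072825340.101     12 192.168.1.50 TCP_DENIED/407 1720 GET http://example.com/ - NONE/- text/html
1072825340.140      9 192.168.1.50 TCP_DENIED/407 1985 GET http://example.com/ - NONE/- text/html
1072825340.310    151 192.168.1.50 TCP_MISS/200 5120 GET http://example.com/ alice DIRECT/192.0.2.10 text/html
1072825400.500     11 192.168.1.51 TCP_DENIED/407 1720 GET http://example.org/ - NONE/- text/html
1072825400.545     10 192.168.1.51 TCP_DENIED/407 1985 GET http://example.org/ - NONE/- text/html
1072825400.590     10 192.168.1.51 TCP_DENIED/407 1720 GET http://example.org/ - NONE/- text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<action>[A-Z_]+)/(?P<status>\d{3})"
    r"\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)"
)

# Assumption: a healthy NTLM handshake logs two 407s (no credentials, then
# the challenge) before the request succeeds; a third means a rejected login.
HANDSHAKE_407S = 2


def find_failed_handshakes(lines):
    """Return [(timestamp, client, url)] where a third 407 was logged."""
    streak = defaultdict(int)   # (client, method, url) -> consecutive 407s
    failures = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue            # skip blank or non-native lines
        key = (m["client"], m["method"], m["url"])
        if m["status"] == "407":
            streak[key] += 1
            if streak[key] == HANDSHAKE_407S + 1:
                failures.append((float(m["ts"]), m["client"], m["url"]))
        else:
            streak.pop(key, None)   # handshake completed, reset the streak
    return failures


if __name__ == "__main__":
    for ts, client, url in find_failed_handshakes(SAMPLE_LOG.splitlines()):
        print(f"{ts:.3f} {client} possible auth prompt while fetching {url}")
```

The timestamps it reports can then be lined up against the winbindd and Samba logs for the same moment. Keying on client, method and URL is a heuristic that keeps parallel connections from one workstation from being counted as a single handshake.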
