Hello,
(I am cross-posting this to both the Squid and Samba-Tech lists as it
relates to the integration of both - sorry!)
Here is the setup:
-1 W2K PDC and 2 W2K BDCs- no active directory
-lots of Windows clients: XP and W2K Citrix
-Using Squid 2.5.STABLE4 and Kerberos 1.3.1 on RH9
We are using Squid in a transparent proxy fashion for logging. This
setup works great in every fashion except its transparency. (yuck!!)
Problem: Occasionally (like once every 4 hours), a Windows client user
will call help desk saying "Internet Explorer" is asking for my
username/password/domain to access a web page.
Well, my first thought was to check my logs on the RH9 box: squid,
samba, winbindd.
Nothing...
OK, so I assume that possibly our PDC is being overloaded with requests
and I add "kdc" entries in krb5.conf in the realms section that point to
our backup domain controllers. I also add the *same* entries in
smb.conf. Restart Squid, Samba and Winbindd.
The problem worsens- it now occurs every hour!
So I undo my changes...
And I am thinking this: when a workstation logs in to the Domain, it can
hit *ANY* of the domain controllers, probably the primary. Then when the
*SAME* client accesses the Internet with IE 6.0, Squid (via NTLM_AUTH)
verifies the user with *ANY* of the domain controllers.
Hence, there is the possibility of 2 sessions, one via the workstation
and one via Internet Explorer/Squid- both on different domain
controllers.
If this is correct, then it is *impossible* for Squid to ever know which
domain controller the user logged into and therefore the occasional auth
window will appear, making transparency impossible!
Am I on the right track here?
Is there a workaround?
A config setting that I missed?
Also, a colleague of mine noticed that those who were Domain Admins
never saw this problem. That begs the question: Does wbinfo have to use
a user that is a domain admin?
Thanks,
Dave
wbinfo -t, -u and -g all work great
-------------------
Here is my smb.conf:
[global]
workgroup = MINE
netbios name = GATEWAY
realm = MINE
security = domain
encrypt passwords = yes
password server = dc1.mine
winbind separator = /
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
interfaces = 192.168.1.211
bind interfaces only = yes
winbind use default domain = yes
log file = /var/log/samba/log.%m
log level = 5
client signing = Yes
server signing = Yes
client use spnego = Yes
template shell = /bin/bash
template homedir = /home/%D/%U
------------------
krb5.conf:
[libdefaults]
default_realm = MINE
[realms]
MINE = {
kdc = dc1.mine
}
[logging]
kdc = SYSLOG:INFO
-----------------------
squid.conf- (relevant portions only)
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
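One way to get something out of the Squid logs for this kind of report, as an added example that is not part of Dave's post or of the Squid or Samba projects: an HTTP NTLM handshake through the squid-2.5-ntlmssp helper normally costs a client exactly two TCP_DENIED/407 responses (one to the unauthenticated request, one carrying the challenge) before the authenticate message is accepted. A third consecutive 407 to the same client means the authenticate message was refused, which is the moment Internet Explorer shows its credential dialog. The script below parses Squid's native access.log format and flags runs of three or more consecutive 407s per client. The sample log lines, the client addresses and the threshold are constructed assumptions; Squid does not log connection IDs, so interleaved requests from several browser windows can produce false positives and the result is a heuristic, not a proof.

```python
"""
Heuristic detection of NTLM handshakes that Squid rejected, read from the
Squid 2.5 native access.log format:
    timestamp elapsed client action/code size method URL ident hierarchy/from type

A normal NTLM exchange is two 407s per client followed by a non-407 answer.
A run of >= threshold consecutive 407s to one client is reported as a
probable refused authenticate message (a visible credential prompt).
"""
import re

# One native-format access.log line (Squid 2.5 layout).
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<code>\d{3})\s+(?P<size>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)"
)

# Constructed sample, not a real log: .50 completes a normal two-step NTLM
# handshake; .51 is refused on the third round trip and re-prompted twice
# before it finally gets a 200 (the assumed user is named "dave").
SAMPLE_LOG = """\
1072817000.101     2 192.168.1.50 TCP_DENIED/407 1728 GET http://www.example.com/ - NONE/- text/html
1072817000.140     3 192.168.1.50 TCP_DENIED/407 1903 GET http://www.example.com/ - NONE/- text/html
1072817000.355   210 192.168.1.50 TCP_MISS/200 5432 GET http://www.example.com/ dave DIRECT/192.0.2.10 text/html
1072817010.002     2 192.168.1.51 TCP_DENIED/407 1728 GET http://www.example.com/ - NONE/- text/html
1072817010.041     3 192.168.1.51 TCP_DENIED/407 1903 GET http://www.example.com/ - NONE/- text/html
1072817010.180     4 192.168.1.51 TCP_DENIED/407 1903 GET http://www.example.com/ - NONE/- text/html
1072817010.230     3 192.168.1.51 TCP_DENIED/407 1903 GET http://www.example.com/ - NONE/- text/html
1072817025.900   190 192.168.1.51 TCP_MISS/200 5432 GET http://www.example.com/ dave DIRECT/192.0.2.10 text/html
"""


def parse_line(line):
    """Return the fields of one native-format line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["code"] = int(rec["code"])
    return rec


def find_failed_handshakes(lines, threshold=3):
    """
    Scan log lines in order and return a list of (client, first_ts, run_length)
    for every run of >= threshold consecutive 407 responses to one client.
    A run ends at that client's next non-407 response; runs still open at
    the end of the log (client never got through) are reported as well.
    """
    runs = {}   # client -> [timestamp of first 407 in run, count]
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue            # skip blank or unparsable lines
        client = rec["client"]
        if rec["code"] == 407:
            if client in runs:
                runs[client][1] += 1
            else:
                runs[client] = [rec["ts"], 1]
        elif client in runs:
            first_ts, count = runs.pop(client)
            if count >= threshold:
                hits.append((client, first_ts, count))
    for client, (first_ts, count) in runs.items():
        if count >= threshold:
            hits.append((client, first_ts, count))
    return hits


if __name__ == "__main__":
    for client, ts, n in find_failed_handshakes(SAMPLE_LOG.splitlines()):
        print(f"{client}: {n} consecutive 407s starting at {ts:.3f}")
```

Run it against a real access.log with `find_failed_handshakes(open("/var/log/squid/access.log"))`; the timestamps of the hits can then be lined up against winbindd's log.winbindd at `log level = 5` to see which domain controller answered the refused authenticate.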
Received on Tue Dec 30 2003 - 16:02:37 MST
This archive was generated by hypermail pre-2.1.9 : Thu Jan 01 2004 - 12:00:27 MST