En/na Sergio Vera ha escrit:
> Hi everyone
>
> I'm having some problems to setup squid 2.5.STABLE9 to autentificate
> users
> in a windows 2000 server domain (active directory).
>
> I have followed this guide:
> http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5
>
> ntlm_auth is working fine on some client machines but not others.
> I have tested it with windows 2000 professional, IExplorer 6+SP1 and
> Firebird 1.02 and they don't work no matter the user logs in. However,
> when in some machine works, any user that logs in that machine can use
> the
> proxy.
> I mean, it seems some client machine related problem, not specific user
> problem. Neverthleless, there are no significat differences between the
> clients as they are generated from the same norton ghost image (all
> clients have the same software and versions)
> With linux clients, the login/password dalog appears and auth works
> perfectly.
>
> when in the proxy machine, any winbindd related command works OK (wbinfo,
> nltm_auth...)
>
> Now some specific stuff:
> Fedora Core 3 with 2.6.11-1.14_FC3 kernel
>
> Squid Cache: Version 2.5.STABLE9
> configure options: --build=i386-redhat-linux --host=i386-redhat-linux
> --target=i386-redhat-linux-gnu --program-prefix= --prefix=/usr
> --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin
> --sysconfdir=/etc
> --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib
> --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com
> --mandir=/usr/share/man --infodir=/usr/share/info --exec_prefix=/usr
> --bindir=/usr/sbin --libexecdir=/usr/lib/squid --localstatedir=/var
> --sysconfdir=/etc/squid --enable-poll --enable-snmp
> --enable-removal-policies=heap,lru
> --enable-storeio=aufs,coss,diskd,null,ufs --enable-ssl
> --with-openssl=/usr/kerberos --enable-delay-pools
> --enable-linux-netfilter
> --with-pthreads --enable-ntlm-auth-helpers=SMB,winbind
> --enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group,winbind_group
>
> --enable-auth=basic,ntlm --with-winbind-auth-challenge
> --enable-useragent-log --enable-referer-log --disable-dependency-tracking
> --enable-cachemgr-hostname=localhost --disable-ident-lookups
> --enable-truncate --enable-underscores --datadir=/usr/share
> --enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,winbind
>
>
> winbindd version: 3.0.10-1.fc3
>
> here is the squid.conf without comments:
> ---------------------------------------------------------------
> http_port 192.168.2.10:8080
> http_port 192.168.8.20:8080
> icp_port 0
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> cache_mem 16 MB
> cache_dir ufs /var/spool/squid 700 16 256
> auth_param ntlm program /usr/bin/ntlm_auth --debug-level=10
> --helper-protocol=squid-2.5-ntlmssp --nt-response
> auth_param ntlm children 30
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
>
> auth_param basic program /usr/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 8080 # Standard proxy port
> acl CONNECT method CONNECT
>
> acl red2 src 192.168.2.0/24 # red del aula
> acl red8 src 192.168.8.0/24 # red interna
> acl red1 src 192.168.1.0/24 # otra red
> acl red9 src 192.168.9.0/24 # red administradtiva
> acl red6 src 192.168.6.0/24 # inalambrica
> acl autentificados proxy_auth REQUIRED
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access allow autentificados
> http_access deny all
> http_reply_access allow all
>
> icp_access allow all
> coredump_dir /var/spool/squid
> ---------------------------------------------------------
> here comes some lines from smb.conf
> ---------------------------------------------------------
> workgroup = AULADOM
> security = domain
> password server = aulaserver
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> winbind use default domain = yes
> winbind uid = 10000-20000
> winbind gid = 10000-20000
> -----------------------------------------------------------
>
> Some additional info & tests:
>
> Winbindd privileged dir has the correct permissions:
> drwxr-x--- 2 root squid 4096 may 2 17:58 winbindd_privileged
>
> # net join -S aulaserver -U Admin%ADMINPASSWORD
> [2005/05/02 19:10:03, 0] libads/kerberos.c:ads_kinit_password(146)
> kerberos_kinit_password Administrador@AULADOM.ES failed: Cannot find KDC
> for requested realm
> [2005/05/02 19:10:03, 0] utils/net_ads.c:ads_startup(186)
> ads_connect: Cannot find KDC for requested realm
> Joined domain AULADOM.
>
> those are the only noticeable errors, however, it seems to join the
> domain
> and autenticate users
>
> # wbinfo -t
> checking the trust secret via RPC calls succeeded
>
> #wbinfo -a USER%PWD
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> wbinfo -u and wbinfo -g work also...
>
> iin the access.log when ntlm_auth works the correct username of the
> client
> appears, when not authenticated, NONE appears in the username field,
> however, as you may see, sometimes an user receives a TCP_DENIED with
> NONE
> as username and then the same request is a TCP_HIT authenticated: I dont
> know if this is a normal beaviour or it can be related to the whole
> problem.
>
> (access.log extracted from a succesfuly authenticaed client)
> 1115050342.129 1 192.168.2.166 TCP_DENIED/407 1896 GET
> http://www.rage3d.com/board/images/purerage/site/sitemenu_open_collapsed.gif
>
> - NONE/- text/html
> 1115050342.224 1203 192.168.2.166 TCP_REFRESH_HIT/200 8067 GET
> http://www.rage3d.com/board/images/purerage/site/logo.jpg 52437211
> DIRECT/66.224.5.66 image/jpeg
> 1115050342.405 1272 192.168.2.166 TCP_REFRESH_HIT/200 340 GET
> http://www.rage3d.com/board/clear.gif 52437211 DIRECT/66.224.5.66
> image/gif
> 1115050343.721 1591 192.168.2.166 TCP_REFRESH_HIT/200 345 GET
> http://www.rage3d.com/board/images/purerage/site/sitemenu_open_collapsed.gif
>
> 52437211 DIRECT/66.224.5.66 image/gif
> ------------------------------------------
> access.log from an unsuccessfolly auth client
>
> 1115050461.386 3 192.168.2.162 TCP_DENIED/407 1730 GET
> http://www.rage3d.com/ - NONE/- text/html
> 1115050461.407 3 192.168.2.162 TCP_DENIED/407 1729 GET
> http://www.rage3d.com/ - NONE/- text/html
> 1115050475.898 4 192.168.2.162 TCP_DENIED/407 1745 GET
> http://www.meristation.com/ - NONE/- text/html
> 1115050475.918 3 192.168.2.162 TCP_DENIED/407 1744 GET
> http://www.meristation.com/ - NONE/- text/html
> 1115050510.591 1 192.168.2.162 TCP_DENIED/407 1805 GET
> http://csc3-2004-crl.verisign.com/CSC3-2004.crl - NONE/- text/html
> 1115050510.720 2 192.168.2.162 TCP_DENIED/407 1809 GET
> http://csc3-2004-crl.verisign.com/CSC3-2004.crl - NONE/- text/html
> 1115050511.614 894 192.168.2.162 TCP_CLIENT_REFRESH_MISS/200 12862 GET
> http://csc3-2004-crl.verisign.com/CSC3-2004.crl 52179933
> DIRECT/12.158.80.10 application/pkix-crl
> 1115050569.182 143 192.168.2.162 TCP_DENIED/407 1715 CONNECT
> 192.168.2.251:443 - NONE/- text/html
> 1115050569.219 3 192.168.2.162 TCP_DENIED/407 1714 CONNECT
> 192.168.2.251:443 - NONE/- text/html
> 1115050583.430 3 192.168.2.162 TCP_DENIED/407 1730 GET
> http://www.google.com/ - NONE/- text/html
> 1115050583.445 3 192.168.2.162 TCP_DENIED/407 1729 GET
> http://www.google.com/ - NONE/- text/html
> 1115050609.646 3 192.168.2.162 TCP_DENIED/407 1730 GET
> http://www.google.com/ - NONE/- text/html
> 1115050609.666 3 192.168.2.162 TCP_DENIED/407 1729 GET
> http://www.google.com/ - NONE/- text/html
> ----------------------------------------------------------------
>
> Any additional help or guide will be very much appreciated, thank-you!
>
Any ideas or things to try?
I just tested the wbifo tests as squid user and it works perfectly....
thank-you
Received on Tue May 03 2005 - 10:48:08 MDT
This archive was generated by hypermail pre-2.1.9 : Wed Jun 01 2005 - 12:00:02 MDT