Re: [squid-users] ntlm on distributed samba PDC system

From: Andreas Calvo Gómez <andreas.calvo_at_admi.esci.es>
Date: Fri, 18 Sep 2009 12:36:50 +0200

Nevermind, fixed it.
I was pointing to a bad ntlm_auth binary (in Ubuntu, you should
use /usr/bin/ntlm_auth instead of /usr/lib/squid/ntlm_auth).

Thanks anyway!!
---------------------
Andreas Calvo Gómez <andreas.calvo_at_admi.esci.es>
Dept. Informàtica ESCI
Pg. Pujades, 1 08003 Barcelona
tel. (34) 932954710 ext.233 fax. (34) 932954720
http://www.esci.es
--------------------

On Fri, 18-09-2009 at 10:38 +0200, Andreas Calvo Gómez wrote:
> I don't understand it yet.
> I'll try to explain my scenario:
> I've a working PDC with samba/openldap.
> I've more servers with PAM configured to do ldap auth to the PDC server.
> On one of these servers I've configured squid, and I'd like to be able to
> use the NTLM module so I can use the windows credentials instead of
> pushing users to auth themselves.
> The squid server has a bunch of other services (like bind, dhcp3-server,
> and so on), but it does not have samba installed (however, it has
> a /etc/samba/smb.conf file). What I'm confused is that, while following
> the squid-cache wiki tutorial, some things worked, but others didn't.
> For example, wbinfo -t works and so does wbinfo -a, but neither wbinfo -g
> nor wbinfo -u worked. Moreover, gpasswd -a proxy winbindd_priv didn't
> work on the squid machine, but it worked on the PDC machine.
> I haven't changed anything in the PAM configuration nor the nsswitch
> info.
>
> I'm really lost here, I don't get why it seems that I need a working
> samba server on the squid machine to be able to connect to the PDC.
> I've also googled a lot but most of the related topics point to either
> AD or kerberos, which I'm not using...
>
> Any hint?
>
> Versions:
> ii squid 2.7.STABLE3-4.1ubuntu1
> Internet object cache (WWW proxy cache)
> ii winbind 2:3.3.2-1ubuntu3.1
> Samba nameservice integration server
>
> Proof:
> root_at_venus:~# wbinfo -t
> checking the trust secret via RPC calls succeeded
>
> root_at_venus:~# wbinfo -a mydomain\\myuser%mypassword
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> root_at_venus:~# invoke-rc.d squid restart
> * Restarting Squid HTTP proxy squid
> 2009/09/18 09:52:23| unrecognised ntlm auth scheme parameter
> 'max_challenge_reuses'
> 2009/09/18 09:52:23| unrecognised ntlm auth scheme parameter
> 'max_challenge_lifetime'
> 2009/09/18 09:52:23| unrecognised ntlm auth scheme parameter
> 'use_ntlm_negotiate'
>
> [ OK ]
>
> ++ squid.conf ++
> auth_param ntlm program /usr/lib/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 30
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> auth_param ntlm use_ntlm_negotiate on
> auth_param basic program /usr/lib/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param basic children 5
> auth_param basic realm ESCI Proxy
> auth_param basic credentialsttl 2 hours
> acl all src all
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> #
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> #
> acl SSL_ports port 443 # https
> acl SSL_ports port 563 # snews
> acl SSL_ports port 873 # rsync
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> #acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 631 # cups
> acl Safe_ports port 873 # rsync
> acl Safe_ports port 901 # SWAT
> acl purge method PURGE
> acl CONNECT method CONNECT
> acl ntlm_users proxy_auth REQUIRED
> #Recommended minimum configuration:
> #
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
> # Only allow purge requests from localhost
> http_access allow purge localhost
> http_access deny purge
> # Deny requests to unknown ports
> http_access deny !Safe_ports
> # Deny CONNECT to other than SSL ports
> http_access deny CONNECT !SSL_ports
> #
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> http_access deny to_localhost
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> http_access allow ntlm_users
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> #http_access allow localnet
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> #Allow ICP queries from local networks only
> icp_access allow localnet
> icp_access deny all
>
> # Squid normally listens to port 3128
> http_port 3128
>
> #We recommend you to use at least the following line.
> hierarchy_stoplist cgi-bin ?
>
> access_log /var/log/squid/access.log squid
>
> #Suggested default:
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880
> refresh_pattern . 0 20% 4320
>
> # Don't upgrade ShoutCast responses to HTTP
> acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
> upgrade_http0.9 deny shoutcast
>
> # Apache mod_gzip and mod_deflate known to be broken so don't trust
> # Apache to signal ETag correctly on such responses
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
>
> extension_methods REPORT MERGE MKACTIVITY CHECKOUT
>
> # Leave coredumps in the first cache dir
> coredump_dir /var/spool/squid
>
> ++ smb.conf ++
> [global]
> workgroup = ESCI
> realm = ESCI.ES
> security = DOMAIN
> password server = samba.esci.es
> restrict anonymous = 2
> client NTLMv2 auth = Yes
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 1000
> dns proxy = No
> panic action = /usr/share/samba/panic-action %d
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
>
> Thanks!
> ---------------------
> Andreas Calvo Gómez <andreas.calvo_at_admi.esci.es>
> Dept. Informàtica ESCI
> Pg. Pujades, 1 08003 Barcelona
> tel. (34) 932954710 ext.233 fax. (34) 932954720
> http://www.esci.es
> --------------------
>
> On Thu, 17-09-2009 at 18:15 +0200, Kinkie wrote:
> > On Thu, Sep 17, 2009 at 5:32 PM, Andreas Calvo Gómez
> > <andreas.calvo_at_admi.esci.es> wrote:
> > > Hi,
> > > I'm trying to set up squid with NTLM to do automated auth based on
> > > windows credentials.
> > > I'm running a samba/openldap PDC server, and squid is in a separate
> > > computer.
> > > Is it necessary to install another samba plus winbind in the machine
> > > that has squid running?
> >
> > Only winbindd is needed on the squid system, smbd performs some
> > additional activities (changing the machine account password) which
> > can also be performed by scripted calls to the "net" command.
> >
> > > If I run wbinfo -t on the squid computer it works, however running
> > > gpasswd -a proxy winbindd_priv does not work (obviously, it does not
> > > have the winbind).
> > > When I try to run the ntlm_auth --helper-protocol=squid-2.5-basic it
> > > reports an ERR message, but I don't know where to look for logs (nor
> > > syslog nor squid logs have information about it).
> > >
> > > So, what I think I'm missing is what should be done if I'm running squid
> > > in a non samba machine.
> > >
> > > Any hints?
> >
> > These questions are better asked to the Samba user-groups.
> >
> >
>
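The fix at the top of this thread comes down to which of two binaries called ntlm_auth Squid is handed, and the restart log shows a second problem: Squid 2.7 rejects max_challenge_reuses, max_challenge_lifetime and use_ntlm_negotiate as unrecognised (they were Squid 2.5 parameters). The POSIX shell script below is an added example and is not code from the thread, from Squid or from Samba. It picks the Samba helper out of a list of candidate paths, exercises it with the squid-2.5-basic protocol before Squid is restarted, and emits auth_param lines without the three rejected parameters. Two assumptions are mine, not the thread's: that Samba's ntlm_auth lists --helper-protocol in its --help output while the helper of the same name that Squid 2.x ships under /usr/lib/squid does not, and that a basic helper answers each "user password" line with OK or ERR. The emitted basic line uses --helper-protocol=squid-2.5-basic, the protocol Kinkie mentions for basic credentials; the posted config pointed the basic scheme at the ntlmssp protocol instead.

```shell
#!/bin/sh
# Added example (not part of the squid-users thread, not Squid's or Samba's
# own code): choose and smoke-test the Samba ntlm_auth helper for Squid.
#
# Assumption (mine): Samba's ntlm_auth advertises --helper-protocol in its
# --help output; the Squid-bundled /usr/lib/squid/ntlm_auth helper does not.

# find_ntlm_auth CANDIDATE... -> prints the first executable candidate whose
# --help output mentions --helper-protocol; returns 1 if none qualifies.
find_ntlm_auth() {
    for bin in "$@"; do
        [ -x "$bin" ] || continue
        if "$bin" --help 2>&1 | grep -q -- '--helper-protocol'; then
            printf '%s\n' "$bin"
            return 0
        fi
    done
    return 1
}

# check_basic_helper BIN -> reads one "DOMAIN\user password" line from stdin,
# hands it to BIN speaking the squid-2.5-basic protocol and returns 0 only if
# the helper answers OK. Credentials stay on stdin, so they do not land in
# the process list or shell history the way "wbinfo -a user%password" does.
check_basic_helper() {
    reply=$("$1" --helper-protocol=squid-2.5-basic 2>/dev/null | head -n 1)
    case $reply in
        OK*) return 0 ;;
        *)   return 1 ;;
    esac
}

# squid_auth_lines BIN -> prints auth_param lines for squid.conf. The Squid
# 2.5-only parameters (max_challenge_reuses, max_challenge_lifetime,
# use_ntlm_negotiate) are left out because Squid 2.7 logs them as
# unrecognised; the basic scheme gets the squid-2.5-basic protocol.
squid_auth_lines() {
    cat <<EOF
auth_param ntlm program $1 --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param basic program $1 --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm ESCI Proxy
auth_param basic credentialsttl 2 hours
EOF
}

# Usage on a real Ubuntu host (type the password at the prompt, do not
# put it on the command line):
#   helper=$(find_ntlm_auth /usr/bin/ntlm_auth /usr/lib/squid/ntlm_auth) || exit 1
#   printf 'ESCI\\myuser %s\n' "$(stty -echo; head -n 1; stty echo)" \
#       | check_basic_helper "$helper" && squid_auth_lines "$helper"
```

Run the usage lines as the user Squid's helpers execute as (proxy on Ubuntu), since that user also needs read access to the winbindd privileged pipe directory that the thread's gpasswd -a proxy winbindd_priv step grants; a helper that answers OK for root and ERR for proxy points at that permission rather than at the binary.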
Received on Fri Sep 18 2009 - 10:34:40 MDT

This archive was generated by hypermail 2.2.0 : Fri Sep 18 2009 - 12:00:03 MDT