Hi everyone
I'm having some problems setting up squid 2.5.STABLE9 to authenticate users in a Windows 2000 Server domain (Active Directory).
I have followed this guide: http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5
ntlm_auth is working fine on some client machines but not others. I have tested it with Windows 2000 Professional, IExplorer 6+SP1 and Firebird 1.02, and they don't work no matter which user logs in. However, when it works on some machine, any user that logs in on that machine can use the proxy. I mean, it seems to be a client-machine-related problem, not a specific-user problem. Nevertheless, there are no significant differences between the clients, as they are generated from the same Norton Ghost image (all clients have the same software and versions). With Linux clients, the login/password dialog appears and auth works perfectly.
On the proxy machine, any winbindd-related command works OK (wbinfo, ntlm_auth...).
Now some specific stuff: Fedora Core 3 with 2.6.11-1.14_FC3 kernel
Squid Cache: Version 2.5.STABLE9 configure options: --build=i386-redhat-linux --host=i386-redhat-linux --target=i386-redhat-linux-gnu --program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info --exec_prefix=/usr --bindir=/usr/sbin --libexecdir=/usr/lib/squid --localstatedir=/var --sysconfdir=/etc/squid --enable-poll --enable-snmp --enable-removal-policies=heap,lru --enable-storeio=aufs,coss,diskd,null,ufs --enable-ssl --with-openssl=/usr/kerberos --enable-delay-pools --enable-linux-netfilter --with-pthreads --enable-ntlm-auth-helpers=SMB,winbind --enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group,winbind_group --enable-auth=basic,ntlm --with-winbind-auth-challenge --enable-useragent-log --enable-referer-log --disable-dependency-tracking --enable-cachemgr-hostname=localhost --disable-ident-lookups --enable-truncate --enable-underscores --datadir=/usr/share --enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,winbind
winbindd version: 3.0.10-1.fc3
Here is the squid.conf without comments:
---------------------------------------------------------------
http_port 192.168.2.10:8080
http_port 192.168.8.20:8080
icp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 16 MB
cache_dir ufs /var/spool/squid 700 16 256
auth_param ntlm program /usr/bin/ntlm_auth --debug-level=10 --helper-protocol=squid-2.5-ntlmssp --nt-response
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8080 # Standard proxy port
acl CONNECT method CONNECT
acl red2 src 192.168.2.0/24 # classroom network
acl red8 src 192.168.8.0/24 # internal network
acl red1 src 192.168.1.0/24 # other network
acl red9 src 192.168.9.0/24 # administrative network
acl red6 src 192.168.6.0/24 # wireless
acl autentificados proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access allow autentificados
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/spool/squid
---------------------------------------------------------
Here come some lines from smb.conf:
---------------------------------------------------------
workgroup = AULADOM
security = domain
password server = aulaserver
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind use default domain = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
-----------------------------------------------------------
Some additional info & tests:
Winbindd privileged dir has the correct permissions:
drwxr-x--- 2 root squid 4096 may 2 17:58 winbindd_privileged
# net join -S aulaserver -U Admin%ADMINPASSWORD
[2005/05/02 19:10:03, 0] libads/kerberos.c:ads_kinit_password(146)
kerberos_kinit_password Administrador@xxxxxxxxxx failed: Cannot find KDC for requested realm
[2005/05/02 19:10:03, 0] utils/net_ads.c:ads_startup(186)
ads_connect: Cannot find KDC for requested realm
Joined domain AULADOM.
Those are the only noticeable errors; however, it seems to join the domain and authenticate users.
# wbinfo -t
checking the trust secret via RPC calls succeeded
# wbinfo -a USER%PWD
plaintext password authentication succeeded
challenge/response password authentication succeeded
wbinfo -u and wbinfo -g also work...
In the access.log, when ntlm_auth works the correct username of the client appears; when not authenticated, NONE appears in the username field. However, as you may see, sometimes a user receives a TCP_DENIED with NONE as username and then the same request is a TCP_HIT authenticated. I don't know if this is normal behaviour or if it can be related to the whole problem.
(access.log extracted from a successfully authenticated client)
1115050342.129 1 192.168.2.166 TCP_DENIED/407 1896 GET http://www.rage3d.com/board/images/purerage/site/sitemenu_open_collapsed.gif - NONE/- text/html
1115050342.224 1203 192.168.2.166 TCP_REFRESH_HIT/200 8067 GET http://www.rage3d.com/board/images/purerage/site/logo.jpg 52437211 DIRECT/66.224.5.66 image/jpeg
1115050342.405 1272 192.168.2.166 TCP_REFRESH_HIT/200 340 GET http://www.rage3d.com/board/clear.gif 52437211 DIRECT/66.224.5.66 image/gif
1115050343.721 1591 192.168.2.166 TCP_REFRESH_HIT/200 345 GET http://www.rage3d.com/board/images/purerage/site/sitemenu_open_collapsed.gif 52437211 DIRECT/66.224.5.66 image/gif
------------------------------------------
access.log from an unsuccessfully authenticated client
1115050461.386 3 192.168.2.162 TCP_DENIED/407 1730 GET http://www.rage3d.com/ - NONE/- text/html
1115050461.407 3 192.168.2.162 TCP_DENIED/407 1729 GET http://www.rage3d.com/ - NONE/- text/html
1115050475.898 4 192.168.2.162 TCP_DENIED/407 1745 GET http://www.meristation.com/ - NONE/- text/html
1115050475.918 3 192.168.2.162 TCP_DENIED/407 1744 GET http://www.meristation.com/ - NONE/- text/html
1115050510.591 1 192.168.2.162 TCP_DENIED/407 1805 GET http://csc3-2004-crl.verisign.com/CSC3-2004.crl - NONE/- text/html
1115050510.720 2 192.168.2.162 TCP_DENIED/407 1809 GET http://csc3-2004-crl.verisign.com/CSC3-2004.crl - NONE/- text/html
1115050511.614 894 192.168.2.162 TCP_CLIENT_REFRESH_MISS/200 12862 GET http://csc3-2004-crl.verisign.com/CSC3-2004.crl 52179933 DIRECT/12.158.80.10 application/pkix-crl
1115050569.182 143 192.168.2.162 TCP_DENIED/407 1715 CONNECT 192.168.2.251:443 - NONE/- text/html
1115050569.219 3 192.168.2.162 TCP_DENIED/407 1714 CONNECT 192.168.2.251:443 - NONE/- text/html
1115050583.430 3 192.168.2.162 TCP_DENIED/407 1730 GET http://www.google.com/ - NONE/- text/html
1115050583.445 3 192.168.2.162 TCP_DENIED/407 1729 GET http://www.google.com/ - NONE/- text/html
1115050609.646 3 192.168.2.162 TCP_DENIED/407 1730 GET http://www.google.com/ - NONE/- text/html
1115050609.666 3 192.168.2.162 TCP_DENIED/407 1729 GET http://www.google.com/ - NONE/- text/html
----------------------------------------------------------------
Any additional help or guide will be very much appreciated, thank you!
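A 407 immediately followed by a request carrying a username is the normal NTLM handshake; a client that only ever produces pairs of 407s with no username afterwards is not completing it. The following Python script is an added example, not part of the post, that parses Squid 2.5 native access.log lines and reports per client how many 407 challenges were never followed by an authenticated request; the five-second window and the field names are my own assumptions, and the sample lines are copied from the excerpts above.

```python
import re
from collections import defaultdict

# Squid native access.log: time elapsed client code/status bytes method url user peer/host mime
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<peer>\S+)\s+(?P<mime>\S+)$"
)

def parse_line(line):
    """Return a dict for one access.log entry, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["status"] = int(rec["status"])
    rec["user"] = None if rec["user"] == "-" else rec["user"]  # "-" = no username logged
    return rec

def classify_clients(lines, window=5.0):
    """Per client IP: count 407 challenges, requests that carried a username, and
    'stranded' 407s not followed by an authenticated request within `window` seconds."""
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_client[rec["client"]].append(rec)
    report = {}
    for client, recs in by_client.items():
        challenges = [r["ts"] for r in recs if r["status"] == 407]
        authed = [r["ts"] for r in recs if r["user"]]
        # A working NTLM client answers the challenge within well under a second (assumed window)
        stranded = sum(1 for c in challenges if not any(0 <= a - c <= window for a in authed))
        report[client] = {
            "challenges": len(challenges),
            "authenticated": len(authed),
            "stranded": stranded,
            "verdict": "ok" if stranded == 0 else "handshake not completing",
        }
    return report

# Sample input: lines copied from the access.log excerpts in the post above.
SAMPLE = """
1115050342.129 1 192.168.2.166 TCP_DENIED/407 1896 GET http://www.rage3d.com/board/images/purerage/site/sitemenu_open_collapsed.gif - NONE/- text/html
1115050342.224 1203 192.168.2.166 TCP_REFRESH_HIT/200 8067 GET http://www.rage3d.com/board/images/purerage/site/logo.jpg 52437211 DIRECT/66.224.5.66 image/jpeg
1115050461.386 3 192.168.2.162 TCP_DENIED/407 1730 GET http://www.rage3d.com/ - NONE/- text/html
1115050461.407 3 192.168.2.162 TCP_DENIED/407 1729 GET http://www.rage3d.com/ - NONE/- text/html
1115050510.591 1 192.168.2.162 TCP_DENIED/407 1805 GET http://csc3-2004-crl.verisign.com/CSC3-2004.crl - NONE/- text/html
1115050511.614 894 192.168.2.162 TCP_CLIENT_REFRESH_MISS/200 12862 GET http://csc3-2004-crl.verisign.com/CSC3-2004.crl 52179933 DIRECT/12.158.80.10 application/pkix-crl
""".strip().splitlines()
```

Run it over the whole access.log to see which client addresses never get past the challenge; in the excerpt above the CRL fetch from the failing client is the one request that did complete the handshake.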