
NTLM auth not doing what it should..help!

Greetings all,
For the past week I've been going demented trying to figure out
how to get squid working with AD groups, and despite everything I've
tried I can't get any joy. At this point I'm not sure if this is a
squid problem or a samba problem. I think it's a problem with
wb_group.pl but I'm not sure. :-/
I'd be grateful if someone could lend a hand and help me track the
root of this problem. I reckon it's something very minor that I'm
missing; if I can get this working I'll gladly provide the HOWTO doc
which I'm writing up on this. I think it would be of value to people
looking to build a box like this from scratch.

I'm using RHEL4, and using stable source code releases of
samba (3.0.21a) and squid (2.5Stable12). I've attached the squid config,
and samples of the cache.log and access.log.

To verify that samba is talking to AD I have tried the following:
"wbinfo -a pauld%squidpassword" responds with "challenge/response
password authentication succeeded"
"wbinfo -u |grep pauld" responds with my userid from the AD network, "pauld"

I have a group setup on AD called "InternetAllowed", doing "wbinfo -g
|grep InternetAllowed" returns the group "InternetAllowed"
"wbinfo -t" responds with "checking the trust secret via RPC calls succeeded"

I have set a userid, using "wbinfo
--set-auth-user=squid%squidpassword", to retrieve the userid
information from AD.
This is verified from the command "wbinfo --get-auth-user" which
correctly returns "MYDOMAIN/squid%squidpassword"

My userid is a member of the AD group "InternetAllowed", but when I
try the command "/usr/libexec/wbinfo_group.pl"
and enter "MYDOMAIN/pauld InternetAllowed", the response from the
wbinfo_group.pl script is "ERR". I'm not sure why this is responding
with an error.

If I try: "ntlm_auth --username=pauld --domain=FINEOS
--require-membership-of=MYDOMAIN/InternetAllowed" I get the response
"NT_STATUS_OK: Success (0x0)" when I have entered my password in
correctly.

On the squid side of things: if I start squid with a basic acl in the
config, including the following:
  acl allowedUsers external ad_group InternetAllowed
  acl Authenticated proxy_auth REQUIRED
  http_access allow allowedUsers Authenticated

It seems like squid is not getting the NTLM authentication request
correctly, so instead decides that access should be denied.
I then try to look up something like http://www.google.com. The
cache.log shows, at the end of the log, amongst other things:
  aclCheck: checking 'http_access allow allowedUsers Authenticated'
  aclMatchAclList: checking allowedUsers
  aclMatchAcl: checking 'acl allowedUsers external ad_group InternetAllowed'
  authenticateAuthenticate: header NTLM 
TlRMTVNTUAADAAAAGAAYAFoAAAAYABgAcgAAAAYABgBIAAAABgAGAE4AAAAGAAYAVAAAAAAAAACKAAAABgIAAgUBKAoAAAAPRklORU9TREVBU1lQSUVMMDAx0XnDVgB37W1tBsACJ62zOgFS3/19xEwSSaLbNJCe4yZ5qjQKBcG2LElrnci6FF0w.
  authenticateAuthenticate: This is a new checklist test on FD:44
  aclMatchAcl: returning 0 sending credentials to helper.
  aclMatchAclList: no match, returning 0
  aclCheck: checking password via authenticator
  aclCheck: checking 'http_access allow allowedUsers Authenticated'
  aclMatchAclList: checking allowedUsers
  aclMatchAcl: checking 'acl allowedUsers external ad_group InternetAllowed'
  authenticateAuthenticate: header NTLM
TlRMTVNTUAADAAAAGAAYAFoAAAAYABgAcgAAAAYABgBIAAAABgAGAE4AAAAGAAYAVAAAAAAAAACKAAAABgIAAgUBKAoAAAAPRklORU9TREVBU1lQSUVMMDAx0XnDVgB37W1tBsACJ62zOgFS3/19xEwSSaLbNJCe4yZ5qjQKBcG2LElrnci6FF0w.
  aclMatchAclList: no match, returning 0
  aclCheck: checking 'http_access allow allowedUsers Authenticated'
  aclMatchAclList: checking allowedUsers
  aclMatchAcl: checking 'acl allowedUsers external ad_group InternetAllowed'
  aclMatchAclList: no match, returning 0
  aclCheck: checking 'http_access deny all'
  aclMatchAclList: checking all
  aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
  aclMatchIp: '192.168.125.44' found
  aclMatchAclList: returning 1
  aclCheck: match found, returning 0
  aclCheckCallback: answer=0
  The request GET http://www.google.com/ is DENIED, because it matched 'all'
(see the attached squidconf for further reference)

I'm thinking the wbinfo_group.pl script is not passing the call correctly.
I have PATH statements set correctly for wbinfo (i.e. PATH includes
/usr/local/bin).
I have explicitly set the call to wbinfo in wbinfo_group.pl to point
to /usr/local/bin/wbinfo.
I have also set the LANG variable to C rather than the UTF-8 value.

But it seems everything I try is failing to produce the desired
result. If anyone can shed some light it would be most appreciated.
As I mentioned if I get this working I'll provide the HOWTO doc that
I've drawn up, from my many rebuilds and days spent on this.

The box was built from scratch, a minimal RHEL4 install with only the
developer tools installed (from CDs).
- Built NTP source, and configured it to ensure that time was in synch
with the AD controllers.
- Next built samba using the following configure command:
./configure --prefix=/usr --localstatedir=/var \
    --with-configdir=/etc/samba --with-privatedir=/etc/samba \
    --with-fhs --with-quotas --with-msdfs --with-smbmount --with-ads \
    --with-pam --with-pam_smbpass \
    --with-syslog --with-utmp \
    --with-sambabook=/usr/share/swat/using_samba \
    --with-swatdir=/usr/share/swat \
    --with-libsmbclient --with-winbind --with-winbind-auth-challenge

- Configured Squid using the following command:
./configure --prefix=/usr --datadir=/usr/share --localstatedir=/var \
    --sysconfdir=/etc/squid \
    --infodir=/usr/share/info --mandir=/usr/share/man --enable-snmp \
    --enable-ssl --enable-auth=ntlm,basic \
    --enable-external-acl-helpers=wbinfo_group

- verified kerberos was working with the box (kinit, etc)
- joined the box to the domain
- began trying the squid configuration.
- now stuck :)

1138208526.126      0 192.168.125.44 TCP_DENIED/407 1729 GET http://www.google.com/ - NONE/- text/html
1138208526.131      1 192.168.125.44 TCP_DENIED/407 1733 GET http://www.google.com/ - NONE/- text/html
1138208526.231    100 192.168.125.44 TCP_DENIED/403 1367 GET http://www.google.com/ pauld NONE/- text/html

2006/01/25 17:02:06| aclCheckFast: list: 0x92c6ca0
2006/01/25 17:02:06| aclMatchAclList: checking all
2006/01/25 17:02:06| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2006/01/25 17:02:06| aclMatchIp: '192.168.125.44' found
2006/01/25 17:02:06| aclMatchAclList: returning 1
2006/01/25 17:02:06| aclCheck: checking 'http_access allow manager localhost'
2006/01/25 17:02:06| aclMatchAclList: checking manager
2006/01/25 17:02:06| aclMatchAcl: checking 'acl manager proto cache_object'
2006/01/25 17:02:06| aclMatchAclList: no match, returning 0
2006/01/25 17:02:06| aclCheck: checking 'http_access deny manager'
2006/01/25 17:02:06| aclMatchAclList: checking manager
2006/01/25 17:02:06| aclMatchAcl: checking 'acl manager proto cache_object'
2006/01/25 17:02:06| aclMatchAclList: no match, returning 0
2006/01/25 17:02:06| aclCheck: checking 'http_access deny !Safe_ports'
2006/01/25 17:02:06| aclMatchAclList: checking !Safe_ports
2006/01/25 17:02:06| aclMatchAcl: checking 'acl Safe_ports port 80          # http'
2006/01/25 17:02:06| aclMatchAclList: no match, returning 0
2006/01/25 17:02:06| aclCheck: checking 'http_access deny CONNECT !SSL_ports'
2006/01/25 17:02:06| aclMatchAclList: checking CONNECT
2006/01/25 17:02:06| aclMatchAcl: checking 'acl CONNECT method CONNECT'
2006/01/25 17:02:06| aclMatchAclList: no match, returning 0
2006/01/25 17:02:06| aclCheck: checking 'http_access allow localhost'
2006/01/25 17:02:06| aclMatchAclList: checking localhost
2006/01/25 17:02:06| aclMatchAcl: checking 'acl localhost src 127.0.0.1/255.255.255.255'
2006/01/25 17:02:06| aclMatchIp: '192.168.125.44' NOT found
2006/01/25 17:02:06| aclMatchAclList: no match, returning 0
2006/01/25 17:02:06| aclCheck: checking 'http_access allow allowedUsers Authenticated'
2006/01/25 17:02:06| aclMatchAclList: checking allowedUsers
2006/01/25 17:02:06| aclMatchAcl: checking 'acl allowedUsers external ad_group InternetAllowed'
2006/01/25 17:02:06| authenticateAuthenticate: broken auth or no proxy_auth header. Requesting auth header.
2006/01/25 17:02:06| aclMatchAcl: returning 0 sending authentication challenge.
2006/01/25 17:02:06| aclMatchAclList: no match, returning 0
2006/01/25 17:02:06| aclCheck: requiring Proxy Auth header.
2006/01/25 17:02:06| aclCheck: match found, returning 2
2006/01/25 17:02:06| aclCheckCallback: answer=2
2006/01/25 17:02:06| The request GET http://www.google.com/ is DENIED, because it matched 'allowedUsers'
2006/01/25 17:02:06| aclCheckFast: list: 0x92c6ca0
2006/01/25 17:02:06| aclMatchAclList: checking all
2006/01/25 17:02:06| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2006/01/25 17:02:06| aclMatchIp: '192.168.125.44' found
2006/01/25 17:02:06| aclMatchAclList: returning 1
2006/01/25 17:02:06| aclCheck: checking 'http_access allow manager localhost'
2006/01/25 17:02:06| aclMatchAclList: checking manager
2006/01/25 17:02:06| aclMatchAcl: checking 'acl manager proto cache_object'
2006/01/25 17:02:06| aclMatchAclList: no match, returning 0
2006/01/25 17:02:06| aclCheck: checking 'http_access deny manager'
2006/01/25 17:02:06| aclMatchAclList: checking manager
2006/01/25 17:02:06| aclMatchAcl: checking 'acl manager proto cache_object'
2006/01/25 17:02:06| aclMatchAclList: no match, returning 0
2006/01/25 17:02:06| aclCheck: checking 'http_access deny !Safe_ports'
2006/01/25 17:02:06| aclMatchAclList: checking !Safe_ports
2006/01/25 17:02:06| aclMatchAcl: checking 'acl Safe_ports port 80          # http'
2006/01/25 17:02:06| aclMatchAclList: no match, returning 0
2006/01/25 17:02:06| aclCheck: checking 'http_access deny CONNECT !SSL_ports'
2006/01/25 17:02:06| aclMatchAclList: checking CONNECT
2006/01/25 17:02:06| aclMatchAcl: checking 'acl CONNECT method CONNECT'
2006/01/25 17:02:06| aclMatchAclList: no match, returning 0
2006/01/25 17:02:06| aclCheck: checking 'http_access allow localhost'
2006/01/25 17:02:06| aclMatchAclList: checking localhost
2006/01/25 17:02:06| aclMatchAcl: checking 'acl localhost src 127.0.0.1/255.255.255.255'
2006/01/25 17:02:06| aclMatchIp: '192.168.125.44' NOT found
2006/01/25 17:02:06| aclMatchAclList: no match, returning 0
2006/01/25 17:02:06| aclCheck: checking 'http_access allow allowedUsers Authenticated'
2006/01/25 17:02:06| aclMatchAclList: checking allowedUsers
2006/01/25 17:02:06| aclMatchAcl: checking 'acl allowedUsers external ad_group InternetAllowed'
2006/01/25 17:02:06| authenticateAuthenticate: header NTLM TlRMTVNTUAABAAAAB7IIogYABgAuAAAABgAGACgAAAAFASgKAAAAD0lFTDAwMUZJTkVPU2==.
2006/01/25 17:02:06| authenticateAuthenticate: This is a new checklist test on FD:44
2006/01/25 17:02:06| authenticateAuthenticate: no connection authentication type
2006/01/25 17:02:06| aclMatchAcl: returning 0 sending credentials to helper.
2006/01/25 17:02:06| aclMatchAclList: no match, returning 0
2006/01/25 17:02:06| aclCheck: checking password via authenticator
2006/01/25 17:02:06| aclCheck: checking 'http_access allow allowedUsers Authenticated'
2006/01/25 17:02:06| aclMatchAclList: checking allowedUsers
2006/01/25 17:02:06| aclMatchAcl: checking 'acl allowedUsers external ad_group InternetAllowed'
2006/01/25 17:02:06| authenticateAuthenticate: header NTLM TlRMTVNTUAABAAAAB7IIogYABgAuAAAABgAGACgAAAAFASgKAAAAD0lFTDAwMUZJTkVPU2==.
2006/01/25 17:02:06| aclMatchAcl: returning 0 sending authentication challenge.
2006/01/25 17:02:06| aclMatchAclList: no match, returning 0
2006/01/25 17:02:06| aclCheck: requiring Proxy Auth header.
2006/01/25 17:02:06| aclCheck: match found, returning 2
2006/01/25 17:02:06| aclCheckCallback: answer=2
2006/01/25 17:02:06| The request GET http://www.google.com/ is DENIED, because it matched 'allowedUsers'
2006/01/25 17:02:06| aclCheck: checking 'http_access allow manager localhost'
2006/01/25 17:02:06| aclMatchAclList: checking manager
2006/01/25 17:02:06| aclMatchAcl: checking 'acl manager proto cache_object'
2006/01/25 17:02:06| aclMatchAclList: no match, returning 0
2006/01/25 17:02:06| aclCheck: checking 'http_access deny manager'
2006/01/25 17:02:06| aclMatchAclList: checking manager
2006/01/25 17:02:06| aclMatchAcl: checking 'acl manager proto cache_object'
2006/01/25 17:02:06| aclMatchAclList: no match, returning 0
2006/01/25 17:02:06| aclCheck: checking 'http_access deny !Safe_ports'
2006/01/25 17:02:06| aclMatchAclList: checking !Safe_ports
2006/01/25 17:02:06| aclMatchAcl: checking 'acl Safe_ports port 80          # http'
2006/01/25 17:02:06| aclMatchAclList: no match, returning 0
2006/01/25 17:02:06| aclCheck: checking 'http_access deny CONNECT !SSL_ports'
2006/01/25 17:02:06| aclMatchAclList: checking CONNECT
2006/01/25 17:02:06| aclMatchAcl: checking 'acl CONNECT method CONNECT'
2006/01/25 17:02:06| aclMatchAclList: no match, returning 0
2006/01/25 17:02:06| aclCheck: checking 'http_access allow localhost'
2006/01/25 17:02:06| aclMatchAclList: checking localhost
2006/01/25 17:02:06| aclMatchAcl: checking 'acl localhost src 127.0.0.1/255.255.255.255'
2006/01/25 17:02:06| aclMatchIp: '192.168.125.44' NOT found
2006/01/25 17:02:06| aclMatchAclList: no match, returning 0
2006/01/25 17:02:06| aclCheck: checking 'http_access allow allowedUsers Authenticated'
2006/01/25 17:02:06| aclMatchAclList: checking allowedUsers
2006/01/25 17:02:06| aclMatchAcl: checking 'acl allowedUsers external ad_group InternetAllowed'
2006/01/25 17:02:06| authenticateAuthenticate: header NTLM TlRMTVNTUAADAAAAGAAYAFoAAAAYABgAcgAAAAYABgBIAAAABgAGAE4AAAAGAAYAVAAAAAAAAACKAAAABgIAAgUBKAoAAAAPRklORU9TREVBU1lQSUVMMDAxzA6KawMiVwlricBargFt/dnljC31SpyK0jxrX0LLu+Ey4fDvLDSEP8YCIr2E2jFS.
2006/01/25 17:02:06| authenticateAuthenticate: This is a new checklist test on FD:44
2006/01/25 17:02:06| aclMatchAcl: returning 0 sending credentials to helper.
2006/01/25 17:02:06| aclMatchAclList: no match, returning 0
2006/01/25 17:02:06| aclCheck: checking password via authenticator
2006/01/25 17:02:06| aclCheck: checking 'http_access allow allowedUsers Authenticated'
2006/01/25 17:02:06| aclMatchAclList: checking allowedUsers
2006/01/25 17:02:06| aclMatchAcl: checking 'acl allowedUsers external ad_group InternetAllowed'
2006/01/25 17:02:06| authenticateAuthenticate: header NTLM TlRMTVNTUAADAAAAGAAYAFoAAAAYABgAcgAAAAYABgBIAAAABgAGAE4AAAAGAAYAVAAAAAAAAACKAAAABgIAAgUBKAoAAAAPRklORU9TREVBU1lQSUVMMDAxzA6KawMiVwlricBargFt/dnljC31SpyK0jxrX0LLu+Ey4fDvLDSEP8YCIr2E2jFS.
2006/01/25 17:02:06| aclMatchAclList: no match, returning 0
2006/01/25 17:02:06| aclCheck: checking 'http_access allow allowedUsers Authenticated'
2006/01/25 17:02:06| aclMatchAclList: checking allowedUsers
2006/01/25 17:02:06| aclMatchAcl: checking 'acl allowedUsers external ad_group InternetAllowed'
2006/01/25 17:02:06| aclMatchAclList: no match, returning 0
2006/01/25 17:02:06| aclCheck: checking 'http_access deny all'
2006/01/25 17:02:06| aclMatchAclList: checking all
2006/01/25 17:02:06| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2006/01/25 17:02:06| aclMatchIp: '192.168.125.44' found
2006/01/25 17:02:06| aclMatchAclList: returning 1
2006/01/25 17:02:06| aclCheck: match found, returning 0
2006/01/25 17:02:06| aclCheckCallback: answer=0
2006/01/25 17:02:06| The request GET http://www.google.com/ is DENIED, because it matched 'all'

http_port 8080
icp_port 0
cache_peer x.x.x.x parent 80 7 no-query default
hierarchy_stoplist cgi-bin ?
cache_mem 100 MB
cache_dir ufs /var/cache/squid 500 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log none
ftp_user anonymous@xxxxxxxx
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
#=========Authentication Bit==========================
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 15
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate off
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 15
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
#==========Use AD Domain groups for ACLsv===============
external_acl_type ad_group ttl=0 concurrency=5 %LOGIN /usr/libexec/wbinfo_group.pl
#==========ACCESS CONTROLS===============================
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports_ftp port 21      # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl CONNECT method CONNECT

acl allowedUsers external ad_group InternetAllowed
acl Authenticated proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow allowedUsers Authenticated
http_access deny all

http_reply_access allow all
icp_access allow all
mail_from squid@xxxxxxxxxxxxxxxxx
mail_program mail
cache_mgr hostmaster
cache_effective_user squid
cache_effective_group squid
append_domain .company.com
never_direct allow all
coredump_dir /var/cache/squid
#note 33,2 lets you see which acl allowed or denied
debug_options ALL,1 33,2 28,9
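To make the helper's OK/ERR decision visible step by step, here is an added Python model of a Squid external ACL group helper (written for this note; it is not the wbinfo_group.pl that ships with Squid). It assumes the stock script's chain of wbinfo -n, -Y and -r calls, and a constructed fake winbind table stands in for winbindd so it runs without a domain; whichever step returns nothing is named alongside the ERR.

```python
"""Offline model of a Squid external ACL group helper (hypothetical, not
the wbinfo_group.pl shipped with Squid).  Assumed lookup chain, as in the
stock script: group -> SID (wbinfo -n), SID -> GID (wbinfo -Y), user's
GIDs (wbinfo -r), then compare.  `run` is injectable so each step can be
exercised, and its failure point named, without a live winbindd."""
import subprocess
from urllib.parse import unquote

def real_wbinfo(argv):
    """Default runner: wbinfo on PATH; returns stdout, or "" if it fails."""
    r = subprocess.run(argv, capture_output=True, text=True)
    return r.stdout if r.returncode == 0 else ""

def check_membership(user, group, run=real_wbinfo):
    """Return (verdict, reason); verdict is the 'OK'/'ERR' Squid expects."""
    sid_line = run(["wbinfo", "-n", group]).strip()
    if not sid_line:
        return "ERR", f"wbinfo -n cannot resolve group {group!r}"
    group_sid = sid_line.split()[0]        # "S-1-5-21-... SID_DOM_GROUP (2)"
    gid = run(["wbinfo", "-Y", group_sid]).strip()
    if not gid.isdigit():
        return "ERR", f"wbinfo -Y gives no GID for {group_sid}"
    user_gids = run(["wbinfo", "-r", user]).split()
    if not user_gids:
        return "ERR", f"wbinfo -r lists no groups for user {user!r}"
    if gid in user_gids:
        return "OK", f"{user} has gid {gid} ({group})"
    return "ERR", f"{user} resolved, but gid {gid} is not in {user_gids}"

def handle_request(line, run=real_wbinfo):
    """One request line -> one response line.  Fields are %xx-encoded and
    space separated (%LOGIN first, then the acl's group arguments).  A
    concurrency-enabled helper gets a leading channel id to echo back."""
    parts = [unquote(p) for p in line.split()]
    channel = ""
    if parts and parts[0].isdigit():
        channel, parts = parts[0] + " ", parts[1:]
    if len(parts) < 2:
        return channel + "ERR"
    user, groups = parts[0], parts[1:]
    ok = any(check_membership(user, g, run)[0] == "OK" for g in groups)
    return channel + ("OK" if ok else "ERR")

# Constructed stand-in for winbindd: it only knows domain-qualified names
# (separator "/", as in the post) and uses made-up SIDs/GIDs.
FAKE = {
    ("-n", "MYDOMAIN/InternetAllowed"): "S-1-5-21-1-2-3-1107 SID_DOM_GROUP (2)\n",
    ("-Y", "S-1-5-21-1-2-3-1107"): "10005\n",
    ("-r", "MYDOMAIN/pauld"): "10001\n10005\n",
}
def fake_wbinfo(argv):
    return FAKE.get((argv[1], argv[2]), "")

if __name__ == "__main__":
    for req in ("MYDOMAIN/pauld InternetAllowed",          # fails at wbinfo -n
                "MYDOMAIN/pauld MYDOMAIN/InternetAllowed",  # passes
                "7 MYDOMAIN%2Fpauld MYDOMAIN%2FInternetAllowed"):
        print(req, "->", handle_request(req, fake_wbinfo), check_membership(*unquote(req).split()[-2:], fake_wbinfo)[1])
```

Swapping `fake_wbinfo` for the default runner on the proxy itself reproduces the three wbinfo calls one at a time, so the reason string shows which lookup the real winbindd is refusing.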
