On 2/22/07, Ray Dermody <dermodyr@xxxxxxxxx> wrote:
> Hi,
>
> Thanks for that Craig, that seems to have got me a bit further now. I'm getting prompted for a username and password when I try to browse but it is accepting nothing. Under /var/log/messages I can see ntlm_auth (permission?) errors.
>
> Feb 22 12:43:16 squidtest kernel: audit(1172148196.323:12): avc: denied { create } for pid=3133 comm="ntlm_auth" scontext=user_u:system_r:winbind_helper_t tcontext=user_u:system_r:winbind_helper_t tclass=udp_socket
> Feb 22 12:43:16 squidtest kernel: audit(1172148196.323:13): avc: denied { create } for pid=3133 comm="ntlm_auth" scontext=user_u:system_r:winbind_helper_t tcontext=user_u:system_r:winbind_helper_t tclass=udp_socket
> Feb 22 12:43:16 squidtest kernel: audit(1172148196.323:14): avc: denied { create } for pid=3133 comm="ntlm_auth" scontext=user_u:system_r:winbind_helper_t tcontext=user_u:system_r:winbind_helper_t tclass=udp_socket
>
> Has anyone seen this error before?

These are audit notices from SELinux. It appears that SELinux is set to permissive mode. As they begin with 'audit' they have no true effect on your system's operation. Somebody with more SELinux policy experience than I might be able to tell you how to correct the policy to permit the helper program. However, I don't think this is affecting any issues you are mentioning in this post.

If you are working with a client that is *not* a member of your domain you may need to try entering the username as 'domain\username' or 'username@domain'. If the machine is not a domain member it will supply its own name in the place of 'domain' and the authentication will fail.

You can also tail the squid access.log while attempting to browse and see what is happening to the request. Maybe the cache.log also... although this may depend on the debug level set in your squid.conf (again, maybe someone more knowledgeable can comment on this).

Chris
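
Reading the three AVC records quoted above field by field, as an added example that is not part of either message: the Python below parses the kernel audit lines, collapses duplicates, and prints the type-enforcement rule each distinct denial corresponds to. The function names are hypothetical, and the rule text follows the style audit2allow prints; it is a candidate for policy review.

```python
import re
from collections import Counter

# Log lines copied from the message above (kernel audit records in /var/log/messages).
SAMPLE = """\
Feb 22 12:43:16 squidtest kernel: audit(1172148196.323:12): avc: denied { create } for pid=3133 comm="ntlm_auth" scontext=user_u:system_r:winbind_helper_t tcontext=user_u:system_r:winbind_helper_t tclass=udp_socket
Feb 22 12:43:16 squidtest kernel: audit(1172148196.323:13): avc: denied { create } for pid=3133 comm="ntlm_auth" scontext=user_u:system_r:winbind_helper_t tcontext=user_u:system_r:winbind_helper_t tclass=udp_socket
Feb 22 12:43:16 squidtest kernel: audit(1172148196.323:14): avc: denied { create } for pid=3133 comm="ntlm_auth" scontext=user_u:system_r:winbind_helper_t tcontext=user_u:system_r:winbind_helper_t tclass=udp_socket
"""

AVC_RE = re.compile(
    r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$'
)

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"serial": int(m["serial"]), "perms": tuple(sorted(m["perms"].split()))}
    # Remaining fields are key=value pairs; values may be double-quoted.
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', m["fields"]):
        rec[key] = value.strip('"')
    return rec

def type_of(context):
    """SELinux contexts are user:role:type[:level]; return the type field."""
    return context.split(":")[2]

def summarize(text):
    """Count denials per (comm, source type, target type, class, perms)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            counts[(rec["comm"], type_of(rec["scontext"]),
                    type_of(rec["tcontext"]), rec["tclass"], rec["perms"])] += 1
    return counts

def candidate_rule(src, tgt, tclass, perms):
    """Type-enforcement rule matching the denial (source == target becomes 'self')."""
    target = "self" if src == tgt else tgt
    perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {src} {target}:{tclass} {perm};"

if __name__ == "__main__":
    for (comm, src, tgt, tclass, perms), n in summarize(SAMPLE).items():
        print(f"{n}x {comm}: {candidate_rule(src, tgt, tclass, perms)}")
```

On a system with the SELinux policy tools installed, audit2allow performs this derivation from the same log records.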