Hi all,

I've searched through the archives and the internet but as of yet I have been unable to find a solution. There are one or two topics that refer to the problem but no solution as of yet. So if it has been posted before I do apologise.

I am running ubuntu 6.06 LAMP server and have installed squid 2.5 stable12 with winbind and samba 3.0.22 authenticating against AD. I am not sure which version of winbind I am using but it must be one of the latest stable releases available in the repositories.

Authentication works fine without any problems. The problem I have is that when a user accesses a site we've blocked it prompts them for a username and password. As far as I know it is ntlm_auth because there is no prompt for domain, just username and password.

The cache.log doesn't quite tell me anything, nor do any of the other logs. I have a very busy syslog so I need to grep the info I need, but don't know what to search for. If I grep winbind I do get the following:

Sep 12 09:39:01 helsinki winbindd[4013]: [2007/09/12 09:39:01, 0] lib/util_sid.c:string_to_sid(285)
Sep 12 09:39:01 helsinki winbindd[4013]: string_to_sid: Sid S-0-0 is not in a valid format.

I can use wbinfo to query the domain for just about everything: the trust succeeds, I can get the gids for a user, I can look up domain users and domain groups. Wbinfo_group.pl when queried returns with OK as does ntlm_auth -protocol-helper=squid-2.5-basic.

I googled it but it seems that samba used to in the past ignore these messages but now it forwards them through to syslog. I do not really know what to look for in the logs for this problem. Permissions on winbindd_privileged are set (and I think correctly because otherwise it would just not authenticate).

The users are still denied from accessing the website but it prompts them each time. And whenever they are on google's image website it creates massive complaints when there are some images referenced to a denied site and then the prompt just keeps appearing.

This probably shouldn't have any bearing on the problem, but I'll mention it anyway. I have also installed nagios 3.0b along with apache2. Though I think they should work nicely together.

Any help is greatly appreciated.

Here are my squid.conf details

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
#auth_param ntlm children 5
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 2 minutes
#auth_param ntlm children 80
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 1
auth_param ntlm max_challenge_lifetime 5 minutes
auth_param ntlm use_ntlm_negotiate on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 50
auth_param basic realm DAV-webcache proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

### exampl
#auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
#auth_param ntlm children 5
#auth_param ntlm max_challenge_reuses 0
#auth_param ntlm max_challenge_lifetime 20 minutes
#auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
#auth_param basic children 5
#auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours

## ACL for ADS user
#external_acl_type NT_global_group %LOGIN /usr/lib/squid/wb_group
##external_acl_type NT_global_group children=10 ttl=900 %LOGIN /usr/lib/squid/wbinfo_group.pl
external_acl_type NT_global_group children=30 ttl=2700 %LOGIN /usr/lib/squid/wbinfo_group.pl

acl ProxyUsers external NT_global_group WebAccessAllowed
acl AuthorizedUsers proxy_auth REQUIRED
acl TrustedUsers proxy_auth REQUIRED
acl UnrestrictedUsers external NT_global_group WebAll
acl RestrictedUsers external NT_global_group WebMoreAccess
acl NewUsers external NT_global_group BlockedCareerSites

##Access control lists must be entered here
http_access deny blocked_sites_1 RestrictedUsers
http_access deny blocked_sites ProxyUsers
http_access deny blocked_career_sites NewUsers
http_access allow AuthorizedUsers ProxyUsers
http_access allow TrustedUsers RestrictedUsers
http_access allow UnrestrictedUsers
http_access allow NewUsers
#http_access allow dav_net
#miss_access allow all
#always_direct deny all
#never_direct allow all

# And finally deny all other access to this proxy
http_access deny all

Thanks
Marcel
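
An added check, not part of Marcel's post and not Squid's own code: when the last ACL on the matching `http_access deny` line is login-based (`proxy_auth`, or an external ACL fed `%LOGIN`), Squid treats the denial as a credentials problem and answers 407, which the browser shows as a password prompt; ending the rule with a non-login ACL such as `all` yields a plain denial instead. The Python sketch below flags such lines in a trimmed, constructed copy of the config above; the function names are hypothetical.

```python
# Constructed sample: the access rules from the post, trimmed to the relevant lines.
SAMPLE_CONF = """\
external_acl_type NT_global_group children=30 ttl=2700 %LOGIN /usr/lib/squid/wbinfo_group.pl
acl ProxyUsers external NT_global_group WebAccessAllowed
acl AuthorizedUsers proxy_auth REQUIRED
acl RestrictedUsers external NT_global_group WebMoreAccess
acl NewUsers external NT_global_group BlockedCareerSites
http_access deny blocked_sites_1 RestrictedUsers
http_access deny blocked_sites ProxyUsers
http_access deny blocked_career_sites NewUsers
http_access allow AuthorizedUsers ProxyUsers
#http_access allow dav_net
http_access deny all
"""

AUTH_ACL_TYPES = {"proxy_auth", "proxy_auth_regex"}


def auth_acls(conf):
    """Return the names of ACLs whose result depends on the user's login."""
    login_helpers, names = set(), set()
    for line in conf.splitlines():
        tok = line.split()  # commented-out directives never match a keyword below
        if len(tok) >= 3 and tok[0] == "external_acl_type" and "%LOGIN" in tok:
            login_helpers.add(tok[1])
        elif len(tok) >= 3 and tok[0] == "acl":
            if tok[2] in AUTH_ACL_TYPES:
                names.add(tok[1])
            elif tok[2] == "external" and len(tok) > 3 and tok[3] in login_helpers:
                names.add(tok[1])
    return names


def deny_rules_that_reprompt(conf):
    """List (line_no, rule) for http_access deny rules ending in a login-based ACL."""
    names = auth_acls(conf)
    hits = []
    for no, line in enumerate(conf.splitlines(), 1):
        tok = line.split()
        if len(tok) >= 3 and tok[:2] == ["http_access", "deny"]:
            if tok[-1].lstrip("!") in names:  # a negated ACL is still login-based
                hits.append((no, " ".join(tok)))
    return hits


if __name__ == "__main__":
    for no, rule in deny_rules_that_reprompt(SAMPLE_CONF):
        print(f"line {no}: {rule}  <- last ACL is login-based, expect 407")
```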