/etc/init.d/squid restart
 * Restarting Squid HTTP proxy squid
2009/08/18 14:04:15| Invalid Proxy Auth ACL 'acl AuthorizedUsers proxy_auth REQUIRED' because no authentication schemes are fully configured.
FATAL: Bungled squid.conf line 39: acl AuthorizedUsers proxy_auth REQUIRED
Squid Cache (Version 2.6.STABLE18): Terminated abnormally.
   [fail]

squid.conf

root@sunbox:/var/log/squid# more /etc/squid/squid.conf
visible_hostname sunbox
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
http_port 100.100.100.50:3128
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl Safe_ports port 993 # IMAP
acl Safe_ports port 587 # SMTP
acl Safe_ports port 22 # SSH
acl purge method PURGE
acl special_urls url_regex "/etc/squid/squid-noblock.acl"
acl extndeny url_regex -i "/etc/squid/blocks.files.acl"
acl malware_block_list url_regex -i "/etc/squid/malware_block_list.txt"
acl badurl url_regex -i teen orkut youtube sex mp3 mp4 exe
acl lan src 192.168.1.0 100.100.100.0/24
acl stud ident_regex babu
acl download method GET
acl CONNECT method CONNECT
acl AuthorizedUsers proxy_auth REQUIRED
cache_mem 100 MB
#redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
ident_lookup_access allow all
http_access deny all
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access allow special_urls
http_access deny extndeny download
http_access deny extndeny
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny badurl
http_access deny malware_block_list
deny_info http://malware.hiperlinks.com.br/denied.shtml malware_block_list
http_access allow localhost
http_access allow lan
http_reply_access allow all
http_access allow AuthorizedUsers
http_access deny all
icp_access allow all
coredump_dir /var/spool/squid
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
# ntlm_auth from Samba 3 supports NTLM NEGOTIATE packet
auth_param ntlm use_ntlm_negotiate on
# warning: basic authentication sends passwords plaintext
# a network sniffer can and will discover passwords
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

Thanks
Avinash

On Tue, Aug 18, 2009 at 12:33 PM, Chris Boczko<Christopher.Boczko@xxxxxxxxxxxxx> wrote:
> checking the trust secret via RPC calls succeeded means the secret is good, they changed the wording a while back, glad you're working
>
> chris
>
> Kind Regards,
> Christopher Boczko
> Server Support Analyst - IT Shared Services
> HomeServe
> Chemdry UK, Colonial House, Swinemoor Lane, Beverley, HU17 0LS
>
> DDI: 01482 677272
> Mob: 07967 059241
>
> www.homeserve.com
> www.chemdry.co.uk
>
>
> -----Original Message-----
> From: Avinash Rao [mailto:avinash.aol@xxxxxxxxx]
> Sent: 17 August 2009 16:38
> To: Chris Boczko
> Subject: Re: Need help in integrating squid and samba
>
> Chris,
>
> Please don't get bugged, wbinfo -g is working now ..
> wbinfo -g
> BUILTIN\administrators
> BUILTIN\users
>
> and even wbinfo -t
>
> wbinfo -t
> checking the trust secret via RPC calls succeeded
>
> but it didn't give the output "the secret is good" . I have no idea how
> this is working all of a sudden, it didn't work a little while ago!
>
> Regards,
> Avinash
>
>
>
> On Mon, Aug 17, 2009 at 8:58 PM, Avinash Rao<avinash.aol@xxxxxxxxx> wrote:
>> Yes, Squid and Samba(PDC) are running on the same server.
>>
>> wbinfo -g won't work as i have not created any of the NT Domain Groups
>> is that necessary? Coz, i have a very simple samba configuration.
>>
>> I went through the link and made changes to nsswitch conf.
>>
>> wbinfo -set-auth-user=Administrator%'password'
>> Could not lookup sid Administrator%password
>>
>> But, I could join the domain, i just entered net join and entered the
>> current users password and it said joined the domain!
>> wbinfo -u
>> Error looking up domain users
>>
>> Thanks again
>> Avinash
>>
>>
>>
>> On Mon, Aug 17, 2009 at 8:29 PM, Chris
>> Boczko<Christopher.Boczko@xxxxxxxxxxxxx> wrote:
>>> Right ok,
>>>
>>> So squid is running samba (as a pdc) and squid as a cache?
>>>
>>> Can you try running wbinfo -g, and if that doesn't work, try running wbinfo --set-auth-user=Administrator%'YourPassword' (see: http://www.debian-administration.org/article/Question_Winbind_on_samba_PDC), then run wbinfo -g again
>>>
>>> Kind Regards,
>>> Christopher Boczko
>>> Server Support Analyst - IT Shared Services
>>> HomeServe
>>> Chemdry UK, Colonial House, Swinemoor Lane, Beverley, HU17 0LS
>>>
>>> DDI: 01482 677272
>>> Mob: 07967 059241
>>>
>>> www.homeserve.com
>>> www.chemdry.co.uk
>>>
>>>
>>> -----Original Message-----
>>> From: Avinash Rao [mailto:avinash.aol@xxxxxxxxx]
>>> Sent: 17 August 2009 15:56
>>> To: Chris Boczko
>>> Subject: Re: Need help in integrating squid and samba
>>>
>>> Yes it's on the squid server and it's a PDC and the passwd backend is tdbsam
>>>
>>>
>>>
>>> On Mon, Aug 17, 2009 at 8:22 PM, Chris
>>> Boczko<Christopher.Boczko@xxxxxxxxxxxxx> wrote:
>>>> This is on the squid server?
>>>>
>>>> It's trying to be a pdc
>>>>
>>>>
>>>> domain logons = yes
>>>> os level = 65
>>>> prefered master = yes
>>>> domain master = yes
>>>> local master = yes
>>>>
>>>> Kind Regards,
>>>> Christopher Boczko
>>>> Server Support Analyst - IT Shared Services
>>>> HomeServe
>>>> Chemdry UK, Colonial House, Swinemoor Lane, Beverley, HU17 0LS
>>>>
>>>> DDI: 01482 677272
>>>> Mob: 07967 059241
>>>>
>>>> www.homeserve.com
>>>> www.chemdry.co.uk
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Avinash Rao [mailto:avinash.aol@xxxxxxxxx]
>>>> Sent: 17 August 2009 15:51
>>>> To: Chris Boczko
>>>> Subject: Re: Need help in integrating squid and samba
>>>>
>>>> smb.conf
>>>>
>>>> [global]
>>>> workgroup = abc
>>>> server string = Samba on SUN
>>>> max log size = 500
>>>> log level = 1
>>>> interfaces = eth2 100.100.100.251
>>>> bind interfaces only = True
>>>>
>>>> log file = /var/log/samba/log.%m
>>>> max log size = 1000
>>>>
>>>> domain logons = yes
>>>> os level = 65
>>>> prefered master = yes
>>>> domain master = yes
>>>> local master = yes
>>>>
>>>> winbind uid = 10000-20000
>>>> winbind gid = 10000-20000
>>>> winbind use default domain = yes
>>>>
>>>> add machine script = /usr/sbin/useradd -s /bin/false -d /home/nobody %u
>>>> dns proxy =No
>>>> hosts allow = 127. 100.100.100.
>>>> wins support = Yes
>>>> passdb backend = smbpasswd
>>>>
>>>> encrypt passwords = true
>>>> smb passwd file = /etc/samba/smbpasswd
>>>> security = user
>>>> netbios name = sunbox
>>>> username map = /etc/samba/smbusers
>>>>
>>>> [homes]
>>>> comment = Home Dir
>>>> read only = NO
>>>> browseable = NO
>>>> valid users = %S
>>>> path = %H
>>>> directory mask = 0700
>>>> create mask = 0700
>>>>
>>>>
>>>> [share]
>>>> comment = test share
>>>> path = /sambashare
>>>> valid users = nimda
>>>> create mask = 0765
>>>>
>>>>
>>>> Cheers
>>>> Avinash
>>>>
>>>>
>>>> On Mon, Aug 17, 2009 at 8:04 PM, Chris
>>>> Boczko<Christopher.Boczko@xxxxxxxxxxxxx> wrote:
>>>>> Ah, makes a little more sense, but i'm afraid my only experience is with windows as an active directory controller and samba linking to that, but i can still take a look at your smb.conf if you would like
>>>>>
>>>>> Kind Regards,
>>>>> Christopher Boczko
>>>>> Server Support Analyst - IT Shared Services
>>>>> HomeServe
>>>>> Chemdry UK, Colonial House, Swinemoor Lane, Beverley, HU17 0LS
>>>>>
>>>>> DDI: 01482 677272
>>>>> Mob: 07967 059241
>>>>>
>>>>> www.homeserve.com
>>>>> www.chemdry.co.uk
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: Avinash Rao [mailto:avinash.aol@xxxxxxxxx]
>>>>> Sent: 17 August 2009 15:30
>>>>> To: Chris Boczko
>>>>> Cc: squid-users@xxxxxxxxxxxxxxx
>>>>> Subject: Re: Need help in integrating squid and samba
>>>>>
>>>>> Dear Christopher,
>>>>>
>>>>> Thank you for your reply.
>>>>>
>>>>> I am not using Active Directory, I am using a samba as a PDC (NT4) and
>>>>> it's a simple configuration. All clients are WinXP and they login to
>>>>> the domain and i just want to control their access to internet that is
>>>>> all.
>>>>>
>>>>> And there is no other Windows NT domain machine in my network, it's
>>>>> just this ubuntu server running squid and samba!
>>>>>
>>>>> If i am right?
>>>>> wbinfo -t will not work coz, i don't have a windows NT
>>>>> domain machine and no trust exists. But, how do i control, restrict or
>>>>> allow internet access for samba domain users through squid?
>>>>>
>>>>> Many Thanks
>>>>> Avinash
>>>>>
>>>>>
>>>>> On Mon, Aug 17, 2009 at 7:50 PM, Chris
>>>>> Boczko<Christopher.Boczko@xxxxxxxxxxxxx> wrote:
>>>>>> Yes,
>>>>>>
>>>>>> If you are using active directory 2000/2003/2008, you'll need to configure krb5 first
>>>>>>
>>>>>> Please see http://ubuntuforums.org/showthread.php?t=91510 , but you only need to follow steps 1-3, then 7-9
>>>>>>
>>>>>> Then run
>>>>>>
>>>>>> Wbinfo -t to check the trust and
>>>>>> Wbinfo -g to list groups
>>>>>>
>>>>>> Kind Regards,
>>>>>> Christopher Boczko
>>>>>> Server Support Analyst - IT Shared Services
>>>>>> HomeServe
>>>>>> Chemdry UK, Colonial House, Swinemoor Lane, Beverley, HU17 0LS
>>>>>>
>>>>>> DDI: 01482 677272
>>>>>> Mob: 07967 059241
>>>>>>
>>>>>> www.homeserve.com
>>>>>> www.chemdry.co.uk
>>>>>>
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Avinash Rao [mailto:avinash.aol@xxxxxxxxx]
>>>>>> Sent: 17 August 2009 14:57
>>>>>> To: Chris Boczko
>>>>>> Subject: Re: Need help in integrating squid and samba
>>>>>>
>>>>>> root@sunbox: net join -U user
>>>>>> Password:
>>>>>> Creation of workstation account failed
>>>>>> Unable to join domain abc
>>>>>>
>>>>>> user@sunbox:/usr/lib/squid$ net join -U user1
>>>>>> [2009/08/17 19:24:05, 0] passdb/secrets.c:secrets_init(66)
>>>>>> Failed to open /var/lib/samba/secrets.tdb
>>>>>> [2009/08/17 19:24:05, 0] utils/net_rpc.c:rpc_oldjoin_internals(309)
>>>>>> error storing domain sid for abc
>>>>>>
>>>>>> No, I haven't configured krb5. Do we need all this just to control
>>>>>> internet access for samba domain users?
>>>>>>
>>>>>> Avinash
>>>>>>
>>>>>>
>>>>>> On Mon, Aug 17, 2009 at 7:19 PM, Chris
>>>>>> Boczko<Christopher.Boczko@xxxxxxxxxxxxx> wrote:
>>>>>>> Have you run net join on the squid server (from the command line), and have you configured krb5?
>>>>>>>
>>>>>>> Does kinit (user)@(domain).(domain) work?
>>>>>>>
>>>>>>> Kind Regards,
>>>>>>> Christopher Boczko
>>>>>>>
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Avinash Rao [mailto:avinash.aol@xxxxxxxxx]
>>>>>>> Sent: 17 August 2009 14:47
>>>>>>> To: Chris Boczko
>>>>>>> Subject: Re: Need help in integrating squid and samba
>>>>>>>
>>>>>>> Samba Version:
>>>>>>>
>>>>>>> dpkg -l | grep samba
>>>>>>> ii samba 3.0.28a-1ubuntu4.8 a LanManager-like file and printer server fo
>>>>>>> ii samba-common 3.0.28a-1ubuntu4.8 Samba common files used by both
>>>>>>> the server a
>>>>>>>
>>>>>>> Ubuntu 8.04 Server 64-bit.
>>>>>>>
>>>>>>> Net Join? You mean from a windows client? I have only winXP clients
>>>>>>> and they are all configured to login to the domain.
>>>>>>>
>>>>>>> Avinash
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Aug 17, 2009 at 7:07 PM, Chris
>>>>>>> Boczko<Christopher.Boczko@xxxxxxxxxxxxx> wrote:
>>>>>>>> Have you tried rejoining the domain using
>>>>>>>>
>>>>>>>> Net join ?
>>>>>>>>
>>>>>>>> Then testing the join with
>>>>>>>>
>>>>>>>> Wbinfo -t
>>>>>>>>
>>>>>>>> Also, which version of debian / samba / ad are you running?
>>>>>>>>
>>>>>>>> Kind Regards,
>>>>>>>> Christopher Boczko
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Avinash Rao [mailto:avinash.aol@xxxxxxxxx]
>>>>>>>> Sent: 17 August 2009 14:25
>>>>>>>> To: squid-users@xxxxxxxxxxxxxxx
>>>>>>>> Subject: Fwd: Need help in integrating squid and samba
>>>>>>>>
>>>>>>>> Thanks for the quick response.
>>>>>>>> And, yes i will install squid using apt-get install command.
>>>>>>>> The basic winbindd functionality "wbinfo -t": is not successful
>>>>>>>>
>>>>>>>> wbinfo -t
>>>>>>>> checking the trust secret via RPC calls failed
>>>>>>>> error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
>>>>>>>> Could not check secret
>>>>>>>>
>>>>>>>> Even, wbinfo -a mydomain\\myuser%mypasswd is unsuccessful
>>>>>>>>
>>>>>>>> Wondering how i should proceed without this?
>>>>>>>>
>>>>>>>> Avinash
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Mon, Aug 17, 2009 at 1:15 PM, Amos Jeffries<squid3@xxxxxxxxxxxxx> wrote:
>>>>>>>>> [re-inserting squid-users mailing list]
>>>>>>>>>
>>>>>>>>> Avinash Rao wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Mon, Aug 17, 2009 at 11:30 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx
>>>>>>>>>> <mailto:squid3@xxxxxxxxxxxxx>> wrote:
>>>>>>>>>>
>>>>>>>>>> Avinash Rao wrote:
>>>>>>>>>>
>>>>>>>>>> Dear all,
>>>>>>>>>>
>>>>>>>>>> I am new here and i would like to know the correct procedure for
>>>>>>>>>> compiling squid to integrate with samba.
>>>>>>>>>> I am doing this on a Ubuntu 8.04 Server 64-bit edition and i
>>>>>>>>>> have all
>>>>>>>>>> the updates installed. In fact, i have installed samba through
>>>>>>>>>> apt-get
>>>>>>>>>> install and is configured as a PDC.
>>>>>>>>>>
>>>>>>>>>> dpkg -l | grep samba
>>>>>>>>>> ii samba 3.0.28a-1ubuntu4.8 a LanManager-like file and
>>>>>>>>>> printer server fo
>>>>>>>>>> ii samba-common 3.0.28a-1ubuntu4.8 Samba common files used
>>>>>>>>>> by both
>>>>>>>>>> the server a
>>>>>>>>>>
>>>>>>>>>> I am in need of controlling internet access for samba domain users
>>>>>>>>>> through squid.
>>>>>>>>>> I read the documentation and it says Squid must be
>>>>>>>>>> built with the configure options:
>>>>>>>>>>
>>>>>>>>>> --enable-auth="ntlm,basic"
>>>>>>>>>> --enable-basic-auth-helpers="winbind"
>>>>>>>>>> --enable-ntlm-auth-helpers="winbind"
>>>>>>>>>>
>>>>>>>>>> According to the documentation,
>>>>>>>>>> --------
>>>>>>>>>> Samba 3.x
>>>>>>>>>> ---------
>>>>>>>>>> Things are much easier under the 3.x versions of Samba. Smbd is no
>>>>>>>>>> longer required to manage the machine's trust account, and there
>>>>>>>>>> is
>>>>>>>>>> no need to patch any utilities.
>>>>>>>>>> The Samba team has incorporated functionality to change the machine
>>>>>>>>>> trust account password in the new "net" command. A simple daily
>>>>>>>>>> cron
>>>>>>>>>> job scheduling "net rpc changetrustpw" is all that is needed.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I went through the squid documentation and the configure options
>>>>>>>>>> are
>>>>>>>>>> vast. All i want is normal squid operations but with samba
>>>>>>>>>> integration. Do I have to specify other options for normal squid
>>>>>>>>>> operations?? What is the correct procedure and which version of
>>>>>>>>>> squid
>>>>>>>>>> suits well for the version of samba i am using? I have used
>>>>>>>>>> squid but
>>>>>>>>>> never compiled. My requirement with samba is PDC, winxp clients,
>>>>>>>>>> users home directories are mapped as they login to the domain, a
>>>>>>>>>> common share for all users and a printer if needed.
>>>>>>>>>>
>>>>>>>>>> Many Thanks,
>>>>>>>>>> Avinash
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> This covers the NTLM auth via Samba requirements.
>>>>>>>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm
>>>>>>>>>>
>>>>>>>>>> This covers the Active Directory (kerberos/negotiate auth)
>>>>>>>>>> requirements:
>>>>>>>>>>
>>>>>>>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Amos
>>>>>>>>>> --
>>>>>>>>>> Please be using
>>>>>>>>>> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
>>>>>>>>>> Current Beta Squid 3.1.0.13
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Amos,
>>>>>>>>>>
>>>>>>>>>> Thanks for the reply.
>>>>>>>>>>
>>>>>>>>>> I read the documentation, and it says, "
>>>>>>>>>>
>>>>>>>>>> As Samba-3.x has it's own authentication helper there is no need to build
>>>>>>>>>> any of the Squid authentication helpers for use with Samba-3.x (and the
>>>>>>>>>> helpers provided by Squid won't work if you do). You do however need to
>>>>>>>>>> enable support for the NTLM scheme if you plan on using this. Also you may
>>>>>>>>>> want to use the wbinfo_group helper for group lookups
>>>>>>>>>>
>>>>>>>>>> --enable-auth="ntlm,basic"
>>>>>>>>>> --enable-external-acl-helpers="wbinfo_group"
>>>>>>>>>>
>>>>>>>>>> Does this mean that squid has to be compiled with the above options? I
>>>>>>>>>> am sorry if this sounds very basic. Also, my requirement, i should be able
>>>>>>>>>> to restrict few users samba users from accessing the internet through at
>>>>>>>>>> certain times and not necessary authentication. Will the above options
>>>>>>>>>> help.
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Avinash
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> The Squid packages available for Ubuntu already have those helpers built-in
>>>>>>>>> and installed along with the package. All you need is the configuration file
>>>>>>>>> changes.
>>>>>>>>>
>>>>>>>>> If you are building your own Squid from raw source code, you may need to add
>>>>>>>>> them.
>>>>>>>>>
>>>>>>>>> For someone who does not know the very basics I would seriously advise
>>>>>>>>> staying with the pre-packaged versions of Squid until you know what you are
>>>>>>>>> doing.
>>>>>>>>> --> apt-get install squid
>>>>>>>>>
>>>>>>>>> Then change the /etc/squid.conf file as needed.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Amos
>>>>>>>>> --
>>>>>>>>> Please be using
>>>>>>>>> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
>>>>>>>>> Current Beta Squid 3.1.0.13
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
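
The restart failure in the top message depends on directive order: Squid parses squid.conf top to bottom, so the `proxy_auth` ACL on line 39 is read before any `auth_param ... program` line, and `http_access` is first-match, so a leading `http_access deny all` shadows every rule after it. The following is an added example, not part of the original thread: a shell/awk check for both ordering problems, run on two constructed excerpts (`check_squid_conf`, `posted_order` and `fixed_order` are names made up here).

```shell
# Added example, not from the thread. check_squid_conf reads a squid.conf
# (file argument or stdin), prints findings and returns 1 if there are any.
check_squid_conf() {
    awk '
        { sub(/#.*/, "") }        # simplification: "#" always starts a comment
        NF == 0 { next }          # skip blank lines
        # Simplification: a scheme counts as configured once its helper
        # program line has been seen.
        $1 == "auth_param" && $3 == "program" { schemes++ }
        # squid.conf is parsed top to bottom: proxy_auth needs a scheme first.
        $1 == "acl" && $3 == "proxy_auth" && !schemes {
            printf "line %d: acl %s uses proxy_auth before any auth_param program line\n", NR, $2
            bad++
        }
        # http_access is first-match: rules after a bare "all" rule never apply.
        # Assumption: the catch-all ACL is named "all", as in the posted config.
        $1 == "http_access" {
            if (catchall) later++
            else if (NF == 3 && $3 == "all") { catchall = NR; action = $2 }
        }
        END {
            if (later) {
                printf "line %d: http_access %s all matches every request; %d later http_access rule(s) never apply\n", catchall, action, later
                bad++
            }
            exit (bad > 0)
        }
    ' "$@"
}

# Constructed excerpt keeping the directive order of the posted squid.conf.
posted_order() {
    cat <<'EOF'
acl all src 0.0.0.0/0.0.0.0
acl AuthorizedUsers proxy_auth REQUIRED
http_access deny all
http_access allow AuthorizedUsers
http_access deny all
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
EOF
}

# Same directives with auth_param first and only the final catch-all deny.
fixed_order() {
    cat <<'EOF'
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
acl all src 0.0.0.0/0.0.0.0
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow AuthorizedUsers
http_access deny all
EOF
}

posted_order | check_squid_conf || true
fixed_order | check_squid_conf && echo "no findings"
```

On a live system the same function takes the file path, for example `check_squid_conf /etc/squid/squid.conf`; `squid -k parse` remains the authoritative syntax check.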