Avinash Rao wrote:
/etc/init.d/squid restart
* Restarting Squid HTTP proxy squid
2009/08/18 14:04:15| Invalid Proxy Auth ACL 'acl AuthorizedUsers proxy_auth REQUIRED' because no authentication schemes are fully configured.
FATAL: Bungled squid.conf line 39: acl AuthorizedUsers proxy_auth REQUIRED
Squid Cache (Version 2.6.STABLE18): Terminated abnormally.
[fail]
Order for most things is VERY VERY important in squid.conf
You are trying to tell squid what to do with authentication (ACL) before
it has reached the section which turns authentication on (auth_param).
Amos
squid.conf
root@sunbox:/var/log/squid# more /etc/squid/squid.conf
visible_hostname sunbox
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
http_port 100.100.100.50:3128
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl Safe_ports port 993 # IMAP
acl Safe_ports port 587 # SMTP
acl Safe_ports port 22 # SSH
acl purge method PURGE
acl special_urls url_regex "/etc/squid/squid-noblock.acl"
acl extndeny url_regex -i "/etc/squid/blocks.files.acl"
acl malware_block_list url_regex -i "/etc/squid/malware_block_list.txt"
acl badurl url_regex -i teen orkut youtube sex mp3 mp4 exe
acl lan src 192.168.1.0 100.100.100.0/24
acl stud ident_regex babu
acl download method GET
acl CONNECT method CONNECT
acl AuthorizedUsers proxy_auth REQUIRED
cache_mem 100 MB
#redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
ident_lookup_access allow all
http_access deny all
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access allow special_urls
http_access deny extndeny download
http_access deny extndeny
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny badurl
http_access deny malware_block_list
deny_info http://malware.hiperlinks.com.br/denied.shtml malware_block_list
http_access allow localhost
http_access allow lan
http_reply_access allow all
http_access allow AuthorizedUsers
http_access deny all
icp_access allow all
coredump_dir /var/spool/squid
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
# ntlm_auth from Samba 3 supports NTLM NEGOTIATE packet
auth_param ntlm use_ntlm_negotiate on
# warning: basic authentication sends passwords plaintext
# a network sniffer can and will discover passwords
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
Thanks
Avinash
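The ordering rule Amos describes, as an added example that is not part of the original thread: a small Python lint that flags a proxy_auth ACL read before any "auth_param <scheme> program" line. It goes one step beyond the reply by also flagging http_access rules that follow a catch-all "all" rule, since Squid stops at the first matching http_access line; the function names and the trimmed sample are constructed, and the simplifications are listed in the docstring.

```python
AUTH_ACL_TYPES = {"proxy_auth", "proxy_auth_regex"}

# Constructed sample: directive order trimmed from the squid.conf posted above.
SAMPLE = """\
acl all src 0.0.0.0/0.0.0.0
acl lan src 100.100.100.0/24
acl AuthorizedUsers proxy_auth REQUIRED
http_access deny all
http_access allow lan
http_access allow AuthorizedUsers
# ntlm_auth from Samba 3
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
"""

def tokens(line):
    """Split one squid.conf line into words, ignoring '#' comments."""
    return line.split("#", 1)[0].split()

def lint_order(conf_text):
    """Return (line_no, problem) pairs for order-dependent mistakes.

    Assumptions: a scheme counts as configured once its
    'auth_param <scheme> program' line has been read, and the ACL
    named 'all' matches every request.
    """
    schemes, catch_all, findings = set(), None, []
    for no, raw in enumerate(conf_text.splitlines(), start=1):
        w = tokens(raw)
        if len(w) >= 4 and w[0] == "auth_param" and w[2] == "program":
            schemes.add(w[1])
        elif len(w) >= 3 and w[0] == "acl" and w[2] in AUTH_ACL_TYPES and not schemes:
            findings.append((no, "proxy_auth ACL before any auth_param program"))
        elif w[:1] == ["http_access"] and catch_all:
            findings.append((no, f"unreachable after line {catch_all}"))
        elif w[:1] == ["http_access"] and w[2:] == ["all"]:
            catch_all = no      # first match wins: nothing below is evaluated
    return findings

def hoist_auth_param(conf_text):
    """Move every auth_param line to the top, keeping relative order."""
    lines = conf_text.splitlines()
    auth = [l for l in lines if tokens(l)[:1] == ["auth_param"]]
    rest = [l for l in lines if tokens(l)[:1] != ["auth_param"]]
    return "\n".join(auth + rest) + "\n"

if __name__ == "__main__":
    for no, problem in lint_order(SAMPLE):
        print(f"line {no}: {problem}")
    print(lint_order(hoist_auth_param(SAMPLE)))
```

On the sample, hoisting the auth_param lines clears the proxy_auth finding, while the http_access findings remain until those rules are reordered.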
On Tue, Aug 18, 2009 at 12:33 PM, Chris
Boczko<Christopher.Boczko@xxxxxxxxxxxxx> wrote:
checking the trust secret via RPC calls succeeded means the secret is good, they changed the wording a while back, glad you're working
chris
Kind Regards,
Christopher Boczko
Server Support Analyst - IT Shared Services
HomeServe
Chemdry UK, Colonial House, Swinemoor Lane, Beverley, HU17 0LS
DDI: 01482 677272
Mob: 07967 059241
www.homeserve.com
www.chemdry.co.uk
-----Original Message-----
From: Avinash Rao [mailto:avinash.aol@xxxxxxxxx]
Sent: 17 August 2009 16:38
To: Chris Boczko
Subject: Re: Need help in integrating squid and samba
Chris,
Please don't get bugged, wbinfo -g is working now ..
wbinfo -g
BUILTIN\administrators
BUILTIN\users
and even wbinfo -t
wbinfo -t
checking the trust secret via RPC calls succeeded
but it didn't give the output "the secret is good". I have no idea how
this is working all of a sudden, it didn't work a little while ago!
Regards,
Avinash
On Mon, Aug 17, 2009 at 8:58 PM, Avinash Rao<avinash.aol@xxxxxxxxx> wrote:
Yes, Squid and Samba(PDC) are running on the same server.
wbinfo -g won't work as i have not created any of the NT Domain Groups
is that necessary? Coz, i have a very simple samba configuration.
I went through the link and made changes to nsswitch conf.
wbinfo -set-auth-user=Administrator%'password'
Could not lookup sid Administrator%password
But, I could join the domain, i just entered net join and entered the
current users password and it said joined the domain!
wbinfo -u
Error looking up domain users
Thanks again
Avinash
On Mon, Aug 17, 2009 at 8:29 PM, Chris
Boczko<Christopher.Boczko@xxxxxxxxxxxxx> wrote:
Right ok,
So squid is running samba (as a pdc) and squid as a cache?
Can you try running wbinfo -g, and if that doesn't work, try running wbinfo --set-auth-user=Administrator%'YourPassword' (see: http://www.debian-administration.org/article/Question_Winbind_on_samba_PDC), then run wbinfo -g again
Kind Regards,
Christopher Boczko
-----Original Message-----
From: Avinash Rao [mailto:avinash.aol@xxxxxxxxx]
Sent: 17 August 2009 15:56
To: Chris Boczko
Subject: Re: Need help in integrating squid and samba
Yes its on the squid server and its a PDC and the passwd backend is tdbsam
On Mon, Aug 17, 2009 at 8:22 PM, Chris
Boczko<Christopher.Boczko@xxxxxxxxxxxxx> wrote:
This is on the squid server?
Its trying to be a pdc
domain logons = yes
os level = 65
prefered master = yes
domain master = yes
local master = yes
Kind Regards,
Christopher Boczko
-----Original Message-----
From: Avinash Rao [mailto:avinash.aol@xxxxxxxxx]
Sent: 17 August 2009 15:51
To: Chris Boczko
Subject: Re: Need help in integrating squid and samba
smb.conf
[global]
workgroup = abc
server string = Samba on SUN
max log size = 500
log level = 1
interfaces = eth2 100.100.100.251
bind interfaces only = True
log file = /var/log/samba/log.%m
max log size = 1000
domain logons = yes
os level = 65
prefered master = yes
domain master = yes
local master = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
add machine script = /usr/sbin/useradd -s /bin/false -d /home/nobody %u
dns proxy =No
hosts allow = 127. 100.100.100.
wins support = Yes
passdb backend = smbpasswd
encrypt passwords = true
smb passwd file = /etc/samba/smbpasswd
security = user
netbios name = sunbox
username map = /etc/samba/smbusers
[homes]
comment = Home Dir
read only = NO
browseable = NO
valid users = %S
path = %H
directory mask = 0700
create mask = 0700
[share]
comment = test share
path = /sambashare
valid users = nimda
create mask = 0765
Cheers
Avinash
On Mon, Aug 17, 2009 at 8:04 PM, Chris
Boczko<Christopher.Boczko@xxxxxxxxxxxxx> wrote:
Ah, makes a little more sense, but I'm afraid my only experience is with Windows as an Active Directory controller and Samba linking to that, but I can still take a look at your smb.conf if you would like
Kind Regards,
Christopher Boczko
-----Original Message-----
From: Avinash Rao [mailto:avinash.aol@xxxxxxxxx]
Sent: 17 August 2009 15:30
To: Chris Boczko
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: Re: Need help in integrating squid and samba
Dear Christopher,
Thank you for your reply.
I am not using Active Directory, I am using a samba as a PDC (NT4) and
its a simple configuration. All clients are WinXP and they login to
the domain and i just want to control their access to internet that is
all.
And there is no other Windows NT domain machine in my network, its
just this ubuntu server running squid and samba!
If i am right? wbinfo -t will not work coz, i don't have a windows NT
domain machine and no trust exists. But, how do i control, restrict or
allow internet access for samba domain users through squid?
Many Thanks
Avinash
On Mon, Aug 17, 2009 at 7:50 PM, Chris
Boczko<Christopher.Boczko@xxxxxxxxxxxxx> wrote:
Yes,
If you are using active directory 2000/2003/2008, you'll need to configure krb5 first
Please see http://ubuntuforums.org/showthread.php?t=91510 , but you only need to follow steps 1-3, then 7-9
Then run
wbinfo -t to check the trust and
wbinfo -g to list groups
Kind Regards,
Christopher Boczko
-----Original Message-----
From: Avinash Rao [mailto:avinash.aol@xxxxxxxxx]
Sent: 17 August 2009 14:57
To: Chris Boczko
Subject: Re: Need help in integrating squid and samba
root@sunbox: net join -U user
Password:
Creation of workstation account failed
Unable to join domain abc
user@sunbox:/usr/lib/squid$ net join -U user1
[2009/08/17 19:24:05, 0] passdb/secrets.c:secrets_init(66)
Failed to open /var/lib/samba/secrets.tdb
[2009/08/17 19:24:05, 0] utils/net_rpc.c:rpc_oldjoin_internals(309)
error storing domain sid for abc
No, I haven't configured krb5. Do we need all this just to control
internet access for samba domain users?
Avinash
On Mon, Aug 17, 2009 at 7:19 PM, Chris
Boczko<Christopher.Boczko@xxxxxxxxxxxxx> wrote:
Have you run net join on the squid server (from the command line), and have you configured krb5?
Does kinit (user)@(domain).(domain) work?
Kind Regards,
Christopher Boczko
-----Original Message-----
From: Avinash Rao [mailto:avinash.aol@xxxxxxxxx]
Sent: 17 August 2009 14:47
To: Chris Boczko
Subject: Re: Need help in integrating squid and samba
Samba Version:
dpkg -l | grep samba
ii samba 3.0.28a-1ubuntu4.8 a LanManager-like file and printer server fo
ii samba-common 3.0.28a-1ubuntu4.8 Samba common files used by both the server a
Ubuntu 8.04 Server 64-bit.
Net Join? You mean from a windows client? I have only winXP clients
and they are all configured to login to the domain.
Avinash
On Mon, Aug 17, 2009 at 7:07 PM, Chris
Boczko<Christopher.Boczko@xxxxxxxxxxxxx> wrote:
Have you tried rejoining the domain using
net join ?
Then testing the join with
wbinfo -t
Also, which version of debian / samba / ad are you running?
Kind Regards,
Christopher Boczko
-----Original Message-----
From: Avinash Rao [mailto:avinash.aol@xxxxxxxxx]
Sent: 17 August 2009 14:25
To: squid-users@xxxxxxxxxxxxxxx
Subject: Fwd: Need help in integrating squid and samba
Thanks for the quick response.
And, yes i will install squid using apt-get install command.
The basic winbindd functionality "wbinfo -t": is not successful
wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
Could not check secret
Even, wbinfo -a mydomain\\myuser%mypasswd is unsuccessful
Wondering how i should proceed without this?
Avinash
On Mon, Aug 17, 2009 at 1:15 PM, Amos Jeffries<squid3@xxxxxxxxxxxxx> wrote:
[re-inserting squid-users mailing list]
Avinash Rao wrote:
On Mon, Aug 17, 2009 at 11:30 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx
<mailto:squid3@xxxxxxxxxxxxx>> wrote:
Avinash Rao wrote:
Dear all,
I am new here and i would like to know the correct procedure for
compiling squid to integrate with samba.
I am doing this on a Ubuntu 8.04 Server 64-bit edition and I have all
the updates installed. In fact, I have installed samba through apt-get
install and is configured as a PDC.
dpkg -l | grep samba
ii samba 3.0.28a-1ubuntu4.8 a LanManager-like file and printer server fo
ii samba-common 3.0.28a-1ubuntu4.8 Samba common files used by both the server a
I am in need of controlling internet access for samba domain users
through squid. I read the documentation and it says Squid must be
built with the configure options:
--enable-auth="ntlm,basic"
--enable-basic-auth-helpers="winbind"
--enable-ntlm-auth-helpers="winbind"
According to the documentation,
--------
Samba 3.x
---------
Things are much easier under the 3.x versions of Samba. Smbd is no
longer required to manage the machine's trust account, and there is
no need to patch any utilities.
The Samba team has incorporated functionality to change the machine
trust account password in the new "net" command. A simple daily cron
job scheduling "net rpc changetrustpw" is all that is needed.
I went through the squid documentation and the configure options are
vast. All i want is normal squid operations but with samba
integration. Do I have to specify other options for normal squid
operations?? What is the correct procedure and which version of squid
suits well for the version of samba i am using? I have used squid but
never compiled. My requirement with samba is PDC, winxp clients,
users home directories are mapped as they login to the domain, a
common share for all users and a printer if needed.
Many Thanks,
Avinash
This covers the NTLM auth via Samba requirements.
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm
This covers the Active Directory (kerberos/negotiate auth)
requirements:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
Current Beta Squid 3.1.0.13
Amos,
Thanks for the reply.
I read the documentation, and it says, "
As Samba-3.x has it's own authentication helper there is no need to build
any of the Squid authentication helpers for use with Samba-3.x (and the
helpers provided by Squid won't work if you do). You do however need to
enable support for the NTLM scheme if you plan on using this. Also you may
want to use the wbinfo_group helper for group lookups
--enable-auth="ntlm,basic"
--enable-external-acl-helpers="wbinfo_group"
Does this mean that squid has to be compiled with the above options? I
am sorry if this sounds very basic. Also, my requirement, i should be able
to restrict few users samba users from accessing the internet through at
certain times and not necessary authentication. Will the above options
help.
Thanks,
Avinash
The Squid packages available for Ubuntu already have those helpers built-in
and installed along with the package. All you need is the configuration file
changes.
If you are building your own Squid from raw source code, you may need to add
them.
For someone who does not know the very basics I would seriously advise
staying with the pre-packaged versions of Squid until you know what you are
doing.
--> apt-get install squid
Then change the /etc/squid.conf file as needed.
Amos