I don't understand it yet. I'll try to expose my scenario: I've a working PDC with samba/openldap. I've more servers with PAM configured to do ldap auth to the PDC server. In one of this servers I've configured squid, and I'd like be able to use the NTLM module so I can use the windows credentials instead of pushing users to auth themselves. The squid server has a bunch of other services (like bind, dhcp3-server, and so on), but it does not have samba installed (however, it has a /etc/samba/smb.conf file). What I'm confused is that, while following the squid-cache wiki tutorial, some things worked, but others didn't. For example, wbinfo -t works and wbinfo -a also, but wbinfo -g nor wbinfo -u didn't work. Moreover, gpasswd -a proxy winbindd_priv didn't work in the squid machine, but it worked in the PDC machine. I've didn't changed anything in the PAM configuration nor the nsswitch info. I'm really lost here, I don't get why it seems that I need a working samba server on the squid machine to be able to connecto the the PDC. I've also googled a lot but most of the realted topics point to either AD or kerberos, which I'm not using... Any hint? Versions: ii squid 2.7.STABLE3-4.1ubuntu1 Internet object cache (WWW proxy cache) ii winbind 2:3.3.2-1ubuntu3.1 Samba nameservice integration server Proof: root@venus:~# wbinfo -t checking the trust secret via RPC calls succeeded root@venus:~# wbinfo -a mydomain\\myuser%mypassword plaintext password authentication succeeded challenge/response password authentication succeeded root@venus:~# invoke-rc.d squid restart * Restarting Squid HTTP proxy squid 2009/09/18 09:52:23| unrecognised ntlm auth scheme parameter 'max_challenge_reuses' 2009/09/18 09:52:23| unrecognised ntlm auth scheme parameter 'max_challenge_lifetime' 2009/09/18 09:52:23| unrecognised ntlm auth scheme parameter 'use_ntlm_negotiate' [ OK ] ++ squid.conf ++ auth_param ntlm program /usr/lib/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 30 auth_param ntlm max_challenge_reuses 0 auth_param ntlm max_challenge_lifetime 2 minutes auth_param ntlm use_ntlm_negotiate on auth_param basic program /usr/lib/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp auth_param basic children 5 auth_param basic realm ESCI Proxy auth_param basic credentialsttl 2 hours acl all src all acl manager proto cache_object acl localhost src 127.0.0.1/32 acl to_localhost dst 127.0.0.0/8 # # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing # should be allowed acl localnet src 10.0.0.0/8 # RFC1918 possible internal network acl localnet src 172.16.0.0/12 # RFC1918 possible internal network acl localnet src 192.168.0.0/16 # RFC1918 possible internal network # acl SSL_ports port 443 # https acl SSL_ports port 563 # snews acl SSL_ports port 873 # rsync acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais #acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl Safe_ports port 631 # cups acl Safe_ports port 873 # rsync acl Safe_ports port 901 # SWAT acl purge method PURGE acl CONNECT method CONNECT acl ntlm_users proxy_auth REQUIRED #Recommended minimum configuration: # # Only allow cachemgr access from localhost http_access allow manager localhost http_access deny manager # Only allow purge requests from localhost http_access allow purge localhost http_access deny purge # Deny requests to unknown ports http_access deny !Safe_ports # Deny CONNECT to other than SSL ports http_access deny CONNECT !SSL_ports # # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user http_access deny to_localhost # # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS http_access allow ntlm_users # Example rule allowing access from your local networks. # Adapt localnet in the ACL section to list your (internal) IP networks # from where browsing should be allowed #http_access allow localnet http_access allow localhost # And finally deny all other access to this proxy http_access deny all #Allow ICP queries from local networks only icp_access allow localnet icp_access deny all # Squid normally listens to port 3128 http_port 3128 #We recommend you to use at least the following line. hierarchy_stoplist cgi-bin ? access_log /var/log/squid/access.log squid #Suggested default: refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern (Release|Package(.gz)*)$ 0 20% 2880 refresh_pattern . 0 20% 4320 # Don't upgrade ShoutCast responses to HTTP acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9] upgrade_http0.9 deny shoutcast # Apache mod_gzip and mod_deflate known to be broken so don't trust # Apache to signal ETag correctly on such responses acl apache rep_header Server ^Apache broken_vary_encoding allow apache extension_methods REPORT MERGE MKACTIVITY CHECKOUT # Leave coredumps in the first cache dir coredump_dir /var/spool/squid ++ smb.conf ++ [global] workgroup = ESCI realm = ESCI.ES security = DOMAIN password server = samba.esci.es restrict anonymous = 2 client NTLMv2 auth = Yes syslog = 0 log file = /var/log/samba/log.%m max log size = 1000 dns proxy = No panic action = /usr/share/samba/panic-action %d winbind enum users = Yes winbind enum groups = Yes winbind use default domain = Yes Thanks! --------------------- Andreas Calvo Gómez <andreas.calvo@xxxxxxxxxxxx> Dept. Informàtica ESCI Pg. Pujades, 1 08003 Barcelona tel. (34) 932954710 ext.233 fax. (34) 932954720 http://www.esci.es -------------------- El jue, 17-09-2009 a las 18:15 +0200, Kinkie escribió: > On Thu, Sep 17, 2009 at 5:32 PM, Andreas Calvo Gómez > <andreas.calvo@xxxxxxxxxxxx> wrote: > > Hi, > > I'm trying to set up squid with NTLM to do automated auth based on > > windows credentials. > > I'm running a samba/openldap PDC server, and squid is in a separate > > computer. > > Is it necessary to install another samba plus winbind in the machine > > that has squid running? > > Only winbindd is needed on the squid system, smbd performs some > additional activities (changing the machine account password) which > can also be performed by scripted calls to the "net" command. > > > If I run wbinfo -t in the squid computer it works, however runnig the > > gpasswd -a proxy winbindd_priv does not work (obviously, it does not > > have the winbind). > > When I try to run the ntlm_auth --helper-protocol=squid-2.5-basic it > > reports an ERR message, but I don't know where to look for logs (nor > > syslog nor squid logs have information about it). > > > > So, what I think I'm missing is what should be done if I'm running squid > > in a non samba machine. > > > > Any hints? > > These questions are better asked to the Samba user-groups. > >
