Never mind, fixed it. I was pointing to a bad ntlm_auth binary (in Ubuntu,
you should use /usr/bin/ntlm_auth instead of /usr/lib/squid/ntlm_auth).
Thanks anyway!!
---------------------
Andreas Calvo Gómez <andreas.calvo@xxxxxxxxxxxx>
Dept. Informàtica ESCI
Pg. Pujades, 1 08003 Barcelona
tel. (34) 932954710 ext.233 fax. (34) 932954720
http://www.esci.es
--------------------

On Fri, 18-09-2009 at 10:38 +0200, Andreas Calvo Gómez wrote:
> I don't understand it yet.
> I'll try to explain my scenario:
> I have a working PDC with samba/openldap.
> I have more servers with PAM configured to do LDAP auth to the PDC server.
> In one of these servers I've configured squid, and I'd like to be able to
> use the NTLM module so I can use the Windows credentials instead of
> pushing users to auth themselves.
> The squid server has a bunch of other services (like bind, dhcp3-server,
> and so on), but it does not have samba installed (however, it has
> a /etc/samba/smb.conf file). What I'm confused about is that, while
> following the squid-cache wiki tutorial, some things worked, but others
> didn't.
> For example, wbinfo -t works and wbinfo -a also, but neither wbinfo -g nor
> wbinfo -u worked. Moreover, gpasswd -a proxy winbindd_priv didn't
> work in the squid machine, but it worked in the PDC machine.
> I haven't changed anything in the PAM configuration nor the nsswitch
> info.
>
> I'm really lost here, I don't get why it seems that I need a working
> samba server on the squid machine to be able to connect to the PDC.
> I've also googled a lot but most of the related topics point to either
> AD or kerberos, which I'm not using...
>
> Any hint?
>
> Versions:
> ii squid   2.7.STABLE3-4.1ubuntu1   Internet object cache (WWW proxy cache)
> ii winbind 2:3.3.2-1ubuntu3.1       Samba nameservice integration server
>
> Proof:
> root@venus:~# wbinfo -t
> checking the trust secret via RPC calls succeeded
>
> root@venus:~# wbinfo -a mydomain\\myuser%mypassword
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> root@venus:~# invoke-rc.d squid restart
> * Restarting Squid HTTP proxy squid
> 2009/09/18 09:52:23| unrecognised ntlm auth scheme parameter 'max_challenge_reuses'
> 2009/09/18 09:52:23| unrecognised ntlm auth scheme parameter 'max_challenge_lifetime'
> 2009/09/18 09:52:23| unrecognised ntlm auth scheme parameter 'use_ntlm_negotiate'
>
> [ OK ]
>
> ++ squid.conf ++
> auth_param ntlm program /usr/lib/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 30
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> auth_param ntlm use_ntlm_negotiate on
> auth_param basic program /usr/lib/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param basic children 5
> auth_param basic realm ESCI Proxy
> auth_param basic credentialsttl 2 hours
> acl all src all
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> #
> # Example rule allowing access from your local networks.
> # Adapt to list your (internal) IP networks from where browsing
> # should be allowed
> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> #
> acl SSL_ports port 443          # https
> acl SSL_ports port 563          # snews
> acl SSL_ports port 873          # rsync
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> #acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl Safe_ports port 631         # cups
> acl Safe_ports port 873         # rsync
> acl Safe_ports port 901         # SWAT
> acl purge method PURGE
> acl CONNECT method CONNECT
> acl ntlm_users proxy_auth REQUIRED
> #Recommended minimum configuration:
> #
> # Only allow cachemgr access from localhost
> http_access allow manager localhost
> http_access deny manager
> # Only allow purge requests from localhost
> http_access allow purge localhost
> http_access deny purge
> # Deny requests to unknown ports
> http_access deny !Safe_ports
> # Deny CONNECT to other than SSL ports
> http_access deny CONNECT !SSL_ports
> #
> # We strongly recommend the following be uncommented to protect innocent
> # web applications running on the proxy server who think the only
> # one who can access services on "localhost" is a local user
> http_access deny to_localhost
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> http_access allow ntlm_users
>
> # Example rule allowing access from your local networks.
> # Adapt localnet in the ACL section to list your (internal) IP networks
> # from where browsing should be allowed
> #http_access allow localnet
> http_access allow localhost
>
> # And finally deny all other access to this proxy
> http_access deny all
>
> #Allow ICP queries from local networks only
> icp_access allow localnet
> icp_access deny all
>
> # Squid normally listens to port 3128
> http_port 3128
>
> #We recommend you to use at least the following line.
> hierarchy_stoplist cgi-bin ?
>
> access_log /var/log/squid/access.log squid
>
> #Suggested default:
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern (Release|Package(.gz)*)$        0       20%     2880
> refresh_pattern .               0       20%     4320
>
> # Don't upgrade ShoutCast responses to HTTP
> acl shoutcast rep_header X-HTTP09-First-Line ^ICY\s[0-9]
> upgrade_http0.9 deny shoutcast
>
> # Apache mod_gzip and mod_deflate known to be broken so don't trust
> # Apache to signal ETag correctly on such responses
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
>
> extension_methods REPORT MERGE MKACTIVITY CHECKOUT
>
> # Leave coredumps in the first cache dir
> coredump_dir /var/spool/squid
>
> ++ smb.conf ++
> [global]
> workgroup = ESCI
> realm = ESCI.ES
> security = DOMAIN
> password server = samba.esci.es
> restrict anonymous = 2
> client NTLMv2 auth = Yes
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 1000
> dns proxy = No
> panic action = /usr/share/samba/panic-action %d
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
>
> Thanks!
> ---------------------
> Andreas Calvo Gómez <andreas.calvo@xxxxxxxxxxxx>
> Dept. Informàtica ESCI
> Pg. Pujades, 1 08003 Barcelona
> tel. (34) 932954710 ext.233 fax. (34) 932954720
> http://www.esci.es
> --------------------
>
> On Thu, 17-09-2009 at 18:15 +0200, Kinkie wrote:
> > On Thu, Sep 17, 2009 at 5:32 PM, Andreas Calvo Gómez
> > <andreas.calvo@xxxxxxxxxxxx> wrote:
> > > Hi,
> > > I'm trying to set up squid with NTLM to do automated auth based on
> > > Windows credentials.
> > > I'm running a samba/openldap PDC server, and squid is in a separate
> > > computer.
> > > Is it necessary to install another samba plus winbind in the machine
> > > that has squid running?
> >
> > Only winbindd is needed on the squid system, smbd performs some
> > additional activities (changing the machine account password) which
> > can also be performed by scripted calls to the "net" command.
> >
> > > If I run wbinfo -t in the squid computer it works, however running the
> > > gpasswd -a proxy winbindd_priv does not work (obviously, it does not
> > > have the winbind).
> > > When I try to run the ntlm_auth --helper-protocol=squid-2.5-basic it
> > > reports an ERR message, but I don't know where to look for logs (nor
> > > syslog nor squid logs have information about it).
> > >
> > > So, what I think I'm missing is what should be done if I'm running squid
> > > in a non samba machine.
> > >
> > > Any hints?
> >
> > These questions are better asked to the Samba user-groups.
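The thread above ends with the root cause (the wrong ntlm_auth binary), but the posted squid.conf carries two more problems that the Squid 2.7 log and the Samba helper interface make visible: the three auth_param ntlm settings that Squid 2.7 reports as "unrecognised" are Squid 2.5-only parameters and are silently ignored, and the basic scheme is driven with --helper-protocol=squid-2.5-ntlmssp, so Samba's helper expects NTLMSSP tokens while Squid sends "user password" lines and every basic login gets ERR. The following linter, an added example written for this page and not code from the thread or from the Squid or Samba projects, checks a squid.conf's auth_param lines for exactly those mistakes. It assumes the Debian/Ubuntu helper path /usr/bin/ntlm_auth the thread arrives at, and the two constructed config excerpts embedded below are built from the thread's configuration, not copied from a live system.

```python
"""Lint the auth_param lines of a Squid 2.7 squid.conf for the ntlm_auth
helper mistakes seen in the squid-users thread above: the wrong ntlm_auth
binary, Squid 2.5-only NTLM parameters, and a basic helper driven with the
NTLMSSP helper protocol.  Added example, not code from the thread."""
import os
import shlex

# Samba's winbind-backed helper on Debian/Ubuntu, as the thread concludes
# (assumed path; adjust for other distributions).
SAMBA_NTLM_AUTH = "/usr/bin/ntlm_auth"

# auth_param ntlm settings Squid 2.5 accepted and Squid 2.6+/2.7 reject with
# "unrecognised ntlm auth scheme parameter" in cache.log (as in the thread).
SQUID25_ONLY_NTLM_PARAMS = {
    "max_challenge_reuses", "max_challenge_lifetime", "use_ntlm_negotiate",
}

# Samba ntlm_auth --helper-protocol value each Squid auth scheme must use.
EXPECTED_HELPER_PROTOCOL = {"ntlm": "squid-2.5-ntlmssp", "basic": "squid-2.5-basic"}


def parse_auth_params(conf_text):
    """Yield (scheme, param, argv) for every auth_param line in conf_text."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line.startswith("auth_param"):
            continue
        parts = shlex.split(line, comments=True)
        if len(parts) >= 3:
            yield parts[1], parts[2], parts[3:]


def helper_protocol(options):
    """Return the value of --helper-protocol=... in a helper's argv, or None."""
    for opt in options:
        if opt.startswith("--helper-protocol="):
            return opt.split("=", 1)[1]
    return None


def lint_auth_params(conf_text):
    """Return findings as (scheme, code, detail) tuples; an empty list is clean."""
    findings = []
    for scheme, param, args in parse_auth_params(conf_text):
        if scheme == "ntlm" and param in SQUID25_ONLY_NTLM_PARAMS:
            findings.append((scheme, "squid25_only_param", param))
        if param != "program" or scheme not in EXPECTED_HELPER_PROTOCOL:
            continue
        if not args:
            findings.append((scheme, "no_helper", ""))
            continue
        helper, options = args[0], args[1:]
        # The thread's root cause: an ntlm_auth that is not Samba's helper.
        if os.path.basename(helper) == "ntlm_auth" and helper != SAMBA_NTLM_AUTH:
            findings.append((scheme, "wrong_helper_path", helper))
        proto = helper_protocol(options)
        if proto is None:
            findings.append((scheme, "missing_helper_protocol", ""))
        elif proto != EXPECTED_HELPER_PROTOCOL[scheme]:
            # e.g. the basic scheme fed squid-2.5-ntlmssp: the helper waits for
            # NTLMSSP tokens, Squid sends "user password" lines, result is ERR.
            findings.append((scheme, "wrong_helper_protocol", proto))
    return findings


# Constructed excerpt of the auth_param lines as posted in the thread.
POSTED_CONF = """\
auth_param ntlm program /usr/lib/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate on
auth_param basic program /usr/lib/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic children 5
auth_param basic realm ESCI Proxy
auth_param basic credentialsttl 2 hours
acl ntlm_users proxy_auth REQUIRED
"""

# Corrected equivalent for Squid 2.7 with Samba's helper (constructed).
FIXED_CONF = """\
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm ESCI Proxy
auth_param basic credentialsttl 2 hours
acl ntlm_users proxy_auth REQUIRED
"""

if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(name, lint_auth_params(conf) or "clean")
```

Run it against a real file with `lint_auth_params(open("/etc/squid/squid.conf").read())`; the linter only reads the configuration, so the real check that the helper itself works (the `ntlm_auth --helper-protocol=squid-2.5-basic` test from the thread, run as the proxy user after `gpasswd -a proxy winbindd_priv`) still has to be done on the box.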