Hi,
I had a working setup with Ubuntu 10.04 LTS x64 with the following versions:
squid 3.0.STABLE19-1ubuntu0.1
samba 2:3.4.7~dfsg-1ubuntu3.5
We have a AD domain with around 50 clients using Windows 7 and joined
in the domain.
For this clients we user squid with kerberos and it's working fine
with no issues.
We had a second auth method (NTLM basic,ntlmssp) for clients that were
not joined in the domain.
For this clients normally a pop-up auth appear in the browser witch
then the user should provide AD
credentials in the following manner:
User: MYDOMAIN\user
Pass: password
Since last week NTLM seams to stop working, but from all the tests i
run from the proxy shell it seams ok
Here is what i already did to debug the issue:
root@proxy:/# net ads testjoin
Join is OK
root@proxy:/# wbinfo -t
checking the trust secret via RPC calls succeeded
root@proxy:/# wbinfo -a lsquintella%lsquintella
plaintext password authentication succeeded
challenge/response password authentication succeeded
wbinfo -u and wbinfo -g both work and list users and groups without the domain.
I'm using ntml binary from the samba:
root@proxy:/# /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
mydomain+lsquintella lsquintella
OK
Im running out of ideas to solve this im missing something here?
Can someone please point me to the right direction.
Below is are my config files:
/etc/samba/smb.conf
[global]
#log level = 5
netbios name = proxy
security = ads
realm = MYDOMAIN.LAN
workgroup = MYDOMAIN
; winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = true
winbind use default domain = yes
restrict anonymous = 2
/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/ksadmind.log
[libdefaults]
default_realm = MYDOMAIN.LAN
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
fcc-mit-ticketflags = true
default_keytab_name = FILE:/etc/krb5.keytab
[realms]
MYDOMAIN.LAN = {
kdc = dc1.mydomain.lan
kdc = dc2.mydomain.lan
admin_server = dc1.mydomain.lan
default_domain = mydomain.lan
}
[domain_realm]
.mydomain.lan = MYDOMAIN.LAN
mydomain.lan = MYDOMAIN.LAN
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
/etc/squid3/squid.conf
visible_hostname proxy1.mydomain.lan
http_port 3128
hierarchy_stoplist cgi-bin ?
cache_mem 1024 MB
maximum_object_size 8096 KB
cache_dir aufs /var/spool/squid3 50000 16 256
cache_access_log /var/log/squid3/access.log
cache_log /var/log/squid3/cache.log squid
cache_store_log none
#Suggested default:
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
refresh_pattern -i (cgi-bin|\?) 0
0% 0
refresh_pattern -i \.index.(html|htm)$ 0 40%
10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320
auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -s
HTTP/ldapbind@xxxxxxxxxxxx
auth_param negotiate children 20
auth_param negotiate keep_alive on
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 10
auth_param basic realm Mydomain Log
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
external_acl_type FaGroup ttl=900 %LOGIN
/usr/lib/squid3/squid_ldap_group -R -b "dc=mydomain,dc=lan" -D
"cn=ldapbind,cn=users,dc=mydomain,dc=lan" -W "/etc$
authenticate_ttl 1 hour
authenticate_cache_garbage_interval 1 hour
acl manager proto cache_object
acl localhost src 127.0.0.1
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 8443 # https
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl rede_interna src 192.168.20.0/24
acl rede_servidores src 192.168.10.0/24
acl h_trabalho_manha time MTWHF 09:00-13:00
acl h_trabalho_tarde time MTWHF 14:30-18:00
acl FullAccess external FaGroup InetFA
acl sites_internos_nocache dst 192.168.10.0/24
cache deny sites_internos_nocache
acl Publicidade url_regex "/etc/squid3/list/publicidade.acl"
acl BlockFiles urlpath_regex -i "/etc/squid3/list/block-files.acl"
acl BlockSites dstdomain "/etc/squid3/list/block-sites.acl"
acl TimeBasedSites dstdomain "/etc/squid3/list/timebased-sites.acl"
acl DenyFun dstdomain "/etc/squid3/list/block-sites-fun.acl"
deny_info ERR_MYDOMAIN_TBSITES_DENY TimeBasedSites
deny_info ERR_MYDOMAIN_FUN_DENY DenyFun
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com
acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com
acl wuCONNECT dstdomain .dropbox.com
http_access allow CONNECT wuCONNECT rede_interna
http_access allow CONNECT wuCONNECT localhost
http_access allow windowsupdate rede_interna
http_access allow windowsupdate localhost
acl msn url_regex -i gateway.dll
acl msnd dstdomain messenger.msn.com gateway.messenger.hotmail.com
acl msn1 req_mime_type ^application/x-msn-messenger$
http_access deny msnd
http_access deny msn
http_access deny msn1
http_access deny !FullAccess Publicidade
http_access deny !FullAccess BlockFiles
http_access deny !FullAccess BlockSites
http_access deny !FullAccess DenyFun
http_access deny rede_interna h_trabalho_manha !FullAccess TimeBasedSites
http_access deny rede_interna h_trabalho_tarde !FullAccess TimeBasedSites
acl NoAuthNeeded dstdomain .avg.com backup.avg.cz .dropbox.com
.google.com .openoffice.org
http_access allow all NoAuthNeeded
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow AuthorizedUsers
# And finally deny all other access to this proxy
http_access deny all
http_reply_access allow all
cache_mgr sys@xxxxxxxxxxxx
logfile_rotate 10
error_directory /etc/squid3/error
coredump_dir /var/spool/squid3
--
Ricardo Nuno
