Re: ntlm_auth problem with file of users

On 8/02/2012 2:15 a.m., CyberSoul wrote:
Hi all,
    could anyone give any suggestion to solve the following problem:

I have configured squid with Single Sign-On (kerberos+samba+ntlm)
So the commands wbinfo -t, wbinfo -p, wbinfo -u, wbinfo -g are working well (domain is KNG, realm kng.local), examples:
$wbinfo -u
KNG\ldapreader
KNG\testproxyad1
KNG\testproxyad2

$wbinfo -a kng\\ldapreader%12345678
plaintext password authentication succeeded
challenge/response password authentication succeeded

squid.conf
....
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Proxy_AD
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds
authenticate_ttl 0 seconds
...

So, when acl & http_access are as follows, it works:
acl users proxy_auth REQUIRED
...
http_access allow users

But I need to give access to the internet by lists of users, so I re-edited the squid config & created a list:
file /etc/squid/users.acl, it contains user names:
ldapreader
testproxyad1
testproxyad2

squid.conf
...
acl users proxy_auth "/etc/squid/users.acl"
...
http_access allow users

After that, in browser squid says that "access denied",
access.log:
bla-bla-bla<IP-user>  TCP_DENIED/407 1874 GET<bla-bla-bla>  KNG\ldapreader NONE/- text/html

Changing the users.acl file with names to this:
KNG\ldapreader
KNG\testproxyad1
KNG\testproxyad2

No result, "access denied".

Added option in smb.conf [global]:
winbind separator = \

No result, "access denied".

Checking ntlm_auth (basic), well done:
$/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
kng\ldapreader 12345678
OK

Checking ntlm_auth (ntlmssp), well done:
$/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
YR
TT TlRMTVNTUAACAAAAAAAAADAAAAACAgAA7TEzPz/FpREAAAAAAAAAAAAAAAAwAAAA

This is the NTLM helper producing a challenge token to be sent to the client for use in encoding the credentials it will send later.

The KK step validating the credentials token sent by the client is what determines between valid and invalid login. The token can be found in the Proxy-Authenticate: NTLM header.


What's wrong? Why doesn't squid want to work with the list of users?
Maybe I did not correctly edit squid.conf in the acl tag (acl users proxy_auth "/etc/squid/users.acl")?
Or maybe get ntlm_auth from samba source, not from squid?

You already are. --helper-protocol= is one of the command line arguments of the Samba helper. The squid one has no arguments and does not respond OK to Basic auth credentials.

Amos
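The TT line in the quoted helper test is the NTLM CHALLENGE message that squid forwards to the browser. As an added example (not code from the thread or from Samba), this Python script decodes that exact token per the MS-NLMP layout, showing the negotiate flags, the 8-byte server challenge, and the (here empty) target name and target info. The flag table and the two parse functions are the example's own.

```python
"""Decode the NTLMSSP CHALLENGE (Type 2) token that ntlm_auth returns on
the "TT" line of the squid-2.5-ntlmssp helper protocol."""
import base64
import struct

# Flag bits from MS-NLMP 2.2.2.5 (only the ones needed to read this token)
NEGOTIATE_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000002: "NEGOTIATE_OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000200: "NEGOTIATE_NTLM",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NEGOTIATE_TARGET_INFO",
    0x20000000: "NEGOTIATE_128",
}

def parse_challenge(token_b64: str) -> dict:
    """Parse a base64 NTLM CHALLENGE_MESSAGE into its fields."""
    raw = base64.b64decode(token_b64)
    if len(raw) < 48 or raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", raw, 8)[0]
    if msg_type != 2:
        raise ValueError(f"expected CHALLENGE (type 2), got type {msg_type}")
    tn_len, _tn_max, tn_off = struct.unpack_from("<HHI", raw, 12)  # TargetNameFields
    flags = struct.unpack_from("<I", raw, 20)[0]                    # NegotiateFlags
    challenge = raw[24:32]                                          # ServerChallenge
    ti_len, _ti_max, _ti_off = struct.unpack_from("<HHI", raw, 40)  # TargetInfoFields
    name = raw[tn_off:tn_off + tn_len]
    # UNICODE flag selects UTF-16LE for the target name, otherwise OEM charset
    target_name = name.decode("utf-16-le") if flags & 1 else name.decode("ascii", "replace")
    return {
        "flags": flags,
        "flag_names": sorted(n for b, n in NEGOTIATE_FLAGS.items() if flags & b),
        "server_challenge": challenge.hex(),
        "target_name": target_name,
        "target_info_len": ti_len,
        "length": len(raw),
    }

def parse_helper_line(line: str) -> dict:
    """Accept the helper's own response line ('TT <token>') and decode it."""
    code, _, token = line.strip().partition(" ")
    if code != "TT":
        raise ValueError(f"helper replied {code!r}, not a TT challenge")
    return parse_challenge(token)

# The TT line from the thread above (constructed copy of the token in the mail)
HELPER_LINE = "TT TlRMTVNTUAACAAAAAAAAADAAAAACAgAA7TEzPz/FpREAAAAAAAAAAAAAAAAwAAAA"

if __name__ == "__main__":
    for k, v in parse_helper_line(HELPER_LINE).items():
        print(f"{k}: {v}")
```

For this token the flags decode to OEM + NTLM only, with no target name or target info, which is the minimal 48-byte challenge form; the client answers it with the KK token that Amos describes as the step that actually decides the login.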

