Hi all,
I'm trying to install a brand new Squid 4.7 on an Arch GNU/Linux (Kernel 5.0.7), authorizing its users against Active Directory, based on a Windows 2008 R2 Domain.
I configured samba4 on the Arch machine, and it looks to be working well. wbinfo commands execute with correct output.
But when using Squid, I keep getting messages like:
2019/05/27 04:08:12 kid1| Set Current Directory to /var/spool/squid
2019/05/27 04:08:12 kid1| Starting Squid Cache version 4.7 for x86_64-pc-linux-gnu...
2019/05/27 04:08:12 kid1| Service Name: squid
2019/05/27 04:08:12 kid1| Process ID 7584
2019/05/27 04:08:12 kid1| Process Roles: worker
2019/05/27 04:08:12 kid1| With 1024 file descriptors available
2019/05/27 04:08:12 kid1| Initializing IP Cache...
2019/05/27 04:08:12 kid1| DNS Socket created at [::], FD 7
2019/05/27 04:08:12 kid1| DNS Socket created at 0.0.0.0, FD 10
2019/05/27 04:08:12 kid1| Adding domain ciabernal.local from /etc/resolv.conf
2019/05/27 04:08:12 kid1| Adding domain ciabernal.local from /etc/resolv.conf
2019/05/27 04:08:12 kid1| Adding nameserver 192.168.32.5 from /etc/resolv.conf
2019/05/27 04:08:12 kid1| helperOpenServers: Starting 0/10 'negotiate_wrapper' processes
2019/05/27 04:08:12 kid1| helperStatefulOpenServers: No 'negotiate_wrapper' processes needed.
2019/05/27 04:08:12 kid1| helperOpenServers: Starting 0/10 'ntlm_auth' processes
2019/05/27 04:08:12 kid1| helperStatefulOpenServers: No 'ntlm_auth' processes needed.
2019/05/27 04:08:12 kid1| helperOpenServers: Starting 0/10 'basic_ldap_auth' processes
2019/05/27 04:08:12 kid1| helperOpenServers: No 'basic_ldap_auth' processes needed.
2019/05/27 04:08:12 kid1| helperOpenServers: Starting 0/5 'ext_ldap_group_acl' processes
2019/05/27 04:08:12 kid1| helperOpenServers: No 'ext_ldap_group_acl' processes needed.
2019/05/27 04:08:12 kid1| Logfile: opening log /var/log/squid/access.log
2019/05/27 04:08:12 kid1| WARNING: log name now starts with a module name. Use 'stdio:/var/log/squid/access.log'
2019/05/27 04:08:12 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2019/05/27 04:08:12 kid1| Store logging disabled
2019/05/27 04:08:12 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2019/05/27 04:08:12 kid1| Target number of buckets: 1008
2019/05/27 04:08:12 kid1| Using 8192 Store buckets
2019/05/27 04:08:12 kid1| Max Mem size: 262144 KB
2019/05/27 04:08:12 kid1| Max Swap size: 0 KB
2019/05/27 04:08:12 kid1| Using Least Load store dir selection
2019/05/27 04:08:12 kid1| Set Current Directory to /var/spool/squid
2019/05/27 04:08:12 kid1| Finished loading MIME types and icons.
2019/05/27 04:08:12 kid1| HTCP Disabled.
2019/05/27 04:08:12 kid1| Squid plugin modules loaded: 0
2019/05/27 04:08:12 kid1| Adaptation support is off.
2019/05/27 04:08:12 kid1| Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 12 flags=9
2019/05/27 04:08:13 kid1| storeLateRelease: released 0 objects
2019/05/27 04:08:22 kid1| Starting new negotiateauthenticator helpers...
2019/05/27 04:08:22 kid1| helperOpenServers: Starting 1/10 'negotiate_wrapper' processes
negotiate_kerberos_auth.cc(489): pid=7586 :2019/05/27 04:08:22| negotiate_kerberos_auth: INFO: Starting version 3.1.0sq
negotiate_kerberos_auth.cc(548): pid=7586 :2019/05/27 04:08:22| negotiate_kerberos_auth: INFO: Setting keytab to FILE:/etc/krb5.keytab
negotiate_kerberos_auth.cc(572): pid=7586 :2019/05/27 04:08:22| negotiate_kerberos_auth: INFO: Changed keytab to MEMORY:negotiate_kerberos_auth_7586
directory_create_or_exist_strict: invalid ownership on directory /var/cache/samba/msg.lock
cmdline_messaging_context: Unable to initialize messaging context.
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[Global]"
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Got NTLMSSP neg_flags=0xe2088297
Got user=[user01] domain=[mydomain] workstation=[MYPC] len1=24 len2=304
Login for user [mydomain]\[user01]@[MYPC] failed due to [Reading winbind reply failed!]
GENSEC login failed: NT_STATUS_UNSUCCESSFUL
2019/05/27 04:08:22 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL; }}
Some questions I have:
1) About the message:
directory_create_or_exist_strict: invalid ownership on directory /var/cache/samba/msg.lock
cmdline_messaging_context: Unable to initialize messaging context.
Checking the permissions, it has 755, so I really do not understand why it's showing this. I don't know if there is some ownership rule or something like this...
2) About the message:
Login for user [mydomain]\[user01]@[MYPC] failed due to [Reading winbind reply failed!]
I tried debugging Samba, but I see no message indicating anything here. Any help would be really appreciated.
3) Is there any example configuration for Squid 4 + Samba 4 + Active Directory? Sorry for this, but I see tons of information about Active Directory for Samba 4 and Squid3, but not much about the configuration I'm trying to set up.
I see several differences, for instance:
1) Use of "negotiate_wrapper".
2) Several files located in /var/lib/squid, for which I do not see the equivalents among the ones listed for Squid3 and visible in tons of documentation.
3) Some docs say NTLM is deprecated, while some still show ntlm_auth in config files. This is why I really need to see if there is any example for this config...
Thanks a lot in advance for your time and attention, and best regards.
--
HeCSa
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
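Added here as a worked example; it is not part of the original post and is not code from the Squid or Samba projects. It is a preflight script for the account the Squid auth helpers run as, covering the two conditions the helper output above complains about: Samba's directory_create_or_exist_strict() compares the directory owner with the calling uid, so a 755 mode alone never satisfies it, and ntlm_auth in squid-2.5-ntlmssp helper mode reaches winbindd through the privileged pipe directory, which the helper user has to be able to enter. The helper user name (`proxy`, to be matched against cache_effective_user in squid.conf) and the Samba directory paths are assumptions, not values taken from the post; GNU `stat` is assumed as well.

```shell
#!/bin/sh
# Added example, not from the original post or the Squid/Samba projects.
# Preflight checks for the user that Squid's auth helpers run as.
# Assumptions (not stated in the post): HELPER_USER is the account in
# squid.conf's cache_effective_user ("proxy" is only a placeholder), the
# Samba paths are the usual distro defaults, and stat(1) is GNU stat.

HELPER_USER="${HELPER_USER:-proxy}"
SAMBA_LOCK_DIR="${SAMBA_LOCK_DIR:-/var/cache/samba}"
WINBIND_PRIV_DIR="${WINBIND_PRIV_DIR:-/var/lib/samba/winbindd_privileged}"

# owned_by DIR USER: 0 if DIR exists and its owner is USER, else 1.
# Samba's directory_create_or_exist_strict() compares the owner of the
# directory with the calling uid; mode bits such as 755 do not satisfy it.
owned_by() {
    dir=$1; user=$2
    [ -d "$dir" ] || return 1
    owner=$(stat -c %U "$dir" 2>/dev/null) || return 1
    [ "$owner" = "$user" ]
}

# group_can_enter DIR USER: 0 if USER is a member of DIR's group and that
# group has the execute (traverse) bit on DIR, else 1. The winbindd
# privileged pipe directory is normally root-owned with group access only,
# so this is the access path the helper user depends on.
group_can_enter() {
    dir=$1; user=$2
    [ -d "$dir" ] || return 1
    grp=$(stat -c %G "$dir" 2>/dev/null) || return 1
    mode=$(stat -c %a "$dir" 2>/dev/null) || return 1
    # second-to-last octal digit is the group triplet; bit 0 is execute
    gdigit=$(expr "$mode" : '.*\(.\).')
    [ -n "$gdigit" ] || return 1
    [ $(( gdigit & 1 )) -eq 1 ] || return 1
    id -nG "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$grp"
}

# preflight: run the checks, print one line per result, and return the
# number of failed checks so a deploy script can act on it.
preflight() {
    fails=0
    if id "$HELPER_USER" >/dev/null 2>&1; then
        echo "OK   helper user $HELPER_USER exists"
    else
        echo "FAIL helper user $HELPER_USER does not exist"
        fails=$((fails + 1))
    fi
    if owned_by "$SAMBA_LOCK_DIR/msg.lock" "$HELPER_USER"; then
        echo "OK   $SAMBA_LOCK_DIR/msg.lock is owned by $HELPER_USER"
    else
        echo "FAIL $SAMBA_LOCK_DIR/msg.lock is not owned by $HELPER_USER (strict check looks at owner, not mode)"
        fails=$((fails + 1))
    fi
    if group_can_enter "$WINBIND_PRIV_DIR" "$HELPER_USER"; then
        echo "OK   $HELPER_USER can enter $WINBIND_PRIV_DIR via its group"
    else
        echo "FAIL $HELPER_USER cannot enter $WINBIND_PRIV_DIR (add it to the directory's group)"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Only run when asked, so the file can also be sourced for its functions.
if [ "${PREFLIGHT_RUN:-0}" = 1 ]; then
    preflight
fi
```

Run it on the proxy host as `HELPER_USER=proxy PREFLIGHT_RUN=1 sh squid-samba-preflight.sh`; the exit status is the number of failed checks. The privileged-pipe check is the usual first thing to verify when ntlm_auth cannot talk to winbindd; whether the msg.lock ownership warning is fatal on its own is not something the post settles, so the script only reports what the strict check is actually testing.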