No answers to my problem below till now.
Because of another test I guess wbinfo_group is not called by squid:
I created the shell script wbinfogroup.sh:
#!/bin/sh
SQ_DIR=/usr/local/squid
$SQ_DIR/bin/wbinfo_group.pl 2>/tmp/wb.out
stderr is redirected to file /tmp/wb.out. When I log on as user squid and run
this shell script, all works fine. The file /tmp/wb.out contains the expected lines.
squid.conf:
external_acl_type NT_global_group ttl=900 %LOGIN /usr/local/squid/bin/wbinfo_group.sh
When I try to access the internet with IE the request "hangs". Nothing is written
to /tmp/wb.out.
Therefore I guess that the combination of squid and wb_auth does not work
properly.
OS: TRU64 5.1A PK3
Any ideas?
W.Rost
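To check whether the helper is being driven at all, and to see a hang as a reported timeout instead of a stuck browser, here is a small driver that speaks the Squid 2.5 external_acl protocol (one "user group" line on stdin, one "OK"/"ERR" line back on stdout). This is an added example for this thread, not code from Squid or from the poster. It assumes a POSIX system (select() on pipes), and the two stand-in helpers at the bottom are constructed so it runs without winbind; against the real helper you would run it as `python3 drive_helper.py /usr/local/squid/bin/wbinfo_group.sh rost INTERNET_USERS` (path and user/group as in the posts).

```python
"""Send one request to a Squid 2.5 external_acl helper the way Squid does
(one "user group" line on stdin, one "OK"/"ERR" line back on stdout) and
report TIMEOUT instead of waiting forever when the helper never answers.

Added example for this thread; not code from Squid or from the poster.
Assumes a POSIX system (select() on pipes).
"""
import select
import subprocess
import sys


def query_helper(cmd, user, group, timeout=5.0):
    """Start the helper, send "user group", wait up to `timeout` seconds.

    Returns (answer, stderr) where answer is "OK", "ERR" or "TIMEOUT".
    stderr carries the helper's debug output (the "Got ... from squid"
    lines), i.e. what /tmp/wb.out would contain."""
    proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            stderr=subprocess.PIPE, text=True)
    try:
        proc.stdin.write("%s %s\n" % (user, group))
        proc.stdin.flush()
        ready, _, _ = select.select([proc.stdout], [], [], timeout)
        if not ready:
            answer = "TIMEOUT"
        else:
            line = proc.stdout.readline().strip()
            # Squid only looks at the first word of the reply line
            answer = line.split()[0] if line else "ERR"
    finally:
        proc.kill()
        _, err = proc.communicate()
    return answer, err


# Constructed stand-in for wbinfo_group.pl so the driver runs without
# winbind: answers OK only for the one user/group pair from the thread.
STUB_HELPER = [sys.executable, "-c", r"""
import sys
for line in sys.stdin:
    sys.stderr.write("Got %s from squid\n" % line.strip()); sys.stderr.flush()
    user, group = (line.split() + [None, None])[:2]
    print("OK" if (user, group) == ("rost", "INTERNET_USERS") else "ERR", flush=True)
"""]

# Constructed stand-in for a helper that never answers (the "hangs" symptom).
HANGING_HELPER = [sys.executable, "-c", "import time; time.sleep(60)"]


if __name__ == "__main__":
    # usage: drive_helper.py /path/to/helper user group
    helper, user, group = sys.argv[1], sys.argv[2], sys.argv[3]
    ans, err = query_helper([helper], user, group)
    print("answer:", ans)
    sys.stderr.write(err)
```

If the driver gets "OK" but Squid still hangs, the helper itself is fine and the problem is in front of it (Squid never reaching the external ACL, or the authentication exchange that must succeed before %LOGIN has a value); if the driver reports TIMEOUT, the helper is blocking on one of its wbinfo calls.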
---------------------------------------------------------------------------------------------------------
Squid 2.5 S1 works with IE 6 (without SP1).
Now I want to authenticate users against an NT4 user group without asking for
username and password, using NTLM.
I installed samba 2.2.5. "wbinfo -t" gives "secret is good".
squid.conf:
auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/local/squid/libexec/wb_auth
auth_param basic children 5
auth_param basic realm SQUID-Proxy ZF Boge Bonn
auth_param basic credentialsttl 2 hours
authenticate_ip_ttl 90 seconds
external_acl_type NT_global_group ttl=900 %LOGIN /usr/local/squid/bin/wbinfo_group.pl
acl auth_iboge external NT_global_group INTERNET_USERS
http_access allow !intranet_boge auth_iboge
PROBLEM: Access to internet "hangs" for some time and is denied without any
error message. Sometimes it does not end and must be cancelled.
cache.log gives:
2003/01/23 17:30:08| ipcache_gethostbyname: 'www.google.de', flags=1
2003/01/23 17:30:08| aclMatchIp: '216.239.39.101' NOT found
2003/01/23 17:30:08| aclMatchAclList: checking auth_iboge
2003/01/23 17:30:08| aclMatchAcl: checking 'acl auth_iboge external NT_global_group INTERNET_USERS'
2003/01/23 17:30:08| aclMatchExternal: acl="NT_global_group"
2003/01/23 17:30:08| authenticateValidateUser: Validating Auth_user request '0'.
2003/01/23 17:30:08| authenticateValidateUser: Auth_user_request was NULL!
2003/01/23 17:30:08| authenticateAuthenticate: broken auth or no proxy_auth header. Requesting auth header.
2003/01/23 17:30:08| aclMatchAcl: returning 0 sending authentication challenge.
2003/01/23 17:30:08| aclMatchExternal: NT_global_group user not authenticated (0)
2003/01/23 17:30:08| aclMatchAclList: returning 0
2003/01/23 17:30:08| aclCheck: requiring Proxy Auth header.
2003/01/23 17:30:08| cbdataUnlock: 140181a58
2003/01/23 17:30:08| aclCheck: match found, returning 2
2003/01/23 17:30:08| aclCheckCallback: answer=2
2003/01/23 17:30:08| cbdataValid: 1406bac18
2003/01/23 17:30:08| The request GET http://www.google.de/ is DENIED, because it matched 'auth_iboge'
2003/01/23 17:30:08| Access Denied: http://www.google.de/
2003/01/23 17:30:08| AclMatchedName = auth_iboge
2003/01/23 17:30:08| Proxy Auth Message = <null>
Manual testing with wbinfo_group.pl works as expected:
./wbinfo_group.pl
rost INTERNET_USERS
Got rost INTERNET_USERS from squid
User: -rost-
Group: -INTERNET_USERS-
SID: -S-1-5-21-1691762760-2083531834-928725530-2427 2-
GID:
-10001-
Sending OK to squid
OK
# ../sbin/squid -v
Squid Cache: Version 2.5.STABLE1
configure options: --enable-auth=ntlm,basic --enable-external-acl-helpers=winbind_group --enable-basic-auth-helpers=winbind --enable-ntlm-auth-helpers=winbind
#
# cat wbinfo_group.pl
#!/usr/bin/perl -w
#
# external_acl helper to Squid to verify NT Domain group
# membership using wbinfo
#
# This program is put in the public domain by Jerry Murdock
# <jmurdock@itraktech.com>. It is distributed in the hope that it will
# be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
# of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# Author:
# Jerry Murdock <jmurdock@itraktech.com>
#
# Version history:
# 2002-07-05 Jerry Murdock <jmurdock@itraktech.com>
# Initial release
#
use strict;
# external_acl uses shell style lines in its protocol
use Text::ParseWords qw(shellwords);
# Disable output buffering: Squid waits for each answer line
$| = 1;

sub debug {
    # Uncomment this to enable debugging
    print STDERR "@_\n";
}

#
# Check if a user belongs to a group
#
sub check {
    my ($user, $group) = @_;
    # "wbinfo -n" prints "SID type" (the trailing " 2" in the debug
    # output above is the type); keep only the SID
    my ($groupSID) = split ' ', `wbinfo -n \Q$group\E`;
    return 'ERR' unless defined $groupSID;
    my $groupGID = `wbinfo -Y \Q$groupSID\E`;
    chomp $groupGID;
    &debug("User: -$user-\nGroup: -$group-\nSID: -$groupSID-\nGID: -$groupGID-");
    return 'ERR' unless length $groupGID;
    # "wbinfo -r" lists the user's gids one per line; match a whole line
    return 'OK' if (`wbinfo -r \Q$user\E` =~ /^\Q$groupGID\E$/m);
    return 'ERR';
}

#
# Main loop
#
while (<STDIN>) {
    chomp;
    &debug("Got $_ from squid");
    my ($user, $group) = shellwords($_);
    my $ans = (defined $user && defined $group) ? &check($user, $group) : 'ERR';
    &debug("Sending $ans to squid");
    print "$ans\n";
}
Any ideas?
> Kind regards / regards
> Werner Rost
>
> ---------------------------------------------------------------------
> ZF Boge GmbH
> Werner Rost
> IT
> Friesdorfer Str. 175
> D-53175 Bonn
>
>
> phone: +49/228/3825 420
> fax: +49/228/3825 398
> werner.rost@zfboge.com
>
> www.boge-vibrationcontrol.com/
> ---------------------------------------------------------------------
>
>
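The membership logic of wbinfo_group.pl, rewritten in Python as an added example (not the script posted above and not Squid code), with the three wbinfo calls behind one function so the parsing can be exercised against constructed output. It keeps only the SID from `wbinfo -n`, whose output in the debug lines above carries a trailing type field ("... 2"), and matches the gid as a whole line of `wbinfo -r`. The SID and gid 10001 are the ones shown in the post; the other gids in the fake wbinfo table are made up.

```python
"""Group-membership check of a Squid external_acl helper using wbinfo.

Added example for this thread; not the posted wbinfo_group.pl and not
Squid code. The real wbinfo is only used by run_wbinfo(); the rest is
pure parsing so it can be tested with constructed output.
"""
import shlex
import subprocess


def run_wbinfo(*args):
    """Run wbinfo with the given arguments and return its stdout.
    Assumes wbinfo is on PATH (Samba's winbind client)."""
    return subprocess.run(["wbinfo", *args], capture_output=True,
                          text=True, check=False).stdout


def parse_sid(wbinfo_n_output):
    """'wbinfo -n GROUP' prints 'SID type' (type 2 = domain group).
    Return only the SID, or None if the group was not found."""
    fields = wbinfo_n_output.split()
    return fields[0] if fields else None


def user_in_group(wbinfo_r_output, gid):
    """'wbinfo -r USER' prints one numeric gid per line. Compare whole
    lines, so gid 10001 does not match a line reading 100010."""
    return any(line.strip() == gid for line in wbinfo_r_output.splitlines())


def check(user, group, wbinfo=run_wbinfo):
    """Return 'OK' if user is a member of group, else 'ERR'."""
    sid = parse_sid(wbinfo("-n", group))
    if sid is None:
        return "ERR"
    gid = wbinfo("-Y", sid).strip()
    if not gid:
        return "ERR"
    return "OK" if user_in_group(wbinfo("-r", user), gid) else "ERR"


def handle_line(line, wbinfo=run_wbinfo):
    """One request line from Squid: shell-style words 'user group'."""
    try:
        words = shlex.split(line)
    except ValueError:
        return "ERR"
    if len(words) < 2:
        return "ERR"
    return check(words[0], words[1], wbinfo)


# Constructed wbinfo responses for offline testing. The SID and gid 10001
# are the values from the post; 10000 and 100010 are made up.
FAKE_WBINFO = {
    ("-n", "INTERNET_USERS"): "S-1-5-21-1691762760-2083531834-928725530-2427 2\n",
    ("-Y", "S-1-5-21-1691762760-2083531834-928725530-2427"): "10001\n",
    ("-r", "rost"): "10000\n100010\n10001\n",
    ("-r", "guest"): "10000\n100010\n",
}


def fake_wbinfo(*args):
    """Stand-in for run_wbinfo(): unknown queries return empty output,
    as wbinfo does on stdout for a lookup that fails."""
    return FAKE_WBINFO.get(args, "")


if __name__ == "__main__":
    import sys
    # Helper main loop: answer each request line, unbuffered
    for request in sys.stdin:
        print(handle_line(request), flush=True)
```

Note that passing the unstripped "SID 2" string to `wbinfo -Y` is a lookup that fails in the fake table, which is exactly why the SID is cut at the first whitespace before the second call.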
Received on Mon Jan 27 2003 - 09:49:22 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:12:53 MST