Hello List,
my problem is to get users authenticated against an AD.
Versions: Samba-2.2.5
squid-2.5.STABLE1
What I did:
configure samba --
--with-fhs \
--with-quotas \
--with-msdfs \
--with-smbmount \
--with-pam \
--with-acl-support \
--with-pam_smbpass \
--with-syslog \
--with-utmp \
--with-winbind-auth-challenge \
--with-libsmbclient \
--with-winbind-auth-challenge \
--with-winbind \
edit smb.conf (with winbind options)
joined domain
a wbinfo -t gives me: secret is good
a wbinfo --sequence gives me:
"AD2000Domain" : DISCONNECTED ???
"trustedNTDomain" : 166735
I can authenticate a USER to the Domains
a wbinfo -u shows me only the trusted domain groups.
configure squid --
--enable-poll \
--enable-snmp \
--enable-removal-policies="heap,lru" \
--enable-storeio="aufs,coss,diskd,ufs" \
--enable-delay-pools --enable-linux-netfilter \
--with-pthreads \
--enable-auth="ntlm,basic" \
--enable-basic-auth-helpers="LDAP,NCSA,PAM,SMB,MSNT" \
--enable-external-acl-helpers="winbind_group,wbinfo_group" \
--enable-ntlm-auth-helpers="winbind" \
--enable-basic-auth-helpers="winbind"
edit squid.conf with:
auth_param ntlm program /usr/lib/squid/wb_ntlmauth
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/lib/squid/wb_auth
auth_param basic children 5
auth_param basic realm ChoicePoint Proxy server
auth_param basic credentialsttl 2 hours
external_acl_type NT_global_group %LOGIN /usr/lib/squid/wb_group
acl ieuser external NT_global_group Datkom
acl proxy_auth REQUIRED
http_access allow ieuser
The squid debug gives me:
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group user not authenticated (0)
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group user not authenticated (0)
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The request GET http://www.gendorf.hoechst.com/ is DENIED, because it matched 'ieuser'
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The request GET http://www.gendorf.hoechst.com/ is DENIED, because it matched 'ieuser'
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The reply for GET http://www.gendorf.hoechst.com/ is ALLOWED, because it matched 'ieuser'
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The reply for GET http://www.gendorf.hoechst.com/ is ALLOWED, because it matched 'ieuser'
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group user not authenticated (0)
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group user not authenticated (0)
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group user not authenticated (0)
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The request GET http://www.gendorf.hoechst.com/ is DENIED, because it matched 'ieuser'
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group user not authenticated (0)
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The request GET http://www.gendorf.hoechst.com/ is DENIED, because it matched 'ieuser'
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The reply for GET http://www.gendorf.hoechst.com/ is ALLOWED, because it matched 'ieuser'
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The reply for GET http://www.gendorf.hoechst.com/ is ALLOWED, because it matched 'ieuser'
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| clientReadRequest: FD 26: no data to process ((11) Resource temporarily unavailable)
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| clientReadRequest: FD 26: no data to process ((11) Resource temporarily unavailable)
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group user not authenticated (0)
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group user not authenticated (0)
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| authenticateAuthUserRequestSetIp: user 'campus\kaiserm' has been seen at a new IP address (212.68.118.1)
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| authenticateAuthUserRequestSetIp: user 'campus\kaiserm' has been seen at a new IP address (212.68.118.1)
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group("campus\\kaiserm Datkom") = lookup needed
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group("campus\\kaiserm Datkom") = lookup needed
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| externalAclLookup: lookup in 'NT_global_group' for 'campus\\kaiserm Datkom'
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| externalAclLookup: lookup in 'NT_global_group' for 'campus\\kaiserm Datkom'
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| external_acl_cache_add: Adding 'campus\\kaiserm Datkom' = -1
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| external_acl_cache_add: Adding 'campus\\kaiserm Datkom' = -1
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| externalAclHandleReply: reply="(null)"
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| externalAclHandleReply: reply="(null)"
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| external_acl_cache_add: Adding 'campus\\kaiserm Datkom' = 0
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| external_acl_cache_add: Adding 'campus\\kaiserm Datkom' = 0
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group = 0
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group = 0
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The request GET http://www.gendorf.hoechst.com/ is DENIED, because it matched 'ieuser'
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The request GET http://www.gendorf.hoechst.com/ is DENIED, because it matched 'ieuser'
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The reply for GET http://www.gendorf.hoechst.com/ is ALLOWED, because it matched 'ieuser'
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The reply for GET http://www.gendorf.hoechst.com/ is ALLOWED, because it matched 'ieuser'
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| WARNING: NT_global_group #1 (FD 17) exited
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| WARNING: NT_global_group #1 (FD 17) exited
Feb 7 10:32:19 alkippe squid[1580]: WARNING: NT_global_group #1 (FD 17) exited
Feb 7 10:32:19 alkippe squid[1580]: WARNING: NT_global_group #1 (FD 17) exited
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| clientReadRequest: FD 26: no data to process ((11) Resource temporarily unavailable)
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| clientReadRequest: FD 26: no data to process ((11) Resource temporarily unavailable)
Thank you for help
Best regards
Michael Kaiser
Business Unit IT-Services
Network Solutions
InfraServ Gendorf
Received on Fri Feb 07 2003 - 02:04:40 MST
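An added example, not part of the original post: a small Python triage of the Squid debug output quoted above, reducing it to an ordered timeline of external-ACL events so the unauthenticated ACL checks, the helper's null reply and the helper exit stand out. The function names `triage` and `helper_failures` are hypothetical, and collapsing consecutive identical messages assumes the repeats come from the same message being logged twice, as the post's output suggests.

```python
import re

# Sample input: lines copied from the debug output in the post above.
SAMPLE = r"""
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group user not authenticated (0)
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group user not authenticated (0)
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| externalAclLookup: lookup in 'NT_global_group' for 'campus\\kaiserm Datkom'
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| externalAclHandleReply: reply="(null)"
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group = 0
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The request GET http://www.gendorf.hoechst.com/ is DENIED, because it matched 'ieuser'
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| WARNING: NT_global_group #1 (FD 17) exited
Feb 7 10:32:19 alkippe squid[1580]: WARNING: NT_global_group #1 (FD 17) exited
"""

# Strip the syslog prefix so one message logged via two paths compares equal.
PREFIX = re.compile(r"^.*?(?:\d\d:\d\d:\d\d\| |squid\[\d+\]: )")

EVENTS = {
    "unauth_check": re.compile(r"aclMatchExternal: (\S+) user not authenticated"),
    "lookup": re.compile(r"externalAclLookup: lookup in '(\S+)' for '(.+)'$"),
    "helper_reply": re.compile(r'externalAclHandleReply: reply="(.*)"$'),
    "verdict": re.compile(r"aclMatchExternal: (\S+) = (-?\d+)$"),
    "denied": re.compile(r"The request \S+ (\S+) is DENIED, because it matched '(\S+)'"),
    "helper_exit": re.compile(r"WARNING: (\S+) #(\d+) \(FD (\d+)\) exited"),
}

def triage(text):
    """Ordered (event, fields) list; consecutive repeats of one message collapse (assumption)."""
    timeline, last = [], None
    for line in text.splitlines():
        msg = PREFIX.sub("", line.strip())
        if not msg or msg == last:
            continue
        last = msg
        hit = next(((n, m.groups()) for n, rx in EVENTS.items() if (m := rx.match(msg))), None)
        if hit:
            timeline.append(hit)
    return timeline

def helper_failures(timeline):
    """External ACL types whose helper process exited, and whether any reply was null."""
    exited = sorted({f[0] for n, f in timeline if n == "helper_exit"})
    null = any(n == "helper_reply" and f[0] == "(null)" for n, f in timeline)
    return exited, null

if __name__ == "__main__":
    print(triage(SAMPLE), helper_failures(triage(SAMPLE)))
```
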