[squid-users] auth. user against AD group

From: <KaiserM@dont-contact.us>
Date: Fri, 7 Feb 2003 10:04:24 +0100

Hello List,

my problem is to get users authenticated against an AD.

Versions: Samba-2.2.5
          squid-2.5.STABLE1

What I did:
         configure samba --
                 --with-fhs \
                 --with-quotas \
                 --with-msdfs \
                 --with-smbmount \
                 --with-pam \
                 --with-acl-support \
                 --with-pam_smbpass \
                 --with-syslog \
                 --with-utmp \
                 --with-winbind-auth-challenge \
                 --with-libsmbclient \
                 --with-winbind-auth-challenge \
                 --with-winbind \

         edit smb.conf (with winbind options)
         joined domain
                 a wbinfo -t gives me: secret is good
                 a wbinfo --sequence gives me:
                         "AD2000Domain" : DISCONNECTED ???
                         "trustedNTDomain" : 166735

                 I can authenticate a USER to the Domains
                 a wbinfo -u shows me only the trusted domain groups.

         configure squid --
                 --enable-poll \
                 --enable-snmp \
                 --enable-removal-policies="heap,lru" \
                 --enable-storeio="aufs,coss,diskd,ufs" \
                 --enable-delay-pools --enable-linux-netfilter \
                 --with-pthreads \
                 --enable-auth="ntlm,basic" \
                 --enable-basic-auth-helpers="LDAP,NCSA,PAM,SMB,MSNT" \
                 --enable-external-acl-helpers="winbind_group,wbinfo_group" \
                 --enable-ntlm-auth-helpers="winbind" \
                 --enable-basic-auth-helpers="winbind"

         edit squid.conf with:
                 auth_param ntlm program /usr/lib/squid/wb_ntlmauth
                 auth_param ntlm children 5
                 auth_param ntlm max_challenge_reuses 0
                 auth_param ntlm max_challenge_lifetime 2 minutes
                 auth_param basic program /usr/lib/squid/wb_auth
                 auth_param basic children 5
                 auth_param basic realm ChoicePoint Proxy server
                 auth_param basic credentialsttl 2 hours

                 external_acl_type NT_global_group %LOGIN /usr/lib/squid/wb_group
                 acl ieuser external NT_global_group Datkom
                 acl proxy_auth REQUIRED
                 http_access allow ieuser

The squid debug gives me:
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group user not authenticated (0)
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group user not authenticated (0)
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The request GET http://www.gendorf.hoechst.com/ is DENIED, because it matched 'ieuser'
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The request GET http://www.gendorf.hoechst.com/ is DENIED, because it matched 'ieuser'
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The reply for GET http://www.gendorf.hoechst.com/ is ALLOWED, because it matched 'ieuser'
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The reply for GET http://www.gendorf.hoechst.com/ is ALLOWED, because it matched 'ieuser'
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group user not authenticated (0)
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group user not authenticated (0)
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group user not authenticated (0)
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The request GET http://www.gendorf.hoechst.com/ is DENIED, because it matched 'ieuser'
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group user not authenticated (0)
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The request GET http://www.gendorf.hoechst.com/ is DENIED, because it matched 'ieuser'
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The reply for GET http://www.gendorf.hoechst.com/ is ALLOWED, because it matched 'ieuser'
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The reply for GET http://www.gendorf.hoechst.com/ is ALLOWED, because it matched 'ieuser'
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| clientReadRequest: FD 26: no data to process ((11) Resource temporarily unavailable)
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| clientReadRequest: FD 26: no data to process ((11) Resource temporarily unavailable)
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group user not authenticated (0)
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group user not authenticated (0)
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| authenticateAuthUserRequestSetIp: user 'campus\kaiserm' has been seen at a new IP address (212.68.118.1)
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| authenticateAuthUserRequestSetIp: user 'campus\kaiserm' has been seen at a new IP address (212.68.118.1)
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group("campus\\kaiserm Datkom") = lookup needed
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group("campus\\kaiserm Datkom") = lookup needed
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| externalAclLookup: lookup in 'NT_global_group' for 'campus\\kaiserm Datkom'
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| externalAclLookup: lookup in 'NT_global_group' for 'campus\\kaiserm Datkom'
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| external_acl_cache_add: Adding 'campus\\kaiserm Datkom' = -1
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| external_acl_cache_add: Adding 'campus\\kaiserm Datkom' = -1
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| externalAclHandleReply: reply="(null)"
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| externalAclHandleReply: reply="(null)"
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| external_acl_cache_add: Adding 'campus\\kaiserm Datkom' = 0
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| external_acl_cache_add: Adding 'campus\\kaiserm Datkom' = 0
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group = 0
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group = 0
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The request GET http://www.gendorf.hoechst.com/ is DENIED, because it matched 'ieuser'
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The request GET http://www.gendorf.hoechst.com/ is DENIED, because it matched 'ieuser'
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The reply for GET http://www.gendorf.hoechst.com/ is ALLOWED, because it matched 'ieuser'
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The reply for GET http://www.gendorf.hoechst.com/ is ALLOWED, because it matched 'ieuser'
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| WARNING: NT_global_group #1 (FD 17) exited
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| WARNING: NT_global_group #1 (FD 17) exited
Feb 7 10:32:19 alkippe squid[1580]: WARNING: NT_global_group #1 (FD 17) exited
Feb 7 10:32:19 alkippe squid[1580]: WARNING: NT_global_group #1 (FD 17) exited
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| clientReadRequest: FD 26: no data to process ((11) Resource temporarily unavailable)
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| clientReadRequest: FD 26: no data to process ((11) Resource temporarily unavailable)

Thank you for your help
Kind regards

        Michael Kaiser
        Business Unit IT-Services
        Network Solutions
        InfraServ Gendorf
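For readers following the thread, this is an added example (not from the post above, nor from the Samba or Squid projects) of the line protocol that an `external_acl_type` helper such as `wb_group` speaks: one request per line on stdin, space-separated fields as laid out in the `external_acl_type` format string (`%LOGIN` plus the group arguments from the `acl` line, here `campus\kaiserm Datkom`), and exactly one `OK` or `ERR` reply per request on stdout. The group table is a constructed stand-in for the winbind lookup; the `%`-decoding of fields is an assumption about how Squid escapes fields containing special characters. The point it illustrates is the `externalAclHandleReply: reply="(null)"` followed by `WARNING: NT_global_group #1 (FD 17) exited` in the log: that pair is what Squid records when a helper dies without answering, and a helper written to answer `ERR` on anything it cannot parse never produces it. The `user not authenticated (0)` lines are separate: an ACL using `%LOGIN` only has a login to look up once the request has passed a `proxy_auth` ACL earlier in `http_access`.

```python
#!/usr/bin/env python3
"""Minimal Squid external ACL helper for %LOGIN group checks.

Added example, not code from the original post or from Samba/Squid.
It implements the external_acl_type line protocol: one request per
line on stdin, fields separated by spaces, one "OK"/"ERR" per request
on stdout.  The group table is constructed sample data.
"""
import sys
from urllib.parse import unquote

# Constructed sample data: AD group -> members, all lower-case.
# A real helper would query winbind here instead of a dict.
GROUP_MEMBERS = {
    "datkom":    {"campus\\kaiserm", "campus\\mustermann"},
    "dom_users": {"campus\\kaiserm", "campus\\mustermann", "campus\\guest"},
}


def parse_request(line):
    """Split one request line into (user, [group, ...]).

    Assumption: Squid %-escapes fields with special characters, so
    'campus%5Ckaiserm Datkom' may arrive for 'campus\\kaiserm Datkom';
    unquote() is a no-op on unescaped input.  Returns None when the
    line has fewer than two fields (no user or no group).
    """
    fields = [unquote(f) for f in line.strip().split()]
    if len(fields) < 2:
        return None
    return fields[0], fields[1:]


def normalize_user(user):
    # Winbind hands Squid DOMAIN\user (the log shows 'campus\kaiserm');
    # AD names are case-insensitive, so compare in lower case.
    return user.lower()


def decide(line, members=GROUP_MEMBERS):
    """Return the reply Squid expects for one request line.

    'OK' if the user is a member of at least one listed group (wb_group
    also treats several group arguments as "any of"), otherwise 'ERR'.
    Malformed input yields 'ERR' instead of an exception, so the helper
    never exits mid-conversation; an exit without a reply is what Squid
    logs as reply="(null)" followed by "helper ... exited".
    """
    parsed = parse_request(line)
    if parsed is None:
        return "ERR"
    user, groups = parsed
    u = normalize_user(user)
    for group in groups:
        if u in members.get(group.lower(), set()):
            return "OK"
    return "ERR"


def main():
    # Squid blocks on each reply, so every line must be answered and
    # flushed immediately; block-buffered stdout would stall the proxy.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

To try it by hand, pipe a request line into the script (`printf 'campus\\kaiserm Datkom\n' | python3 helper.py`) and confirm one `OK` comes back; feed it an empty line or a bare user name and it answers `ERR` and keeps running, which is the behaviour Squid relies on from every helper child.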
Received on Fri Feb 07 2003 - 02:04:40 MST