I'm having some difficulty implementing Group Authentication via Winbind
and Samba with Squid 3.0 PRE3.
I've compiled Samba 2.2.8 with the following settings:
./configure --with-winbind --with-winbind-auth-challenge --with-winbind-ldap-hack
And I successfully joined my Linux box (RedHat 7.3 with 2.4.18-3 Kernel)
to my NT Domain.
Here is the smb.conf file that I'm using:
---------------------------------
[global]
workgroup = DOMAINNAME
security = domain
encrypt passwords = yes
password server = *
wins server = <Wins servers IP Addresses>
template homedir = /home/%D/%U
template shell = /bin/bash
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
[test]
comment = For testing only, please
path = /usr/local/samba/tmp
read only = no
guest ok = yes
----------------------------------
All tests with wbinfo went OK.
Then I compiled Squid with the following configuration:
Squid Cache: Version 3.0-PRE3-20030924
configure options: '--prefix=/usr/local/squid' '--enable-useragent-log'
'--enable-snmp' '--enable-cache-digests'
'--enable-default-err-language=Italian' '--disable-ident-lookups'
'--enable-delay-pools' '--enable-auth=ntlm'
'--enable-external-acl-helpers=winbind_group'
'--enable-ntlm-authentication' '--enable-ntlm-auth-helpers=SMB fakeauth
no_check winbind' '--bindir=/usr/bin' '--sbindir=/usr/sbin'
'--libexecdir=/usr/lib/squid' '--datadir=/usr/lib/squid'
'--sysconfdir=/etc/squid' '--localstatedir=/var/spool/squid'
'--libdir=/usr/lib/squid' '--mandir=/usr/man'
'--with-samba=/root/samba-2.2.8a/source'
I tested the wb_group helper with the -d option and it went OK:
/usr/lib/squid/wb_group -d
DOMAIN\\username grouptocheck
Then I configured the following lines inside my squid.conf:
auth_param ntlm program /usr/lib/squid/wb_ntlmauth
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 20
auth_param ntlm max_challenge_lifetime 15 minutes
external_acl_type wb_group concurrency=5 ttl=900 %LOGIN /usr/lib/squid/wb_group
acl webaccess external wb_group -i "/etc/squid/webaccess"
http_access allow webaccess
When I try to browse the Internet through Squid I get the following line
inside winbindd, and IE receives a REJECTED page.
[2003/09/26 12:49:03, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(146)
[14259]: pam auth crap domain: DOMAIN user: USERNAME
This instead is what I see if I try to use the wb_group helper from the
command line as described above:
/wb_group[14310](wb_check_group.c:367): Got 'DOMAIN\\USERNAME WebAccess'
from Squid (length: 26).
[2003/09/26 12:50:17, 3] nsswitch/winbindd_group.c:winbindd_getgroups(790)
[14310]: getgroups DOMAIN\USERNAME
What am I doing wrong?
Received on Fri Sep 26 2003 - 04:55:40 MDT
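
The group-check step seen in the wb_group debug output above, as an added example that is not part of the original post and is not Squid's wb_group source. It assumes the request line is "user group ..." with backslashes escaped as in the logged 26-character line, that the helper answers OK or ERR, and that names compare case-insensitively; SAMPLE_GROUPS is a constructed table standing in for winbindd's getgroups reply.

```python
import sys

# Constructed membership data (assumption), in place of a real winbindd lookup.
SAMPLE_GROUPS = {
    r"DOMAIN\USERNAME": {"Domain Users", "WebAccess"},
    r"DOMAIN\OTHER": {"Domain Users"},
}

def split_request(line):
    """Split a request line on whitespace, undoing backslash escapes."""
    tokens, cur, escaped = [], [], False
    for ch in line.rstrip("\r\n"):
        if escaped:                 # previous char was a backslash: take literally
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch.isspace():
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if escaped:                     # lone trailing backslash is kept as-is
        cur.append("\\")
    if cur:
        tokens.append("".join(cur))
    return tokens

def check_request(line, membership=SAMPLE_GROUPS):
    """Return 'OK' if the user is in any requested group, else 'ERR'."""
    tokens = split_request(line)
    if len(tokens) < 2:             # need a user and at least one group
        return "ERR"
    user, wanted = tokens[0].lower(), {g.lower() for g in tokens[1:]}
    for name, groups in membership.items():
        if name.lower() == user:
            return "OK" if wanted & {g.lower() for g in groups} else "ERR"
    return "ERR"                    # unknown user, or escaping was lost upstream

if __name__ == "__main__":
    # One reply per request line, flushed so the caller is never left waiting.
    for request in sys.stdin:
        print(check_request(request), flush=True)
```

A line that arrives with a single unescaped backslash decodes to DOMAINUSERNAME and is answered ERR, so comparing the raw line the helper logs against what was typed by hand is a useful first check.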