Hi,
I am trying to use squid with domain authentication and authorisation based
on Windows domain group membership.
I have authentication working, but if I try to combine this with checking
whether the user belongs to the group - failure.
Can someone look and tell me what I am doing wrong? (hence why I am a bigger
idiot than I think...)
Here are my details:
# squid -v
Squid Cache: Version 2.5.STABLE5
configure options: --prefix=/usr --datadir=/usr/share --localstatedir=/var
--sysconfdir=/etc/squid --infodir=/usr/share/info --mandir=/usr/share/man
--enable-snmp --enable-ssl --enable-auth=ntlm,basic
--enable-external-acl-helpers=wbinfo_group
--------
Samba
# smbd -V
Version 3.0.0
smb.conf
# Global parameters
[global]
log file = /var/log/samba/log.%m
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
wins server = 172.21.59.34
encrypt passwords = yes
winbind use default domain = Yes
template shell = /bin/bash
dns proxy = No
netbios name = AUKGPX01
server string = Samba Server
password server = *
idmap uid = 10000-20000
idmap gid = 10000-20000
template homedir = /home/%D/%U
workgroup = KAZ-CORPORATE
winbind enum users = yes
winbind enum groups = yes
os level = 20
security = domain
preferred master = no
max log size = 50
winbind cache time = 10
realm = CORPORATE.KAZ-GROUP.PRIV
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
squid.conf (relevant parts)
# Microsoft IE
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
# Netscape, Mozilla and others
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
external_acl_type NT_global_group %LOGIN /usr/bin/wbinfo_group.pl
acl ProxyUsers external NT_global_group GIT
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow AuthorizedUsers ProxyUsers
results of the various tests:
wbinfo -t
checking the trust secret via RPC calls succeeded
wbinfo -a KAZ-CORPORATE\\lesgeb01%xxxxxxxx
plaintext password authentication succeeded
challenge/response password authentication succeeded
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
lesgeb01 xxxxxxxxxx
OK
# wbinfo_group.pl # (with debug turned on)
kaz-corporate\lesgeb01 GIT
Got kaz-corporate\lesgeb01 GIT from squid
User:kaz-corporate\lesgeb01
Group:GIT
User: -kaz-corporate\lesgeb01-
Group: -GIT-
SID: -S-1-5-21-2194707059-1491904946-811963398-1149-
GID: -10459-
Sending OK to squid
OK
HOWEVER, if I try to use a browser I get "Deny"
and in log.winbindd I have
tail /var/log/samba/log.winbindd
[2004/04/28 13:28:56, 1] nsswitch/winbindd_util.c:add_trusted_domain(149)
Added domain KTSNSW S-1-5-21-4138973905-1476685488-4151052191
[2004/04/28 13:28:56, 1] nsswitch/winbindd_util.c:add_trusted_domains(206)
scanning trusted domain list
[2004/04/28 13:31:12, 1] nsswitch/winbindd_group.c:winbindd_getgroups(959)
user '\LESGEB01' does not exist
<--------------------------------------------
^
|
|
suddenly the domain is "stripped"
[2004/04/28 13:33:49, 1] nsswitch/winbindd_util.c:add_trusted_domains(206)
scanning trusted domain list
[2004/04/28 13:38:49, 1] nsswitch/winbindd_util.c:add_trusted_domains(206)
scanning trusted domain list
Why is winbindd_getgroups trying to get the group for me even though I am using
external_acl_type NT_global_group %LOGIN /usr/bin/wbinfo_group.pl
I understand that I have to do something with the Samba configuration
(nsswitch.conf?)
and/or squid.conf.
Any useful link to documents which show how to do this kind of thing?
Or maybe I have to change the idea of using Samba 3.0.0 and wbinfo_group as an
external helper.
Thank you for your help
leszek.geba@kaz-group.com
Received on Wed Apr 28 2004 - 17:27:40 MDT
This archive was generated by hypermail pre-2.1.9 : Fri Apr 30 2004 - 12:00:03 MDT
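As an added example (not part of the original post, and not Squid's or Samba's own wbinfo_group.pl): a minimal Python 3 external_acl helper in the Squid 2.5 request/reply shape. It normalises whatever %LOGIN value arrives (DOMAIN\user, user@REALM, or a bare user) into a DOMAIN\USER pair before any group lookup, and replies ERR for anything it cannot parse, including a login with an empty domain such as the '\LESGEB01' seen in the winbindd log above, so a malformed login fails closed instead of being passed on. The default domain, the realm-to-domain table and the group membership table are constructed assumptions standing in for winbind so that the script runs offline; a real helper would hand the normalised name to wbinfo.

```python
#!/usr/bin/env python3
"""Squid 2.5-style external_acl helper (added example, not from the original post).

Squid writes one request per line, "<login> <group> [<group>...]", and expects
one reply per line, "OK" or "ERR". Group membership here comes from an
in-memory table (assumption) rather than from wbinfo, so it runs offline.
"""
import sys

# Assumption: the proxy's own workgroup (smb.conf "workgroup" in the post).
# A bare username with no domain part is assumed to belong to this domain.
DEFAULT_DOMAIN = "KAZ-CORPORATE"

# Assumption: Kerberos realm -> NetBIOS domain mapping for user@REALM logins.
REALM_TO_DOMAIN = {
    "CORPORATE.KAZ-GROUP.PRIV": "KAZ-CORPORATE",
}

# Constructed sample data standing in for winbind's view of group membership.
GROUP_MEMBERS = {
    ("KAZ-CORPORATE", "GIT"): {"LESGEB01"},
}


def normalise_login(login, default_domain=DEFAULT_DOMAIN):
    """Return (DOMAIN, USER) upper-cased, or None if the login is unusable.

    Accepts DOMAIN\\user, user@REALM and a bare user. A login whose domain
    part is empty ("\\user", the shape seen in the winbindd log) is rejected
    rather than guessed, as is an unknown realm.
    """
    login = login.strip()
    if not login:
        return None
    if "\\" in login:
        domain, _, user = login.partition("\\")
        if not domain or not user:
            return None
        return domain.upper(), user.upper()
    if "@" in login:
        user, _, realm = login.partition("@")
        domain = REALM_TO_DOMAIN.get(realm.upper())
        if not user or domain is None:
            return None
        return domain.upper(), user.upper()
    return default_domain.upper(), login.upper()


def is_member(login, group):
    """True if the normalised login is in the named group of its domain."""
    parsed = normalise_login(login)
    if parsed is None:
        return False
    domain, user = parsed
    return user in GROUP_MEMBERS.get((domain, group.upper()), set())


def handle_line(line):
    """One helper request -> "OK" or "ERR". Anything malformed is ERR (fail closed)."""
    parts = line.split()
    if len(parts) < 2:
        return "ERR"
    login, groups = parts[0], parts[1:]
    return "OK" if any(is_member(login, g) for g in groups) else "ERR"


def main():
    # Squid keeps the helper running and pipes requests line by line.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Feed it a line by hand the same way the post tests wbinfo_group.pl (for example `kaz-corporate\lesgeb01 GIT` on stdin) and it answers OK; `\LESGEB01 GIT` answers ERR because the empty domain is rejected before any lookup. Replying ERR on every parse failure is deliberate: an external ACL helper sits on the allow path, so ambiguity must never become an allow.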