Hello!
Im using squid2.6STABLE9 on RHEL4 and trying to setup authentication
on a domain controller using smb_auth.sh. When i browse web, i get a
popup to enter login and password but it doesnt authenticate.
I modified the script smb_auth.sh and i can check that it works
correctly ie when i enter correct login+password it returns 0 else it
returns 1.
#./smb_auth.sh
Test1 badpasswd
# echo $?
1
#./smb_auth.sh
Test1 goodpasswd
# echo $?
0
Can you help me debugging ?
Thanks in advance.
Christian.
============ smb_auth.sh =========================
#!/bin/bash
# smb_auth - SMB proxy authentication module
# return 0 if allow else return 1
DOMAINNAME=MYDOM
DBGLOG=/var/log/squid/authinfo
AUTHSHARE=netlogon
AUTHFILE=proxyauth
read INFO
echo "INFO=$INFO" >> $DBGLOG
SMBUSER=${INFO% *}
SMBPASS=${INFO#* }
echo "SMBUSER=$SMBUSER SMPASS=$SMBPASS" >> $DBGLOG
dcip=192.168.100.250
dcname=mydc
# Read the contents of the file $AUTHFILE on the $AUTHSHARE share
authinfo=`/usr/bin/smbclient "//$dcname/$AUTHSHARE" "$SMBPASS" -I
$dcip -d 0 -U $SMBUSER -W "$DOMAINNAME" -c 'get \\proxyauth -'
2>/dev/null`
echo "authinfo=$authinfo" >> $DBGLOG
# Allow for both \n and \r\n end-of-line termination
[ "$authinfo" = "allow" -o "$authinfo" = "allow" ] || exit 1
exit 0
============ squid.conf =========================
# debug opts
debug_options ALL,1 28,20
http_port 8080
cache_peer 127.0.0.1 parent 3128 3130 no-query default
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \? \.cgi \.pl \.php3 \.asp
no_cache deny QUERY
cache_mem 640 MB
cache_effective_user squid
cache_effective_group squid
cache_dir ufs /var/spool/squid 5000 16 256
auth_param basic program /usr/local/squid/libexec/smb_auth.sh
auth_param basic children 5
auth_param basic realm SQUID
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https, snews
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl MY_NETWORK src 192.168.100.0/255.255.255.0
acl SECU_NETWORK proxy_auth REQUIRED src 192.168.101.0/255.255.255.0
http_access allow MY_NETWORK
http_access deny !SECU_NETWORK
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname MY_PROXY_NAME
logfile_rotate 10
never_direct allow all
coredump_dir /var/spool/squid
redirector_bypass off
redirect_children 30
redirect_program /opt/Websense/bin/WsRedtor
======= cache.log ==========
2007/05/29 11:54:07| aclCheckFast: list: 0x97b3ad0
2007/05/29 11:54:07| aclMatchAclList: checking all
2007/05/29 11:54:07| aclMatchAcl: checking 'acl all src 0.0.0.0/0.0.0.0'
2007/05/29 11:54:07| aclMatchIp: '192.168.101.3' found
2007/05/29 11:54:07| aclMatchAclList: returning 1
2007/05/29 11:54:08| aclCheck: checking 'http_access allow manager localhost'
2007/05/29 11:54:08| aclMatchAclList: checking manager
2007/05/29 11:54:08| aclMatchAcl: checking 'acl manager proto cache_object'
2007/05/29 11:54:08| aclMatchAclList: no match, returning 0
2007/05/29 11:54:08| aclCheck: checking 'http_access deny manager'
2007/05/29 11:54:08| aclMatchAclList: checking manager
2007/05/29 11:54:08| aclMatchAcl: checking 'acl manager proto cache_object'
2007/05/29 11:54:08| aclMatchAclList: no match, returning 0
2007/05/29 11:54:08| aclCheck: checking 'http_access deny !Safe_ports'
2007/05/29 11:54:08| aclMatchAclList: checking !Safe_ports
2007/05/29 11:54:08| aclMatchAcl: checking 'acl Safe_ports port 80 # http'
2007/05/29 11:54:08| aclMatchAclList: no match, returning 0
2007/05/29 11:54:08| aclCheck: checking 'http_access deny CONNECT !SSL_ports'
2007/05/29 11:54:08| aclMatchAclList: checking CONNECT
2007/05/29 11:54:08| aclMatchAcl: checking 'acl CONNECT method CONNECT'
2007/05/29 11:54:08| aclMatchAclList: no match, returning 0
2007/05/29 11:54:08| aclCheck: checking 'http_access allow MY_NETWORK'
2007/05/29 11:54:08| aclMatchAclList: checking MY_NETWORK
2007/05/29 11:54:08| aclMatchAcl: checking 'acl MY_NETWORK src
192.168.100.0/255.255.255.0'
2007/05/29 11:54:08| aclMatchIp: '192.168.101.3' NOT found
2007/05/29 11:54:08| aclMatchAclList: no match, returning 0
2007/05/29 11:54:08| aclCheck: checking 'http_access deny !SECU_NETWORK'
2007/05/29 11:54:08| aclMatchAclList: checking !SECU_NETWORK
2007/05/29 11:54:08| aclMatchAcl: checking 'acl SECU_NETWORK
proxy_auth REQUIRED src 192.168.101.0/255.255.255.0'
2007/05/29 11:54:08| aclMatchAcl: returning 0 sending credentials to helper.
2007/05/29 11:54:08| aclMatchAclList: no match, returning 0
2007/05/29 11:54:08| aclCheck: checking password via authenticator
2007/05/29 11:54:08| aclCheck: checking 'http_access deny !SECU_NETWORK'
2007/05/29 11:54:08| aclMatchAclList: checking !SECU_NETWORK
2007/05/29 11:54:08| aclMatchAcl: checking 'acl SECU_NETWORK
proxy_auth REQUIRED src 192.168.101.0/255.255.255.0'
2007/05/29 11:54:08| aclMatchAcl: returning 0 sending authentication challenge.
2007/05/29 11:54:08| aclMatchAclList: no match, returning 0
2007/05/29 11:54:08| aclCheck: requiring Proxy Auth header.
2007/05/29 11:54:08| aclCheck: match found, returning 2
2007/05/29 11:54:08| aclCheckCallback: answer=2
2007/05/29 11:54:08| WARNING: basicauthenticator #3 (FD 38) exited
2007/05/29 11:54:08| Too few basicauthenticator processes are running
2007/05/29 11:54:08| Starting new helpers
2007/05/29 11:54:08| helperOpenServers: Starting 5 'smb_auth.sh' processes
Received on Tue May 29 2007 - 06:24:38 MDT
This archive was generated by hypermail pre-2.1.9 : Fri Jun 01 2007 - 12:00:05 MDT