[squid-users] SQUID+NTLM auth and pdc on the same machine

From: Victor Medina <vittico_at_gmail.com>
Date: Wed, 1 Apr 2009 14:56:01 +1930

Hi Guys!

Probably this is not the best place to ask, I'll try anyway... =)

I've been trying to configure a Samba PDC and a Squid Proxy server
with NTLM auth on the same machine but NTLM_AUTH keeps complaining
about: NT_STATUS_INVALID_HANDLE.... I have other machines running
Squid and Authenticating against a Samba Server but on different
machines, this is the first time I try both on the same machine.

Can I use Squid+NTLM Auth and Samba configured as PDC on the same
machine? Is there any winbind issue with this kind of configuration?

I'm using SLES10+SP2
Samba version as reported by rpm is 3.0.32-0.8
Squid version as reported by rpm is 2.5.STABLE12-18.13

-------------------------------------------------
This is my smb.conf

[global]
       dos charset = 850
       unix charset = ISO8859-1
       workgroup = C1.SV
       netbios name = PDCSRVC1SV
       server string =
       interfaces = eth0
       bind interfaces only = Yes
       map to guest = Bad Password
       passdb backend = ldapsam:ldap://127.0.0.1
       guest account = Invitado
       time server = Yes
       deadtime = 20
       socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
       printcap name = cups
       logon path =
       logon home =
       domain logons = Yes
       os level = 65
       preferred master = Yes
       domain master = Yes
       wins support = Yes
       ldap admin dn = cn=Administrador,o=Ferreteria EPA
       ldap delete dn = Yes
       ldap group suffix = ou=group
       ldap machine suffix = ou=people
       ldap passwd sync = Yes
       ldap suffix = ou=c1,c=sv,o=Ferreteria EPA
       ldap user suffix = ou=people
       idmap domains = DEFAULT
       idmap alloc backend = ldap
       idmap alloc config:range = 10000-100000
       idmap alloc config:ldap_url = ldap://127.0.0.1
       idmap alloc config:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
       idmap alloc config:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
       idmap config DEFAULT:range = 10000-100000
       idmap config DEFAULT:ldap_url = ldap://127.0.0.1
       idmap config DEFAULT:ldap_user_dn = cn=Administrador,o=Ferreteria EPA
       idmap config DEFAULT:ldap_base_dn = ou=idmap,ou=c1,c=sv,o=Ferreteria EPA
       idmap config DEFAULT:default = yes
       idmap config DEFAULT:readonly = no
       idmap config DEFAULT:backend = ldap
       ldapsam:editposix = yes
       ldapsam:trusted = yes
       create mask = 0640
       force create mode = 0640
       directory mask = 0750
       force directory mode = 0750
       case sensitive = No
       dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd

My relevant squid.conf lines...

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp C1.SV/PDCSRVC1SV
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic C1.SV/PDCSRVC1SV
auth_param ntlm children 100
auth_param basic children 100
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

The pdc works as expected, machine join works like a charm, users and
groups management works equally right, all accounts are placed in the
LDAP, getent passwd, groups and shadow show the ldap accounts

I also did a few tests with wbinfo

e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo -u
invitado
usuarioprueba
e01ggen
e01glogis
e01gcont
e01jcomp1
e01jcomp2
e01jcomp3
e01jcomp4
e01jrepo
e01jreclu
e01rrece
e01gcom
e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo -g
BUILTIN
BUILTIN
domain users
domain admins
domain guests
grupoprueba
gcentralsv
gcompras
gcontrol
ggerencia
glogistica
gmercadeo
gpersonal
gventas
gjefecompras
gjefecontrol
gjefelogistica
gjefepersonal
e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo --all-domains
C1.SV

I also made sure squid users can read /var/lib/samba/winbindd_privileged

I also noted this error:

e01ssvsai:/var/lib/samba/winbindd_privileged # wbinfo --authenticate=administrator%12345678
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user administrator%12345678 with plaintext password
winbind separator was NULL!
challenge/response password authentication failed
error code was NT_STATUS_INVALID_HANDLE (0xc0000008)
error messsage was: Invalid handle
Could not authenticate user administrator with challenge/response

Does someone have any idea of what could go wrong? When I use squid and
samba on different machines I usually join the squid machine to the
domain using a net join, is this necessary when the pdc and squid are
on the same machine?

Victor Medina

Samuel Goldwyn - "I don't think anyone should write their
autobiography until after they're dead."
Received on Tue Mar 31 2009 - 19:27:44 MDT
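Added example (not from the thread, and not Squid or Samba project code): a small checker that parses the smb.conf [global] section and the squid.conf auth_param lines posted above and flags the mismatches that most often break the ntlm_auth helper: a --helper-protocol that does not fit the Squid auth scheme, a trailing DOMAIN/HOST argument that disagrees with the workgroup / netbios name in smb.conf, and a winbindd_privileged directory that the user Squid runs as cannot traverse (ntlm_auth runs as that user and needs the privileged winbindd pipe inside it). The directory check takes mode bits and ids as parameters instead of touching the filesystem, and the uid/gid values used at the bottom are constructed, so it runs anywhere. What ntlm_auth itself does with the trailing C1.SV/PDCSRVC1SV argument is not asserted here; the checker only verifies that it agrees with smb.conf.

```python
"""Consistency checks for a Squid + ntlm_auth + winbindd setup (added example)."""
import re
import stat

# Constructed sample input: the relevant keys from the thread, with the
# squid.conf helper lines un-wrapped onto one line each.
SMB_CONF = """
[global]
       workgroup = C1.SV
       netbios name = PDCSRVC1SV
       domain logons = Yes
       wins support = Yes
"""

SQUID_CONF = """
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp C1.SV/PDCSRVC1SV
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic C1.SV/PDCSRVC1SV
auth_param ntlm children 100
auth_param basic children 100
"""

# Helper protocol ntlm_auth must speak for each Squid 2.5 auth scheme.
EXPECTED_PROTOCOL = {"ntlm": "squid-2.5-ntlmssp", "basic": "squid-2.5-basic"}


def parse_smb_global(text):
    """Return the [global] key/value pairs of an smb.conf, keys lowercased."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).lower()
        elif section == "global" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    return values


def parse_auth_helpers(text):
    """Return (scheme, program, args) for every 'auth_param <scheme> program' line."""
    helpers = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) >= 4 and parts[0] == "auth_param" and parts[2] == "program":
            helpers.append((parts[1], parts[3], parts[4:]))
    return helpers


def check_helpers(smb, helpers):
    """Cross-check each ntlm_auth helper line against smb.conf; return findings."""
    findings = []
    workgroup = smb.get("workgroup", "").upper()
    netbios = smb.get("netbios name", "").upper()
    for scheme, program, args in helpers:
        if not program.endswith("ntlm_auth"):
            continue
        proto = next((a.split("=", 1)[1] for a in args
                      if a.startswith("--helper-protocol=")), None)
        if proto != EXPECTED_PROTOCOL.get(scheme):
            findings.append(f"{scheme}: helper protocol {proto!r} does not fit scheme")
        # The thread passes a trailing DOMAIN/HOST argument; it should at
        # least agree with what smb.conf says about this server.
        positional = [a for a in args if not a.startswith("--")]
        if positional:
            dom, _, host = positional[-1].partition("/")
            if dom.upper() != workgroup:
                findings.append(f"{scheme}: domain {dom!r} != workgroup {workgroup!r}")
            if host and host.upper() != netbios:
                findings.append(f"{scheme}: host {host!r} != netbios name {netbios!r}")
    return findings


def privileged_dir_accessible(mode, dir_uid, dir_gid, uid, gids):
    """True if a process running as (uid, gids) can traverse winbindd_privileged.

    Only the x bit that applies to that user matters for reaching the pipe
    inside; the usual fix is chgrp to Squid's group plus mode 0750.
    """
    if uid == 0:
        return True                      # root bypasses mode bits
    if uid == dir_uid:
        return bool(mode & stat.S_IXUSR)
    if dir_gid in gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


if __name__ == "__main__":
    smb = parse_smb_global(SMB_CONF)
    report = check_helpers(smb, parse_auth_helpers(SQUID_CONF))
    for line in report or ["helper lines agree with smb.conf"]:
        print(line)
    # Constructed ids: squid runs as uid 30 with gid 8; dir is root:8, 0750.
    print("winbindd_privileged reachable:",
          privileged_dir_accessible(0o750, 0, 8, 30, {8}))
```

Run against the posted configuration the helper lines come back consistent, so a remaining NT_STATUS_INVALID_HANDLE would have to be looked for elsewhere (the privileged pipe access, or how the helper was started) rather than in the auth_param lines themselves.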