[squid-users] POP up authentication window in NTLM Proxy with winbind

From: Tanveer Chowdhury <tanveer.chowdhury_at_gmail.com>
Date: Thu, 11 Jun 2009 11:21:07 +0600

Hi all,

I have again run into the problem which I faced earlier: a sudden
pop-up authentication window. It was completely OK and had been running
without any hitch for the last 4/5 months. But a restart of the machine
yesterday made this happen. I now can't find out what the problem is.
Last time I made a lot of changes and modifications, and something in
there did work. But this restart made things bad.

Now I am getting this error:

[root@proxy ~]# tail -1000 /usr/local/squid/var/logs/cache.log |grep failed
 Login for user [DOMAINNAME]\[ad-username]@[PC-4321] failed due to [Reading winbind reply failed!]
 Login for user [DOMAINNAME]\[ad-username]@[PC-1352] failed due to [Reading winbind reply failed!]
 Login for user [DOMAINNAME]\[ad-username]@[PC-1352] failed due to [Reading winbind reply failed!]

I am using RHEL4 update 2; 64 bit.
Squid:
Squid Cache: Version 3.0.STABLE9
configure options: '--enable-auth=ntlm,basic' '--with-winbind-auth-challenge'

DG was also configured 2.9.9.8.

Samba and winbind are default with OS which is
samba-common-3.0.10-1.4E.2
samba-common-3.0.10-1.4E.2
samba-client-3.0.10-1.4E.2
samba-3.0.10-1.4E.2

samba.conf
----------
[global]
workgroup = DOMAINNAME
netbios name = proxy
realm = DOMAINNAME.COM
server string = Linux Samba Server
security = ads
encrypt passwords = Yes
password server = 10.10.xx.xx
log file = /usr/local/samba/var/%m.log
max log size = 50
log level = 3
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = False
local master = No
domain master = False
dns proxy = No
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
idmap uid = 10000-20000
idmap gid = 10000-20000

krb5.conf
---------
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DOMAINNAME.COM
 ticket_lifetiime = 600

[realms]
 DOMAINNAME.COM = {
 kdc = 10.10.xx.xx
 kdc = 10.10.xx.xx
 kdc = abc.domainname.com
 kdc = def.domainname.com
 admin_server = abc.domainname.com
 default_domain = DOMAINNAME.COM
 }

[domain_realm]
 .domainname.com = DOMAINNAME.COM
 domainname.com = DOMAINNAME.COM

[kdc]
 profile = /var/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

nsswitch.conf
-------------
passwd: compat winbind
group: compat winbind
shadow: compat

hosts: files dns wins
networks: files dns
protocols: db files
services: db files
ethers: db files
rpc: db files

wbinfo -u and wbinfo -g work. ntlm_auth --username=ad-username also
works. wbinfo -t also works but takes around 2 minutes to give the
output "checking the trust secret via RPC calls succeeded".

klist also shows the ticket.

Please help with any idea of what could have gone wrong. This pop-up
authentication window is a pain. If you press ESC, it gives a page
with cache Access Denied. But if you then click Refresh, it works.
Received on Thu Jun 11 2009 - 05:21:12 MDT
