Hello,

I'm having a small problem: a few minutes after logging into the domain via 
Samba, Squid stops authenticating users through single sign-on and keeps 
prompting for credentials in the browser, over and over.
Below are my settings and error logs.
smb.conf
# smb.conf as posted: Samba configured as an Active Directory member
# (security = ads) with winbind, used to validate proxy users.
# Presumably Samba 3.4, going by the samba34 paths - confirm.
# Line breaks restored from the collapsed mailing-list paste; values unchanged.
[global]
workgroup = SALE
netbios name = utmadm
server string = PROXY SERVER
load printers = no
log file = /var/log/samba34/log.%m
pid directory = /var/run/samba34
max log size = 500
# Lower-case here, SALE.BR in krb5.conf. NOTE(review): Kerberos realm names
# are case-sensitive; confirm both files name the same realm in the same case.
realm = sale.br
security = ads
auth methods = winbind
winbind separator = |
encrypt passwords = yes
# Seconds. NOTE(review): 300 s is the same order as the "few minutes" after
# which authentication starts failing - worth checking whether the failures
# line up with cache expiry (not established by the logs shown).
winbind cache time = 300
winbind enum users = yes
winbind enum groups = yes
# Users are accepted without a DOMAIN prefix and mapped to the default domain.
winbind use default domain = yes
idmap uid = 10000-50000
idmap gid = 10000-50000
# This host does not take part in browser elections or act as a logon server.
local master = no
os level = 233
domain master = no
preferred master = no
domain logons = no
wins server = 192.168.8.202
dns proxy = no
# LDAP connections governed by this option are not TLS-protected.
ldap ssl = no
# NOTE(review): SPNEGO is the negotiation step that lets the client side choose
# Kerberos; with security = ads, turning it off is unusual - confirm it is
# intentional and not a leftover from troubleshooting.
client use spnego = no
# "auto" offers SMB signing but does not require it.
server signing = auto
client signing = auto
# auth and winbind are logged at debug level 10. This is troubleshooting
# verbosity: the logs grow quickly and record detailed authentication traffic,
# so keep them readable by root only and lower the level afterwards.
log level = 3 auth:10 winbind:10
krb5.conf
# krb5.conf as posted: Kerberos client settings for the proxy host.
# Line breaks restored from the collapsed mailing-list paste; values unchanged.
[libdefaults]
default_realm = SALE.BR
# Maximum tolerated clock difference, in seconds. Kerberos authentication
# fails when the host and the KDC drift further apart, so time sync matters.
clockskew = 300

[realms]
# NOTE(review): 192.168.0.1 is also the address Squid listens on in squid.conf,
# and default_domain names domain.local rather than sale.br - these look like
# partially redacted values; confirm the real KDC address and DNS domain.
SALE.BR = {
        kdc = 192.168.0.1
        default_domain = domain.local
        admin_server = 192.168.0.1
}

[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON

[domain_realm]
# NOTE(review): this maps hosts under .domain.local to realm DOMAIN.LOCAL,
# which has no entry in [realms]; nothing here maps the sale.br DNS domain
# to SALE.BR. Verify against the actual AD domain name.
.domain.local = DOMAIN.LOCAL

[appdefaults]
# NOTE(review): the closing brace of this pam block is missing from the post
# as archived; the original file may be truncated here.
pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        retain_after_close = false
        minimum_uid = 1
squid.conf
# squid.conf as posted. The first line marks it as generated by a management
# front end, so lasting changes belong in that tool rather than in this file.
# Line breaks restored from the collapsed mailing-list paste; values unchanged.
# Do not edit manually !
http_port 192.168.0.1:8080
icp_port 0

pid_filename /var/run/squid.pid
# Squid, and therefore the ntlm_auth helpers it spawns, runs as user/group
# proxy. The directory listing later in the post shows winbindd_privileged as
# root:proxy with mode drwxr-x---, which gives that group access to the pipe.
cache_effective_user proxy
cache_effective_group proxy
error_directory /usr/local/etc/squid/errors/English
icon_directory /usr/local/etc/squid/icons
visible_hostname localhost
cache_mgr admin@localhost
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
referer_log /var/squid/logs/referer.log
logfile_rotate 0
cache_store_log none
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src  192.168.0.0/255.255.255.0
uri_whitespace strip
dns_nameservers 208.67.222.222
cache_mem 8 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir ufs /var/squid/cache 100 16 256
minimum_object_size 0 KB
maximum_object_size 4 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95

url_rewrite_program /usr/local/bin/redirector
url_rewrite_children 50

# Setup some default acls
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
# NOTE(review): 1025-65535 is in this list, so "deny !safeports" below only
# blocks the low ports that are not named here.
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 5080 3128 1025-65535 5080 81 80 443 21 20
# NOTE(review): besides 443 and 563 this list holds 80, 81, 21, 20 and 5080,
# so "deny CONNECT !sslports" still permits CONNECT tunnels to those plaintext
# service ports. Restricting the list to the TLS ports actually needed keeps
# the CONNECT guard meaningful.
acl sslports port 443 563 5080 5080 81 80 443 21 20
acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
acl dynamic urlpath_regex cgi-bin \?
acl unrestricted_hosts src "/var/squid/acl/unrestricted_hosts.acl"
acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
cache deny dynamic
# Cache manager and PURGE are accepted from localhost only.
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Always allow localhost connections
http_access allow localhost

request_body_max_size 0 KB
reply_body_max_size 0 deny all
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow all

# Custom options
tcp_outgoing_address 192.168.0.1
auth_param ntlm keep_alive on

# http_access rules are evaluated top-down and the first match decides. The two
# allow rules below come before the proxy_auth rule, so requests they match are
# never asked to authenticate and carry no user name in access.log.
# These hosts do not have any restrictions
http_access allow unrestricted_hosts
# Always allow access to whitelist domains
# NOTE(review): this rule has no source ACL, so any client able to reach the
# listening port can use the whitelisted destinations - confirm that is meant.
http_access allow whitelist
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 45
# Basic is offered as a second scheme alongside NTLM. Basic carries the password
# base64-encoded, not encrypted, on every request to the plaintext http_port,
# so domain credentials are readable to anything on the path to the proxy.
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds
auth_param basic children 45
auth_param basic realm Please enter your credentials to access the proxy
# A validated Basic login is reused for 600 minutes without asking the helper
# again, so a password change or account disable in AD takes up to ten hours
# to be enforced at the proxy for such sessions.
auth_param basic credentialsttl 600 minutes
acl password proxy_auth REQUIRED
# Repeats the unrestricted_hosts rule above; it has no additional effect here.
http_access allow unrestricted_hosts
http_access allow password localnet
# Default block all to be sure
http_access deny all
Permissions on my winbindd_privileged directory:
drwxr-x---   2 root  proxy   512B Oct  2 10:00 winbindd_privileged
Error logs:
[2013/10/01 19:39:44,  0] utils/ntlm_auth.c:833(manage_squid_ntlmssp_request)
  NTLMSSP BH: NT_STATUS_ACCESS_DENIED
2013/10/01 19:39:44| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
  Login for user [SALE]\[wellington.gomes]@[TI-06] failed due to [Access denied]
2013/10/01 19:37:35| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
[2013/10/01 19:37:35,  0] utils/ntlm_auth.c:833(manage_squid_ntlmssp_request)
  NTLMSSP BH: NT_STATUS_ACCESS_DENIED
[2013/10/01 19:36:52, 10] utils/ntlm_auth.c:2190(manage_squid_request)
  NTLMSSP BH: NT_STATUS_ACCESS_DENIED
[2013/10/01 10:30:12,  3] utils/ntlm_auth.c:329(check_plaintext_auth)
  NT_STATUS_ACCESS_DENIED: Access denied (0xc0000022)



                                                                                
  