Authenticating Server: 2003 with Active Directory Enabled Squid Server: FreeBSD 5.1 Samba: 3.0.7,1 Other package info in package list at bottom.
The DNS server is on the 2003 Server with the proper kerberos and ldap entries in the DNS server. (Passes Active Directory DNS utility tests) Responses are sent in LM, NTLM, &NTLM2 when negotiated. Signing requirements are not configured. (Choices: Enable, or not configured). Have read, and followed to best of my ability the squid FAQ and winbind/nmb/samba man pages. Things that work: All of the command line based tests work, as you will see when you look below. But when I try to authenticate with a browser I get denied, and the following info in cache.log and log.winbindd. If I modify the permissions on /var/db/samba/winbindd_privileged, that breaks the wbinfo tests saying that the permissions on that file are incorrect. Note: when I went to build samba --with-ads on freebsd it complaind about KRB5 and asked for HEIMDAL instead...so I am actually using HEIMDAL not KRB5, as Samba refused to compile with KRB5 but compiled fine with HEIMDAL. Squid works great unauthenticated, but fails all auth tests when using an actual browser. The squid-helper passes basic auth tests from the command line, but when using a browser such as netscape which should use BASIC auth mode, it denies with the same messages in the logs as IE failing on challenge/response. -------------tail of access.log------------------- 1096907971.215 4 192.168.1.110 TCP_DENIED/407 3715 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html 1096908014.779 3 192.168.1.110 TCP_DENIED/407 3674 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html 1096908014.840 11 192.168.1.110 TCP_DENIED/407 3701 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html 1096908014.848 7 192.168.1.110 TCP_DENIED/407 3674 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html 1096908017.003 7 192.168.1.110 TCP_DENIED/407 3701 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html 1096908017.010 6 192.168.1.110 TCP_DENIED/407 3674 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html 1096908017.487 6 192.168.1.110 TCP_DENIED/407 3701 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html 1096908017.493 6 192.168.1.110 TCP_DENIED/407 3674 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html 1096908018.007 6 192.168.1.110 TCP_DENIED/407 3701 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html 1096908018.013 6 192.168.1.110 TCP_DENIED/407 3674 GET http://www.microsoft.com/isapi/redir.dll? - NONE/- text/html ---------------------------------------------------------------------------- --------------------------- ------------------tail of cache.log ---------------- [2004/10/04 11:40:17, 0] utils/ntlm_auth.c:winbind_pw_check(439) Login for user [EMAIL PROTECTED] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/db/samba/winbindd_privileged are set correctly.] [2004/10/04 11:40:17, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(612) NTLMSSP BH: NT_STATUS_ACCESS_DENIED 2004/10/04 11:40:17| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED' [2004/10/04 11:40:18, 0] utils/ntlm_auth.c:winbind_pw_check(439) Login for user [EMAIL PROTECTED] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/db/samba/winbindd_privileged are set correctly.] [2004/10/04 11:40:18, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(612) NTLMSSP BH: NT_STATUS_ACCESS_DENIED 2004/10/04 11:40:18| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED' ---------------------------------------------------------------------------- ---- -----------------tail of log.winbindd---------------------------------- [2004/10/04 11:42:00, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759) Kinit failed: Unknown error -1765328228 [2004/10/04 11:42:00, 0] libsmb/cliconnect.c:cli_session_setup_spnego(759) Kinit failed: Unknown error -1765328228 [2004/10/04 11:43:01, 1] libsmb/clikrb5.c:ads_krb5_mk_req(313) krb5_cc_get_principal failed (No such file or directory) [2004/10/04 11:43:01, 0] libads/kerberos.c:ads_kinit_password(136) kerberos_kinit_password host/HOST@ failed: Unknown error -1765328228 [2004/10/04 11:43:01, 1] nsswitch/winbindd_ads.c:ads_cached_connection(81) ads_connect for domain DOMAIN failed: Unknown error -1765328228 --------------------------------------------------------------------- ------------- wbinfo -a -------------------------------- host:~ # wbinfo -a gooduser%goodpass plaintext password authentication succeeded challenge/response password authentication succeeded ------------------------------------------------------------------------- --------------wbinfo -t------------------------ host:~ # wbinfo -t checking the trust secret via RPC calls succeeded ------------------------------------------------ ---------------ntlm_auth---------------------- filtercube:~ / # /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic gooduser goodpass OK domain\gooduser goodpass OK ----------------------------------------------------- ---------------krb5.conf------------------------ [libdefaults] ticket_lifetime = 24000 default_realm = DOMAIN dns_lookup_realm = yes dns_lookup_kdc = yes [realms] DOMAIN = { kdc = DOMAIN.com } -------------------------------------------------------- ---------------------nsswitch.conf-------------- passwd: files winbind group: files winbind hosts: dns winbind -------------------------------------------------------- -----------------pam conf ---------------------- Not Sure which files needed to modify for ntlm_auth to work. Have tried passwd and login by adding lines listed in squid FAQ. I am using a newer version of pam that uses /etc/pam.d/service for authentication directions. Do I need to create a new auth file called ntlm_auth? -------------------------------------------------------- ---------------smb.conf:----------------------- #Global Settings [global] workgroup = DOMAIN server string = Filtering Server log file = /var/log/log.%m max log size = 50 security = ads password server = * encrypt passwords = yes socket options = TCP_NODELAY dns proxy = no winbind uid = 10000-20000 winbind gid = 10000-20000 winbind use default domain = yes winbind enum users = yes winbind enum groups = yes winbind separator = \\ realm = DOMAIN.com winbind use default domain = yes --------------------------------------------------------------- Package List: apache+mod_ssl-1.3.28+2.8.15_1 The Apache 1.3 webserver with SSL/TLS functional bash-2.05b.007 The GNU Bourne Again Shell bind9-9.2.2 Completely new version of the BIND DNS server bison-1.75_1 A parser generator from FSF, (mostly) compatible with Yacc bsdftpd-ssl-0.6.3 FTP server with TLS/SSL support curl-7.10.7 Non-interactive tool to get files from FTP, GOPHER, HTTP(S) cvsup-16.1h General network file distribution system optimized for CVS cvsup-without-gui-16.1h General network file distribution system optimized for db-2.7.7_1 The Berkeley DB package, revision 2 db3-3.3.11,1 The Berkeley DB package, revision 3 db4-4.0.14_1,1 The Berkeley DB package, revision 4 db41-4.1.25_1 The Berkeley DB package, revision 4.1 db42-4.2.52_3 The Berkeley DB package, revision 4.2 expat-1.95.6_1 XML 1.0 parser written in C ezm3-1.1 Easier, more portable Modula-3 distribution for building CV gd-2.0.15_1,1 A graphics library for fast creation of images gdbm-1.8.3 The GNU database manager gettext-0.12.1 GNU gettext package glib-1.2.10_9 Some useful routines of C programming (previous stable vers gmake-3.80_1 GNU version of 'make' utility heimdal-0.6.1 A re-implementation of Kerberos V help2man-1.33.1 Automatically generating simple manual pages from program o imake-4.3.0 Imake and other utilities from XFree86 libiconv-1.8_2 A character set conversion library libltdl-1.5 System independent dlopen wrapper linux_base-7.1_4 The base set of packages needed in Linux mode nspr-4.4.1_1 A platform-neutral API for system level and libc like funct nss-3.9.2 Libraries to support development of security-enabled applic openldap-client-2.2.15 Open source LDAP client implementation openldap-server-2.2.15 Open source LDAP server implementation openssh-3.6.1_5 OpenBSD's secure shell client and server (remote login prog openssl-0.9.7d_1 SSL and crypto library pf_freebsd-2.03 OpenBSD pf as a kldmodule samba-3.0.7,1 A free SMB and CIFS client and server for UNIX squid-2.5.6_10 The successful WWW proxy cache and accelerator squidGuard-1.2.0_1 A fast redirector for squid sudo-1.6.7.4 Allow others to run commands as root ---------------------------------------------------------------------------- --------------------- Michael Wray S4F Technologies, Inc. 2448 S. 81st St. Tulsa, OK 74137 http://www.s4f.com mailto:[EMAIL PROTECTED] -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
