RE: [squid-users] Winbind authentication cannot work on squid
If you are using winbindd with NTLM it should not ask you for the password. Have you defined any ACL? If yes, what is it?

Regards,
Mohsin Khan
CCNA (Cisco Certified Network Associate 2.0)
http://www.aaghaz.net
Happy is the one who can smile
Re: [squid-users] Winbind authentication cannot work on squid
> Here is the log :
> [2004/06/22 13:00:01, 1] utils/ntlm_auth.c:manage_squid_request(1592) fgets() failed! dying. errno=0 (Success)
> [2004/06/22 13:00:01, 1] utils/ntlm_auth.c:manage_squid_request(1592) fgets() failed! dying. errno=0 (Success)
> [2004/06/22 13:00:01, 1] utils/ntlm_auth.c:manage_squid_request(1592) fgets() failed! dying. errno=0 (Success)
> [2004/06/22 13:00:01, 1] utils/ntlm_auth.c:manage_squid_request(1592) fgets() failed! dying. errno=0 (Success)
> [2004/06/22 13:00:02, 1] utils/ntlm_auth.c:manage_squid_request(1592) fgets() failed! dying. errno=0 (Success)
> 2004/06/22 13:00:06| Starting Squid Cache version 2.5.STABLE5 for i586-pc-linux-gnu...

Did you try to reconfigure or restart Squid? The above messages are the warning for that action.

Check this discussion here:
http://www.mail-archive.com/[EMAIL PROTECTED]/msg01950.html

Regards,
Muthukumar.
RE: [squid-users] Winbind authentication cannot work on squid
Hi Muthukumar,

Actually the message in the log is from after I restarted squid. When squid is running, and I got denied for ages ... I could not find additional messages regarding the failed authentication in cache.log.

Here are the details:

[2004/06/22 13:00:01, 1] utils/ntlm_auth.c:manage_squid_request(1592) fgets() failed! dying. errno=0 (Success)
[2004/06/22 13:00:01, 1] utils/ntlm_auth.c:manage_squid_request(1592) fgets() failed! dying. errno=0 (Success)
[2004/06/22 13:00:01, 1] utils/ntlm_auth.c:manage_squid_request(1592) fgets() failed! dying. errno=0 (Success)
[2004/06/22 13:00:01, 1] utils/ntlm_auth.c:manage_squid_request(1592) fgets() failed! dying. errno=0 (Success)
[2004/06/22 13:00:02, 1] utils/ntlm_auth.c:manage_squid_request(1592) fgets() failed! dying. errno=0 (Success)
2004/06/22 13:00:06| Starting Squid Cache version 2.5.STABLE5 for i586-pc-linux-gnu...
2004/06/22 13:00:06| Process ID 27290
2004/06/22 13:00:06| With 1024 file descriptors available
2004/06/22 13:00:06| Performing DNS Tests...
2004/06/22 13:00:06| Successful DNS name lookup tests...
2004/06/22 13:00:06| DNS Socket created at 0.0.0.0, port 4992, FD 4
2004/06/22 13:00:06| Adding nameserver 10.16.20.25 from squid.conf
2004/06/22 13:00:06| helperOpenServers: Starting 5 'ntlm_auth' processes
2004/06/22 13:00:06| Unlinkd pipe opened on FD 14
2004/06/22 13:00:06| Swap maxSize 6553600 KB, estimated 504123 objects
2004/06/22 13:00:06| Target number of buckets: 25206
2004/06/22 13:00:06| Using 32768 Store buckets
2004/06/22 13:00:06| Max Mem size: 8192 KB
2004/06/22 13:00:06| Max Swap size: 6553600 KB
2004/06/22 13:00:06| Rebuilding storage in /home/squid-cache (DIRTY)
2004/06/22 13:00:06| Using Least Load store dir selection
2004/06/22 13:00:06| chdir: /usr/local/squid-2.5.STABLE5//var/cache: (2) No such file or directory
2004/06/22 13:00:06| Current Directory is /usr/local/squid-2.5.STABLE5/var/logs
2004/06/22 13:00:06| Loaded Icons.
2004/06/22 13:00:08| Accepting HTTP connections at 0.0.0.0, port 3128, FD 16.
2004/06/22 13:00:08| Accepting ICP messages at 0.0.0.0, port 3130, FD 17.
2004/06/22 13:00:08| Accepting SNMP messages on port 3401, FD 18.
2004/06/22 13:00:08| WCCP Disabled.
2004/06/22 13:00:08| Ready to serve requests.
2004/06/22 13:00:08| Done reading /home/squid-cache swaplog (1 entries)
2004/06/22 13:00:08| Finished rebuilding storage from disk.
2004/06/22 13:00:08| 1 Entries scanned
2004/06/22 13:00:08| 0 Invalid entries.
2004/06/22 13:00:08| 0 With invalid flags.
2004/06/22 13:00:08| 1 Objects loaded.
2004/06/22 13:00:08| 0 Objects expired.
2004/06/22 13:00:08| 0 Objects cancelled.
2004/06/22 13:00:08| 0 Duplicate URLs purged.
2004/06/22 13:00:08| 0 Swapfile clashes avoided.
2004/06/22 13:00:08| Took 1.4 seconds ( 0.7 objects/sec).
2004/06/22 13:00:08| Beginning Validation Procedure
2004/06/22 13:00:08| Completed Validation Procedure
2004/06/22 13:00:08| Validated 1 Entries
2004/06/22 13:00:08| store_swap_size = 4k
2004/06/22 13:00:09| storeLateRelease: released 0 objects
2004/06/22 13:21:07| urlParse: Illegal character in hostname 'csd_str(ujung)'

Regards,
Herman
[squid-users] Winbind authentication cannot work on squid
Dear all,

My squid version is : squid-2.5.STABLE5
The winbind I am using is : samba-3.0.4

Basically I can already authenticate using Samba :

[EMAIL PROTECTED] logs]# /usr/local/samba/bin/wbinfo -t
checking the trust secret via RPC calls succeeded
[EMAIL PROTECTED] logs]# /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
mydomain+myuser mypassword
OK

Here is the configuration of my squid.conf :

auth_param basic program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl fool proxy_auth REQUIRED
acl all src 0/0
http_access allow fool
http_access deny all

When I browse using IE 6.0, I get the authentication window, I type MYDomain\myuser and the password, but I always get denied :

ERROR
Cache Access Denied
While trying to retrieve the URL: http://www.google.com/
The following error was encountered:
Cache Access Denied.
Sorry, you are not currently allowed to request: http://www.google.com/ from this cache until you have authenticated yourself.
You need to use Netscape version 2.0 or greater, or Microsoft Internet Explorer 3.0, or an HTTP/1.1 compliant browser for this to work. Please contact the cache administrator if you have difficulties authenticating yourself or change your default password.
Generated Tue, 22 Jun 2004 02:02:06 GMT by squid/2.5.STABLE5

In access.log :

1087869178.580502 10.32.4.45 TCP_DENIED/407 1714 GET http://www.google.com/ MyDomain\myuser NONE/- text/html
1087869182.556969 10.32.4.45 TCP_DENIED/407 1714 GET http://www.google.com/ MyDomain\myuser NONE/- text/html

Can anyone help me?

Thank you.

Regards,
Herman

-----Original Message-----
From: Adam Aube [mailto:[EMAIL PROTECTED]
Sent: 07 June 2004 1:48
To: [EMAIL PROTECTED]
Subject: [squid-users] Re: Winbind authentication

Herman (ISTD) wrote:

> I am using winbind authentication with squid. So far, winbind authentication to a single domain has no problem. But in our environment, the users using squid are distributed on two different domains, so I need winbind to be able to authenticate to two different domains. Has anyone ever tried this before? I would appreciate it very much if you can share your experiences with me.

If you can link Samba correctly to all the domains, then the Winbind helper will work fine. Since this is really a Samba issue, the best sources of help will be the Samba docs and the Samba list.

Adam
Re: [squid-users] Winbind authentication cannot work on squid
> You need to use Netscape version 2.0 or greater, or Microsoft Internet Explorer 3.0, or an HTTP/1.1 compliant browser for this to work. Please contact the cache administrator if you have difficulties authenticating yourself or change your default password.

You tried to check the authentication with the IE 6.0 browser. Did you check it with HTTP 1.1 enabled?

Check authentication with some more general links, because Google is not a cacheable one (cache control is private).

Your command line test is successful. Fine.

Are there any authentication-related messages in the cache.log entries?

Regards,
Muthukumar.
RE: [squid-users] Winbind authentication cannot work on squid
Hello,

Please check Squid's cache.log. It will give us an idea. Could you try to authenticate with another browser?

It should be a permission problem in the /var/cache/samba/winbind_privileged directory. If it's a permission problem in the winbind_privileged directory, you must apply the commands below:

chmod 750 /var/cache/samba/winbind_privileged
chgrp squid /var/cache/samba/winbind_privileged

There is good information at this address:
http://informatik.asn-graz.ac.at/modules.php?name=Newsfile=articlesid=2710

Tanzer GENC
RE: [squid-users] Winbind authentication cannot work on squid
Thank God ... at least I got some response today .. :)

Here is the log :

[2004/06/22 13:00:01, 1] utils/ntlm_auth.c:manage_squid_request(1592) fgets() failed! dying. errno=0 (Success)
[2004/06/22 13:00:01, 1] utils/ntlm_auth.c:manage_squid_request(1592) fgets() failed! dying. errno=0 (Success)
[2004/06/22 13:00:01, 1] utils/ntlm_auth.c:manage_squid_request(1592) fgets() failed! dying. errno=0 (Success)
[2004/06/22 13:00:01, 1] utils/ntlm_auth.c:manage_squid_request(1592) fgets() failed! dying. errno=0 (Success)
[2004/06/22 13:00:02, 1] utils/ntlm_auth.c:manage_squid_request(1592) fgets() failed! dying. errno=0 (Success)
2004/06/22 13:00:06| Starting Squid Cache version 2.5.STABLE5 for i586-pc-linux-gnu...
2004/06/22 13:00:06| Process ID 27290
2004/06/22 13:00:06| With 1024 file descriptors available
2004/06/22 13:00:06| Performing DNS Tests...
2004/06/22 13:00:06| Successful DNS name lookup tests...
2004/06/22 13:00:06| DNS Socket created at 0.0.0.0, port 4992, FD 4
2004/06/22 13:00:06| Adding nameserver 10.16.20.25 from squid.conf
2004/06/22 13:00:06| helperOpenServers: Starting 5 'ntlm_auth' processes
2004/06/22 13:00:06| Unlinkd pipe opened on FD 14
2004/06/22 13:00:06| Swap maxSize 6553600 KB, estimated 504123 objects
2004/06/22 13:00:06| Target number of buckets: 25206
2004/06/22 13:00:06| Using 32768 Store buckets
2004/06/22 13:00:06| Max Mem size: 8192 KB

Got any idea?

Thank you very much ...

Regards,
herman
[squid-users] Winbind authentication
Dear all,

I am using winbind authentication with squid. So far, winbind authentication to a single domain has no problem. But in our environment, the users using squid are distributed on two different domains, so I need winbind to be able to authenticate to two different domains.

Has anyone ever tried this before? I would appreciate it very much if you can share your experiences with me.

Thank you very much.

Regards,
herman
Re: [squid-users] Winbind authentication
Hello,

I have 3 domains, and the only way I found to solve this problem is to create a trust between one domain and the 2 other ones. Not an elegant solution, but I never figured out how to do it any other way.

I will face this problem again with win2003 and AD, so if you receive any suggestion on how to solve it, I will be grateful if you can share it with me.

Best regards,
Arno Streuli
RE: [squid-users] Winbind authentication
Hi,

The two domains are already trusted, but I am wondering how to query the users of both domains with winbind. For example, I usually use #wbinfo -u for querying users, but how do I do it for querying users in the two domains? Is there any modification needed in smb.conf?

Regards,
herman
RE: [squid-users] winbind authentication
I have seen this before and it seems to be a function of the application not knowing how to authenticate with the proxy. AIM and MSN use NSCA auth. I don't know a workaround for it.

-----Original Message-----
From: Dhaval Chokshi [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 11, 2003 12:50 AM
To: [EMAIL PROTECTED]
Subject: [squid-users] winbind authentication

I have configured the squid proxy server with the winbind option enabled. winbind runs properly with squid and I get all the results specified in the squid FAQ, like the pop-up window asking for a password from browsers and entries in access.log with the names of users.

But I cannot use any messenger services using that proxy server, even if the user is authorized to use it. He can even access any websites from the proxy but not the messenger services. I have changed the preference option in yahoo/hotmail messenger to the proxy address with port number. Then also, when I tried to connect to any messenger, I failed.

The access.log entry for a messenger request includes (I have shown only the related entries) :

timestamp ... TCP_DENIED .. -NONE-

One point I have noted:
- even though winbind is enabled and the user is an authorized Windows NT domain user, the username entry shows NONE instead of the username. I am sure this causes the request to be not satisfied.
- I am getting a valid username entry for all other webpage requests.

Please help me to enable messenger services with winbind enabled.

Thank you
Dhaval.
Re: [squid-users] winbind authentication
On Tuesday 11 March 2003 07.49, Dhaval Chokshi wrote:

> But I cannot use any messenger services using that proxy server, even if the user is authorized to use it. He can even access any websites from the proxy but not the messenger services. I have changed the preference option in yahoo/hotmail messenger to the proxy address with port number. Then also, when I tried to connect to any messenger, I failed.

Are you using Basic or NTLM authentication?

Try experimenting by configuring only ntlm, only basic, and both schemes. This should allow you to determine the authentication capabilities of the messenger clients.

Regards
Henrik
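
Added example, not part of the original posts: the two access.log symptoms reported in these threads (407 lines that carry MyDomain\myuser, and 407 lines whose user field is empty) can be told apart per client with a short awk pass. The sample log lines are constructed, the function names are hypothetical, and Squid's native access.log format is assumed.

```shell
#!/bin/sh
# Added example: classify Squid proxy-auth outcomes per client from access.log.
# Assumes Squid's native log format:
#   time elapsed client code/status bytes method URL user hierarchy type

# Constructed sample. The first line has time and elapsed fused into one
# column, as in the archived post; the parser locates fields relative to
# the code/status column, so both layouts are handled.
sample_log() {
cat <<'EOF'
1087869178.580502 10.32.4.45 TCP_DENIED/407 1714 GET http://www.google.com/ MyDomain\myuser NONE/- text/html
1087869182.556    969 10.32.4.45 TCP_DENIED/407 1714 GET http://www.google.com/ MyDomain\myuser NONE/- text/html
1087869190.101      3 10.32.4.46 TCP_DENIED/407 1702 CONNECT messenger.example.test:443 - NONE/- text/html
1087869191.322      2 10.32.4.46 TCP_DENIED/407 1702 CONNECT messenger.example.test:443 - NONE/- text/html
1087869200.010      4 10.32.4.47 TCP_DENIED/407 1714 GET http://www.example.test/ - NONE/- text/html
1087869200.950    210 10.32.4.47 TCP_MISS/200 5120 GET http://www.example.test/ MyDomain\otheruser DIRECT/192.0.2.10 text/html
EOF
}

# Reads access.log on stdin and prints one line per client:
#   <client> <verdict> challenges=N rejected=N ok=N
# Verdicts:
#   authenticated         at least one non-407 request carried a user name
#   credentials_rejected  407 lines carry a user name, nothing ever succeeded
#   no_credentials_sent   only 407 challenges, the user field stays "-"
classify_proxy_auth() {
  awk '
    {
      # Find the code/status column (e.g. TCP_DENIED/407).
      s = 0
      for (i = 2; i <= NF; i++)
        if ($i ~ /^[A-Z_]+\/[0-9]+$/) { s = i; break }
      if (s == 0 || s + 4 > NF) next        # not a parsable log line
      client = $(s - 1); user = $(s + 4)
      split($s, st, "/")
      seen[client] = 1
      if (st[2] == "407" && user == "-") challenged[client]++
      else if (st[2] == "407") rejected[client]++
      else if (user != "-") ok[client]++
    }
    END {
      for (c in seen) {
        if (ok[c] > 0) v = "authenticated"
        else if (rejected[c] > 0) v = "credentials_rejected"
        else if (challenged[c] > 0) v = "no_credentials_sent"
        else continue
        printf "%s %s challenges=%d rejected=%d ok=%d\n", c, v, challenged[c], rejected[c], ok[c]
      }
    }
  ' | sort
}

# Verdict for a single client address (log on stdin, address as $1).
verdict_for() {
  classify_proxy_auth | awk -v ip="$1" '$1 == ip { print $2 }'
}

sample_log | classify_proxy_auth
```

Against a live proxy, feed the real file with `classify_proxy_auth < access.log`. A `credentials_rejected` client points at the helper side of Squid, while `no_credentials_sent` points at a client that never answers the challenge, which is what the Basic-only and NTLM-only experiment suggested above is meant to expose.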