Hello List,

my problem is to get users authenticated against an AD.

Versions:
    Samba-2.2.5
    squid-2.5.STABLE1

What I did:

configure samba:
    --with-fhs \
    --with-quotas \
    --with-msdfs \
    --with-smbmount \
    --with-pam \
    --with-acl-support \
    --with-pam_smbpass \
    --with-syslog \
    --with-utmp \
    --with-winbind-auth-challenge \
    --with-libsmbclient \
    --with-winbind-auth-challenge \
    --with-winbind

edit smb.conf (with winbind options)

joined domain

A wbinfo -t gives me:
    secret is good

A wbinfo --sequence gives me:
    "AD2000Domain" : DISCONNECTED ???
    "trustedNTDomain" : 166735

I can authenticate a USER to the Domains.

A wbinfo -u shows me only the trusted domain groups.

configure squid:
    --enable-poll \
    --enable-snmp \
    --enable-removal-policies="heap,lru" \
    --enable-storeio="aufs,coss,diskd,ufs" \
    --enable-delay-pools --enable-linux-netfilter \
    --with-pthreads \
    --enable-auth="ntlm,basic" \
    --enable-basic-auth-helpers="LDAP,NCSA,PAM,SMB,MSNT" \
    --enable-external-acl-helpers="winbind_group,wbinfo_group" \
    --enable-ntlm-auth-helpers="winbind" \
    --enable-basic-auth-helpers="winbind"

edit squid.conf with:
    auth_param ntlm program /usr/lib/squid/wb_ntlmauth
    auth_param ntlm children 5
    auth_param ntlm max_challenge_reuses 0
    auth_param ntlm max_challenge_lifetime 2 minutes
    auth_param basic program /usr/lib/squid/wb_auth
    auth_param basic children 5
    auth_param basic realm ChoicePoint Proxy server
    auth_param basic credentialsttl 2 hours
    external_acl_type NT_global_group %LOGIN /usr/lib/squid/wb_group
    acl ieuser external NT_global_group Datkom
    acl proxy_auth REQUIRED
    http_access allow ieuser

The squid debug gives me:

    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group user not authenticated (0)
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group user not authenticated (0)
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The request GET http://www.gendorf.hoechst.com/ is DENIED, because it matched 'ieuser'
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The request GET http://www.gendorf.hoechst.com/ is DENIED, because it matched 'ieuser'
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The reply for GET http://www.gendorf.hoechst.com/ is ALLOWED, because it matched 'ieuser'
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The reply for GET http://www.gendorf.hoechst.com/ is ALLOWED, because it matched 'ieuser'
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group user not authenticated (0)
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group user not authenticated (0)
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group user not authenticated (0)
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The request GET http://www.gendorf.hoechst.com/ is DENIED, because it matched 'ieuser'
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group user not authenticated (0)
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The request GET http://www.gendorf.hoechst.com/ is DENIED, because it matched 'ieuser'
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The reply for GET http://www.gendorf.hoechst.com/ is ALLOWED, because it matched 'ieuser'
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The reply for GET http://www.gendorf.hoechst.com/ is ALLOWED, because it matched 'ieuser'
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| clientReadRequest: FD 26: no data to process ((11) Resource temporarily unavailable)
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| clientReadRequest: FD 26: no data to process ((11) Resource temporarily unavailable)
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group user not authenticated (0)
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group user not authenticated (0)
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| authenticateAuthUserRequestSetIp: user 'campus\kaiserm' has been seen at a new IP address (212.68.118.1)
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| authenticateAuthUserRequestSetIp: user 'campus\kaiserm' has been seen at a new IP address (212.68.118.1)
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group("campus\\kaiserm Datkom") = lookup needed
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group("campus\\kaiserm Datkom") = lookup needed
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| externalAclLookup: lookup in 'NT_global_group' for 'campus\\kaiserm Datkom'
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| externalAclLookup: lookup in 'NT_global_group' for 'campus\\kaiserm Datkom'
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| external_acl_cache_add: Adding 'campus\\kaiserm Datkom' = -1
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| external_acl_cache_add: Adding 'campus\\kaiserm Datkom' = -1
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| externalAclHandleReply: reply="(null)"
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| externalAclHandleReply: reply="(null)"
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| external_acl_cache_add: Adding 'campus\\kaiserm Datkom' = 0
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| external_acl_cache_add: Adding 'campus\\kaiserm Datkom' = 0
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group = 0
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group = 0
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The request GET http://www.gendorf.hoechst.com/ is DENIED, because it matched 'ieuser'
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The request GET http://www.gendorf.hoechst.com/ is DENIED, because it matched 'ieuser'
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The reply for GET http://www.gendorf.hoechst.com/ is ALLOWED, because it matched 'ieuser'
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The reply for GET http://www.gendorf.hoechst.com/ is ALLOWED, because it matched 'ieuser'
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| WARNING: NT_global_group #1 (FD 17) exited
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| WARNING: NT_global_group #1 (FD 17) exited
    Feb 7 10:32:19 alkippe squid[1580]: WARNING: NT_global_group #1 (FD 17) exited
    Feb 7 10:32:19 alkippe squid[1580]: WARNING: NT_global_group #1 (FD 17) exited
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| clientReadRequest: FD 26: no data to process ((11) Resource temporarily unavailable)
    Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| clientReadRequest: FD 26: no data to process ((11) Resource temporarily unavailable)

Thank you for help

Kind regards,
Michael Kaiser
Business Unit IT-Services
Network Solutions
InfraServ Gendorf
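
Added example (not part of the original post, and not Squid or Samba code): a small Python triage script that condenses a debug trace in the format posted above into the events that matter for an external ACL decision: unauthenticated checks, empty helper replies, cached lookup results, denials per ACL, and helper exits. The function names and summary keys are illustrative assumptions; the sample lines are copied from the trace above.

```python
import re
from collections import Counter, defaultdict

# Sample lines copied from the debug output above (one of each kind).
SAMPLE = r"""Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| aclMatchExternal: NT_global_group user not authenticated (0)
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| externalAclHandleReply: reply="(null)"
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| external_acl_cache_add: Adding 'campus\\kaiserm Datkom' = 0
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| The request GET http://www.gendorf.hoechst.com/ is DENIED, because it matched 'ieuser'
Feb 7 10:32:19 alkippe 2003/02/07 10:32:19| WARNING: NT_global_group #1 (FD 17) exited
Feb 7 10:32:19 alkippe squid[1580]: WARNING: NT_global_group #1 (FD 17) exited
"""

# One pattern per event kind that appears in the trace.
PATTERNS = {
    "unauthenticated": re.compile(r"aclMatchExternal: (\S+) user not authenticated"),
    "reply": re.compile(r'externalAclHandleReply: reply="([^"]*)"'),
    "cached": re.compile(r"external_acl_cache_add: Adding '([^']+)' = (-?\d+)"),
    "verdict": re.compile(r"The request \S+ \S+ is (ALLOWED|DENIED), because it matched '([^']+)'"),
    "helper_exit": re.compile(r"WARNING: (\S+) #(\d+) \(FD \d+\) exited"),
}

def parse(text):
    """Yield (kind, groups) for every recognised debug line."""
    for line in text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                yield kind, m.groups()
                break

def summarize(text):
    """Condense a trace into counts and per-key results."""
    out = {"unauthenticated": 0, "null_replies": 0, "cache": defaultdict(list),
           "denied": Counter(), "helpers_exited": set()}
    for kind, g in parse(text):
        if kind == "unauthenticated":
            out["unauthenticated"] += 1
        elif kind == "reply" and g[0] == "(null)":
            out["null_replies"] += 1          # helper gave no answer
        elif kind == "cached":
            out["cache"][g[0]].append(int(g[1]))  # lookup key -> cached results
        elif kind == "verdict" and g[0] == "DENIED":
            out["denied"][g[1]] += 1          # ACL named in the denial
        elif kind == "helper_exit":
            out["helpers_exited"].add((g[0], int(g[1])))  # set: syslog repeats lines
    return out

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {dict(value) if isinstance(value, dict) else value}")
```
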