
tanveer 09-29-2008 04:00 AM

Prompts password for squid using NTLM
 
Hi all,

I have set up a squid server with NTLM and dansguardian 2.9.9.8 to track users via their AD username. I can now have the AD username in both the squid and DG access logs. But the problem is that sometimes, all of a sudden, it asks for the users' AD credentials. Upon giving them it works fine again, but cancelling gives the message below, which is logical:
Code:

ERROR
Cache Access Denied
--------------------------------------------------------------------------------
While trying to retrieve the URL http://cnn.com/index.htm

The following error was encountered

Cache Access Denied

Sorry, you are not currently allowed to request http://cnn.com/index.htm from this cache until you have authenticated yourself.

You need to use Netscape version 2.0 or greater, or Microsoft Internet Explorer 3.0, or an HTTP/1.1 compliant browser for this to work. Please contact the cache administrator if you have difficulties authenticating yourself or change your default password.

--------------------------------------------------------------------------------

Generated Mon, 29 Sep 2008 03:47:31 GMT by PROXY (squid/2.5.STABLE6)

Currently using IE7.

Below are the settings that I put in squid.conf for NTLM:

Code:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 hour
auth_param ntlm use_ntlm_negotiate on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
.....
.......
acl manager proto cache_object
acl authenticated_users proxy_auth REQUIRED
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8

...
.....
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost

##http_access deny !Safe_ports
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
#http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
http_access allow authenticated_users

Now when the login prompt comes it gives these messages in /var/log/squid/cache.log:
Code:

[2008/09/29 13:38:37, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
  Got user=[testuser] domain=[XYZ] workstation=[PC21] len1=24 len2=24
[2008/09/29 13:39:11, 3] utils/ntlm_auth.c:winbind_pw_check(427)
  Login for user [XYZ]\[testuser]@[PC21] failed due to [Reading winbind reply failed!]
2008/09/29 13:39:11| The request GET http://search.live.com/LS/GLinkPing.aspx?/_1_9SE/1?http://tech.groups.yahoo.com/group/dansguardian/messages/18643&&DI=6244&IG=f1b620695fed47daa019283cf6d85804&ID=SERP,78 is DENIED, because it matched 'authenticated_users'
[2008/09/29 13:39:12, 3] utils/ntlm_auth.c:winbind_pw_check(427)
  Login for user [XYZ]\[testuser]@[PC21] failed due to [Reading winbind reply failed!]

Any idea how to stop this password prompt?
Thanks in advance.

tanveer 10-28-2008 11:32 PM

Hi all,
Me again. After lots of searching I found that this problem is a very popular one, but no one gave a clear answer on resolving it. At least I didn't find any.
Now I am compiling samba and squid from source. And after compiling samba, it's not letting me start the winbind service.

Here are the compile options:

./configure --with-ads --with-winbind --with-winbind-auth-challenge --prefix=/usr/local/samba --with-lockdir=/var/cache/samba --with-piddir=/var/run --with-privatedir=/etc/samba --with-logfilebase=/var/log/samba --with-configdir=/etc/samba

After compiling I can start smbd and nmbd, but not winbindd.

In the log file it gives these messages:
Code:

[2008/10/29 10:32:01,  0] winbindd/winbindd.c:main(1127)
  winbindd version 3.2.4 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2008
[2008/10/29 10:32:01,  2] lib/tallocmsg.c:register_msg_pool_usage(106)
  Registered MSG_REQ_POOL_USAGE
[2008/10/29 10:32:01,  2] lib/dmallocmsg.c:register_dmalloc_msgs(77)
  Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED

yanqian 06-24-2013 12:34 AM

I have the same issue and didn't find a solution.

Red Hat Enterprise Linux AS release 4 (Nahant Update 8)
squid-2.5.STABLE14-4.el4
samba3-client-3.6.16-45.el4
samba3-winbind-3.6.16-45.el4

I installed samba from here: http://ftp.sernet.de/pub/samba/3.6/rhel/4/
I know RHEL4 is too old now; I am testing squid with a third-party web filter product, and that product supports old squid versions only.

I read this wiki page: http://wiki.squid-cache.org/ConfigEx...henticate/Ntlm
wbinfo worked as expected, and I could also test the helpers with this command:
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic

Everything seems to work well, but the client browser couldn't authenticate by NTLM; it works when we use basic only.

yanqian 06-24-2013 01:36 AM

I fixed my issue.

# chown root:squid /var/lib/samba/winbindd_privileged

The key point is that samba changed the path of the winbind pipe file.

The original path:
/var/cache/samba/winbindd_privileged

The new path:
/var/lib/samba/winbindd_privileged

I always checked the old path and only just noticed the new path; it took me several hours to diagnose this. Maybe I should enable some debug option of the winbind or samba package.

