LinuxQuestions.org
Old 09-29-2008, 04:00 AM   #1
tanveer
Member
 
Registered: Feb 2004
Location: e@rth
Distribution: RHEL-3/4/5,Gloria,opensolaris
Posts: 489

Rep: Reputation: 37
Prompts password for squid using NTLM


Hi all,

I have set up a squid server with NTLM and dansguardian 2.9.9.8 to track users via their AD username. I now have the AD username in both the squid and DG access logs. But the problem is that sometimes, all of a sudden, it asks for the user's AD credentials. After entering them it works fine again, but if cancelled it gives the message below, which is logical:
PHP Code:
ERROR
Cache Access Denied
--------------------------------------------------------------------------------
While trying to retrieve the URL http://cnn.com/index.htm

The following error was encountered

Cache Access Denied

Sorry, you are not currently allowed to request http://cnn.com/index.htm from this cache until you have authenticated yourself.

You need to use Netscape version 2.0 or greater, or Microsoft Internet Explorer 3.0, or an HTTP/1.1 compliant browser for this to work. Please contact the cache administrator if you have difficulties authenticating yourself or change your default password

--------------------------------------------------------------------------------

Generated Mon, 29 Sep 2008 03:47:31 GMT by PROXY (squid/2.5.STABLE6)

Currently using IE7.

Below are the settings that I made in squid.conf for NTLM:

PHP Code:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 hour
auth_param ntlm use_ntlm_negotiate on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
.....
.......
acl manager proto cache_object
acl authenticated_users proxy_auth REQUIRED
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8

...
.....
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost

##http_access deny !Safe_ports
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
#http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
http_access allow authenticated_users 
Now when the login prompt comes up, it gives these messages in /var/log/squid/cache.log:
PHP Code:
[2008/09/29 13:38:37, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
  Got user=[testuser] domain=[XYZ] workstation=[PC21] len1=24 len2=24
[2008/09/29 13:39:11, 3] utils/ntlm_auth.c:winbind_pw_check(427)
  Login for user [XYZ][testuser]@[PC21] failed due to [Reading winbind reply failed!]
2008/09/29 13:39:11| The request GET http://search.live.com/LS/GLinkPing.aspx?/_1_9SE/1?http://tech.groups.yahoo.com/group/dansguardian/messages/18643&&DI=6244&IG=f1b620695fed47daa019283cf6d85804&ID=SERP,78 is DENIED, because it matched 'authenticated_users'
[2008/09/29 13:39:12, 3] utils/ntlm_auth.c:winbind_pw_check(427)
  Login for user [XYZ][testuser]@[PC21] failed due to [Reading winbind reply failed!]
Any idea how to stop this password prompt?
Thanks in advance.
 
Old 10-28-2008, 11:32 PM   #2
tanveer
Member
 
Registered: Feb 2004
Location: e@rth
Distribution: RHEL-3/4/5,Gloria,opensolaris
Posts: 489

Original Poster
Rep: Reputation: 37
Hi all,
Me again. After lots of searching I found that this problem is a very popular one, but no one gave a clear answer for resolving it. At least I didn't find any.
Now I am compiling samba and squid from source. And after compiling samba it's not letting me start the winbind service.

Here is the compile options:

./configure --with-ads --with-winbind --with-winbind-auth-challenge --prefix=/usr/local/samba --with-lockdir=/var/cache/samba --with-piddir=/var/run --with-privatedir=/etc/samba --with-logfilebase=/var/log/samba --with-coonfigdir=/etc/samba

After compiling I can start smbd and nmbd but not winbindd.

In the log file it gives these messages:
PHP Code:
[2008/10/29 10:32:01,  0] winbindd/winbindd.c:main(1127)
  winbindd version 3.2.4 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2008
[2008/10/29 10:32:01,  2] lib/tallocmsg.c:register_msg_pool_usage(106)
  Registered MSG_REQ_POOL_USAGE
[2008/10/29 10:32:01,  2] lib/dmallocmsg.c:register_dmalloc_msgs(77)
  Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
 
Old 06-24-2013, 12:34 AM   #3
yanqian
LQ Newbie
 
Registered: Oct 2011
Location: Shanghai
Posts: 4

Rep: Reputation: Disabled
I have the same issue and didn't find a solution.

Red Hat Enterprise Linux AS release 4 (Nahant Update 8)
squid-2.5.STABLE14-4.el4
samba3-client-3.6.16-45.el4
samba3-winbind-3.6.16-45.el4

I installed samba from here: http://ftp.sernet.de/pub/samba/3.6/rhel/4/
I know RHEL4 is too old now; I am testing squid with a third-party web filter product, and that product supports old squid versions only.

I read this wiki page http://wiki.squid-cache.org/ConfigEx...henticate/Ntlm
wbinfo worked as expected, and I could also test the helpers with this command:
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic

Everything seems to work well, but the client browser couldn't authenticate by NTLM; it works when we use basic only.
 
Old 06-24-2013, 01:36 AM   #4
yanqian
LQ Newbie
 
Registered: Oct 2011
Location: Shanghai
Posts: 4

Rep: Reputation: Disabled
I fixed my issue.

# chown root:squid /var/lib/samba/winbindd_privileged

The key point is that samba changed the path of the winbind pipe file.

The original path:
/var/cache/samba/winbindd_privileged

new path:
/var/lib/samba/winbindd_privileged

I always checked the old path and only just noticed the new path; it took me several hours to diagnose this. Maybe I should enable some debug option of the winbind or samba package.
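
A check for the fix described in post #4, as an added example that is not part of any poster's message: it reports which of the two winbindd_privileged directories named in the thread exist and whether the proxy's group can reach each one. The function names are hypothetical, and GNU stat, the group name passed on the command line (squid in the thread's chown), and the mode policy (group r-x, nothing for other) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the group Squid's
# ntlm_auth helper runs under can reach winbindd's privileged pipe directory.
# Assumes GNU stat; the group name and the mode policy are assumptions.

# The two locations named in the thread: old path first, then the new one.
CANDIDATES="/var/cache/samba/winbindd_privileged /var/lib/samba/winbindd_privileged"

# Print each candidate that exists. Two lines of output mean a stale
# directory is still around and may be the one that was fixed by mistake.
find_priv_dirs() {
    for d in "$@"; do
        [ -d "$d" ] && printf '%s\n' "$d"
    done
    return 0
}

# check_priv_dir DIR GROUP -> 0 if DIR is group-owned by GROUP, the group
# has r-x, and "other" has no access; 1 on a mismatch; 2 if DIR is missing.
check_priv_dir() {
    dir=$1
    want=$2
    [ -d "$dir" ] || { echo "missing: $dir"; return 2; }
    set -- $(stat -c '%G %a' "$dir")        # group name, octal mode
    have=$1
    mode=$2
    rest=${mode%?}
    other=${mode#"$rest"}                   # last octal digit
    grp=${rest#"${rest%?}"}                 # second-to-last octal digit
    [ "$have" = "$want" ] || { echo "$dir: group is $have, want $want"; return 1; }
    case $grp in 5|7) ;; *) echo "$dir: group lacks r-x (mode $mode)"; return 1 ;; esac
    [ "$other" = 0 ] || { echo "$dir: open to other (mode $mode)"; return 1; }
    echo "ok: $dir ($have, $mode)"
}

# Run against the real paths when a group is given: sh check.sh squid
if [ -n "${1:-}" ]; then
    for d in $(find_priv_dirs $CANDIDATES); do
        check_priv_dir "$d" "$1" || true
    done
fi
```

If both directories are listed, compare them against the lock directory of the winbindd build that is actually running before changing ownership on either.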
 
  

