winbind + samba 3 + squid + krb

Tiago Filipe Dias tdias at trusted.pt
Fri May 21 17:34:54 GMT 2004


Hi,

A few posts ago it was recommended to me that I use ntlm_auth from Samba to perform
Squid authentication.

My scenario is:

Active Directory (192.168.1.1)
Domain AGCUNHAFERREIRA.PT

Samba + Squid (192.168.1.253)
Samba Version 3.0.4
squid-2.5.STABLE1

Compiled samba with:
./configure --prefix=/usr/local/samba --sysconfdir=/etc/samba
--with-privatedir=/etc/samba/private --with-lockdir=/var/lock
--with-piddir=/var/run --with-configdir=/etc/samba --with-automount
--with-smbmount --with-quotas --with-winbind --with-winbind-auth-challenge
make && make install

squid with:
./configure --prefix=/usr/local/squid --sysconfdir=/etc/squid
--enable-delay-pools --enable-snmp --enable-htcp --enable-linux-netfilter
--enable-auth=ntlm,basic --enable-external-acl-helpers=wbinfo_group
--with-samba-sources=/opt/samba-3.0.4
make && make install

My krb5.conf:
[libdefaults]
    default_realm = MINE

[realms]
    MINE = {
    kdc = adirectory
    }

[logging]
    kdc = SYSLOG:INFO

My smb.conf:
[global]
password server = *
wins server = 192.168.1.1
security = domain
encrypt passwords = Yes
workgroup = AGCUNHAFERREIRA.PT
# *********** winbindd **********
# note: smb.conf(5) treats a line ending in \ as continued on the next line
winbind separator = \
template homedir = /home/%D/%U
template shell = /bin/bash
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes

My squid.conf:
http_port 3128
hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_dir ufs /var/squid/cache 2000 32 512

auth_param ntlm program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 20 minutes

auth_param basic program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320

acl AuthorizedUsers proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0

http_access allow AuthorizedUsers
http_access deny all

http_reply_access allow all

icp_access allow all

visible_hostname AGSRVPRX

httpd_accel_port 80

httpd_accel_with_proxy off

forwarded_for on

coredump_dir /var/squid/cache

Starting winbind:
[root@AGSVRPRX var]# winbindd

winbind logfile:
[2004/05/21 17:31:10, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain AGCUNHAFERREIRA.PT  S-0-0
[2004/05/21 17:31:15, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain BUILTIN  S-1-5-32
[2004/05/21 17:31:15, 1] nsswitch/winbindd_util.c:add_trusted_domain(180)
  Added domain AGSVRPRX  S-1-5-21-1093221954-1622196935-2972056621
[2004/05/21 17:31:15, 0] lib/util_sock.c:create_pipe_sock(1034)
  invalid permissions on socket directory /tmp/.winbindd
open_winbind_socket: Success

[root@AGSVRPRX var]# ls -la /tmp/ | grep win
drwxrwxrwx    2 root     root         4096 May 13 22:59 .winbindd
[root@AGSVRPRX var]#

Trying to join domain:
net join ads -W AGCUNHAFERREIRA.PT -U Administrador

Error Output:
  kerberos_kinit_password Administrador@AGCUNHAFERREIRA.PT failed: Cannot find KDC for requested realm
Joined domain AGCUNHAFERREIRA.

[root@AGSVRPRX var]# wbinfo -u
Error looking up domain users
[root@AGSVRPRX var]#

Thanks for your help.


 --
 ______________________________________________________________________
Tiago Filipe Dias - Network & Security Consultant Trusted Systems 
Phone: +351.21.7994200                  Praça de Alvalade, 4 
Fax  : +351.21.7994242                  1700-036 Lisboa - Portugal
Email: tiago.dias at trusted.pt            http://www.trusted.pt
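The log in the post above reports two separate failures: kinit could not find a KDC for the realm, and winbindd refused the permissions on /tmp/.winbindd. The shell script below is an added example written for this edit, not code from the post or from Samba, that checks both offline. It assumes what Samba 3.0.x's create_pipe_sock() in lib/util_sock.c enforces (the socket directory must be owned by the uid winbindd runs as and have mode exactly 0755, so the world-writable directory in the ls output is rejected), that `net ads join` takes its realm from `realm =` in smb.conf and that kinit must be able to resolve that realm to a KDC through krb5.conf or DNS SRV records. The "fixed" configuration values (realm AGCUNHAFERREIRA.PT, KDC at 192.168.1.1, NetBIOS workgroup AGCUNHAFERREIRA) are assumptions derived from the addresses in the post, not something the thread confirms, and the sample config files are constructed inline.

```shell
#!/bin/sh
# Added example for this edit, not code from the post or from Samba.
# Offline checks for the two failures in the log above:
#  1. Samba 3.0.x winbindd (lib/util_sock.c:create_pipe_sock) creates its
#     socket directory with mode 0755 and rejects an existing one that is
#     not owned by the uid it runs as or whose mode is not exactly 0755.
#  2. `net ads join` reads the realm from `realm =` in smb.conf; kinit must
#     be able to find a KDC for that realm via krb5.conf or DNS SRV records.

# Return 0 when DIR is a directory owned by OWNER (default root) with
# mode exactly 0755, else 1. `-prune` keeps find on DIR itself.
check_winbindd_socket_dir() {
    dir=$1
    owner=${2:-root}
    [ -d "$dir" ] || return 1
    find "$dir" -prune -type d -perm 755 -user "$owner" 2>/dev/null | grep -q .
}

# Print default_realm from the [libdefaults] section of a krb5.conf.
krb5_default_realm() {
    awk -F= '
        /^[ \t]*\[/ { section = $0 }
        section ~ /\[libdefaults\]/ && $1 ~ /^[ \t]*default_realm[ \t]*$/ {
            gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit
        }' "$1"
}

# Print the `realm =` value from the [global] section of an smb.conf
# (prints nothing when the parameter is absent, as in the post).
smb_realm() {
    awk -F= '
        /^[ \t]*\[/ { section = $0 }
        section ~ /\[global\]/ && $1 ~ /^[ \t]*realm[ \t]*$/ {
            gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit
        }' "$1"
}

# Return 0 when smb.conf names a realm and krb5.conf's default_realm
# is the same string.
realm_consistent() {
    k=$(krb5_default_realm "$1")
    s=$(smb_realm "$2")
    [ -n "$s" ] && [ "$k" = "$s" ]
}

# Constructed sample input: the post's krb5.conf/smb.conf pair (.orig) and
# an assumed corrected pair (.fixed). The corrected realm, the KDC at the
# DC address from the post, and the NetBIOS workgroup are assumptions.
write_samples() {
    cat > "$1/krb5.conf.orig" <<'EOF'
[libdefaults]
    default_realm = MINE

[realms]
    MINE = {
    kdc = adirectory
    }
EOF
    cat > "$1/smb.conf.orig" <<'EOF'
[global]
security = domain
encrypt passwords = Yes
workgroup = AGCUNHAFERREIRA.PT
EOF
    cat > "$1/krb5.conf.fixed" <<'EOF'
[libdefaults]
    default_realm = AGCUNHAFERREIRA.PT
    dns_lookup_kdc = true

[realms]
    AGCUNHAFERREIRA.PT = {
        kdc = 192.168.1.1
    }
EOF
    cat > "$1/smb.conf.fixed" <<'EOF'
[global]
security = ads
realm = AGCUNHAFERREIRA.PT
workgroup = AGCUNHAFERREIRA
encrypt passwords = Yes
EOF
}

# Stand-alone run: report the realm check for both sample pairs and the
# permission check on the live /tmp/.winbindd (the path from the log).
tmp=$(mktemp -d)
write_samples "$tmp"
for v in orig fixed; do
    if realm_consistent "$tmp/krb5.conf.$v" "$tmp/smb.conf.$v"; then
        echo "$v: realm consistent"
    else
        echo "$v: krb5.conf default_realm='$(krb5_default_realm "$tmp/krb5.conf.$v")' smb.conf realm='$(smb_realm "$tmp/smb.conf.$v")'"
    fi
done
if check_winbindd_socket_dir /tmp/.winbindd; then
    echo "/tmp/.winbindd: ok"
else
    echo "/tmp/.winbindd: missing, not root-owned, or mode != 0755 (chmod 755 /tmp/.winbindd)"
fi
rm -rf "$tmp"
```

Against the configuration in the post, the realm check reports default_realm MINE against an empty smb.conf realm, and the directory check fails on the drwxrwxrwx /tmp/.winbindd shown in the ls output; both functions return 0 once the sample "fixed" pair is used and the directory is chmod 755.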


