[Samba] Solaris 8 and winbindd/wbinfo

Apostolou, Nicholas [IT] Nicholas.Apostolou at citigroup.com
Tue Apr 8 01:09:03 GMT 2003


Hi Andrew,

Squid was compiled with the following, using the Samba source:

# ./configure  --prefix=/usr/local/squid --enable-async-io --enable-snmp
--with-aio --disable-wccp --disable-ident-lookups --enable-auth=ntlm,basic
--enable-basic-auth-helpers=winbind --enable-ntlm-auth-helpers=winbind
--with-samba-sources=/usr/local/src/samba-2.2.8
#

root# ./wbinfo -a nicka%password
plaintext password authentication succeeded
challenge/response password authentication succeeded


In squid I went back to using only basic auth and all works well.
	auth_param basic program /usr/local/squid/libexec/wb_auth
	auth_param basic children 20
	auth_param basic realm Squid proxy-caching web server
	auth_param basic credentialsttl 2 hours

When I add the ntlm auth program before the basic auth it fails.
	auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
	auth_param ntlm children 20
	auth_param ntlm max_challenge_reuses 10
	auth_param ntlm max_challenge_lifetime 2 minutes

Are you able to determine if it's a squid or samba problem? 
This is the debug output from squid when going to google.com. 

2003/04/08 10:45:18| aclMatchIp: '216.239.51.99' NOT found
2003/04/08 10:45:18| aclMatchAclList: returning 0
2003/04/08 10:45:18| aclCheck: checking 'http_access allow domainusers'
2003/04/08 10:45:18| aclMatchAclList: checking domainusers
2003/04/08 10:45:18| aclMatchAcl: checking 'acl domainusers proxy_auth
REQUIRED'
FATAL: Received Segment Violation...dying.
2003/04/08 10:45:18| storeDirWriteCleanLogs: Starting...
2003/04/08 10:45:18| WARNING: Closing open FD   50
2003/04/08 10:45:18|   Finished.  Wrote 344 entries.
2003/04/08 10:45:18|   Took 0.0 seconds (7810.2 entries/sec).
CPU Usage: 0.540 seconds = 0.200 user + 0.340 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 1
(wb_ntlmauth)[23406](wb_ntlm_auth.c:273): fgets() failed! dying..... errno=0
(Error 0)
(wb_auth)[23435](wb_basic_auth.c:110): fgets() failed! dying..... errno=0
(Error 0)
(wb_auth)[23437](wb_basic_auth.c:110): fgets() failed! dying..... errno=0
(Error 0)
(wb_auth)[23439](wb_basic_auth.c:110):
(wb_auth)[23436](wb_basic_auth.c:110): fgets() failed! dying..... errno=0
(Error 0)
(wb_auth)[23438](wb_basic_auth.c:110): fgets() failed! dying..... errno=0
(Error 0)
(wb_ntlmauth)[23412](wb_ntlm_auth.c:273): fgets() failed! dying..... errno=0
(Error 0)
(wb_ntlmauth)[23414](wb_ntlm_auth.c:273): fgets() failed! dying..... errno=0
(Error 0)
(wb_ntlmauth)[23416](wb_ntlm_auth.c:273): fgets() failed! dying..... errno=0
(Error 0)
(wb_ntlmauth)[23418](wb_ntlm_auth.c:273): fgets() failed! dying..... errno=0
(Error 0)
fgets() failed! dying..... errno=0 (Error 0)
(wb_ntlmauth)[23407](wb_ntlm_auth.c:273): fgets() failed! dying..... errno=0
(Error 0)
(wb_auth)[23440]((wb_ntlmauth)[23420](wb_ntlm_auth.c:273): fgets() failed!
dying..... errno=0 (Error 0)
(wb_ntlmauth)[23422](wb_ntlm_auth.c:273): fgets() failed! dying..... errno=0
(Error 0)
(wb_ntlmauth)[23424](wb_ntlm_auth.c:273): fgets() failed! dying..... errno=0
(Error 0)
2003/04/08 10:45:21| Starting Squid Cache version 2.5.STABLE2 for
sparc-sun-solaris2.8...
2003/04/08 10:45:21| Process ID 23464
2003/04/08 10:45:21| With 1024 file descriptors available
2003/04/08 10:45:21| Performing DNS Tests...
2003/04/08 10:45:21| Successful DNS name lookup tests...
2003/04/08 10:45:21| DNS Socket created at 0.0.0.0, port 34303, FD 4
2003/04/08 10:45:21| Adding nameserver 127.0.0.1 from /etc/resolv.conf
2003/04/08 10:45:21| Adding nameserver 169.191.96.12 from /etc/resolv.conf
2003/04/08 10:45:21| Adding nameserver 169.191.96.11 from /etc/resolv.conf
2003/04/08 10:45:21| Adding nameserver 169.191.102.28 from /etc/resolv.conf
2003/04/08 10:45:21| helperStatefulOpenServers: Starting 20 'wb_ntlmauth'
processes
(wb_ntlmauth)[23465](wb_ntlm_auth.c:355): target domain is AU
(wb_ntlmauth)[23466](wb_ntlm_auth.c:355): target domain is AU
(wb_ntlmauth)[23467](wb_ntlm_auth.c:355): target domain is AU
(wb_ntlmauth)[23468](wb_ntlm_auth.c:355): target domain is AU
(wb_ntlmauth)[23469](wb_ntlm_auth.c:355): target domain is AU
(wb_ntlmauth)[23470](wb_ntlm_auth.c:355): target domain is AU
(wb_ntlmauth)[23471](wb_ntlm_auth.c:355): target domain is AU
(wb_ntlmauth)[23473](wb_ntlm_auth.c:355): target domain is AU
(wb_ntlmauth)[23472](wb_ntlm_auth.c:355): target domain is AU
(wb_ntlmauth)[23474](wb_ntlm_auth.c:355): target domain is AU
(wb_ntlmauth)[23475](wb_ntlm_auth.c:355): target domain is AU
(wb_ntlmauth)[23476](wb_ntlm_auth.c:355): target domain is AU
(wb_ntlmauth)[23477](wb_ntlm_auth.c:355): target domain is AU
(wb_ntlmauth)[23479](wb_ntlm_auth.c:355): target domain is AU
(wb_ntlmauth)[23478](wb_ntlm_auth.c:355): target domain is AU
(wb_ntlmauth)[23480](wb_ntlm_auth.c:355): target domain is AU
(wb_ntlmauth)[23481](wb_ntlm_auth.c:355): target domain is AU
(wb_ntlmauth)[23482](wb_ntlm_auth.c:355): target domain is AU
2003/04/08 10:45:21| helperOpenServers: Starting 20 'wb_auth' processes
(wb_ntlmauth)[23484](wb_ntlm_auth.c:355): target domain is AU
(wb_ntlmauth)[23483](wb_ntlm_auth.c:355): target domain is AU
2003/04/08 10:45:22| Unlinkd pipe opened on FD 49
2003/04/08 10:45:22| Swap maxSize 102400 KB, estimated 7876 objects
2003/04/08 10:45:22| Target number of buckets: 393
2003/04/08 10:45:22| Using 8192 Store buckets
2003/04/08 10:45:22| Max Mem  size: 24576 KB
2003/04/08 10:45:22| Max Swap size: 102400 KB
2003/04/08 10:45:22| Store logging disabled
2003/04/08 10:45:22| Rebuilding storage in /var/cache (CLEAN)
2003/04/08 10:45:22| Using Least Load store dir selection
2003/04/08 10:45:22| Set Current Directory to /var/cache
2003/04/08 10:45:22| Loaded Icons.
2003/04/08 10:45:22| Accepting HTTP connections at 0.0.0.0, port 8080, FD
50.
2003/04/08 10:45:22| Accepting ICP messages at 0.0.0.0, port 3130, FD 51.
2003/04/08 10:45:22| Accepting SNMP messages on port 3401, FD 52.
2003/04/08 10:45:22| Configuring Parent 127.0.0.1/8085/0
2003/04/08 10:45:22| Ready to serve requests.
2003/04/08 10:45:22| Done reading /var/cache swaplog (344 entries)
2003/04/08 10:45:22| Finished rebuilding storage from disk.
2003/04/08 10:45:22|       344 Entries scanned
2003/04/08 10:45:22|         0 Invalid entries.
2003/04/08 10:45:22|         0 With invalid flags.
2003/04/08 10:45:22|       344 Objects loaded.
2003/04/08 10:45:22|         0 Objects expired.
2003/04/08 10:45:22|         0 Objects cancelled.
2003/04/08 10:45:22|         0 Duplicate URLs purged.
2003/04/08 10:45:22|         0 Swapfile clashes avoided.
2003/04/08 10:45:22|   Took 0.4 seconds ( 882.2 objects/sec).
2003/04/08 10:45:22| Beginning Validation Procedure
2003/04/08 10:45:22|   Completed Validation Procedure
2003/04/08 10:45:22|   Validated 344 Entries
2003/04/08 10:45:22|   store_swap_size = 2305k
2003/04/08 10:45:23| storeLateRelease: released 0 objects

Thanks
Nick

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Monday, April 07, 2003 9:12 PM
To: Apostolou, Nicholas [IT]
Cc: 'samba at lists.samba.org'
Subject: Re: [Samba] Solaris 8 and winbindd/wbinfo


On Mon, 2003-04-07 at 18:18, Apostolou, Nicholas [IT] wrote:
> Hi All,
> 
> I cannot get my Samba server 2.2.8 working with winbind correctly on
> Solaris 8.
> I intend to use this to transparently authenticate squid 2.5stable2.
> 
> I compiled samba using gcc 2.95.3. configure options were 
> 
> 	./configure  --with-winbind-auth-challenge --with-winbind --with-pam

What did you compile squid with?  Read the ./configure --help for squid,
it has an option (needed) that points squid at the samba source
directory.

> root# ./wbinfo -t
> Secret is good
> 
> root# ./wbinfo -u
> 0xc0000022

You don't have to use these options for squid authentication - In any
case they are being caused by 'restrict anonymous' set on the DC.  

You should test wbinfo -auser%pass, to see if the mechanism that squid
uses will work.

Then, get the squid 'basic' authentication helper, and manually
construct an authentication line.   See if that works.  If that works,
and the above works, then the 'ntlmssp' should work.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
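
Added example, not part of the original thread and not Squid or Samba code: a small triage of the cache.log excerpt above that records which ACL Squid was evaluating when it logged FATAL, and separates helper exits seen before the crash from those seen after it. A helper's "fgets() failed ... errno=0" is consistent with end-of-file on its stdin, so exits that only appear after the FATAL line point at the parent process going away rather than at the helper failing first. The sample lines are constructed from the excerpt (wrapped lines rejoined); the function and field names are hypothetical.

```python
import re

# Constructed sample: shaped like the cache.log excerpt in this thread,
# with the mail client's line wrapping undone.
SAMPLE = """\
2003/04/08 10:45:18| aclCheck: checking 'http_access allow domainusers'
2003/04/08 10:45:18| aclMatchAclList: checking domainusers
2003/04/08 10:45:18| aclMatchAcl: checking 'acl domainusers proxy_auth REQUIRED'
FATAL: Received Segment Violation...dying.
2003/04/08 10:45:18| storeDirWriteCleanLogs: Starting...
(wb_ntlmauth)[23406](wb_ntlm_auth.c:273): fgets() failed! dying..... errno=0 (Error 0)
(wb_auth)[23435](wb_basic_auth.c:110): fgets() failed! dying..... errno=0 (Error 0)
(wb_auth)[23437](wb_basic_auth.c:110): fgets() failed! dying..... errno=0 (Error 0)
2003/04/08 10:45:21| Starting Squid Cache version 2.5.STABLE2 for sparc-sun-solaris2.8...
"""

ACL_RE = re.compile(r"aclMatchAcl: checking '(acl .+)'")
# Helper exit with errno=0: fgets() returned NULL without an error being set.
HELPER_EOF_RE = re.compile(
    r"^\((\w+)\)\[(\d+)\]\([\w.]+:\d+\): fgets\(\) failed!.*errno=0\b")


def triage(log_text):
    """Summarise the first crash in a Squid cache.log excerpt."""
    last_acl, crash_acl, crashed = None, None, False
    exits_before, exits_after = {}, {}
    for line in log_text.splitlines():
        acl = ACL_RE.search(line)
        helper = HELPER_EOF_RE.match(line)
        if line.startswith("FATAL:") and not crashed:
            # Remember the ACL being matched when the first FATAL was logged.
            crashed, crash_acl = True, last_acl
        elif acl:
            last_acl = acl.group(1)
        elif helper:
            bucket = exits_after if crashed else exits_before
            bucket[helper.group(1)] = bucket.get(helper.group(1), 0) + 1
    return {
        "crashed": crashed,
        "acl_at_crash": crash_acl,
        "helper_exits_before_crash": exits_before,
        "helper_exits_after_crash": exits_after,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```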

