[Samba] Problem with NTLM authentication in Squid

Silvio Aparecido silvio.aparecido at bluepex.com
Fri Oct 4 05:26:00 MDT 2013


Hi

I'm having a problem after joining the domain with Samba: a few minutes
later, Squid stops authenticating users through single sign-on and the
browser keeps prompting for credentials without end.

Below are my settings and the error logs.

smb.conf:

[global]
# Samba [global] section for an AD-joined proxy host. Squid's ntlm_auth
# helpers (see squid.conf) rely on the winbindd configured here for
# NTLM and plaintext credential checks.
workgroup = SALE
netbios name = utmadm
server string = PROXY SERVER
load printers = no
log file = /var/log/samba34/log.%m
pid directory = /var/run/samba34
max log size = 500
# Kerberos realm names are upper-case by convention; krb5.conf uses
# SALE.BR. Whether Samba upper-cases this internally depends on the code
# path, so set it as SALE.BR here to match.
realm = sale.br
security = ads
# The smb.conf manual advises leaving "auth methods" at its default;
# with security = ads authentication already goes through winbind.
auth methods = winbind
winbind separator = |
encrypt passwords = yes
# Winbind caches lookups for 300 s. The "works for a few minutes, then
# every request fails" symptom coincides with this horizon, so check
# whether winbindd can still reach the DC when the cache expires
# (run `wbinfo -t` and `wbinfo -a SALE|user%pass` at that moment).
winbind cache time = 300
# Enumerating every domain user/group is expensive on large domains and
# is not needed for ntlm_auth; consider "no" for both.
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
# Legacy idmap syntax (newer releases use "idmap config * : range");
# acceptable as long as this Samba build still honours it.
idmap uid = 10000-50000
idmap gid = 10000-50000
local master = no
os level = 233
domain master = no
preferred master = no
domain logons = no
# The WINS server is on 192.168.8.0/24 while this host binds 192.168.0.1
# (http_port in squid.conf); make sure the DC is reachable from here by
# both name and address.
wins server = 192.168.8.202
dns proxy = no
# LDAP traffic to the DC is not wrapped in TLS. With security = ads the
# bind is GSSAPI, but whether the payload is signed/sealed depends on
# "client ldap sasl wrapping", which is not set here -- confirm what
# this release defaults to before relying on it.
ldap ssl = no
# Disabling SPNEGO removes Kerberos negotiation from Samba's own SMB
# sessions to the DC and forces plain NTLM. That is a downgrade and is
# unusual with security = ads; remove this line unless a specific DC
# requires it.
client use spnego = no
server signing = auto
client signing = auto
# Debug level 10 for auth/winbind is extremely verbose and can write
# authentication material (challenge/response data) into
# /var/log/samba34. Keep it only while troubleshooting, then return to a
# low level and restrict read access to the log directory.
log level = 3 auth:10 winbind:10

krb5.conf:

[libdefaults]
default_realm = SALE.BR
# Maximum tolerated clock difference (seconds) between this host and the
# KDC; keep the proxy NTP-synced to the domain controllers.
clockskew = 300
[realms]
SALE.BR = {
# NOTE(review): 192.168.0.1 is the address Squid binds to and sends from
# (http_port / tcp_outgoing_address in squid.conf), i.e. a local address
# of this proxy host, while the WINS server in smb.conf is 192.168.8.202.
# Unless a DC really answers on 192.168.0.1, no Kerberos ticket can be
# obtained and everything falls back to NTLM through winbind -- verify
# with `kinit user@SALE.BR`.
         kdc = 192.168.0.1
# "domain.local" looks like a template leftover: the realm is SALE.BR
# and no mapping exists for hosts under sale.br. Confirm the AD DNS
# domain name and make this and [domain_realm] agree with it.
         default_domain = domain.local
         admin_server = 192.168.0.1
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON

[domain_realm]
# Only the template domain is mapped; hosts under .sale.br are not mapped
# to SALE.BR here (see the comment on default_domain above).
.domain.local = DOMAIN.LOCAL

[appdefaults]
pam = {
         ticket_lifetime = 1d
         renew_lifetime = 1d
         forwardable = true
         proxiable = false
         retain_after_close = false
         minimum_uid = 1
# NOTE(review): the closing "}" for the pam block is missing in the
# listing as posted. If it is really absent from the on-disk file, the
# Kerberos library will fail to parse krb5.conf -- check the real file.

squid.conf:

# Do not edit manually !
# NOTE(review): the header above suggests this file is generated by some
# management tool; hand edits are likely to be overwritten, so apply
# changes through whatever generates it.
# Plain HTTP listener: anything sent to it, including Basic-auth
# credentials (see the basic helper below), crosses the LAN in clear.
http_port 192.168.0.1:8080
icp_port 0

pid_filename /var/run/squid.pid
cache_effective_user proxy
# The ntlm_auth helpers inherit this uid/gid. The winbindd_privileged
# directory shown below (drwxr-x--- root proxy) is group-accessible for
# "proxy", which is consistent with this setting.
cache_effective_group proxy
error_directory /usr/local/etc/squid/errors/English
icon_directory /usr/local/etc/squid/icons
visible_hostname localhost
# "admin at localhost" is the list archive's munging of an '@' address;
# the real file presumably reads admin@localhost.
cache_mgr admin at localhost
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
referer_log /var/squid/logs/referer.log
logfile_rotate 0
cache_store_log none
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src  192.168.0.0/255.255.255.0
uri_whitespace strip
# Squid resolves destination names through a public resolver. This does
# not affect winbind/krb5 (they use the OS resolver), but if
# /etc/resolv.conf points at the same external server, the AD SRV records
# for the DC/KDC will not resolve; the OS resolver must use AD DNS.
dns_nameservers 208.67.222.222
cache_mem 8 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir ufs /var/squid/cache 100 16 256
minimum_object_size 0 KB
maximum_object_size 4 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95

url_rewrite_program /usr/local/bin/redirector
url_rewrite_children 50

# Setup some default acls
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
# The 1025-65535 range makes nearly every unprivileged port a "safe"
# port, and several entries are repeated; trim this to the ports that
# are actually needed. (The list is wrapped over two lines in this
# posting; in the real file it must be a single line.)
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 5080
3128 1025-65535 5080 81 80 443 21 20
# CONNECT is an opaque tunnel, so listing 20, 21, 80, 81 and 5080 here
# (see "deny CONNECT !sslports" below) lets clients tunnel arbitrary
# protocols to those ports through the proxy. Keep 443 (and 563 if
# NNTPS is used) only, unless the others are deliberate.
acl sslports port 443 563 5080 5080 81 80 443 21 20
acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
acl dynamic urlpath_regex cgi-bin \?
# Source-IP based exemption from authentication (allowed further down).
# Any host that can use one of these addresses gets the same exemption,
# so keep the list short and the addresses static.
acl unrestricted_hosts src "/var/squid/acl/unrestricted_hosts.acl"
# dstdom_regex patterns are unanchored: "example\.com" also matches
# "example.com.evil.test". Anchor entries, e.g. (^|\.)example\.com$,
# because matches are granted without authentication below.
acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
cache deny dynamic
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports

# Always allow localhost connections
http_access allow localhost

# 0 means "no limit" for both of these.
request_body_max_size 0 KB
reply_body_max_size 0 deny all
# -1/-1 for every bucket means the pool imposes no limit; this block is
# effectively a no-op.
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow all

# Custom options
tcp_outgoing_address 192.168.0.1
# NTLM options are split between here and the "program" line further
# down; keeping all "auth_param ntlm" lines together makes the helper
# setup easier to read and review.
auth_param ntlm keep_alive on

# These hosts do not have any restrictions
http_access allow unrestricted_hosts
# Always allow access to whitelist domains
# NOTE(review): this rule and the one above run before proxy_auth, so
# matching traffic is never authenticated or attributed to a user.
http_access allow whitelist
# The helper command lines are wrapped over two lines in this posting
# (mail line wrap); in the real file each "auth_param ... program" must
# be one line. The "BH NT_STATUS_ACCESS_DENIED" entries in the log come
# from this helper's call into winbindd. Before looking at user
# credentials, check the proxy's own trust with `wbinfo -t`, and run the
# helper by hand as the "proxy" user to rule out pipe permissions.
auth_param ntlm program /usr/local/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 45
# Basic auth carries the password base64-encoded, i.e. effectively in
# clear, over the plain-HTTP http_port above. This is the path behind
# check_plaintext_auth in the log. Keep it only as a fallback for
# clients that cannot do NTLM.
auth_param basic program /usr/local/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
auth_param basic casesensitive off
# The default is 1 hour; 10 seconds is very aggressive for credential
# cache cleanup.
authenticate_cache_garbage_interval 10 seconds
auth_param basic children 45
auth_param basic realm Please enter your credentials to access the proxy
# Cached Basic credentials are re-checked against winbind only every
# 10 hours, so a password change or account disable in AD is not
# noticed for up to that long; something in the 5-15 minute range is
# more usual.
auth_param basic credentialsttl 600 minutes
acl password proxy_auth REQUIRED
# Duplicate of the allow rule above; unreachable here (harmless).
http_access allow unrestricted_hosts
http_access allow password localnet
# Default block all to be sure
http_access deny all

Permissions of the winbindd_privileged directory (Squid runs as proxy:proxy, so the group bits are what let ntlm_auth reach the privileged pipe):

drwxr-x---   2 root  proxy   512B Oct  2 10:00 winbindd_privileged

Error logs:

[2013/10/01 19:39:44,  0]
utils/ntlm_auth.c:833(manage_squid_ntlmssp_request)
   NTLMSSP BH: NT_STATUS_ACCESS_DENIED
2013/10/01 19:39:44| authenticateNTLMHandleReply: Error validating user
via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'

   Login for user [SALE]\[wellington.gomes]@[TI-06] failed due to
[Access denied]
2013/10/01 19:37:35| authenticateNTLMHandleReply: Error validating user
via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
[2013/10/01 19:37:35,  0]
utils/ntlm_auth.c:833(manage_squid_ntlmssp_request)
   NTLMSSP BH: NT_STATUS_ACCESS_DENIED

[2013/10/01 19:36:52, 10] utils/ntlm_auth.c:2190(manage_squid_request)
   NTLMSSP BH: NT_STATUS_ACCESS_DENIED

[2013/10/01 10:30:12,  3] utils/ntlm_auth.c:329(check_plaintext_auth)
   NT_STATUS_ACCESS_DENIED: Access denied (0xc0000022)




