[Samba] Problem with ntlm authentication in squid

Silvio Aparecido silvio.aparecido at bluepex.com
Mon Oct 7 05:12:54 MDT 2013


On 10/04/2013 08:26 AM, Silvio Aparecido wrote:
> Hi
>
> I'm having a small problem: after the machine is joined to the domain via
> Samba, a few minutes later Squid no longer authenticates users through
> single sign-on and keeps prompting for credentials in the browser without end.
>
> Below are my settings and error logs.
>
> *smb.conf*
>
> [global]
> workgroup = SALE
> netbios name = utmadm
> server string = PROXY SERVER
> load printers = no
> log file = /var/log/samba34/log.%m
> pid directory = /var/run/samba34
> max log size = 500
> realm = sale.br
> security = ads
> auth methods = winbind
> winbind separator = |
> encrypt passwords = yes
> winbind cache time = 300
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> idmap uid = 10000-50000
> idmap gid = 10000-50000
> local master = no
> os level = 233
> domain master = no
> preferred master = no
> domain logons = no
> wins server = 192.168.8.202
> dns proxy = no
> ldap ssl = no
> client use spnego = no
> server signing = auto
> client signing = auto
> log level = 3 auth:10 winbind:10
>
> *krb5.conf*
>
> [libdefaults]
> default_realm = SALE.BR
> clockskew = 300
> [realms]
> SALE.BR = {
>           kdc = 192.168.0.1
>           default_domain = domain.local
>           admin_server = 192.168.0.1
> }
> [logging]
> kdc = FILE:/var/log/krb5/krb5kdc.log
> admin_server = FILE:/var/log/krb5/kadmind.log
> default = SYSLOG:NOTICE:DAEMON
>
> [domain_realm]
> .domain.local = DOMAIN.LOCAL
>
> [appdefaults]
> pam = {
>           ticket_lifetime = 1d
>           renew_lifetime = 1d
>           forwardable = true
>           proxiable = false
>           retain_after_close = false
>           minimum_uid = 1
>
> *squid.conf*
>
> # Do not edit manually !
> http_port 192.168.0.1:8080
> icp_port 0
>
> pid_filename /var/run/squid.pid
> cache_effective_user proxy
> cache_effective_group proxy
> error_directory /usr/local/etc/squid/errors/English
> icon_directory /usr/local/etc/squid/icons
> visible_hostname localhost
> cache_mgr admin at localhost
> access_log /var/squid/logs/access.log
> cache_log /var/squid/logs/cache.log
> referer_log /var/squid/logs/referer.log
> logfile_rotate 0
> cache_store_log none
> shutdown_lifetime 3 seconds
> # Allow local network(s) on interface(s)
> acl localnet src  192.168.0.0/255.255.255.0
> uri_whitespace strip
> dns_nameservers 208.67.222.222
> cache_mem 8 MB
> maximum_object_size_in_memory 32 KB
> memory_replacement_policy heap GDSF
> cache_replacement_policy heap LFUDA
> cache_dir ufs /var/squid/cache 100 16 256
> minimum_object_size 0 KB
> maximum_object_size 4 KB
> offline_mode off
> cache_swap_low 90
> cache_swap_high 95
>
> url_rewrite_program /usr/local/bin/redirector
> url_rewrite_children 50
>
> # Setup some default acls
> acl all src 0.0.0.0/0.0.0.0
> acl localhost src 127.0.0.1/255.255.255.255
> acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 5080
> 3128 1025-65535 5080 81 80 443 21 20
> acl sslports port 443 563 5080 5080 81 80 443 21 20
> acl manager proto cache_object
> acl purge method PURGE
> acl connect method CONNECT
> acl dynamic urlpath_regex cgi-bin \?
> acl unrestricted_hosts src "/var/squid/acl/unrestricted_hosts.acl"
> acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
> cache deny dynamic
> http_access allow manager localhost
> http_access deny manager
> http_access allow purge localhost
> http_access deny purge
> http_access deny !safeports
> http_access deny CONNECT !sslports
>
> # Always allow localhost connections
> http_access allow localhost
>
> request_body_max_size 0 KB
> reply_body_max_size 0 deny all
> delay_pools 1
> delay_class 1 2
> delay_parameters 1 -1/-1 -1/-1
> delay_initial_bucket_level 100
> delay_access 1 allow all
>
> # Custom options
> tcp_outgoing_address 192.168.0.1
> auth_param ntlm keep_alive on
>
> # These hosts do not have any restrictions
> http_access allow unrestricted_hosts
> # Always allow access to whitelist domains
> http_access allow whitelist
> auth_param ntlm program /usr/local/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 45
> auth_param basic program /usr/local/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic
> auth_param basic casesensitive off
> authenticate_cache_garbage_interval 10 seconds
> auth_param basic children 45
> auth_param basic realm Please enter your credentials to access the proxy
> auth_param basic credentialsttl 600 minutes
> acl password proxy_auth REQUIRED
> http_access allow unrestricted_hosts
> http_access allow password localnet
> # Default block all to be sure
> http_access deny all
>
> Permissions of my winbindd_privileged directory:
>
> drwxr-x---   2 root  proxy   512B Oct  2 10:00 winbindd_privileged
>
> Error logs:
>
> [2013/10/01 19:39:44,  0]
> utils/ntlm_auth.c:833(manage_squid_ntlmssp_request)
>     NTLMSSP BH: NT_STATUS_ACCESS_DENIED
> 2013/10/01 19:39:44| authenticateNTLMHandleReply: Error validating user
> via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
>
>     Login for user [SALE]\[wellington.gomes]@[TI-06] failed due to
> [Access denied]
> 2013/10/01 19:37:35| authenticateNTLMHandleReply: Error validating user
> via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
> [2013/10/01 19:37:35,  0]
> utils/ntlm_auth.c:833(manage_squid_ntlmssp_request)
>     NTLMSSP BH: NT_STATUS_ACCESS_DENIED
>
> [2013/10/01 19:36:52, 10] utils/ntlm_auth.c:2190(manage_squid_request)
>     NTLMSSP BH: NT_STATUS_ACCESS_DENIED
>
> [2013/10/01 10:30:12,  3] utils/ntlm_auth.c:329(check_plaintext_auth)
>     NT_STATUS_ACCESS_DENIED: Access denied (0xc0000022)
>
>
>
Does no one have an idea?

