First of all, I'm a little bit ashamed of the helpers' documentation problems.
For a beginner it is impossible to make NT authentication work with only the squid user guides or FAQs, especially for the latest helpers.
After that, I think that another big problem for beginners is that no helper program has the simple --help or -? or -h semantics to make it possible to see which args can be passed to the program.
I want to write tutorials and documentation to set up these kinds of authentication, also samba integration... naturally if someone tells me what to do...
After these constructive polemics I'll start with my problem:
I'm using Slackware 8.1 running kernel 2.4.18 and squid 2.5.PRE7, today's snapshot.
I want to use winbindd to authenticate my squid users...
OK, I've installed samba with winbindd and correctly changed nsswitch.conf to make it possible to auth users with nss_winbind.
I've correctly configured my smb.conf; these are the most important settings:
;*******************section global*****************
[global]
password server = MASTER BDC
; password server = *
wins server = 192.168.5.1 192.168.0.1
update encrypted = Yes
security = domain
encrypt passwords = Yes
workgroup = MYDOMAIN
preferred master = no
;*********** winbindd **********
; winbind separator = \
template homedir = /home/%D/%U
template shell = /bin/bash
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
OK, I've correctly joined my domain, winbindd is running and I can see my domain users and my domain groups with wbinfo.
After that, here is my salient squid.conf configuration:
auth_param ntlm program /home/squid/squid25/libexec/wb_ntlmauth
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
acl federico proxy_auth REQUIRED
http_access allow federico
http_access deny all
OK, now I start squid by doing "squid -D -N -d 5", and I can see this in cache.log:
2002/06/26 18:20:28| Starting Squid Cache version 2.5.PRE7-20020625 for i686-pc-linux-gnu...
2002/06/26 18:20:28| Process ID 173
2002/06/26 18:20:28| With 1024 file descriptors available
2002/06/26 18:20:28| DNS Socket created at 0.0.0.0, port 32771, FD 5
2002/06/26 18:20:28| Adding nameserver 192.168.5.1 from /etc/resolv.conf
2002/06/26 18:20:28| helperStatefulOpenServers: Starting 5 'wb_ntlmauth' processes
(wb_ntlmauth)[174](wb_ntlm_auth.c:348): target domain is MYDOMAIN
(wb_ntlmauth)[175](wb_ntlm_auth.c:348): target domain is MYDOMAIN
(wb_ntlmauth)[176](wb_ntlm_auth.c:348): target domain is MYDOMAIN
(wb_ntlmauth)[178](wb_ntlm_auth.c:348): target domain is MYDOMAIN
(wb_ntlmauth)[177](wb_ntlm_auth.c:348): target domain is MYDOMAIN
2002/06/26 18:20:28| Unlinkd pipe opened on FD 15
2002/06/26 18:20:28| Swap maxSize 102400 KB, estimated 7876 objects
2002/06/26 18:20:28| Target number of buckets: 393
2002/06/26 18:20:28| Using 8192 Store buckets
2002/06/26 18:20:28| Max Mem size: 8192 KB
2002/06/26 18:20:28| Max Swap size: 102400 KB
2002/06/26 18:20:28| Rebuilding storage in /home/squid/squid25//var/cache (CLEAN)
2002/06/26 18:20:28| Using Least Load store dir selection
2002/06/26 18:20:28| Set Current Directory to /home/squid/squid25//var/cache
2002/06/26 18:20:28| Loaded Icons.
2002/06/26 18:20:28| Accepting HTTP connections at 0.0.0.0, port 8080, FD 17.
2002/06/26 18:20:28| Accepting ICP messages at 0.0.0.0, port 3130, FD 18.
2002/06/26 18:20:28| Accepting SNMP messages on port 3401, FD 19.
2002/06/26 18:20:28| WCCP Disabled.
2002/06/26 18:20:28| Pinger socket opened on FD 21
2002/06/26 18:20:28| Ready to serve requests.
2002/06/26 18:20:28| Done reading /home/squid/squid25//var/cache swaplog (58 entries)
2002/06/26 18:20:28| Finished rebuilding storage from disk.
2002/06/26 18:20:28| 58 Entries scanned
2002/06/26 18:20:28| 0 Invalid entries.
2002/06/26 18:20:28| 0 With invalid flags.
2002/06/26 18:20:28| 58 Objects loaded.
2002/06/26 18:20:28| 0 Objects expired.
2002/06/26 18:20:28| 0 Objects cancelled.
2002/06/26 18:20:28| 0 Duplicate URLs purged.
2002/06/26 18:20:28| 0 Swapfile clashes avoided.
2002/06/26 18:20:28| Took 0.3 seconds ( 187.0 objects/sec).
2002/06/26 18:20:28| Beginning Validation Procedure
2002/06/26 18:20:28| Completed Validation Procedure
2002/06/26 18:20:28| Validated 58 Entries
2002/06/26 18:20:28| store_swap_size = 388k
2002/06/26 18:20:29| storeLateRelease: released 0 objects
Now I open my IE6 configured for NTLM native authentication and point it at my proxy, asking for a site; here is what I can see in my access.log:
1025108432.785 1 192.168.5.12 TCP_DENIED/407 1313 GET http://freshmeat.net/ - NONE/- text/html
No other log problems; from tcpdump, strace and others I can see that all seems OK. But I can't understand where the problem is.
Other authentication, such as smb_auth msnt_auth or work correctly. I need winbindd so that the awful password prompt does not pop up on user connections.
Any help will be appreciated.
Cheers, Federico.
- Nemo me impune lacessit -
Ego^pFe @*NET
Received on Wed Jun 26 2002 - 09:34:27 MDT
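
Added example, not part of the original post: a small parser for Squid native-format access.log lines like the one quoted above, reporting clients that repeatedly receive TCP_DENIED/407 and never appear with an authenticated user name in the user field. Only the first sample line comes from the post; the other lines, the user name "alice" and the function names are constructed for illustration.

```python
from collections import defaultdict

# First line is the one quoted in the post; the other four are constructed.
SAMPLE_LOG = """\
1025108432.785 1 192.168.5.12 TCP_DENIED/407 1313 GET http://freshmeat.net/ - NONE/- text/html
1025108433.102 2 192.168.5.12 TCP_DENIED/407 1313 GET http://freshmeat.net/ - NONE/- text/html
1025108440.310 1 192.168.5.20 TCP_DENIED/407 1313 GET http://example.com/ - NONE/- text/html
1025108440.512 2 192.168.5.20 TCP_DENIED/407 1580 GET http://example.com/ - NONE/- text/html
1025108440.901 214 192.168.5.20 TCP_MISS/200 4210 GET http://example.com/ alice DIRECT/192.0.2.10 text/html
"""

def parse_line(line):
    """Parse one native-format access.log line; None if it does not fit."""
    parts = line.split()
    if len(parts) != 10:
        return None
    result, user = parts[3], parts[7]   # e.g. TCP_DENIED/407 and the user field
    code, _, status = result.partition("/")
    if not status.isdigit():
        return None
    return {"client": parts[2], "code": code, "status": int(status), "user": user}

def auth_summary(lines):
    """Per client IP: number of 407 denials and the user names Squid logged."""
    stats = defaultdict(lambda: {"denied_407": 0, "users": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = stats[rec["client"]]
        if rec["code"] == "TCP_DENIED" and rec["status"] == 407:
            entry["denied_407"] += 1
        if rec["user"] != "-":          # "-" means no authenticated user
            entry["users"].add(rec["user"])
    return dict(stats)

def never_authenticated(lines, min_denials=2):
    """Clients with at least min_denials 407s and no user name ever logged."""
    return sorted(ip for ip, e in auth_summary(lines).items()
                  if e["denied_407"] >= min_denials and not e["users"])

if __name__ == "__main__":
    for ip in never_authenticated(SAMPLE_LOG.splitlines()):
        print(ip, "only ever received TCP_DENIED/407")
```

A client that completes proxy authentication shows 407 entries followed by a line carrying its user name; a client listed by never_authenticated() never got that far.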