Hi all,
I'm a Linux noob. I've managed to get Linux, Samba, and Squid working
without bugging anybody. I've run into one hiccup that I'm unable to
figure out.
I'm requiring NTLM authentication for Squid, which works great, but I've
had a few calls (and experienced it once myself) where Squid prompts for
authentication again after a user has already been surfing for a while.
I'm hoping somebody will have some insight for me!
Thanks!
Roger Riggins
Here is my environment:
Red Hat Enterprise Linux ES release 3 (Taroon Update 5)
squid-2.5.STABLE3-6.3E.9
samba-3.0.9-1.3E.3 (connected to AD)
Clients are Windows Server 2003 Citrix sessions
Here are my configs:
************************************************
squid.conf:
************************************************
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname cache01
coredump_dir /var/spool/squid
redirector_bypass off
[root@cache01 public]# vi squid.conf
[root@cache01 public]# cat squid.conf
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
# NTLM authentication is delegated to Samba's ntlm_auth helper, speaking the
# squid-2.5-ntlmssp helper protocol (so this depends on the winbind setup in
# smb.conf / nsswitch.conf further down).
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
# Each NTLM challenge is handed out once (no reuse) and expires after two
# minutes. NOTE(review): if the re-prompts correlate with idle or long-lived
# client connections, these are the first two values to check against the
# helper's expectations — confirm before changing them.
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
# Matches any request that carries valid proxy credentials. When it is the
# last ACL on an http_access line that does not match, Squid answers with a
# 407 challenge instead of falling through.
acl AuthorizedUsers proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# NOTE(review): this allow is evaluated before the manager, Safe_ports and
# CONNECT rules below, so any authenticated client is granted access to every
# destination port and to CONNECT on non-SSL ports; the rules below only
# constrain unauthenticated (already-challenged) requests. The usual ordering
# places "deny !Safe_ports" and "deny CONNECT !SSL_ports" first and the
# proxy_auth allow after them — confirm the current order is intended.
http_access allow all AuthorizedUsers
http_access allow manager localhost
http_access deny manager
# NOTE(review): reached only by requests that were not allowed or challenged
# above, and followed immediately by "deny !Safe_ports" — looks redundant;
# verify whether it still serves a purpose.
http_access allow Safe_ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
visible_hostname cache01
coredump_dir /var/spool/squid
redirector_bypass off
************************************************
smb.conf
************************************************
[global]
workgroup = DOMAIN
netbios name = cache01
server string = cache01 cache server
security = ads
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
password server = *
encrypt passwords = yes
realm = domain.local
[public]
path = /usr/local/public
comment = public share
read only = no
************************************************
nsswitch.conf
************************************************
passwd: files winbind
shadow: files winbind
group: files winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus
************************************************
krb5.conf
************************************************
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
# NOTE(review): the realm, KDC and domain mappings below are the distribution's
# placeholder values (EXAMPLE.COM / kerberos.example.com), while smb.conf sets
# "realm = domain.local". With "security = ads", Samba's domain membership and
# winbind presumably use the Kerberos libraries configured here — confirm
# whether this file is actually consulted, and if so point it at the real
# realm and KDC rather than the examples.
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com:88
admin_server = kerberos.example.com:749
default_domain = example.com
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
Roger Riggins
Network Administrator
Lutheran Services in Iowa
w: 319.859.3543
c: 319-290-5687
http://www.lsiowa.org