/etc/init.d/squid restart
* Restarting Squid HTTP proxy squid
2009/08/18 14:04:15| Invalid Proxy Auth ACL 'acl
AuthorizedUsers proxy_auth REQUIRED' because no authentication schemes
are fully configured.
FATAL: Bungled squid.conf line 39: acl AuthorizedUsers proxy_auth REQUIRED
Squid Cache (Version 2.6.STABLE18): Terminated abnormally.
[fail]
squid.conf
root_at_sunbox:/var/log/squid# more /etc/squid/squid.conf
visible_hostname sunbox
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
http_port 100.100.100.50:3128
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 631 # cups
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl Safe_ports port 993 # IMAP
acl Safe_ports port 587 # SMTP
acl Safe_ports port 22 # SSH
acl purge method PURGE
acl special_urls url_regex "/etc/squid/squid-noblock.acl"
acl extndeny url_regex -i "/etc/squid/blocks.files.acl"
acl malware_block_list url_regex -i "/etc/squid/malware_block_list.txt"
acl badurl url_regex -i teen orkut youtube sex mp3 mp4 exe
acl lan src 192.168.1.0 100.100.100.0/24
acl stud ident_regex babu
acl download method GET
acl CONNECT method CONNECT
acl AuthorizedUsers proxy_auth REQUIRED
cache_mem 100 MB
#redirect_program /usr/bin/squidGuard -c /etc/squid/squidGuard.conf
ident_lookup_access allow all
http_access deny all
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access allow special_urls
http_access deny extndeny download
http_access deny extndeny
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny badurl
http_access deny malware_block_list
deny_info http://malware.hiperlinks.com.br/denied.shtml malware_block_list
http_access allow localhost
http_access allow lan
http_reply_access allow all
http_access allow AuthorizedUsers
http_access deny all
icp_access allow all
coredump_dir /var/spool/squid
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
# ntlm_auth from Samba 3 supports NTLM NEGOTIATE packet
auth_param ntlm use_ntlm_negotiate on
# warning: basic authentication sends passwords plaintext
# a network sniffer can and will discover passwords
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
Thanks
Avinash
On Tue, Aug 18, 2009 at 12:33 PM, Chris
Boczko<Christopher.Boczko_at_chemdry.co.uk> wrote:
> checking the trust secret via RPC calls succeeded means the secret is good, they changed the wording a while back, glad you're working
>
> chris
>
> Kind Regards,
> Christopher Boczko
> Server Support Analyst - IT Shared Services
> HomeServe
> Chemdry UK, Colonial House, Swinemoor Lane, Beverley, HU17 0LS
>
> DDI: 01482 677272
> Mob: 07967 059241
>
> www.homeserve.com
> www.chemdry.co.uk
>
>
> -----Original Message-----
> From: Avinash Rao [mailto:avinash.aol_at_gmail.com]
> Sent: 17 August 2009 16:38
> To: Chris Boczko
> Subject: Re: [squid-users] Need help in integrating squid and samba
>
> Chris,
>
> Please don't get bugged, wbinfo -g is working now ..
> wbinfo -g
> BUILTIN\administrators
> BUILTIN\users
>
> and even wbinfo -t
>
> wbinfo -t
> checking the trust secret via RPC calls succeeded
>
> but it didn't give the out "the secret is good" . I have no idea how
> this is working all of a sudden, it didn't work a little while ago!
>
> Regards,
> Avinash
>
>
>
> On Mon, Aug 17, 2009 at 8:58 PM, Avinash Rao<avinash.aol_at_gmail.com> wrote:
>> Yes, Squid and Samba(PDC) are running on the same server.
>>
>> wbinfo -g won't work as i have not created any of the NT Domain Groups
>> is that necessary? Coz, i have a very simple samba configuration.
>>
>> I went through the link and made changes to nsswitch conf.
>>
>> wbinfo -set-auth-user=Administrator%'password'
>> Could not lookup sid Administrator%password
>>
>> But, I could join the domain, i just entered net join and entered the
>> current users password and it said joined the domain!
>> wbinfo -u
>> Error looking up domain users
>>
>> Thanks again
>> Avinash
>>
>>
>>
>> On Mon, Aug 17, 2009 at 8:29 PM, Chris
>> Boczko<Christopher.Boczko_at_chemdry.co.uk> wrote:
>>> Right ok,
>>>
>>> So squid is running samba (as a pdc) and squid as a cache?
>>>
>>> Can you try running wbinfo -g, and if that doesn't work, try running wbinfo --set-auth-user=Administrator%'YourPassword' (see: http://www.debian-administration.org/article/Question_Winbind_on_samba_PDC), then run wbinfo -g again
>>>
>>> Kind Regards,
>>> Christopher Boczko
>>> Server Support Analyst - IT Shared Services
>>> HomeServe
>>> Chemdry UK, Colonial House, Swinemoor Lane, Beverley, HU17 0LS
>>>
>>> DDI: 01482 677272
>>> Mob: 07967 059241
>>>
>>> www.homeserve.com
>>> www.chemdry.co.uk
>>>
>>>
>>> -----Original Message-----
>>> From: Avinash Rao [mailto:avinash.aol_at_gmail.com]
>>> Sent: 17 August 2009 15:56
>>> To: Chris Boczko
>>> Subject: Re: [squid-users] Need help in integrating squid and samba
>>>
>>> Yes its on the squid server and its a PDC and the passwd backend is tdbsam
>>>
>>>
>>>
>>> On Mon, Aug 17, 2009 at 8:22 PM, Chris
>>> Boczko<Christopher.Boczko_at_chemdry.co.uk> wrote:
>>>> This is on the squid server?
>>>>
>>>> Its trying to be a pdc
>>>>
>>>>
>>>> domain logons = yes
>>>> os level = 65
>>>> prefered master = yes
>>>> domain master = yes
>>>> local master = yes
>>>>
>>>> Kind Regards,
>>>> Christopher Boczko
>>>> Server Support Analyst - IT Shared Services
>>>> HomeServe
>>>> Chemdry UK, Colonial House, Swinemoor Lane, Beverley, HU17 0LS
>>>>
>>>> DDI: 01482 677272
>>>> Mob: 07967 059241
>>>>
>>>> www.homeserve.com
>>>> www.chemdry.co.uk
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Avinash Rao [mailto:avinash.aol_at_gmail.com]
>>>> Sent: 17 August 2009 15:51
>>>> To: Chris Boczko
>>>> Subject: Re: [squid-users] Need help in integrating squid and samba
>>>>
>>>> smb.conf
>>>>
>>>> [global]
>>>> workgroup = abc
>>>> server string = Samba on SUN
>>>> max log size = 500
>>>> log level = 1
>>>> interfaces = eth2 100.100.100.251
>>>> bind interfaces only = True
>>>>
>>>> log file = /var/log/samba/log.%m
>>>> max log size = 1000
>>>>
>>>> domain logons = yes
>>>> os level = 65
>>>> prefered master = yes
>>>> domain master = yes
>>>> local master = yes
>>>>
>>>> winbind uid = 10000-20000
>>>> winbind gid = 10000-20000
>>>> winbind use default domain = yes
>>>>
>>>> add machine script = /usr/sbin/useradd -s /bin/false -d /home/nobody %u
>>>> dns proxy =No
>>>> hosts allow = 127. 100.100.100.
>>>> wins support = Yes
>>>> passdb backend = smbpasswd
>>>>
>>>> encrypt passwords = true
>>>> smb passwd file = /etc/samba/smbpasswd
>>>> security = user
>>>> netbios name = sunbox
>>>> username map = /etc/samba/smbusers
>>>>
>>>> [homes]
>>>> comment = Home Dir
>>>> read only = NO
>>>> browseable = NO
>>>> valid users = %S
>>>> path = %H
>>>> directory mask = 0700
>>>> create mask = 0700
>>>>
>>>>
>>>> [share]
>>>> comment = test share
>>>> path = /sambashare
>>>> valid users = nimda
>>>> create mask = 0765
>>>>
>>>>
>>>> Cheers
>>>> Avinash
>>>>
>>>>
>>>> On Mon, Aug 17, 2009 at 8:04 PM, Chris
>>>> Boczko<Christopher.Boczko_at_chemdry.co.uk> wrote:
>>>>> Ah, makes a little more sense, but I'm afraid my only experience is with windows as an active directory controller and samba linking to that, but I can still take a look at your smb.conf if you would like
>>>>>
>>>>> Kind Regards,
>>>>> Christopher Boczko
>>>>> Server Support Analyst - IT Shared Services
>>>>> HomeServe
>>>>> Chemdry UK, Colonial House, Swinemoor Lane, Beverley, HU17 0LS
>>>>>
>>>>> DDI: 01482 677272
>>>>> Mob: 07967 059241
>>>>>
>>>>> www.homeserve.com
>>>>> www.chemdry.co.uk
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: Avinash Rao [mailto:avinash.aol_at_gmail.com]
>>>>> Sent: 17 August 2009 15:30
>>>>> To: Chris Boczko
>>>>> Cc: squid-users_at_squid-cache.org
>>>>> Subject: Re: [squid-users] Need help in integrating squid and samba
>>>>>
>>>>> Dear Christopher,
>>>>>
>>>>> Thank you for your reply.
>>>>>
>>>>> I am not using Active Directory, I am using a samba as a PDC (NT4) and
>>>>> its a simple configuration. All clients are WinXP and they login to
>>>>> the domain and i just want to control their access to internet that is
>>>>> all.
>>>>>
>>>>> And there is no other Windows NT domain machine in my network, its
>>>>> just this ubuntu server running squid and samba!
>>>>>
>>>>> If i am right? wbinfo -t will not work coz, i don't have a windows NT
>>>>> domain machine and no trust exists. But, how do i control, restrict or
>>>>> allow internet access for samba domain users through squid?
>>>>>
>>>>> Many Thanks
>>>>> Avinash
>>>>>
>>>>>
>>>>> On Mon, Aug 17, 2009 at 7:50 PM, Chris
>>>>> Boczko<Christopher.Boczko_at_chemdry.co.uk> wrote:
>>>>>> Yes,
>>>>>>
>>>>>> If you are using active directory 2000/2003/2008, you'll need to configure krb5 first
>>>>>>
>>>>>> Please see http://ubuntuforums.org/showthread.php?t=91510 , but you only need to follow steps 1-3, then 7-9
>>>>>>
>>>>>> Then run
>>>>>>
>>>>>> Wbinfo -t to check the trust and
>>>>>> Wbinfo -g to list groups
>>>>>>
>>>>>> Kind Regards,
>>>>>> Christopher Boczko
>>>>>> Server Support Analyst - IT Shared Services
>>>>>> HomeServe
>>>>>> Chemdry UK, Colonial House, Swinemoor Lane, Beverley, HU17 0LS
>>>>>>
>>>>>> DDI: 01482 677272
>>>>>> Mob: 07967 059241
>>>>>>
>>>>>> www.homeserve.com
>>>>>> www.chemdry.co.uk
>>>>>>
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Avinash Rao [mailto:avinash.aol_at_gmail.com]
>>>>>> Sent: 17 August 2009 14:57
>>>>>> To: Chris Boczko
>>>>>> Subject: Re: [squid-users] Need help in integrating squid and samba
>>>>>>
>>>>>> root_at_sunbox: net join -U user
>>>>>> Password:
>>>>>> Creation of workstation account failed
>>>>>> Unable to join domain abc
>>>>>>
>>>>>> user_at_sunbox:/usr/lib/squid$ net join -U user1
>>>>>> [2009/08/17 19:24:05, 0] passdb/secrets.c:secrets_init(66)
>>>>>> Failed to open /var/lib/samba/secrets.tdb
>>>>>> [2009/08/17 19:24:05, 0] utils/net_rpc.c:rpc_oldjoin_internals(309)
>>>>>> error storing domain sid for abc
>>>>>>
>>>>>> No, I haven't configured krb5. Do we need all this just to control
>>>>>> internet access for samba domain users?
>>>>>>
>>>>>> Avinash
>>>>>>
>>>>>>
>>>>>> On Mon, Aug 17, 2009 at 7:19 PM, Chris
>>>>>> Boczko<Christopher.Boczko_at_chemdry.co.uk> wrote:
>>>>>>> Have you run net join on the squid server (from the command line), and have you configured krb5?
>>>>>>>
>>>>>>> Does kinit (user)@(domain).(domain) work?
>>>>>>>
>>>>>>> Kind Regards,
>>>>>>> Christopher Boczko
>>>>>>>
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Avinash Rao [mailto:avinash.aol_at_gmail.com]
>>>>>>> Sent: 17 August 2009 14:47
>>>>>>> To: Chris Boczko
>>>>>>> Subject: Re: [squid-users] Need help in integrating squid and samba
>>>>>>>
>>>>>>> Samba Version:
>>>>>>>
>>>>>>> dpkg -l | grep samba
>>>>>>> ii samba 3.0.28a-1ubuntu4.8 a LanManager-like file and printer server fo
>>>>>>> ii samba-common 3.0.28a-1ubuntu4.8 Samba common files used by both
>>>>>>> the server a
>>>>>>>
>>>>>>> Ubuntu 8.04 Server 64-bit.
>>>>>>>
>>>>>>> Net Join? You mean from a windows client? I have only winXP clients
>>>>>>> and they are all configured to login to the domain.
>>>>>>>
>>>>>>> Avinash
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Mon, Aug 17, 2009 at 7:07 PM, Chris
>>>>>>> Boczko<Christopher.Boczko_at_chemdry.co.uk> wrote:
>>>>>>>> Have you tried rejoining the domain using
>>>>>>>>
>>>>>>>> Net join ?
>>>>>>>>
>>>>>>>> Then testing the join with
>>>>>>>>
>>>>>>>> Wbinfo -t
>>>>>>>>
>>>>>>>> Also, which version of debian / samba / ad are you running?
>>>>>>>>
>>>>>>>> Kind Regards,
>>>>>>>> Christopher Boczko
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Avinash Rao [mailto:avinash.aol_at_gmail.com]
>>>>>>>> Sent: 17 August 2009 14:25
>>>>>>>> To: squid-users_at_squid-cache.org
>>>>>>>> Subject: Fwd: [squid-users] Need help in integrating squid and samba
>>>>>>>>
>>>>>>>> Thanks for the quick response.
>>>>>>>> And, yes i will install squid using apt-get install command.
>>>>>>>> The basic winbindd functionality "wbinfo -t": is not successful
>>>>>>>>
>>>>>>>> wbinfo -t
>>>>>>>> checking the trust secret via RPC calls failed
>>>>>>>> error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
>>>>>>>> Could not check secret
>>>>>>>>
>>>>>>>> Even, wbinfo -a mydomain\\myuser%mypasswd is unsuccessful
>>>>>>>>
>>>>>>>> Wondering how i should proceed without this?
>>>>>>>>
>>>>>>>> Avinash
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Mon, Aug 17, 2009 at 1:15 PM, Amos Jeffries<squid3_at_treenet.co.nz> wrote:
>>>>>>>>> [re-inserting squid-users mailing list]
>>>>>>>>>
>>>>>>>>> Avinash Rao wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Mon, Aug 17, 2009 at 11:30 AM, Amos Jeffries <squid3_at_treenet.co.nz
>>>>>>>>>> <mailto:squid3_at_treenet.co.nz>> wrote:
>>>>>>>>>>
>>>>>>>>>> Avinash Rao wrote:
>>>>>>>>>>
>>>>>>>>>> Dear all,
>>>>>>>>>>
>>>>>>>>>> I am new here and i would like to know the correct procedure for
>>>>>>>>>> compiling squid to integrate with samba.
>>>>>>>>>> I am doing this on a Ubuntu 8.04 Server 64-bit edition and i
>>>>>>>>>> have all
>>>>>>>>>> the updates installed. In fact, i have installed samba through
>>>>>>>>>> apt-get
>>>>>>>>>> install and is configured as a PDC.
>>>>>>>>>>
>>>>>>>>>> dpkg -l | grep samba
>>>>>>>>>> ii samba 3.0.28a-1ubuntu4.8 a LanManager-like file and
>>>>>>>>>> printer server fo
>>>>>>>>>> ii samba-common 3.0.28a-1ubuntu4.8 Samba common files used
>>>>>>>>>> by both
>>>>>>>>>> the server a
>>>>>>>>>>
>>>>>>>>>> I am in need of controlling internet access for samba domain users
>>>>>>>>>> through squid. I read the documentation and it says Squid must be
>>>>>>>>>> built with the configure options:
>>>>>>>>>>
>>>>>>>>>> --enable-auth="ntlm,basic"
>>>>>>>>>> --enable-basic-auth-helpers="
>>>>>>>>>> winbind"
>>>>>>>>>> --enable-ntlm-auth-helpers="winbind"
>>>>>>>>>>
>>>>>>>>>> According to the documentation,
>>>>>>>>>> --------
>>>>>>>>>> Samba 3.x
>>>>>>>>>> ---------
>>>>>>>>>> Things are much easier under the 3.x versions of Samba. Smbd is no
>>>>>>>>>> longer required to manage the machine's trust account, and there
>>>>>>>>>> is
>>>>>>>>>> no need to patch any utilities.
>>>>>>>>>> The Samba team has incorporated functionality to change the machine
>>>>>>>>>> trust account password in the new "net" command. A simple daily
>>>>>>>>>> cron
>>>>>>>>>> job scheduling "net rpc changetrustpw" is all that is needed.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I went through the squid documentation and the configure options
>>>>>>>>>> are
>>>>>>>>>> vast. All i want is normal squid operations but with samba
>>>>>>>>>> integration. Do I have to specify other options for normal squid
>>>>>>>>>> operations?? What is the correct procedure and which version of
>>>>>>>>>> squid
>>>>>>>>>> suits well for the version of samba i am using? I have used
>>>>>>>>>> squid but
>>>>>>>>>> never compiled. My requirement with samba is PDC, winxp clients,
>>>>>>>>>> users home directories are mapped as they login to the domain, a
>>>>>>>>>> common share for all users and a printer if needed.
>>>>>>>>>>
>>>>>>>>>> Many Thanks,
>>>>>>>>>> Avinash
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> This covers the NTLM auth via Samba requirements.
>>>>>>>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm
>>>>>>>>>>
>>>>>>>>>> This covers the Active Directory (kerberos/negotiate auth)
>>>>>>>>>> requirements:
>>>>>>>>>>
>>>>>>>>>> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Amos
>>>>>>>>>> -- Please be using
>>>>>>>>>> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
>>>>>>>>>> Current Beta Squid 3.1.0.13
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Amos,
>>>>>>>>>>
>>>>>>>>>> Thanks for the reply.
>>>>>>>>>>
>>>>>>>>>> I read the documentation, and it says, "
>>>>>>>>>>
>>>>>>>>>> As Samba-3.x has it's own authentication helper there is no need to build
>>>>>>>>>> any of the Squid authentication helpers for use with Samba-3.x (and the
>>>>>>>>>> helpers provided by Squid won't work if you do). You do however need to
>>>>>>>>>> enable support for the NTLM scheme if you plan on using this. Also you may
>>>>>>>>>> want to use the wbinfo_group helper for group lookups
>>>>>>>>>>
>>>>>>>>>> --enable-auth="ntlm,basic"
>>>>>>>>>> --enable-external-acl-helpers="wbinfo_group"
>>>>>>>>>>
>>>>>>>>>> Does this mean that squid has to be compiled with the above options? I
>>>>>>>>>> am sorry if this sounds very basic. Also, my requirement, i should be able
>>>>>>>>>> to restrict few users samba users from accessing the internet through at
>>>>>>>>>> certain times and not necessary authentication. Will the above options
>>>>>>>>>> help.
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Avinash
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> The Squid packages available for Ubuntu already have those helpers built-in
>>>>>>>>> and installed along with the package. All you need is the configuration file
>>>>>>>>> changes.
>>>>>>>>>
>>>>>>>>> If you are building your own Squid from raw source code, you may need to add
>>>>>>>>> them.
>>>>>>>>>
>>>>>>>>> For someone who does not know the very basics I would seriously advise
>>>>>>>>> staying with the pre-packaged versions of Squid until you know what you are
>>>>>>>>> doing.
>>>>>>>>> --> apt-get install squid
>>>>>>>>>
>>>>>>>>> Then change the /etc/squid.conf file as needed.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Amos
>>>>>>>>> --
>>>>>>>>> Please be using
>>>>>>>>> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
>>>>>>>>> Current Beta Squid 3.1.0.13
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
Received on Tue Aug 18 2009 - 14:55:27 MDT
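
The restart failure at the top of this message ("no authentication schemes are fully configured") is what Squid reports when an `acl ... proxy_auth` line is parsed before any `auth_param ... program` line. The posted file also opens its `http_access` list with `deny all`, and because the first matching `http_access` rule wins, the rules after it are never evaluated. The following is an added example, not code from the thread or from the Squid project, that lints a squid.conf for both ordering problems; `SAMPLE` and `FIXED` are constructed excerpts modelled on the posted file, and `lint`, `directives` and the finding labels are hypothetical names.

```python
# Added example: lint a squid.conf for two ordering problems.
# SAMPLE and FIXED are constructed excerpts, not the full posted file.
SAMPLE = """\
acl all src 0.0.0.0/0.0.0.0
acl lan src 100.100.100.0/24
acl AuthorizedUsers proxy_auth REQUIRED
http_access deny all
http_access allow lan
http_access allow AuthorizedUsers
http_access deny all
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
"""

FIXED = """\
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
acl all src 0.0.0.0/0.0.0.0
acl lan src 100.100.100.0/24
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow lan AuthorizedUsers
http_access deny all
"""

# src values that match every client address
CATCH_ALL_SRC = {"0.0.0.0/0", "0.0.0.0/0.0.0.0", "all"}

def directives(text):
    """Yield (line_no, tokens) for each non-blank, non-comment line."""
    for no, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if tokens:
            yield no, tokens

def lint(text):
    """Return a list of (line_no, label, detail) findings."""
    findings = []
    auth_ready = False   # an "auth_param <scheme> program ..." line was seen
    catch_all = set()    # names of ACLs that match every client
    terminal = None      # line of the first unconditional allow/deny
    for no, tok in directives(text):
        if tok[0] == "auth_param" and len(tok) > 3 and tok[2] == "program":
            auth_ready = True
        elif tok[0] == "acl" and len(tok) > 3:
            name, kind, values = tok[1], tok[2], tok[3:]
            if kind.startswith("proxy_auth") and not auth_ready:
                findings.append((no, "auth-order", name))
            if kind == "src" and set(values) & CATCH_ALL_SRC:
                catch_all.add(name)
        elif tok[0] == "http_access" and len(tok) > 2:
            if terminal is not None:
                findings.append((no, "unreachable", " ".join(tok[1:])))
            elif all(acl in catch_all for acl in tok[2:]):
                terminal = no  # every later http_access rule is dead
    return findings

if __name__ == "__main__":
    for label, text in (("SAMPLE", SAMPLE), ("FIXED", FIXED)):
        print(label, lint(text) or "no findings")
```

In `FIXED`, listing `lan` and `AuthorizedUsers` on one `http_access allow` line requires both to match, so LAN clients are still asked to authenticate.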