fatima riadi
2005-Apr-07 09:47 UTC
[Samba] Samba-Squid-AD: Error returned 'BH NT_STATUS_ACCESS_DENIED'
Hi everybody,

I set up squid-2.5.STABLE9 with samba-3.0.13 to use winbind authentication over a Windows 2003 Active Directory.
Web users' authentication from my proxy server box succeeds.
But when a remote user tries to authenticate himself, authentication fails and Squid returns the following:

    authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'

I configured samba with (--with-ads --with-ldap --with-winbind --with-winbind-auth-challenge).
And I configured squid with (--enable-auth="ntlm,basic" --enable-basic-auth-helpers="winbind" --enable-ntlm-auth-helpers="winbind").
I edited my smb.conf and my krb5.conf files to match my AD domain settings.
I joined the domain.
My squid.conf file contains the following:

    auth_param ntlm program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
    auth_param ntlm children 5
    auth_param ntlm max_challenge_reuses 0
    auth_param ntlm max_challenge_lifetime 2 minutes
    auth_param basic program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours
    acl authUsers proxy_auth REQUIRED
    http_access allow authUsers
    http_access deny all

Someone told me that this is basically a samba error.
Does anyone have an idea?

Thanks in advance.
Andrew Bartlett
2005-Apr-07 12:03 UTC
[Samba] Samba-Squid-AD: Error returned 'BH NT_STATUS_ACCESS_DENIED'
On Thu, 2005-04-07 at 11:47 +0200, fatima riadi wrote:
> Hi everybody,
>
> I set up squid-2.5.STABLE9 with samba-3.0.13 to use
> winbind authentication over a Windows 2003 Active
> Directory.
> Web users' authentication from my proxy server box
> succeeds.
> But when a remote user tries to authenticate himself,
> authentication fails and Squid returns the
> following:
> authenticateNTLMHandleReply: Error validating user
> via NTLM. Error returned 'BH
> NT_STATUS_ACCESS_DENIED'

Are the permissions on the winbind privileged pipe correct, what does the winbindd.log say?

> I configured samba with (--with-ads --with-ldap
> --with-winbind --with-winbind-auth-challenge).

--with-winbind-auth-challenge doesn't exist any more. It was a Samba 2.2 hack, the privileged pipe dir handles the access control to this now.

> And I configured squid with
> (--enable-auth="ntlm,basic"
> --enable-basic-auth-helpers="winbind"
> --enable-ntlm-auth-helpers="winbind").

These last two options build helpers in the squid sources which are incompatible with Samba 3.0. They should not be built or used.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
fatima riadi
2005-Apr-07 14:15 UTC
[Samba] Samba-Squid-AD: Error returned 'BH NT_STATUS_ACCESS_DENIED'
Thank you for your reply.

> Are the permissions on the winbind privileged pipe
> correct, what does
> the winbindd.log say?

log.winbindd does not report any error.
I set squid as group owner of the winbindd_privileged file. The permissions I found in the documentation (750) didn't work. I then set 777 as permission, and the problem disappears!

> --with-winbind-auth-challenge doesn't exist any
> more. It was a Samba
> 2.2 hack, the privileged pipe dir handles the access
> control to this now.
>
> > And I configured squid with
> > (--enable-auth="ntlm,basic"
> > --enable-basic-auth-helpers="winbind"
> > --enable-ntlm-auth-helpers="winbind").
>
> These last two options build helpers in the squid
> sources which are
> incompatible with Samba 3.0. They should not be
> built or used.

Do you think that I have to rebuild Samba and squid avoiding the latter options?
Authentication works well now!
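
Added example, not part of the thread and not Samba or Squid code: the exchange above turns on who may enter the winbindd_privileged directory, where the documented mode is 750 with the proxy's group as group owner and a mode of 777 removes the access control the privileged pipe directory is meant to provide. This shell function checks the mode, the group owner and, optionally, that the account running ntlm_auth is in that group. The directory path, the account name and the function name `check_priv_dir` are assumptions, since the thread gives none of them, and it relies on GNU `stat`.

```shell
#!/bin/sh
# Added example (not from the thread): audit access to winbindd_privileged.
# Usage: check_priv_dir DIR GROUP [USER]
#   DIR   - the winbindd_privileged directory (path is an assumption; the
#           thread does not give it, look under your Samba lock directory)
#   GROUP - group the proxy runs under ("squid" in the thread)
#   USER  - optional account that runs ntlm_auth (hypothetical name)
check_priv_dir() {
    dir=$1 group=$2 user=${3:-}
    rc=0
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 2; }

    mode=$(stat -c '%a' "$dir")         # GNU stat: octal mode, e.g. 750
    dir_group=$(stat -c '%G' "$dir")    # name of the group owner

    case $mode in
        750|?750) ;;                    # documented mode (setgid/sticky tolerated)
        *[1-7]) echo "FAIL: mode $mode grants access to all local accounts"; rc=1 ;;
        *)      echo "FAIL: mode $mode is not the documented 750"; rc=1 ;;
    esac

    if [ "$dir_group" != "$group" ]; then
        echo "FAIL: group owner is $dir_group, expected $group"; rc=1
    fi

    # With 750 a non-owner account gets in only through the group.
    if [ -n "$user" ] &&
       ! id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -Fqx -- "$group"; then
        echo "FAIL: $user is not a member of $group"; rc=1
    fi

    if [ "$rc" -eq 0 ]; then echo "OK: $dir is mode $mode, group $group"; fi
    return "$rc"
}

# Constructed demo on a scratch directory, not a real Samba path.
demo=$(mktemp -d)
demo_group=$(stat -c '%G' "$demo")
chmod 777 "$demo"; check_priv_dir "$demo" "$demo_group" || true   # FAIL
chmod 750 "$demo"; check_priv_dir "$demo" "$demo_group" || true   # OK
rmdir "$demo"
```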