Hello,
I'm having a little problem: after logging into the domain via Samba, after a few
minutes Squid no longer authenticates the users through single sign-on and
keeps asking for authentication in the browser without stopping.
Below are my settings and error logs.
smb.conf
[global]
workgroup = SALE
netbios name = utmadm
server string = PROXY SERVER
load printers = no
log file = /var/log/samba34/log.%m
pid directory = /var/run/samba34
max log size = 500
realm = sale.br
security = ads
auth methods = winbind
winbind separator = |
encrypt passwords = yes
winbind cache time = 300
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
idmap uid = 10000-50000
idmap gid = 10000-50000
local master = no
os level = 233
domain master = no
preferred master = no
domain logons = no
wins server = 192.168.8.202
dns proxy = no
ldap ssl = no
client use spnego = no
server signing = auto
client signing = auto
log level = 3 auth:10 winbind:10
krb5.conf
[libdefaults]
default_realm = SALE.BR
clockskew = 300
[realms]
SALE.BR = {
kdc = 192.168.0.1
default_domain = domain.local
admin_server = 192.168.0.1
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[domain_realm]
.domain.local = DOMAIN.LOCAL
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 1
squid.conf
# Do not edit manually !
http_port 192.168.0.1:8080
icp_port 0
pid_filename /var/run/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_directory /usr/local/etc/squid/errors/English
icon_directory /usr/local/etc/squid/icons
visible_hostname localhost
cache_mgr admin at localhost
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
referer_log /var/squid/logs/referer.log
logfile_rotate 0
cache_store_log none
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src 192.168.0.0/255.255.255.0
uri_whitespace strip
dns_nameservers 208.67.222.222
cache_mem 8 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir ufs /var/squid/cache 100 16 256
minimum_object_size 0 KB
maximum_object_size 4 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95
url_rewrite_program /usr/local/bin/redirector
url_rewrite_children 50
# Setup some default acls
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 5080 3128 1025-65535 5080 81 80 443 21 20
acl sslports port 443 563 5080 5080 81 80 443 21 20
acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
acl dynamic urlpath_regex cgi-bin \?
acl unrestricted_hosts src "/var/squid/acl/unrestricted_hosts.acl"
acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
cache deny dynamic
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
# Always allow localhost connections
http_access allow localhost
request_body_max_size 0 KB
reply_body_max_size 0 deny all
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow all
# Custom options
tcp_outgoing_address 192.168.0.1
auth_param ntlm keep_alive on
# These hosts do not have any restrictions
http_access allow unrestricted_hosts
# Always allow access to whitelist domains
http_access allow whitelist
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 45
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds
auth_param basic children 45
auth_param basic realm Please enter your credentials to access the proxy
auth_param basic credentialsttl 600 minutes
acl password proxy_auth REQUIRED
http_access allow unrestricted_hosts
http_access allow password localnet
# Default block all to be sure
http_access deny all
My winbindd_privileged directory:
drwxr-x--- 2 root proxy 512B Oct 2 10:00 winbindd_privileged
Error logs:
[2013/10/01 19:39:44, 0] utils/ntlm_auth.c:833(manage_squid_ntlmssp_request)
NTLMSSP BH: NT_STATUS_ACCESS_DENIED
2013/10/01 19:39:44| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
Login for user [SALE]\[wellington.gomes]@[TI-06] failed due to [Access denied]
2013/10/01 19:37:35| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
[2013/10/01 19:37:35, 0] utils/ntlm_auth.c:833(manage_squid_ntlmssp_request)
NTLMSSP BH: NT_STATUS_ACCESS_DENIED
[2013/10/01 19:36:52, 10] utils/ntlm_auth.c:2190(manage_squid_request)
NTLMSSP BH: NT_STATUS_ACCESS_DENIED
[2013/10/01 10:30:12, 3] utils/ntlm_auth.c:329(check_plaintext_auth)
NT_STATUS_ACCESS_DENIED: Access denied (0xc0000022)
Hello,
I'm having a little problem: after logging into the domain via Samba, after a few
minutes Squid no longer authenticates the users through single sign-on and
keeps asking for authentication in the browser without stopping.
Below are my settings and error logs.
smb.conf
[global]
workgroup = SALE
netbios name = utmadm
server string = PROXY SERVER
load printers = no
log file = /var/log/samba34/log.%m
pid directory = /var/run/samba34
max log size = 500
realm = sale.br
security = ads
auth methods = winbind
winbind separator = |
encrypt passwords = yes
winbind cache time = 300
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
idmap uid = 10000-50000
idmap gid = 10000-50000
local master = no
os level = 233
domain master = no
preferred master = no
domain logons = no
wins server = 192.168.8.202
dns proxy = no
ldap ssl = no
client use spnego = no
server signing = auto
client signing = auto
log level = 3 auth:10 winbind:10
krb5.conf
[libdefaults]
default_realm = SALE.BR
clockskew = 300
[realms]
SALE.BR = {
kdc = 192.168.0.1
default_domain = domain.local
admin_server = 192.168.0.1
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[domain_realm]
.domain.local = DOMAIN.LOCAL
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 1
squid.conf
# Do not edit manually !
http_port 192.168.0.1:8080
icp_port 0
pid_filename /var/run/squid.pid
cache_effective_user proxy
cache_effective_group proxy
error_directory /usr/local/etc/squid/errors/English
icon_directory /usr/local/etc/squid/icons
visible_hostname localhost
cache_mgr admin at localhost
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
referer_log /var/squid/logs/referer.log
logfile_rotate 0
cache_store_log none
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src 192.168.0.0/255.255.255.0
uri_whitespace strip
dns_nameservers 208.67.222.222
cache_mem 8 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
cache_dir ufs /var/squid/cache 100 16 256
minimum_object_size 0 KB
maximum_object_size 4 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95
url_rewrite_program /usr/local/bin/redirector
url_rewrite_children 50
# Setup some default acls
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 5080 3128 1025-65535 5080 81 80 443 21 20
acl sslports port 443 563 5080 5080 81 80 443 21 20
acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
acl dynamic urlpath_regex cgi-bin \?
acl unrestricted_hosts src "/var/squid/acl/unrestricted_hosts.acl"
acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
cache deny dynamic
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
# Always allow localhost connections
http_access allow localhost
request_body_max_size 0 KB
reply_body_max_size 0 deny all
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow all
# Custom options
tcp_outgoing_address 192.168.0.1
auth_param ntlm keep_alive on
# These hosts do not have any restrictions
http_access allow unrestricted_hosts
# Always allow access to whitelist domains
http_access allow whitelist
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 45
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds
auth_param basic children 45
auth_param basic realm Please enter your credentials to access the proxy
auth_param basic credentialsttl 600 minutes
acl password proxy_auth REQUIRED
http_access allow unrestricted_hosts
http_access allow password localnet
# Default block all to be sure
http_access deny all
My winbindd_privileged directory:
drwxr-x--- 2 root proxy 512B Oct 2 10:00 winbindd_privileged
Error logs:
[2013/10/01 19:39:44, 0] utils/ntlm_auth.c:833(manage_squid_ntlmssp_request)
NTLMSSP BH: NT_STATUS_ACCESS_DENIED
2013/10/01 19:39:44| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
Login for user [SALE]\[wellington.gomes]@[TI-06] failed due to [Access denied]
2013/10/01 19:37:35| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
[2013/10/01 19:37:35, 0] utils/ntlm_auth.c:833(manage_squid_ntlmssp_request)
NTLMSSP BH: NT_STATUS_ACCESS_DENIED
[2013/10/01 19:36:52, 10] utils/ntlm_auth.c:2190(manage_squid_request)
NTLMSSP BH: NT_STATUS_ACCESS_DENIED
[2013/10/01 10:30:12, 3] utils/ntlm_auth.c:329(check_plaintext_auth)
NT_STATUS_ACCESS_DENIED: Access denied (0xc0000022)
Hello,
First, sorry for the duplicated email; my last one had errors in it.
I'm having a little problem: after logging into the domain via Samba, after a
few minutes Squid no longer authenticates the users through single sign-on and
keeps asking for authentication in the browser without stopping.
Below are my settings and error logs.
smb.conf
# smb.conf [global] as posted (presumably Samba 3.4, judging by the samba34 paths —
# confirm). AD member (security = ads) authenticating through winbind; the Squid
# ntlm_auth helpers depend on winbindd's privileged pipe directory
# (winbindd_privileged, listed as root:proxy drwxr-x---).
[global]
workgroup = SALE
netbios name = utmadm
server string = PROXY SERVER
load printers = no
# %m expands to the client's NetBIOS name, so each client host gets its own log
log file = /var/log/samba34/log.%m
pid directory = /var/run/samba34
# KB
max log size = 500
# NOTE(review): Kerberos realm names are case-sensitive and krb5.conf declares
# SALE.BR; confirm the two really refer to the same realm
realm = sale.br
security = ads
auth methods = winbind
# '|' instead of the default '\' between domain and user name
winbind separator = |
encrypt passwords = yes
# seconds; winbind answers from its cache for this long before re-asking the DC
winbind cache time = 300
winbind enum users = yes
winbind enum groups = yes
# usernames are presented without the SALE| prefix
winbind use default domain = yes
idmap uid = 10000-50000
idmap gid = 10000-50000
# browse-election / logon settings: this host is neither a browse master nor a PDC
local master = no
os level = 233
domain master = no
preferred master = no
domain logons = no
wins server = 192.168.8.202
dns proxy = no
ldap ssl = no
# NOTE(review): turns off SPNEGO negotiation on the client side of Samba's own
# connections to the domain controller; verify this is intended on an ADS member
client use spnego = no
server signing = auto
client signing = auto
# NOTE(review): auth:10 / winbind:10 is full debug output and records usernames,
# client hostnames and authentication details (see the posted log lines); keep
# it only for the duration of troubleshooting
log level = 3 auth:10 winbind:10
krb5.conf
# krb5.conf as posted.
# NOTE(review): the [appdefaults] "pam = {" block below has no closing '}' in the
# paste; confirm the real file is complete, an unterminated block can break parsing
# of everything that follows it.
[libdefaults]
default_realm = SALE.BR
# seconds of tolerated clock drift between this host and the KDC
clockskew = 300
[realms]
SALE.BR = {
# NOTE(review): 192.168.0.1 is also the address Squid binds to and sends from
# (squid.conf http_port / tcp_outgoing_address); confirm this really is a domain
# controller and not the proxy host itself
kdc = 192.168.0.1
# NOTE(review): default_domain and the [domain_realm] mapping refer to
# domain.local / DOMAIN.LOCAL, but the only realm defined is SALE.BR and smb.conf
# uses sale.br — looks like a leftover from a template; verify which DNS domain
# is meant
default_domain = domain.local
admin_server = 192.168.0.1
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[domain_realm]
# maps hosts under .domain.local to realm DOMAIN.LOCAL, which is not defined in
# [realms] above
.domain.local = DOMAIN.LOCAL
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 1
squid.conf
# squid.conf as posted. Looks like a Squid 2.x configuration (cache_object manager
# ACL, explicit "acl all", referer_log, squid-2.5-* helper protocols) — confirm the
# version. http_access rules are evaluated top to bottom; the first match decides.
# Do not edit manually !
# listens on the LAN address only, not on all interfaces
http_port 192.168.0.1:8080
icp_port 0
pid_filename /var/run/squid.pid
# Squid runs as proxy:proxy, so the ntlm_auth helpers started below need group
# access to winbindd_privileged; the listed root:proxy drwxr-x--- provides that
cache_effective_user proxy
cache_effective_group proxy
error_directory /usr/local/etc/squid/errors/English
icon_directory /usr/local/etc/squid/icons
visible_hostname localhost
# the list archive rewrote '@' as ' at '; the real value is an e-mail address
cache_mgr admin at localhost
access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
referer_log /var/squid/logs/referer.log
logfile_rotate 0
cache_store_log none
shutdown_lifetime 3 seconds
# Allow local network(s) on interface(s)
acl localnet src 192.168.0.0/255.255.255.0
uri_whitespace strip
# NOTE(review): external resolver; presumably internal AD names are not resolvable
# through it — confirm Squid never needs to look up hosts inside the domain
dns_nameservers 208.67.222.222
cache_mem 8 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap GDSF
cache_replacement_policy heap LFUDA
# 100 MB on-disk cache, 16 first-level / 256 second-level directories
cache_dir ufs /var/squid/cache 100 16 256
minimum_object_size 0 KB
maximum_object_size 4 KB
offline_mode off
cache_swap_low 90
cache_swap_high 95
url_rewrite_program /usr/local/bin/redirector
url_rewrite_children 50
# Setup some default acls
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
# NOTE(review): the list repeats 80, 443, 21 and 5080 and also allows the whole
# 1025-65535 range; the duplicates are harmless but obscure what is really permitted
# (wrapped by mail: the next line continues this directive)
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 5080
3128 1025-65535 5080 81 80 443 21 20
# NOTE(review): CONNECT is permitted to 20, 21, 80 and 81 in addition to the TLS
# ports, so "deny CONNECT !sslports" below no longer restricts tunnels to TLS;
# trim this to the ports that are actually needed
acl sslports port 443 563 5080 5080 81 80 443 21 20
acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
acl dynamic urlpath_regex cgi-bin \?
# source addresses exempt from authentication, read from the file
acl unrestricted_hosts src "/var/squid/acl/unrestricted_hosts.acl"
# case-insensitive destination-domain regexes, read from the file
acl whitelist dstdom_regex -i "/var/squid/acl/whitelist.acl"
cache deny dynamic
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
# Always allow localhost connections
http_access allow localhost
request_body_max_size 0 KB
reply_body_max_size 0 deny all
delay_pools 1
delay_class 1 2
# -1/-1 means unlimited, so this pool imposes no throttling as configured
delay_parameters 1 -1/-1 -1/-1
delay_initial_bucket_level 100
delay_access 1 allow all
# Custom options
tcp_outgoing_address 192.168.0.1
auth_param ntlm keep_alive on
# These hosts do not have any restrictions
http_access allow unrestricted_hosts
# Always allow access to whitelist domains
# NOTE(review): evaluated before any proxy_auth rule and without a source ACL, so
# any client that can reach 192.168.0.1:8080 gets the whitelisted domains without
# credentials — confirm that is intended
http_access allow whitelist
# NTLM/NTLMSSP through Samba's ntlm_auth, which talks to winbindd; the
# "NTLMSSP BH: NT_STATUS_ACCESS_DENIED" lines in the posted logs appear to come
# from this helper
# (wrapped by mail: the next line is part of this directive)
auth_param ntlm program /usr/local/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 45
# NOTE(review): Basic fallback for clients without NTLM; the domain password
# travels base64-encoded in every request, over plain HTTP to port 8080
# (wrapped by mail: the next line is part of this directive)
auth_param basic program /usr/local/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
auth_param basic casesensitive off
authenticate_cache_garbage_interval 10 seconds
auth_param basic children 45
auth_param basic realm Please enter your credentials to access the proxy
# 10 hours before a cached Basic credential is re-verified with the helper
auth_param basic credentialsttl 600 minutes
acl password proxy_auth REQUIRED
# duplicate of the "http_access allow unrestricted_hosts" line above; that one
# already matched, so this line can never take effect
http_access allow unrestricted_hosts
# NOTE(review): with proxy_auth listed first every client, not only localnet, is
# sent a 407 challenge; "http_access allow localnet password" checks the source
# first so that outside clients are refused without being prompted
http_access allow password localnet
# Default block all to be sure
http_access deny all
My winbindd_privileged directory:
drwxr-x--- 2 root proxy 512B Oct 2 10:00 winbindd_privileged
Error logs:
[2013/10/01 19:39:44, 0]
utils/ntlm_auth.c:833(manage_squid_ntlmssp_request)
NTLMSSP BH: NT_STATUS_ACCESS_DENIED
2013/10/01 19:39:44| authenticateNTLMHandleReply: Error validating user
via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
Login for user [SALE]\[wellington.gomes]@[TI-06] failed due to
[Access denied]
2013/10/01 19:37:35| authenticateNTLMHandleReply: Error validating user
via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
[2013/10/01 19:37:35, 0]
utils/ntlm_auth.c:833(manage_squid_ntlmssp_request)
NTLMSSP BH: NT_STATUS_ACCESS_DENIED
[2013/10/01 19:36:52, 10] utils/ntlm_auth.c:2190(manage_squid_request)
NTLMSSP BH: NT_STATUS_ACCESS_DENIED
[2013/10/01 10:30:12, 3] utils/ntlm_auth.c:329(check_plaintext_auth)
NT_STATUS_ACCESS_DENIED: Access denied (0xc0000022)