fatima riadi
2005-Apr-07  09:47 UTC
[Samba] Samba-Squid-AD: Error returned 'BH NT_STATUS_ACCESS_DENIED'
Hi everybody,

I set up squid-2.5.STABLE9 with samba-3.0.13 to use winbind authentication over a Windows 2003 Active Directory.
Web users' authentication from my proxy server box succeeds.
But when a remote user tries to authenticate himself, authentication fails and Squid returns the following:
  authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'

I configured samba with (--with-ads --with-ldap --with-winbind --with-winbind-auth-challenge).

And I configured squid with (--enable-auth="ntlm,basic" --enable-basic-auth-helpers="winbind" --enable-ntlm-auth-helpers="winbind").

I edited my smb.conf and my krb5.conf files to match my AD domain settings.
I joined the domain.
My squid.conf file contains the following:
  auth_param ntlm program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
  auth_param ntlm children 5
  auth_param ntlm max_challenge_reuses 0
  auth_param ntlm max_challenge_lifetime 2 minutes

  auth_param basic program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
  auth_param basic children 5
  auth_param basic realm Squid proxy-caching web server
  auth_param basic credentialsttl 2 hours

  acl authUsers proxy_auth REQUIRED
  http_access allow authUsers
  http_access deny all

Someone told me that this is basically a samba error.
Does anyone have an idea?
Thanks in advance.
  
	
	
		
Andrew Bartlett
2005-Apr-07  12:03 UTC
[Samba] Samba-Squid-AD: Error returned 'BH NT_STATUS_ACCESS_DENIED'
On Thu, 2005-04-07 at 11:47 +0200, fatima riadi wrote:
> Hi everybody,
>
> I set up squid-2.5.STABLE9 with samba-3.0.13 to use
> winbind authentication over a Windows 2003 Active
> Directory.
> Web users' authentication from my proxy server box
> succeeds.
> But when a remote user tries to authenticate himself,
> authentication fails and Squid returns the
> following:
>   authenticateNTLMHandleReply: Error validating user
> via NTLM. Error returned 'BH
> NT_STATUS_ACCESS_DENIED'

Are the permissions on the winbind privileged pipe correct? What does the winbindd.log say?

> I configured samba with (--with-ads --with-ldap
> --with-winbind --with-winbind-auth-challenge).

--with-winbind-auth-challenge doesn't exist any more. It was a Samba 2.2 hack; the privileged pipe dir handles the access control to this now.

> And I configured squid with
> (--enable-auth="ntlm,basic"
> --enable-basic-auth-helpers="winbind"
> --enable-ntlm-auth-helpers="winbind").

These last two options build helpers in the squid sources which are incompatible with Samba 3.0. They should not be built or used.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
fatima riadi
2005-Apr-07  14:15 UTC
[Samba] Samba-Squid-AD: Error returned 'BH NT_STATUS_ACCESS_DENIED'
Thank you for your reply.

> Are the permissions on the winbind privileged pipe
> correct, what does
> the winbindd.log say?

log.winbindd does not report any error.
I set squid as group owner of the winbindd_privileged file. The permissions I found in the documentation (750) didn't work. I then set 777 as the permission, and the problem disappears!

> --with-winbind-auth-challenge doesn't exist any
> more. It was a Samba
> 2.2 hack, the privileged pipe dir handled the access
> control to this now.
>
> > And I configure squid with
> > (--enable-auth="ntlm,basic"
> > --enable-basic-auth-helpers="winbind"
> > --enable-ntlm-auth-helpers="winbind").
>
> These last two options build helpers in the squid
> sources which are
> incompatible with Samba 3.0. They should not be
> built or used.

Do you think that I have to rebuild Samba and squid avoiding the latter options?
Authentication works well now!
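
The thread turns on the mode and group owner of the winbindd_privileged directory (750 with the proxy's group, versus 777). The script below audits those conditions. It is an added example, not part of the original messages or of Samba or Squid; the directory path, the `squid` user and group names, and the use of GNU `stat` are assumptions.

```shell
#!/bin/sh
# Added example: audit the winbindd_privileged directory that gates ntlm_auth.
# Assumptions (not from the thread): GNU stat is available, and the path,
# group and user names are supplied by the caller.

# check_priv_dir DIR GROUP [USER]
# Returns 0 when DIR has mode 750 and group owner GROUP (and USER, if given,
# is a member of GROUP). Otherwise prints one line per finding and returns 1.
check_priv_dir() {
    dir=$1; want_group=$2; user=${3:-}
    rc=0

    [ -d "$dir" ] || { echo "MISSING: $dir is not a directory"; return 1; }

    mode=$(stat -c '%a' "$dir")    # octal mode, e.g. 750
    group=$(stat -c '%G' "$dir")   # group owner name

    if [ "$mode" != "750" ]; then
        echo "MODE: $dir is $mode, expected 750"
        rc=1
    fi
    # A non-zero last digit means every local account can reach the pipe,
    # which bypasses the group-based access control on the directory.
    case "$mode" in
        *[1-7]) echo "EXPOSED: $dir grants access to 'other'"; rc=1 ;;
    esac
    if [ "$group" != "$want_group" ]; then
        echo "GROUP: $dir has group $group, expected $want_group"
        rc=1
    fi
    if [ -n "$user" ]; then
        # With mode 750 the account running the helper must hold the group.
        if ! id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$want_group"; then
            echo "MEMBER: $user is not in group $want_group"
            rc=1
        fi
    fi
    return $rc
}

# Example call (path assumed for a /usr/local/samba prefix; adjust to yours):
# check_priv_dir /usr/local/samba/var/locks/winbindd_privileged squid squid
```

A MEMBER finding next to a correct MODE and GROUP means the account running ntlm_auth does not hold the group that the 750 directory requires.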