
List:       squid-users
Subject:    Re: [squid-users] Arch + Squid 4.7 + Active Directory Auth
From:       info () schroeffu ! ch
Date:       2019-05-29 7:23:38
Message-ID: fe965ebcc22245700b5f8d12b27508ae () schroeffu ! ch


Hi Hernan Saltiel,

I can tell you my working NTLM auth configuration for Squid 4.6 (it will work for 4.7 too). My documentation is an Ansible playbook I created for the needs of our company, so I don't remember where I got all the information for a working configuration. Whenever I have to re-install one of our 17+ proxies, I just run the playbook once on a provisioned server :#)

IMHO: Kerberos is better than NTLM, because Kerberos is a standard protocol while NTLM is Windows only. But my config below is, for the moment, also NTLM only. NTLM is easier to set up, while KRB5 takes a little time to understand the keytab file generation. About the wrapper in Squid: the names of these wrapper files may have changed and they are sometimes in other places. In my case the NTLM wrapper for Squid4 is /usr/lib/squid/ext_ldap_group_acl.

About NTLM and [mydomain]\[user01]@[MYPC] failed due to [Reading winbind reply failed!]: you should test whether NTLM auth with winbind is working on your server before running ntlm auth in Squid, with wbinfo -g or wbinfo -u on the command line, which must give you the users or groups from your AD as an answer (winbind > smb.conf). There is also somewhere a wrapper file to check wbinfo with the Squid wrapper too, but I don't remember which it is.

So below is a working configuration (for me) on an Ubuntu 18.04 server with Squid 4.6 compiled from Debian testing source (with SSL Bump).

- name: Install AD WinBind Authentication Packages
  apt:
    state: present
    name:
      - samba
      - winbind
  notify: restart winbind smbd
  when: activedirectory_winbind_authentification == True

- name: Upload smb.conf for WinBind
  template:
    src: smb.conf.j2
    dest: /etc/samba/smb.conf
  notify: restart winbind smbd
  when: activedirectory_winbind_authentification == True

################################################################
#/etc/samba/smb.conf
################################################################
#======================= Global Settings =======================

[global]
netbios name = proxy01xx
workgroup = DOM-COMPANY
realm = companydomain.DE
server string =
security = ADS
encrypt passwords = true
log level = 3
log file = /var/log/samba/%m
wins support = no
preferred master = no
domain master = no
local master = no
template shell = /bin/false
template homedir = /home/%D/%U
winbind uid = 10000-20000
winbind gid = 10000-20000
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DOM-COMPANY:backend = rid
idmap config DOM-COMPANY:schema_mode = rfc2307
idmap config DOM-COMPANY:range = 8000-80000
enhanced browsing = no
winbind use default domain = yes
winbind enum users = no
winbind enum groups = no
idmap cache time = 604800
idmap negative cache time = 20
winbind cache time = 600

password server = 192.168.xx.xx 172.16.x.x 172.16.x.x 172.16.x.x
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
################################################################
- name: Add "winbind" to /etc/nsswitch.conf at the end of passwd line
  replace:
    backup: yes
    dest: /etc/nsswitch.conf
    # append "winbind" to the passwd and group lines that do not have it yet
    # (the resulting nsswitch.conf below carries it on both lines)
    regexp: '^((passwd|group)(?!.*\bwinbind\b).*)$'
    replace: '\1 winbind'
  notify: restart winbind smbd
  when: activedirectory_winbind_authentification == True
  tags: nsswitch

################################################################
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat systemd winbind
group: compat systemd winbind
shadow: compat
gshadow: files

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis
################################################################
- name: adding existing user "proxy" to group "winbindd_priv", via https://www.linuxquestions.org/questions/linux-server-73/prompts-password-for-squid-using-ntlm-673036/#post4977410
  user:
    name: proxy
    groups: winbindd_priv
    append: yes
  notify: restart squid
  when: activedirectory_winbind_authentification == True

################################################################
#/etc/group 
################################################################
#(...)
winbindd_priv:x:116:proxy
#(...)
#This is the only step I don't have automated yet in my ansible playbook, but it's required once after installing winbind for sure:
#Winbind join the server into the domain:
net ads join -U administrator
#test if winbind works:
wbinfo -g
wbinfo -u
- name: Upload squid.conf
  template:
    src: "{{ item }}.j2"
    dest: /etc/squid/{{ item }}
    owner: proxy
    group: proxy
    backup: yes
  with_items:
    - squid.conf
  notify: restart squid
  tags: squidconfonly
################################################################
#/etc/squid/squid.conf
#relevant content for NTLM auth
################################################################
######################################################### NTLM #########################################################
# NTLM authentication, caching not necessary, because the connection will be authenticated against the token
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --use-cached-creds --offline-logon
auth_param ntlm realm Proxy-Anmeldung NTLM: Bitte Domaene\Benutzername und Windows-Kennwort eingeben.
auth_param ntlm children 50

#Allow fetching intermediate certs before authentication is required (required when SSL Bump + proxy_auth REQUIRED)
acl fetched_certificate transaction_initiator certificate-fetching
cache allow fetched_certificate
cache deny all
http_access allow fetched_certificate

######################################################### Allow based on group membership #########################################################
# Authentication required, otherwise Login Pop-Up
acl Authenticated_Users proxy_auth REQUIRED
http_access deny !Authenticated_Users

# Define external acl
external_acl_type ldap_group ipv4 ttl=3600 negative_ttl=1800 children-max=150 children-startup=10 %LOGIN /usr/lib/squid/ext_ldap_group_acl -K -S -R \
-b "DC=companydomain,DC=de" \
-D "CN=anLDAPuserwithREADaccess,OU=Sonstige,DC=companydomain,DC=de" \
-w PASSWORDHERE \
-f "(&(objectclass=user)(sAMAccountName=%v)(memberof=CN=%a,CN=Users,DC=companydomain,DC=de))" \
-h 192.168.xx.xx 172.16.xx.xx 172.16.xx.xx 172.16.xx.xx

## Get group "InternetAccess3" from AD/LDAP and use this group in squid.conf as "ldap_InternetAccess3"
acl ldap_InternetAccess3 external ldap_group InternetAccess3

acl FTP_ports port 21
acl SSL_ports port 443
acl SSL_ports port 8443
acl SSH_ports port 22
acl Safe_ports port 21 #FTP
acl Safe_ports port 22 # SSH
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8443 # Plesk
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports !SSH_ports !FTP_ports

http_access allow ldap_InternetAccess3 !FTP_ports !SSH_ports !streaming !badfileending

http_access allow localhost manager
http_access deny manager
acl localdom dstdomain .ourcompany.de ourcompanydomain2.com
acl NOCACHE dstdomain ourcompany.de
no_cache allow NOCACHE
http_access allow localhost
http_access deny all
################################################################
Hope it helps. 
Good luck
Schroeffu
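To see how the http_access lines in the squid.conf excerpt above interact, here is an added example (not from the original post and not Squid's own code) that models Squid's first-match evaluation over exactly those acl and http_access lines and runs a few constructed requests through it. The streaming and badfileending acls are referenced but not defined in the excerpt, so the model assumes they never match.

```python
"""Model of Squid's http_access first-match evaluation, applied to the NTLM +
LDAP-group rule set from the squid.conf excerpt in the mail above.

Added example, not part of the original post or of Squid itself.  Request
attributes (ports, groups, auth state) are constructed for the demo."""

from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Request:
    method: str
    port: int
    authenticated: bool = False        # NTLM handshake completed (proxy_auth)
    groups: frozenset = frozenset()    # AD groups as ext_ldap_group_acl reports them
    from_localhost: bool = False
    cert_fetch: bool = False           # transaction_initiator certificate-fetching


SAFE_PORTS = {21, 22, 80, 443, 70, 210, 280, 488, 591, 777, 8443}

# acl definitions from the excerpt: name -> predicate over a Request.
ACLS: Dict[str, Callable[[Request], bool]] = {
    "fetched_certificate": lambda r: r.cert_fetch,
    "Authenticated_Users": lambda r: r.authenticated,
    # external acl, only meaningful once a login name exists (%LOGIN)
    "ldap_InternetAccess3": lambda r: r.authenticated and "InternetAccess3" in r.groups,
    "FTP_ports": lambda r: r.port == 21,
    "SSL_ports": lambda r: r.port in (443, 8443),
    "SSH_ports": lambda r: r.port == 22,
    "Safe_ports": lambda r: r.port in SAFE_PORTS,
    "CONNECT": lambda r: r.method == "CONNECT",
    "localhost": lambda r: r.from_localhost,
    "manager": lambda r: False,        # cache-manager requests, not exercised here
    "all": lambda r: True,
    # referenced in the excerpt but defined elsewhere in the author's full
    # config; assumed never to match in this model
    "streaming": lambda r: False,
    "badfileending": lambda r: False,
}

# http_access lines in the order the excerpt lists them.
HTTP_ACCESS: List[Tuple[str, List[str]]] = [
    ("allow", ["fetched_certificate"]),
    ("deny",  ["!Authenticated_Users"]),
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports", "!SSH_ports", "!FTP_ports"]),
    ("allow", ["ldap_InternetAccess3", "!FTP_ports", "!SSH_ports",
               "!streaming", "!badfileending"]),
    ("allow", ["localhost", "manager"]),
    ("deny",  ["manager"]),
    ("allow", ["localhost"]),
    ("deny",  ["all"]),
]


def term_matches(term: str, req: Request) -> bool:
    """One acl name on an http_access line, with optional '!' negation."""
    negated = term.startswith("!")
    result = ACLS[term.lstrip("!")](req)
    return not result if negated else result


def evaluate(req: Request) -> Tuple[str, int]:
    """Return (action, line_index) of the first http_access line whose terms
    all match.  Terms on a line are ANDed left to right and Squid stops at
    the first term that fails, so the LDAP group lookup on line 4 only runs
    for requests that got past the deny lines before it.  If nothing
    matches, Squid applies the opposite of the last line's action."""
    for idx, (action, terms) in enumerate(HTTP_ACCESS):
        if all(term_matches(t, req) for t in terms):
            return action, idx
    return ("deny" if HTTP_ACCESS[-1][0] == "allow" else "allow"), -1


def describe(req: Request) -> str:
    action, idx = evaluate(req)
    note = " (Squid answers 407 and challenges for NTLM credentials)" \
        if (action, idx) == ("deny", 1) else ""
    return f"{req.method} :{req.port} -> {action} by line {idx}{note}"


if __name__ == "__main__":
    member = frozenset({"InternetAccess3"})
    for sample in [                                                   # constructed requests
        Request("GET", 80),                                           # not yet authenticated
        Request("GET", 80, authenticated=True, groups=member),        # normal group member
        Request("CONNECT", 443, authenticated=True, groups=member),   # HTTPS via CONNECT
        Request("CONNECT", 22, authenticated=True, groups=member),    # port 22 stays blocked
        Request("CONNECT", 8080, authenticated=True, groups=member),  # not a Safe_port
        Request("GET", 80, authenticated=True),                       # authenticated, wrong group
        Request("GET", 443, cert_fetch=True),                         # Squid's own cert fetch
    ]:
        print(describe(sample))
```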
On 27 May 2019 16:16, "Hernan Saltiel" <hsaltiel@gmail.com> wrote:

Hi all,
I'm trying to install a brand new Squid 4.7 on an Arch GNU/Linux (Kernel 5.0.7), authorizing its users against Active Directory, based on a Windows 2008 R2 Domain. I configured samba4 on the Arch machine, and it looks to be working well. wbinfo commands get executed and with correct output. But when using the Squid, I get all the time messages like:

2019/05/27 04:08:12 kid1| Set Current Directory to /var/spool/squid
2019/05/27 04:08:12 kid1| Starting Squid Cache version 4.7 for x86_64-pc-linux-gnu...
2019/05/27 04:08:12 kid1| Service Name: squid
2019/05/27 04:08:12 kid1| Process ID 7584
2019/05/27 04:08:12 kid1| Process Roles: worker
2019/05/27 04:08:12 kid1| With 1024 file descriptors available
2019/05/27 04:08:12 kid1| Initializing IP Cache...
2019/05/27 04:08:12 kid1| DNS Socket created at [::], FD 7
2019/05/27 04:08:12 kid1| DNS Socket created at 0.0.0.0, FD 10
2019/05/27 04:08:12 kid1| Adding domain ciabernal.local from /etc/resolv.conf
2019/05/27 04:08:12 kid1| Adding domain ciabernal.local from /etc/resolv.conf
2019/05/27 04:08:12 kid1| Adding nameserver 192.168.32.5 from /etc/resolv.conf
2019/05/27 04:08:12 kid1| helperOpenServers: Starting 0/10 'negotiate_wrapper' processes
2019/05/27 04:08:12 kid1| helperStatefulOpenServers: No 'negotiate_wrapper' processes needed.
2019/05/27 04:08:12 kid1| helperOpenServers: Starting 0/10 'ntlm_auth' processes
2019/05/27 04:08:12 kid1| helperStatefulOpenServers: No 'ntlm_auth' processes needed.
2019/05/27 04:08:12 kid1| helperOpenServers: Starting 0/10 'basic_ldap_auth' processes
2019/05/27 04:08:12 kid1| helperOpenServers: No 'basic_ldap_auth' processes needed.
2019/05/27 04:08:12 kid1| helperOpenServers: Starting 0/5 'ext_ldap_group_acl' processes
2019/05/27 04:08:12 kid1| helperOpenServers: No 'ext_ldap_group_acl' processes needed.
2019/05/27 04:08:12 kid1| Logfile: opening log /var/log/squid/access.log
2019/05/27 04:08:12 kid1| WARNING: log name now starts with a module name. Use 'stdio:/var/log/squid/access.log'
2019/05/27 04:08:12 kid1| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2019/05/27 04:08:12 kid1| Store logging disabled
2019/05/27 04:08:12 kid1| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2019/05/27 04:08:12 kid1| Target number of buckets: 1008
2019/05/27 04:08:12 kid1| Using 8192 Store buckets
2019/05/27 04:08:12 kid1| Max Mem size: 262144 KB
2019/05/27 04:08:12 kid1| Max Swap size: 0 KB
2019/05/27 04:08:12 kid1| Using Least Load store dir selection
2019/05/27 04:08:12 kid1| Set Current Directory to /var/spool/squid
2019/05/27 04:08:12 kid1| Finished loading MIME types and icons.
2019/05/27 04:08:12 kid1| HTCP Disabled.
2019/05/27 04:08:12 kid1| Squid plugin modules loaded: 0
2019/05/27 04:08:12 kid1| Adaptation support is off.
2019/05/27 04:08:12 kid1| Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 12 flags=9
2019/05/27 04:08:13 kid1| storeLateRelease: released 0 objects
2019/05/27 04:08:22 kid1| Starting new negotiateauthenticator helpers...
2019/05/27 04:08:22 kid1| helperOpenServers: Starting 1/10 'negotiate_wrapper' processes
negotiate_kerberos_auth.cc(489): pid=7586 :2019/05/27 04:08:22| negotiate_kerberos_auth: INFO: Starting version 3.1.0sq
negotiate_kerberos_auth.cc(548): pid=7586 :2019/05/27 04:08:22| negotiate_kerberos_auth: INFO: Setting keytab to FILE:/etc/krb5.keytab
negotiate_kerberos_auth.cc(572): pid=7586 :2019/05/27 04:08:22| negotiate_kerberos_auth: INFO: Changed keytab to MEMORY:negotiate_kerberos_auth_7586
directory_create_or_exist_strict: invalid ownership on directory /var/cache/samba/msg.lock
cmdline_messaging_context: Unable to initialize messaging context.
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[Global]"
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Got NTLMSSP neg_flags=0xe2088297
Got user=[user01] domain=[mydomain] workstation=[MYPC] len1=24 len2=304
Login for user [mydomain]\[user01]@[MYPC] failed due to [Reading winbind reply failed!]
GENSEC login failed: NT_STATUS_UNSUCCESSFUL
2019/05/27 04:08:22 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL; }}

Some questions I have:

1) About the message:

directory_create_or_exist_strict: invalid ownership on directory /var/cache/samba/msg.lock
cmdline_messaging_context: Unable to initialize messaging context.

Checking the permissions, it has 755, so I really do not understand why it is showing this. Don't know if there is some ownership rule or something like this...

2) About the message:

Login for user [mydomain]\[user01]@[MYPC] failed due to [Reading winbind reply failed!]

I tried debugging Samba, but see no message indicating something here. Any help would be really appreciated.

3) Is there any example configuration for Squid 4 + Samba 4 + Active Directory? Sorry for this, but I see tons of information about Active Directory for Samba 4 and Squid3, but not much about the configuration I'm trying to have. I see several differences, for instance:

1) Use of "negotiate_wrapper".
2) Several aspects of files located on /var/lib/squid, where I do not see the equivalence between them and the ones listed for Squid3, and visible on tons of documentation.
3) Some docs say NTLM is deprecated, some are still showing ntlm_auth on config files. This is why I really need to see if there is any example for this config...

Thanks a lot in advance for your time and attention, and best regards.
--
HeCSa

