Hello, I'm a Squid user since years but just today I have to configure our company's main proxy for user authentication / authorization, so I'm a newbie about NTLM auth, proxy_auth, winbindd and so on ;-)
Client users are on win2k/xp machines in a Windows 2000 mixed-mode domain (I've few others samba servers in the net). I followed the good instructions of Squid doc about configuring Samba (2.2.8a) and winbindd for a Squid (2.5-stable3) box but I'm experiencing some weird -to me at least- problems. Random users got blocked and not only the few my policy should block. Box is a FreeBSD 4.8-rel machine. As said, I'm using Samba's winbindd as authenticator and it seems to be correctly installed and configured since "wbinfo -t" and "wbinfo -a" both work correctly. Here is my ACL setup in squid.conf: ================================================ acl playstos src 192.168.9.0/24 acl playdest dst 192.168.9.0/24 #to allow particular services acl tomsn dstdomain .msn.com .msn.it .passport.com .msads.net acl autosrvs dstdomain .ravantivirus.com #useless currently acl playauth proxy_auth REQUIRED # experiment : this to just deny user called Sara acl lusers proxy_auth sara # scheduled access for "lusers" users acl pauseA time MTWHF 9:30-10:00 acl pauseB time MTWHF 13:30-14:00 acl pauseC time MTWHF 18:00-19:00 acl pauseWE time SA # per Simone acl nosimo dstdomain .morula.org acl sisimo srcdomain morula.playstos.ldr blastula.playstos.ldr arcadia.playstos.ldr eraser.playstos.ldr # Here are standard squid.conf ACLs #Recommended minimum configuration: acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 563 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 563 # https, snews acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT =================================================== and here is http_access setup: =================================================== #Recommended minimum configuration: # # Only allow cachemgr access from localhost http_access allow manager localhost http_access deny manager # Deny requests to unknown ports http_access deny !Safe_ports # Deny CONNECT to other than SSL ports http_access deny CONNECT !SSL_ports # # We strongly recommend to uncomment the following to protect innocent # web applications running on the proxy server who think that the only # one who can access services on "localhost" is a local user http_access deny to_localhost # HERE are my own settings http_access allow playdest http_access allow tomsn http_access allow autosrvs #if I comment out the following line all works fine (iit of course does not authenticate users but everything else works ok) http_access deny lusers !pauseA !pauseB !pauseC !pauseWE http_access allow sisimo http_access deny nosimo # catch everything else http_access allow playstos # And finally deny all other access to this proxy http_access deny all ==================================================== Here are the relevant parts of my smb.conf , if interested: ==================================================== workgroup = PLAYSTOS security = domain password server = PITAGORA PLATONE FILESERVER encrypt passwords = yes winbind uid = 10000-20000 winbind gid = 10000-20000 winbind use default domain = yes winbind cache time = 10 winbind enum users = yes winbind enum groups = yes ==================================================== Finally here are my squid.conf's auth_param settings ==================================================== auth_param ntlm program /usr/local/libexec/wb_ntlmauth auth_param ntlm children 10 auth_param ntlm max_challenge_reuses 0 auth_param ntlm max_challenge_lifetime 2 minutes auth_param basic program /usr/local/libexec/wb_auth auth_param basic children 5 auth_param basic realm Squid proxy-caching web server auth_param basic credentialsttl 2 minutes ==================================================== My problem is that I got a bunch of apparently random denies of actually authorized users! The above setup should allow access to EVERY user of my Win2K domain BUT user called "sara", and in those "pauseX" hours allow her too, but this is not the behaviour I see. Many other users are blocked with "407" errors, not just "sara" and not just in those hours. Where my ACLs/http_access lines are wrong ? What I missed ? I really hope someone could help me ! :-) Every hints is welcome ! Many thanks in advance! Alessandro de Manzano Senior Network Manager Playstos - TIMA S.p.A. Corso Sempione 63 20149 Milano, Italy tel.: +39-023314153 fax: +39-02315678 email: [EMAIL PROTECTED] http://www.playstos.com
