I'm having some difficulty implementing Group Authentication via Winbind and Samba with Squid 3.0 PRE3.

I've compiled Samba 2.2.8 with the following settings:

./configure --with-winbind --with-winbind-auth-challenge --with-winbind-ldap-hack

And I successfully joined my Linux box (RedHat 7.3 with 2.4.18-3 Kernel) to my NT Domain.

Here is the smb.conf file that I'm using:
---------------------------------
[global]
        workgroup = DOMAINNAME
        security = domain
        encrypt passwords = yes
        password server = *
        wins server = <Wins servers IP Adresses>
        template homedir = /home/%D/%U
        template shell = /bin/bash
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        winbind enum users = yes
        winbind enum groups = yes

[test]
        comment = For testing only, please
        path = /usr/local/samba/tmp
        read only = no
        guest ok = yes
----------------------------------

All tests with wbinfo went OK.

Then I compiled Squid with the following configuration:

Squid Cache: Version 3.0-PRE3-20030924
configure options: '--prefix=/usr/local/squid' '--enable-useragent-log' '--enable-snmp' '--enable-cache-digests' '--enable-default-err-language=Italian' '--disable-ident-lookups' '--enable-delay-pools' '--enable-auth=ntlm' '--enable-external-acl-helpers=winbind_group' '--enable-ntlm-authentication' '--enable-ntlm-auth-helpers=SMB fakeauth no_check winbind' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--libexecdir=/usr/lib/squid' '--datadir=/usr/lib/squid' '--sysconfdir=/etc/squid' '--localstatedir=/var/spool/squid' '--libdir=/usr/lib/squid' '--mandir=/usr/man' '--with-samba=/root/samba-2.2.8a/source'


I tested the wb_group helper with the -d option and it went OK:
/usr/lib/squid/wb_group -d
DOMAIN\\username grouptocheck

Then I configured the following lines inside my squid.conf:

auth_param ntlm program /usr/lib/squid/wb_ntlmauth
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 20
auth_param ntlm max_challenge_lifetime 15 minutes

external_acl_type wb_group concurrency=5 ttl=900 %LOGIN /usr/lib/squid/wb_group

acl webaccess external wb_group -i "/etc/squid/webaccess"
http_access allow webaccess


When I try to browse the Internet with Squid, I obtain the following line inside winbindd and IE receives a REJECTED page.


[2003/09/26 12:49:03, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(146)
  [14259]: pam auth crap domain: DOMAIN user: USERNAME

This instead is what I see if I try to use the wb_group helper from the command line as described above:

/wb_group[14310](wb_check_group.c:367): Got 'DOMAIN\\USERNAME WebAccess' from Squid (length: 26).
[2003/09/26 12:50:17, 3] nsswitch/winbindd_group.c:winbindd_getgroups(790)
[14310]: getgroups DOMAIN\USERNAME


What am I doing wrong?


