I'm sorry for wasting anyone's time on this. I reset the directory mode on /var/cache/samba/winbindd_privileged to 0750 and it's working. I found in the winbind.log from Samba that winbind was unable to access the directory and was going into a hung state.

Thanks all for the help.

Jim

-----Original Message-----
From: Jim Crippen [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 10, 2003 9:19 AM
To: Squid-Users (E-mail)
Subject: RE: [squid-users] ntlm_auth prompts for domain login

The access logs do not show any domain\username in the logs, as it never gets past the authentication. I get the standard 2 TCP_DENIED while it waits for authentication, then a third when I click Cancel. The test server shows the correct info in the logs.

How exactly do you run ntlm_auth from the command line? I've tried but get this back:

    [2003/12/10 09:16:44, 10] lib/util.c:dump_data(1825)
      [000] B5 E8 68 B8                                        ..h.
    NA NT_STATUS_INVALID_PARAMETER

Here's the auth_param section of my config:

    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --enable-helper-fail-open -d 10
    auth_param ntlm children 5
    auth_param ntlm max_challenge_reuses 1
    auth_param ntlm max_challenge_lifetime 20 minutes
    auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours

Here's a snippet from the access.log:

    1071057348.017      1 192.168.12.50 TCP_DENIED/407 1746 GET http://www.yahoo.com/ - NONE/- text/html
    1071057348.064      2 192.168.12.50 TCP_DENIED/407 1750 GET http://www.yahoo.com/ - NONE/- text/html
    1071057348.069      5 192.168.12.50 TCP_DENIED/407 1680 GET http://www.yahoo.com/ - NONE/- text/html

and here's what the cache.log shows on the failure:

    [2003/12/09 14:40:26, 10] lib/util.c:dump_data(1825)
      [000] 4E 54 4C 4D 53 53 50 00  03 00 00 00 18 00 18 00  NTLMSSP. ........
      [010] 51 00 00 00 18 00 18 00  69 00 00 00 08 00 08 00  Q....... i.......
      [020] 40 00 00 00 04 00 04 00  48 00 00 00 05 00 05 00  @....... H.......
      [030] 4C 00 00 00 00 00 00 00  81 00 00 00 06 02 00 20  L....... .......
      [040] 45 4C 49 54 45 48 4F 55  4A 49 4D 43 52 4F 57 41  ELITEHOU JIMCROWA
      [050] 4E 23 61 DB 35 2F 82 FE  01 24 62 C4 58 86 D1 85  N#a.5/.. .$b.X...
      [060] 2B F6 F6 5A 5A 21 AD 5A  80 98 44 CE 13 BB B4 E5  +..ZZ!.Z ..D.....
      [070] 19 5E AC 07 0F 01 CA 1D  37 50 15 F1 97 59 CF 79  .^...... 7P...Y.y
      [080] D5                                                .
    [2003/12/09 14:40:26, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(285)
      Got user=[JIMC] domain=[ELITEHOU] workstation=[ROWAN] len1=24 len2=24
    2003/12/09 14:40:26| comm_poll: 1+0 FDs ready
    2003/12/09 14:40:26| cbdataValid: 0x8209958
    2003/12/09 14:40:26| helperStatefulHandleRead: 27 bytes from ntlmauthenticator #1.
    2003/12/09 14:40:26| helperStatefulHandleRead: end of reply found
    2003/12/09 14:40:26| cbdataValid: 0x83dc638
    2003/12/09 14:40:26| cbdataValid: 0x83d84f0
    2003/12/09 14:40:26| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'NA NT_STATUS_ACCESS_DENIED'
    2003/12/09 14:40:26| authenticateValidateUser: Validated Auth_user request '0x83d83e0'.

-----Original Message-----
From: Dave Augustus [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 10, 2003 8:49 AM
To: Jim Crippen
Subject: RE: [squid-users] ntlm_auth prompts for domain login

Hmmmm....

Check that Squid is getting auth info: do your access logs have the username/domain information in them?

Check that Squid's helper can auth properly: what happens when you run ntlm_auth from the command line?

--Dave

On Wed, 2003-12-10 at 08:42, Jim Crippen wrote:
> Dave,
>
> All the wbinfo (-a, -u, -g, -t) work fine. The squid box is a member of the
> domain, as are the clients. Samba is working fine doing shared directories
> using the NT authentication. As for the ACLs in squid, I'm going by IP
> ranges, not NT groups. The part I don't get: it works fine on the other
> box. I double checked and the /var/cache/samba/winbindd_privileged does
> have the correct access for squid on it.
>
> Also, I am not using any RPMs from the OS install. I've removed them all and
> built the apps from source on both servers.
>
> Thanks.
>
> Jim
>
> -----Original Message-----
> From: Dave Augustus [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, December 10, 2003 8:23 AM
> To: Jim Crippen
> Cc: Squid-Users (E-mail)
> Subject: Re: [squid-users] ntlm_auth prompts for domain login
>
> Hi Jim,
>
> I would check:
>
> 1) Can you authenticate from the squid box itself, for a given user,
> using wbinfo -a?
>
> 2) For Active Directory integration, I had to rebuild Samba3 using
> kerberos 1.3.1. Redhat 9 installs with 1.2.7, which seemed to provide
> inconsistent results. I don't know if this applies for you.
>
> 3) What do wbinfo -t, wbinfo -u and wbinfo -g return? All three should
> work. (I had a situation where -u/-g would work but not -t. Upgrading to
> kerberos 1.3.1 and recompiling Samba3 fixed it.)
>
> 4) In squid.conf, are you using NT groups in Squid ACLs to allow access?
> If so, those groups must exist on the PDC/AD.
>
> 5) Is the client a member of the same domain as the squid box?
>
> --Dave
>
> On Wed, 2003-12-10 at 07:11, Jim Crippen wrote:
> > Hi all,
> >
> > I am running into a problem with squid 2.5 STABLE4 using ntlm_auth. I have
> > successfully set this up on a test server with no issues and everything
> > works transparently. I copied all the configs and set up samba and squid
> > exactly as I did before on the production server, and now IE 6.0 is prompting
> > for a domain login, which doesn't accept it if you enter the
> > username/password/domain. On clicking the Cancel button, I get a page that
> > states Cache Access Denied, and in the cache.log I see where the
> > authentication returned NT_ACCESS_DENIED from the domain controller. Any
> > ideas on what might cause this? Both servers are RedHat 7.3, Samba 3.0.0,
> > Squid 2.5 STABLE4.
> >
> > Thanks,
> >
> > Jim Crippen
> > Sr LAN Administrator
> > Elite Transportation
> > [EMAIL PROTECTED]
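The two checks that would have shortened the thread above, written as an added example and not taken from any message in it: a shell function that verifies the winbindd privileged directory has mode 0750 and that the account Squid runs its helpers as is in the directory's group (the fix the thread ended on), and the one-line way to drive ntlm_auth's squid-2.5-basic helper protocol from the command line (the question asked above). The directory path and helper user are parameters; the squid user and group names are placeholders I assume, not values from the thread.

```shell
#!/bin/sh
# Added example for the squid-users thread above; not code posted in it.
# Assumptions: winbindd's privileged pipe directory lives at the path you pass
# in, and Squid runs ntlm_auth as the user you pass in (cache_effective_user).

# Print "<octal mode> <group name>" for a path. GNU stat first, BSD stat second.
dir_mode_and_group() {
    stat -c '%a %G' "$1" 2>/dev/null || stat -f '%Lp %Sg' "$1" 2>/dev/null
}

# check_privileged_dir DIR USER
# Exit 0 when DIR is a directory with mode exactly 0750 and USER belongs to
# DIR's group; otherwise print why and exit 1. Squid's helper needs group
# access to the pipe inside DIR, and winbindd refuses to use the directory
# when it is more open than 0750 (the hang reported in the thread).
check_privileged_dir() {
    dir=$1
    user=$2
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory (is winbindd running, and is this its lock directory?)"
        return 1
    fi
    set -- $(dir_mode_and_group "$dir")
    mode=$1
    group=$2
    if [ "$mode" != 750 ]; then
        echo "$dir: mode is '$mode', expected 750 (chmod 0750 '$dir')"
        return 1
    fi
    # id -nG lists every group USER belongs to, primary group first.
    for g in $(id -nG "$user" 2>/dev/null); do
        [ "$g" = "$group" ] && return 0
    done
    echo "$dir: group is '$group' but '$user' is not a member (chgrp <squid group> '$dir', or add '$user' to '$group')"
    return 1
}

# helper_basic_check USER PASSWORD
# Drive the squid-2.5-basic protocol the thread's auth_param basic line uses:
# one "user password" line in, "OK" or "ERR ..." back. Needs a working
# winbindd; the offline test below does not call this. A user of the form
# DOMAIN\user (or DOMAIN+user, per winbind separator) selects the domain.
helper_basic_check() {
    printf '%s %s\n' "$1" "$2" | ntlm_auth --helper-protocol=squid-2.5-basic | head -n 1
}

# Stand-alone usage, with placeholder names (assumed, not from the thread):
#   check_privileged_dir /var/cache/samba/winbindd_privileged squid && echo "dir ok"
#   helper_basic_check 'ELITEHOU\jimc' 'secret'
```

Run check_privileged_dir as root (it only reads metadata), then helper_basic_check as the same user Squid uses, so a permission problem on the pipe shows up as the ERR Squid would see rather than as OK from root.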
