[squid-users] ntlm_auth + wbinfo_group.pl

From: Gökhan Makinist <gmakinist@dont-contact.us>
Date: Mon, 10 Apr 2006 10:50:55 +0200

Hi,

Sorry for my bad English!

My system:
SUSE Linux 10
Squid Cache: Version 2.5.STABLE10
samba (smbd) Version 3.0.20b-3.1-SUSE
wbinfo_group.pl is patched with http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE12-wbinfo_group.patch.

I'm trying to get authentication from the ADS 2003 server. I generated a group called PROXYALLOW. The user gmktest is in this group.

My squid.conf:
Code:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --debug-level=10
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate off

external_acl_type wbinfo_group ttl=5 children=30 %LOGIN /usr/sbin/wbinfo_group.pl

acl INET_FULLACCESS external wbinfo_group PROXYALLOW

http_access allow INET_FULLACCESS

There is no error with wbinfo_group.pl.
I modified wbinfo_group.pl so I can see what's happening when squid does its job. All the debug output is written to a file.
But there is something wrong with squid. When I open IE and open a URL, squid gets the request but it doesn't give an answer back to IE. IE waits and waits ...

Here are my logs:

cache.log:
Code:

2006/04/07 10:05:25| aclMatchExternal: wbinfo_group user not authenticated (-1)
2006/04/07 10:05:25| The request GET http://www.hallo.de/ is DENIED, because it matched 'INET_FULLACCESS'
2006/04/07 10:05:25| storeEntryValidLength: 285 bytes too big; '850B7CCB7D1B3DDE6366247CDFD362FF'
2006/04/07 10:05:25| aclMatchExternal: wbinfo_group user not authenticated (-1)
2006/04/07 10:05:25| aclMatchExternal: wbinfo_group user not authenticated (-1)
2006/04/07 10:05:25| The request GET http://www.hallo.de/ is DENIED, because it matched 'INET_FULLACCESS'
2006/04/07 10:05:25| storeEntryValidLength: 350 bytes too big; '6E4786733558412DBE239D72C85B01DB'
2006/04/07 10:05:25| clientReadRequest: FD 52: no data to process ((11) Resource temporarily unavailable)
2006/04/07 10:05:25| aclMatchExternal: wbinfo_group user not authenticated (-1)
[2006/04/07 10:05:25, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
  Got user=[GMKTEST] domain=[DOMAIN] workstation=[IT-VM-B] len1=24 len2=24
[2006/04/07 10:05:25, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(319)
  NTLMSSP Sign/Seal - Initialising with flags:
[2006/04/07 10:05:25, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
  Got NTLMSSP neg_flags=0x00000216
2006/04/07 10:05:25| authenticateAuthUserRequestSetIp: user 'gmktest' has been seen at a new IP address (192.168.100.73)
2006/04/07 10:05:25| aclMatchExternal: wbinfo_group("gmktest PROXYALLOW") = lookup needed
2006/04/07 10:05:25| externalAclLookup: lookup in 'wbinfo_group' for 'gmktest PROXYALLOW'
2006/04/07 10:05:25| external_acl_cache_add: Adding 'gmktest PROXYALLOW' = -1

And here is the output of my changed wbinfo_group.pl:
Code:

Got gmktest PROXYALLOW from squid
User: -gmktest-
Group: -PROXYALLOW-
SID: -S-1-5-21-xxxxxx-xxxxxxxx-xxxxxxx-xx02-
GID: -1007-
Sending OK to squid

Output of /var/log/samba/log.wb-DOMAIN:
Code:

[2006/04/07 10:05:25, 3] nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(604)
  [21989]: pam auth crap domain: DOMAIN user: GMKTEST
[2006/04/07 10:05:25, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(695)
  [21989]: lookupname DOMAIN+PROXYALLOW
[2006/04/07 10:05:25, 3] nsswitch/winbindd_rpc.c:msrpc_name_to_sid(257)
  rpc: name_to_sid name=DOMAIN\PROXYALLOW
[2006/04/07 10:05:25, 3] nsswitch/winbindd_rpc.c:msrpc_name_to_sid(265)
  name_to_sid [rpc] PROXYALLOW for domain DOMAIN
[2006/04/07 10:05:25, 3] nsswitch/winbindd_async.c:winbindd_dual_lookupname(695)
  [21989]: lookupname DOMAINE+gmktest
[2006/04/07 10:05:25, 3] nsswitch/winbindd_rpc.c:msrpc_name_to_sid(257)
  rpc: name_to_sid name=DOMAINE\gmktest
[2006/04/07 10:05:25, 3] nsswitch/winbindd_rpc.c:msrpc_name_to_sid(265)
  name_to_sid [rpc] gmktest for domain DOMAIN
[2006/04/07 10:05:25, 3] nsswitch/winbindd_rpc.c:lookup_usergroups(419)
  rpc: lookup_usergroups sid=S-1-5-21-xxxxx-xxxxxx-xxxxxxxxx-xxxx
[2006/04/07 10:05:25, 3] nsswitch/winbindd_async.c:winbindd_dual_getsidaliases(847)
  [21989]: getsidaliases
[2006/04/07 10:05:25, 3] nsswitch/winbindd_rpc.c:msrpc_lookup_useraliases(497)
  rpc: lookup_useraliases

the user gmktest is in the

Where is the problem?

thx
Goekhan
Received on Mon Apr 10 2006 - 02:51:09 MDT