Solved

Authenticating with Samba for logging username in Squid access log

Posted on 2007-11-20
806 Views
Last Modified: 2013-12-16
Please review the following answered question for background on the situation:  http://www.experts-exchange.com/OS/Linux/Setup/Q_22957825.html

Currently, I have run through all the steps in the walk-through with success.  However, I am looking to find how to change the logformat to include the username of the authenticated user.  Or, is there another way?

I appreciate the assistance.
Question by:divinewind80
14 Comments
 
LVL 7

Expert Comment

by:killbrad
ID: 20353578
I thought this was the default?

might want to check out MySAR ->  sourceforge.net/mysar

very useful.

A couple other things:
http://yergler.net/blog/2005/11/08/custom-log-formats-with-squid/
http://dansguardian.org/
0
 
LVL 9

Author Comment

by:divinewind80
ID: 20358544
That's more or less what I am finding.  But, for some reason, it does not work.  I have not received any errors when attempting to view a certain page... so, I'm not even sure if it is authenticating properly or not.

Right now, I have no access limitations... I am just trying to confirm that the username is logged.  Then, I will begin adding restrictions.
0
 
LVL 7

Expert Comment

by:killbrad
ID: 20359812
I'm going to assume you have this in your squid.conf:

access_log /var/log/squid/access.log squid

----

now..  look at the example from access.log below:
_____
1196185144.535     90 192.168.0.75 TCP_MISS/200 712 GET http://images.intellitxt.com/ast/ttips/1/bkg_gls_lt.gif - DIRECT/207.138.233.8 image/gif

1196185640.656     72 192.168.0.75 TCP_MISS/200 4736 GET http://images.intellitxt.com/ast/adobe/vmusa9132/AD043_TechCom_100x100.gif brad DIRECT/63.144.121.162 image/gif
______
notice how in the second item, after the URL of the file being accessed, instead of a DASH (-), it says 'brad'.  This is what you should see if you set up authentication correctly.

Sounds like you have a general 'allow' statement that is letting people bypass the auth requirement.

what auth method are you using?

Make sure you have something similar to:  

acl password proxy_auth REQUIRED
http_access allow password
http_access deny all

and NOT this:

acl our_networks src 192.168.0.1/24
http_access allow our_networks
0
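The native `squid` log format already records the user: it is the eighth field, written as `-` when no credentials were presented, so no `logformat` change is needed (in a custom `logformat` line the same value is the `%un` token). The script below is an added example, not code from the thread: it parses lines in that format and reports requests Squid actually served with no user, which is the symptom of an `allow our_networks`-before-auth ordering like the one described in the comment above. The first two log lines are the ones quoted in that comment; the third (a 407 challenge) is constructed for illustration.

```python
"""Audit Squid's native access.log for requests served without an
authenticated user.  Added example, not from the thread."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Field order of the native format (what `access_log /var/log/squid/access.log squid` writes):
#   time elapsed client code/status bytes method URL user peerstatus/peerhost type
# The 8th field is the authenticated user, or "-" when Squid had none.
NATIVE_RE = re.compile(
    r"^(?P<time>\d+(?:\.\d+)?)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<peer>\S+)/(?P<peerhost>\S+)\s+(?P<ctype>\S+)\s*$"
)

SAMPLE_LOG = [
    # the two lines quoted in the thread: no user, then user "brad"
    "1196185144.535     90 192.168.0.75 TCP_MISS/200 712 GET http://images.intellitxt.com/ast/ttips/1/bkg_gls_lt.gif - DIRECT/207.138.233.8 image/gif",
    "1196185640.656     72 192.168.0.75 TCP_MISS/200 4736 GET http://images.intellitxt.com/ast/adobe/vmusa9132/AD043_TechCom_100x100.gif brad DIRECT/63.144.121.162 image/gif",
    # constructed: the challenge Squid logs when proxy_auth is enforced and no credentials arrived
    "1196185700.001      0 192.168.0.75 TCP_DENIED/407 1734 GET http://www.example.com/ - NONE/- text/html",
]


@dataclass
class Entry:
    time: float
    client: str
    code: str
    status: int
    method: str
    url: str
    user: Optional[str]  # None when the user field was "-"


def parse_line(line: str) -> Entry:
    """Parse one native-format line; raise ValueError on anything else."""
    m = NATIVE_RE.match(line)
    if m is None:
        raise ValueError(f"not a native-format Squid log line: {line!r}")
    user = m["user"]
    return Entry(float(m["time"]), m["client"], m["code"], int(m["status"]),
                 m["method"], m["url"], None if user == "-" else user)


def audit(lines: List[str]) -> Tuple[List[str], List[Entry]]:
    """Return (sorted user names seen, requests served without a user).

    A "-" on a request Squid actually served (not a TCP_DENIED/407 challenge)
    means an http_access rule let the client through before proxy_auth was
    consulted: exactly the bypass described in the comment above."""
    entries = [parse_line(l) for l in lines if l.strip()]
    users = sorted({e.user for e in entries if e.user is not None})
    bypassed = [e for e in entries
                if e.user is None and e.code != "TCP_DENIED" and e.status < 400]
    return users, bypassed


if __name__ == "__main__":
    users, bypassed = audit(SAMPLE_LOG)
    print("authenticated users:", ", ".join(users) or "(none)")
    for e in bypassed:
        print(f"no user on served request: {e.client} {e.method} {e.url} ({e.code}/{e.status})")
```

Point it at a real file with `audit(open("/var/log/squid/access.log").read().splitlines())`; if the bypass list is non-empty while authentication is supposedly mandatory, the http_access ordering is the first thing to check.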
 
LVL 9

Author Comment

by:divinewind80
ID: 20366462
OK.  I got this to work.  However, I was only able to get it to work using the following:

auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b "dc=domain,dc=com" -D "cn=Administrator,cn=Users,dc=domain,dc=com" -w "password" -f sAMAccountName=%s -h 0.0.0.0 # real IP here
auth_param basic children 5
auth_param basic realm SQUID
auth_param basic credentialsttl 5 minutes

This requires a login.  I would prefer to have no login, which I understood NTLM requires none.  I tried the following:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid
auth_param basic credentialsttl 2 hours

I appreciate the assistance.
0
 
LVL 7

Accepted Solution

by: killbrad (earned 500 total points)
ID: 20366898
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

0
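The auth_param block above only wires up the helpers; whether a client is ever challenged is decided by http_access order, as the earlier comment on `allow our_networks` points out. The following is an added example, not code from the thread: a small checker that walks squid.conf's http_access rules in file order and reports the first `allow` that admits clients on a source-address ACL before any proxy_auth ACL has been consulted. The two configurations embedded below are constructed from the snippets quoted in that earlier comment (the bad one with the auth rules appended after the offending allow).

```python
"""Check squid.conf http_access ordering for the bypass discussed above:
an `allow` on a client-address ACL placed before the proxy_auth rule admits
those clients unauthenticated, so access.log shows "-" in the user field.
Added example, not from the thread."""
from typing import Dict, List, Optional, Tuple

# ACL types decided from the client alone, i.e. they never need credentials.
CLIENT_ONLY_TYPES = {"src", "srcdomain", "srcdom_regex", "arp", "all"}
# ACL types whose evaluation makes Squid demand (and log) a user name.
AUTH_TYPES = {"proxy_auth", "proxy_auth_regex"}

Rule = Tuple[str, List[str]]  # (allow|deny, ACL terms with any "!" prefix kept)


def parse_squid_conf(text: str) -> Tuple[Dict[str, str], List[Rule]]:
    """Return (acl name -> acl type, http_access rules in file order)."""
    # 'all' is predefined so a config relying on a built-in 'all' still parses;
    # an explicit `acl all src ...` line simply overrides it.
    acls: Dict[str, str] = {"all": "all"}
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # squid.conf comments start with '#'
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 3:
            acls[parts[1]] = parts[2]
        elif parts[0] == "http_access" and len(parts) >= 2:
            rules.append((parts[1], parts[2:]))
    return acls, rules


def unauthenticated_allow(text: str) -> Optional[str]:
    """Return the first http_access line that admits clients without any
    proxy_auth ACL being consulted, or None if the auth rule comes first.

    Squid evaluates http_access top to bottom and stops at the first rule
    whose ACLs all match, so an allow on `src` ahead of the auth rule wins."""
    acls, rules = parse_squid_conf(text)
    for action, terms in rules:
        types = [acls.get(term.lstrip("!"), "?") for term in terms]
        if any(t in AUTH_TYPES for t in types):
            return None  # credentials are demanded from this rule onward
        if action == "allow" and terms and all(t in CLIENT_ONLY_TYPES for t in types):
            return "http_access %s %s" % (action, " ".join(terms))
    return None


# Constructed from the snippets quoted earlier in the thread.
GOOD_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl password proxy_auth REQUIRED
http_access allow password
http_access deny all
"""

BAD_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl our_networks src 192.168.0.1/24
acl password proxy_auth REQUIRED
http_access allow our_networks   # every LAN client matches here before auth is checked
http_access allow password
http_access deny all
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        hit = unauthenticated_allow(conf)
        print(f"{name}: {'bypass via ' + hit if hit else 'auth enforced'}")
```

The check is deliberately conservative: an allow that mixes in ACL types it does not recognise is not reported, so a `None` result means "no obvious address-only allow ahead of the auth rule", not a proof that every path requires credentials.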
 
LVL 9

Author Comment

by:divinewind80
ID: 20374017
I added the code you have shown, however, I am still receiving the login.  But, this time, I am unable to login with my Windows credentials.  The login rejects my username and password altogether.

Any ideas on this?
0
 
LVL 7

Expert Comment

by:killbrad
ID: 20375414
Yeah, you need to make sure your Samba setup is correct...
Did you join this machine to the domain?
can you look in your samba log and see if you notice anything specific?  

here is a good idea of what you need for your smb.conf

[global]

# remember, capitalization counts.
# workgroup = NT-Domain-Name or Workgroup-Name
# for example, if you have domain.local, you would use:
   workgroup = DOMAIN
# this is the name you gave to the machine  ( you did join it to the domain, right?)
   netbios name = SQUID
   realm = DOMAIN.LOCAL
   server string = Squid

 
;   hosts allow = 192.168.1. 192.168.2. 127.

# Security mode.   You want Active Directory right?
   security = ads
   password server = pdc1.domain.local, bdc1.domain.local
   encrypt passwords = yes

# Most people will find that this option gives better performance.
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

  local master = no
  domain master = false
  preferred master = False
 
  wins support = no
  dns proxy = no

   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template shell = /bin/false
   winbind separator = /
   winbind uid = 10000-20000
   winbind gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes

#============================ Share Definitions ==============================
[homes]
   comment = Home Directories
   browseable = no
   writable = yes

# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
# Set public = yes to allow user 'guest account' to print
   guest ok = no
   writable = no
   printable = yes
0

 
LVL 9

Author Comment

by:divinewind80
ID: 20376797
Below is my smb.config:

[global]
   workgroup = DOMAIN
   server string = Linux Samba Server
   netbios name = ntproxy
   realm = DOMAIN.COM
   security = ADS
   encrypt passwords = Yes
   password server = 10.1.0.207, 10.1.0.203
   preferred master = False
   local master = No
   domain master = False
   dns proxy = No
   wins server = 10.1.0.207
   winbind separator = /
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   idmap uid = 10000-20000
   idmap gid = 10000-20000

Overall, I don't see much difference between yours and mine.  Do you see an error?
0
 
LVL 7

Expert Comment

by:killbrad
ID: 20397362
   winbind uid = 10000-20000
   winbind gid = 10000-20000

Are you actually hoping to use WINS?  

Also, did you join the computer to the domain?  net join ?
0
 
LVL 9

Author Comment

by:divinewind80
ID: 20397383
Not necessarily.  All I am looking for is a successful logging of the username without a login prompt at the start of IE.  

Yes, I did join the domain using "net ads join".  wbinfo -u, wbinfo -g, and wbinfo -t all return success.
0
 
LVL 7

Expert Comment

by:killbrad
ID: 20399608
What about running:

/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
0
 
LVL 9

Author Comment

by:divinewind80
ID: 20427947
When I enter that nothing happens.  Basically the cursor just goes down one line.

What should I be expecting to see?
0
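Run bare, the helper blocks reading its request from stdin, which is why the cursor simply drops to the next line; it is a Squid helper, not an interactive tool. The basic-scheme variant is the one to probe by hand, because it takes a single "user password" line and answers "OK" or "ERR <reason>", whereas the `squid-2.5-ntlmssp` helper speaks a multi-step challenge/response dialogue (YR/KK requests, TT/AF/NA replies) that is awkward to drive manually. The script below is an added example, not code from the thread: it feeds the basic helper exactly as Squid would and classifies the reply. It assumes the helper path used in the squid.conf quoted above (`/usr/bin/ntlm_auth`) and a winbindd that is joined to the domain; `classify_reply` needs neither.

```python
"""Exercise Samba's ntlm_auth helper the way Squid's basic scheme does.
Added example, not from the thread.  Assumes /usr/bin/ntlm_auth (the path
in the thread's squid.conf) and a winbindd joined to the domain."""
import shutil
import subprocess
from typing import Tuple

NTLM_AUTH = "/usr/bin/ntlm_auth"  # path from the squid.conf quoted above


def classify_reply(reply: str) -> Tuple[str, str]:
    """Split one squid-2.5-basic reply into (verdict, detail).

    The helper answers "OK" for good credentials and "ERR <reason>" for bad
    ones (ntlm_auth puts the NT_STATUS code in <reason>).  Any other text
    means the helper itself is broken; Squid would report that as BH."""
    first = reply.strip().splitlines()[0] if reply.strip() else ""
    verdict, _, detail = first.partition(" ")
    if verdict in ("OK", "ERR"):
        return verdict, detail
    return "BH", first


def probe_basic(user: str, password: str, helper: str = NTLM_AUTH) -> Tuple[str, str]:
    """Send "user password" on stdin and classify what comes back.

    With `winbind use default domain = yes` (as in both smb.conf files above)
    a bare user name is enough; otherwise qualify it with the domain, or pass
    ntlm_auth's --domain option.  Closing stdin, as run() does, makes the
    helper exit instead of waiting for the next request."""
    if shutil.which(helper) is None:
        raise FileNotFoundError(f"{helper} not found; is the Samba winbind package installed?")
    proc = subprocess.run(
        [helper, "--helper-protocol=squid-2.5-basic"],
        input=f"{user} {password}\n",
        capture_output=True, text=True, timeout=15,
    )
    return classify_reply(proc.stdout)


if __name__ == "__main__":
    import getpass
    import sys
    user = sys.argv[1] if len(sys.argv) > 1 else getpass.getuser()
    verdict, detail = probe_basic(user, getpass.getpass(f"password for {user}: "))
    print(verdict, detail)
    # "ERR NT_STATUS_LOGON_FAILURE": winbind reached the DC and the DC refused.
    # "BH" or an ERR naming no logon server: winbindd is not answering; check
    # `wbinfo -t` and the winbind log before touching squid.conf again.
    sys.exit(0 if verdict == "OK" else 1)
```

Whatever this returns is what Squid sees, so an ERR here with a known-good password points at Samba/winbind (or the account the proxy process runs as lacking access to the winbindd privileged pipe) rather than at the auth_param lines.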
 
LVL 9

Author Comment

by:divinewind80
ID: 20471690
Since I have not received another response to this, I will accept an answer.  I was able to get the username to appear in the access.log... I will open another question regarding why the NTLM is not working.

Thanks.
0
 
LVL 9

Author Closing Comment

by:divinewind80
ID: 31427378
Thanks for the help.
0
