Solved

Authenticating with Samba for logging username in Squid access log

Posted on 2007-11-20
14
815 Views
Last Modified: 2013-12-16
Please review the following answered question for background on the situation:  http://www.experts-exchange.com/OS/Linux/Setup/Q_22957825.html

Currently, I have run through all the steps in the walk-through with success.  However, I am looking to find how to change the logformat to include the username of the authenticated user.  Or, is there another way?

I appreciate the assistance.
Question by:divinewind80
14 Comments
 
LVL 7

Expert Comment

by:killbrad
ID: 20353578
I thought this was the default?

might want to check out MySAR ->  sourceforge.net/mysar

very useful.

A couple other things:
http://yergler.net/blog/2005/11/08/custom-log-formats-with-squid/
http://dansguardian.org/
0
 
LVL 9

Author Comment

by:divinewind80
ID: 20358544
That's more or less what I am finding.  But, for some reason, it does not work.  I have not received any errors when attempting to view a certain page... so, I'm not even sure if it is authenticating properly or not.

Right now, I have no access limitations... I am just trying to confirm that the username is logged.  Then, I will begin adding restrictions.
0
 
LVL 7

Expert Comment

by:killbrad
ID: 20359812
I'm going to assume you have this in your squid.conf:

access_log /var/log/squid/access.log squid

----

now..  look at the example from access.log below:
_____
1196185144.535     90 192.168.0.75 TCP_MISS/200 712 GET http://images.intellitxt.com/ast/ttips/1/bkg_gls_lt.gif - DIRECT/207.138.233.8 image/gif

1196185640.656     72 192.168.0.75 TCP_MISS/200 4736 GET http://images.intellitxt.com/ast/adobe/vmusa9132/AD043_TechCom_100x100.gif brad DIRECT/63.144.121.162 image/gif
______
notice how in the second item, after the URL of the file being accessed, instead of a DASH (-), it says 'brad'.  This is what you should see if you set up authentication correctly.

Sounds like you have a general 'allow' statement that is letting people bypass the auth requirement.

what auth method are you using?

Make sure you have something similar to:  

acl password proxy_auth REQUIRED
http_access allow password
http_access deny all

and NOT this:

acl our_networks src 192.168.0.1/24
http_access allow our_networks
0
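As an added example (not code from the thread), the check killbrad describes above can be scripted rather than done by eye. Squid's native `squid` log format has ten whitespace-separated fields, and the eighth is the authenticated username or `-` when there was none. A `-` beside a `TCP_DENIED/407` is normal (that is the proxy issuing its authentication challenge), but a `-` beside a served 2xx/3xx response means the request got through without a username, which is exactly what an early `http_access allow our_networks` rule produces. The first two log lines are the ones quoted in this comment; the other two are constructed for the example.

```python
"""Audit Squid native access.log lines for the username field (field 8)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# First two lines quoted from the thread; last two constructed for this example.
SAMPLE_LOG = """\
1196185144.535     90 192.168.0.75 TCP_MISS/200 712 GET http://images.intellitxt.com/ast/ttips/1/bkg_gls_lt.gif - DIRECT/207.138.233.8 image/gif
1196185640.656     72 192.168.0.75 TCP_MISS/200 4736 GET http://images.intellitxt.com/ast/adobe/vmusa9132/AD043_TechCom_100x100.gif brad DIRECT/63.144.121.162 image/gif
1196185700.101      1 192.168.0.80 TCP_DENIED/407 1716 GET http://example.com/ - NONE/- text/html
1196185701.455    120 192.168.0.80 TCP_MISS/200 2048 GET http://example.com/ - DIRECT/93.184.216.34 text/html
"""


@dataclass
class Entry:
    timestamp: float
    client: str
    status: str          # e.g. "TCP_MISS/200"
    method: str
    url: str
    user: Optional[str]  # None when Squid logged '-'

    @property
    def http_code(self) -> int:
        # Status is "<squid result code>/<HTTP status>"; keep the HTTP status.
        return int(self.status.rsplit("/", 1)[1])


def parse_line(line: str) -> Entry:
    """Split one native-format line into its ten fields; the URL never contains spaces."""
    parts = line.split()
    if len(parts) != 10:
        raise ValueError(f"expected 10 fields, got {len(parts)}: {line!r}")
    ts, _elapsed, client, status, _size, method, url, user, _hier, _ctype = parts
    return Entry(float(ts), client, status, method, url, None if user == "-" else user)


def parse_log(text: str) -> List[Entry]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def audit(entries: List[Entry]) -> Dict[str, object]:
    """Classify entries: authenticated, 407 challenge, or served with no username."""
    authenticated: List[Entry] = []
    challenges: List[Entry] = []
    anonymous_served: List[Entry] = []
    for e in entries:
        if e.user is not None:
            authenticated.append(e)
        elif e.http_code == 407:
            challenges.append(e)          # expected: the proxy asking for credentials
        elif 200 <= e.http_code < 400:
            anonymous_served.append(e)    # auth was bypassed for this request
    return {
        "authenticated": len(authenticated),
        "challenges": len(challenges),
        "anonymous_served": anonymous_served,
        "users": sorted({e.user for e in authenticated}),
    }


def report(text: str) -> Dict[str, object]:
    return audit(parse_log(text))


if __name__ == "__main__":
    result = report(SAMPLE_LOG)
    print(f"authenticated requests: {result['authenticated']} (users: {result['users']})")
    print(f"407 challenges:         {result['challenges']}")
    for e in result["anonymous_served"]:
        print(f"SERVED WITHOUT USERNAME: {e.client} {e.status} {e.method} {e.url}")
```

Run it against a real access.log (`report(open("/var/log/squid/access.log").read())`) after enabling `proxy_auth REQUIRED`: if `anonymous_served` is not empty, some `http_access allow` rule ahead of the auth ACL is matching first.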

 
LVL 9

Author Comment

by:divinewind80
ID: 20366462
OK.  I got this to work.  However, I was only able to get it to work using the following:

auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b "dc=domain,dc=com" -D "cn=Administrator,cn=Users,dc=domain,dc=com" -w "password" -f sAMAccountName=%s -h 0.0.0.0 # real IP here
auth_param basic children 5
auth_param basic realm SQUID
auth_param basic credentialsttl 5 minutes

This requires a login.  I would prefer to have no login, which I understood NTLM does not require.  I tried the following:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid
auth_param basic credentialsttl 2 hours

I appreciate the assistance.
0
 
LVL 7

Accepted Solution

by:killbrad (earned 500 total points)
ID: 20366898
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate on
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

0
 
LVL 9

Author Comment

by:divinewind80
ID: 20374017
I added the code you have shown, however, I am still receiving the login.  But, this time, I am unable to log in with my Windows credentials.  The login rejects my username and password altogether.

Any ideas on this?
0
 
LVL 7

Expert Comment

by:killbrad
ID: 20375414
Yeah, you need to make sure your Samba setup is correct...
Did you join this machine to the domain?
can you look in your samba log and see if you notice anything specific?  

here is a good idea of what you need for your smb.conf

[global]

# remember, capitalization counts.
# workgroup = NT-Domain-Name or Workgroup-Name
# for example, if you have domain.local, you would use:
   workgroup = DOMAIN
# this is the name you gave to the machine  ( you did join it to the domain, right?)
   netbios name = SQUID
   realm = DOMAIN.LOCAL
   server string = Squid

 
;   hosts allow = 192.168.1. 192.168.2. 127.

# Security mode.   You want Active Directory right?
   security = ads
   password server = pdc1.domain.local, bdc1.domain.local
   encrypt passwords = yes

# Most people will find that this option gives better performance.
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

  local master = no
  domain master = false
  preferred master = False
 
  wins support = no
  dns proxy = no

#============================ Share Definitions ==============================
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template shell = /bin/false
   winbind separator = /
   winbind uid = 10000-20000
   winbind gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
[homes]
   comment = Home Directories
   browseable = no
   writable = yes

# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
# Set public = yes to allow user 'guest account' to print
   guest ok = no
   writable = no
   printable = yes
0
 
LVL 9

Author Comment

by:divinewind80
ID: 20376797
Below is my smb.config:

   workgroup = DOMAIN
   server string = Linux Samba Server
   netbios name = ntproxy
   realm = DOMAIN.COM
   security = ADS
   encrypt passwords = Yes
   password server = 10.1.0.207, 10.1.0.203
   preferred master = False
   local master = No
   domain master = False
   dns proxy = No
   wins server = 10.1.0.207
   winbind separator = /
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   idmap uid = 10000-20000
   idmap gid = 10000-20000

Overall, I don't see much difference between yours and mine.  Do you see an error?
0
 
LVL 7

Expert Comment

by:killbrad
ID: 20397362
   winbind uid = 10000-20000
   winbind gid = 10000-20000

Are you actually hoping to use WINS?  

Also, did you join the computer to the domain?  net join ?
0
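As an added example (not code from the thread), the comparison killbrad just made by eye can be scripted. Visual comparison of smb.conf files is error-prone because Samba is forgiving about exactly the things that differ between the two postings above: parameter names are case- and whitespace-insensitive, booleans may be spelled yes/no, true/false or 1/0, and the `security` value is matched case-insensitively. The script below normalizes those before reporting parameters present in only one file and parameters whose values really differ. The two fragments are constructed from the [global] sections posted above (trimmed to the relevant lines); lines before any `[section]` header are treated as `[global]`, as Samba does.

```python
"""Diff two smb.conf fragments after normalizing Samba's lenient syntax."""
import re
from typing import Dict

# Constructed from killbrad's posted [global] section (trimmed).
REFERENCE = """
[global]
   workgroup = DOMAIN
   netbios name = SQUID
   realm = DOMAIN.LOCAL
   security = ads
   password server = pdc1.domain.local, bdc1.domain.local
   encrypt passwords = yes
   local master = no
   domain master = false
   preferred master = False
   wins support = no
   dns proxy = no
   winbind uid = 10000-20000
   winbind gid = 10000-20000
"""

# Constructed from divinewind80's posted config (trimmed); note no [global] header.
CANDIDATE = """
      workgroup = DOMAIN
        server string = Linux Samba Server
netbios name = ntproxy
realm = DOMAIN.COM
security = ADS
encrypt passwords = Yes
password server = 10.1.0.207, 10.1.0.203
preferred master = False
local master = No
domain master = False
dns proxy = No
wins server = 10.1.0.207
"""

Config = Dict[str, Dict[str, str]]  # section -> parameter -> normalized value
_TRUE = {"yes", "true", "1"}
_FALSE = {"no", "false", "0"}
_CASE_INSENSITIVE = {"security"}    # enum-valued parameters Samba matches case-insensitively


def normalize_key(key: str) -> str:
    return re.sub(r"\s+", " ", key.strip().lower())


def normalize_value(value: str) -> str:
    low = value.strip().lower()
    if low in _TRUE:
        return "yes"
    if low in _FALSE:
        return "no"
    return value.strip()


def parse_smb_conf(text: str) -> Config:
    """Parse INI-style smb.conf text; '#' and ';' both start comments."""
    config: Config = {}
    section = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if "=" not in line:
            raise ValueError(f"unparseable line: {raw!r}")
        key, _, value = line.partition("=")
        config.setdefault(section, {})[normalize_key(key)] = normalize_value(value)
    return config


def compare(reference: Config, candidate: Config) -> Dict[str, object]:
    """Report parameters missing from / extra in the candidate, and real value differences."""
    missing, extra, differs = [], [], {}
    for section in sorted(set(reference) | set(candidate)):
        ref, cand = reference.get(section, {}), candidate.get(section, {})
        for key in sorted(set(ref) | set(cand)):
            name = f"{section}/{key}"
            if key not in cand:
                missing.append(name)
            elif key not in ref:
                extra.append(name)
            else:
                a, b = ref[key], cand[key]
                if key in _CASE_INSENSITIVE:
                    a, b = a.lower(), b.lower()
                if a != b:
                    differs[name] = (ref[key], cand[key])
    return {"missing": missing, "extra": extra, "differs": differs}


if __name__ == "__main__":
    result = compare(parse_smb_conf(REFERENCE), parse_smb_conf(CANDIDATE))
    for kind in ("missing", "extra", "differs"):
        print(f"{kind}: {result[kind]}")
```

On these two fragments the only parameters reported as missing from the candidate are `winbind uid`, `winbind gid` and `wins support`; the boolean spelling differences (`No`/`no`, `False`/`false`) and `ADS`/`ads` correctly disappear, leaving only the genuinely site-specific values (realm, netbios name, password server) as differences.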
 
LVL 9

Author Comment

by:divinewind80
ID: 20397383
Not necessarily.  All I am looking for is a successful logging of the username without a login prompt at the start of IE.  

Yes, I did join the domain using "net ads join".  wbinfo -u, wbinfo -g, and wbinfo -t all return success.
0
 
LVL 7

Expert Comment

by:killbrad
ID: 20399608
What about running:

/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
0
 
LVL 9

Author Comment

by:divinewind80
ID: 20427947
When I enter that nothing happens.  Basically the cursor just goes down one line.

What should I be expecting to see?
0
 
LVL 9

Author Comment

by:divinewind80
ID: 20471690
Since I have not received another response to this, I will accept an answer.  I was able to get the username to appear in the access.log... I will open another question regarding why the NTLM is not working.

Thanks.
0
 
LVL 9

Author Closing Comment

by:divinewind80
ID: 31427378
Thanks for the help.
0
