divinewind80 asked:
Authenticating with Samba for logging username in Squid access log

Please review the following answered question for background on the situation:  https://www.experts-exchange.com/questions/22957825/Samba-net-ads-join-error.html

Currently, I have run through all the steps in the walk-through with success.  However, I am looking to find how to change the logformat to include the username of the authenticated user.  Or, is there another way?

I appreciate the assistance.
killbrad:

I thought this was the default?

You might want to check out MySAR -> sourceforge.net/mysar

Very useful.

A couple other things:
http://yergler.net/blog/2005/11/08/custom-log-formats-with-squid/
http://dansguardian.org/
divinewind80 (asker):

That's more or less what I am finding.  But, for some reason, it does not work.  I have not received any errors when attempting to view a certain page... so, I'm not even sure if it is authenticating properly or not.

Right now, I have no access limitations... I am just trying to confirm that the username is logged.  Then, I will begin adding restrictions.
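A check for exactly this, as an added example that is not part of the thread: Squid's native (`squid`) logformat puts the authenticated user name in the eighth field, with `-` when there is none, so the access.log can be scanned per client for how many requests were served with a user name, how many without, and how many were only 407 challenges. The log lines in the block are constructed for the example (placeholder client and peer addresses and URLs); nothing else is assumed beyond the standard library.

```python
"""Report which Squid clients are (and are not) logged with a user name.

Added example, not code from the thread. Squid's native logformat is
  time elapsed client code/status bytes method URL user peerstatus/peerhost type
where the user field is "-" for an unauthenticated request. The sample
log below is constructed for this example.
"""
from collections import defaultdict

SAMPLE_LOG = """\
1196185144.535     90 192.168.0.75 TCP_MISS/200 712 GET http://images.example.com/a.gif - DIRECT/203.0.113.8 image/gif
1196185640.656     72 192.168.0.75 TCP_MISS/200 4736 GET http://images.example.com/b.gif brad DIRECT/203.0.113.9 image/gif
1196185700.101    120 192.168.0.80 TCP_MISS/200 1024 GET http://www.example.com/ - DIRECT/203.0.113.10 text/html
1196185701.222     15 192.168.0.80 TCP_DENIED/407 1720 GET http://www.example.com/ - NONE/- text/html
1196185750.009     44 192.168.0.90 TCP_HIT/200 2048 GET http://www.example.com/index.html alice NONE/- text/html
"""


def parse_native(line):
    """Split one native-format line into a dict; None for a malformed line."""
    f = line.split()
    if len(f) != 10 or "/" not in f[3] or "/" not in f[8]:
        return None
    code, _, status = f[3].partition("/")
    peer, _, peerhost = f[8].partition("/")
    try:
        return {
            "time": float(f[0]), "elapsed_ms": int(f[1]), "client": f[2],
            "result": code, "status": int(status), "bytes": int(f[4]),
            "method": f[5], "url": f[6],
            "user": None if f[7] == "-" else f[7],      # the field the thread is about
            "peer": peer, "peerhost": peerhost, "type": f[9],
        }
    except ValueError:
        return None


def auth_summary(log_text):
    """Per client: served requests with/without a user, 407 challenges, user names seen."""
    summary = defaultdict(lambda: {"with_user": 0, "without_user": 0,
                                   "challenged": 0, "users": set()})
    for line in log_text.splitlines():
        rec = parse_native(line)
        if rec is None:
            continue
        s = summary[rec["client"]]
        if rec["status"] == 407:
            s["challenged"] += 1            # Squid asked for credentials, no content served
        elif rec["user"]:
            s["with_user"] += 1
            s["users"].add(rec["user"])
        else:
            s["without_user"] += 1          # served without ever authenticating
    return dict(summary)


def unauthenticated_clients(log_text):
    """Clients that were served content but never logged with a user name."""
    return sorted(client for client, s in auth_summary(log_text).items()
                  if s["without_user"] and not s["with_user"])


if __name__ == "__main__":
    for client, s in sorted(auth_summary(SAMPLE_LOG).items()):
        print(client, s["with_user"], "with user,", s["without_user"], "without,",
              s["challenged"], "challenged,", sorted(s["users"]))
    print("never authenticated:", unauthenticated_clients(SAMPLE_LOG))
```

Run it against a real log with `auth_summary(open("/var/log/squid/access.log").read())`; a client that only ever appears in `unauthenticated_clients` is one that is getting through an `http_access allow` line before the `proxy_auth` ACL is reached.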
killbrad:

I'm going to assume you have this in your squid.conf:

access_log /var/log/squid/access.log squid

----

Now, look at the example from access.log below:
_____
1196185144.535     90 192.168.0.75 TCP_MISS/200 712 GET http://images.intellitxt.com/ast/ttips/1/bkg_gls_lt.gif - DIRECT/207.138.233.8 image/gif

1196185640.656     72 192.168.0.75 TCP_MISS/200 4736 GET http://images.intellitxt.com/ast/adobe/vmusa9132/AD043_TechCom_100x100.gif brad DIRECT/63.144.121.162 image/gif
______
Notice how in the second item, after the URL of the file being accessed, instead of a dash (-), it says 'brad'.  This is what you should see if you set up authentication correctly.

Sounds like you have a general 'allow' statement that is letting people bypass the auth requirement.

what auth method are you using?

Make sure you have something similar to:  

acl password proxy_auth REQUIRED
http_access allow password
http_access deny all

and NOT this:

acl our_networks src 192.168.0.1/24
http_access allow our_networks
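The ordering point above, as an added example that is not code from the thread: Squid evaluates http_access lines top to bottom and stops at the first line on which every listed ACL matches (the default, when nothing matches, is the opposite of the last line). The script below models that walk for `src` and `proxy_auth` ACLs only, treating a `proxy_auth` ACL reached without credentials as the 407 challenge Squid would send, and runs the two configurations quoted above against an unauthenticated LAN client. The configurations are copied from the thread; the client addresses are constructed.

```python
"""Squid http_access first-match evaluation, as an added example.

Not code from the thread: a small model of how Squid walks http_access
lines top to bottom and stops at the first line on which every ACL
matches. Only `src` and `proxy_auth` ACLs and the built-in `all` are
modelled; a proxy_auth ACL evaluated without credentials is reported as
"challenge" (Squid would answer 407 and the log shows "-").
"""
import ipaddress

# The two configurations quoted in the thread.
GOOD_CONF = """\
acl password proxy_auth REQUIRED
http_access allow password
http_access deny all
"""

BAD_CONF = """\
acl our_networks src 192.168.0.1/24
acl password proxy_auth REQUIRED
http_access allow our_networks     # first match wins: LAN never reaches 'password'
http_access allow password
http_access deny all
"""


def parse_config(text):
    """Collect acl definitions (name -> (type, args)) and http_access rules in order."""
    acls = {"all": ("src", ["0.0.0.0/0"])}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4:
            name, kind, args = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (kind, []))[1].extend(args)
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(name, request, acls):
    """Does one ACL match a request dict with 'src' and optional 'user'?"""
    kind, args = acls[name]
    if kind == "src":
        ip = ipaddress.ip_address(request["src"])
        return any(ip in ipaddress.ip_network(a, strict=False) for a in args)
    if kind == "proxy_auth":
        user = request.get("user")
        return user is not None and ("REQUIRED" in args or user in args)
    raise ValueError(f"acl type {kind!r} not modelled")


def evaluate(text, request):
    """Return (decision, rule): decision is 'allow', 'deny' or 'challenge';
    rule is the (action, acl_names) line that decided it, None for the default."""
    acls, rules = parse_config(text)
    for action, names in rules:
        matched = True
        for token in names:
            negate = token.startswith("!")
            name = token.lstrip("!")
            if acls[name][0] == "proxy_auth" and request.get("user") is None:
                return "challenge", (action, names)     # Squid sends 407 here
            if acl_matches(name, request, acls) == negate:
                matched = False
                break
        if matched:
            return action, (action, names)
    default = "deny" if not rules or rules[-1][0] == "allow" else "allow"
    return default, None


def bypasses_auth(text, src):
    """True when an unauthenticated request from src is allowed outright."""
    return evaluate(text, {"src": src})[0] == "allow"


if __name__ == "__main__":
    lan, outside = "192.168.0.75", "10.0.0.5"          # constructed clients
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, "LAN no creds ->", evaluate(conf, {"src": lan}))
        print(label, "LAN as brad  ->", evaluate(conf, {"src": lan, "user": "brad"}))
        print(label, "outside      ->", evaluate(conf, {"src": outside}))
```

With the bad configuration the LAN request is allowed on the `our_networks` line and the browser is never challenged, which is exactly the "no errors, but no user name in the log" symptom; the fix is to put the `proxy_auth` line first or to require both ACLs on one line (`http_access allow our_networks password`).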
divinewind80 (asker):

OK.  I got this to work.  However, I was only able to get it to work using the following:

auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b "dc=domain,dc=com" -D "cn=Administrator,cn=Users,dc=domain,dc=com" -w "password" -f sAMAccountName=%s -h 0.0.0.0 # real IP here
auth_param basic children 5
auth_param basic realm SQUID
auth_param basic credentialsttl 5 minutes

This requires a login.  I would prefer to have no login, which I understood NTLM requires none.  I tried the following:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid
auth_param basic credentialsttl 2 hours

I appreciate the assistance.
ASKER CERTIFIED SOLUTION by killbrad (the accepted solution is only available to Experts Exchange members and is not included on this page).
divinewind80 (asker):

I added the code you have shown; however, I am still receiving the login prompt.  But this time, I am unable to log in with my Windows credentials.  The login rejects my username and password altogether.

Any ideas on this?
killbrad:

Yeah, you need to make sure your Samba setup is correct...
Did you join this machine to the domain?
Can you look in your Samba log and see if you notice anything specific?

Here is a good idea of what you need for your smb.conf:

[global]

# remember, capitalization counts.
# workgroup = NT-Domain-Name or Workgroup-Name
# for example, if you have domain.local, you would use:
   workgroup = DOMAIN
# this is the name you gave to the machine  ( you did join it to the domain, right?)
   netbios name = SQUID
   realm = DOMAIN.LOCAL
   server string = Squid

 
;   hosts allow = 192.168.1. 192.168.2. 127.

# Security mode.   You want Active Directory right?
   security = ads
   password server = pdc1.domain.local, bdc1.domain.local
   encrypt passwords = yes

# Most people will find that this option gives better performance.
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

  local master = no
  domain master = false
  preferred master = False
 
  wins support = no
  dns proxy = no

   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template shell = /bin/false
   winbind separator = /
   winbind uid = 10000-20000
   winbind gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes

#============================ Share Definitions ==============================
[homes]
   comment = Home Directories
   browseable = no
   writable = yes

# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
# Set public = yes to allow user 'guest account' to print
   guest ok = no
   writable = no
   printable = yes
divinewind80 (asker):

Below is my smb.conf:

   workgroup = DOMAIN
   server string = Linux Samba Server
   netbios name = ntproxy
   realm = DOMAIN.COM
   security = ADS
   encrypt passwords = Yes
   password server = 10.1.0.207, 10.1.0.203
   preferred master = False
   local master = No
   domain master = False
   dns proxy = No
   wins server = 10.1.0.207
   winbind separator = /
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   idmap uid = 10000-20000
   idmap gid = 10000-20000

Overall, I don't see much difference between yours and mine.  Do you see an error?
killbrad:

   winbind uid = 10000-20000
   winbind gid = 10000-20000

Are you actually hoping to use WINS?

Also, did you join the computer to the domain?  net join?
divinewind80 (asker):

Not necessarily.  All I am looking for is successful logging of the username without a login prompt at the start of IE.

Yes, I did join the domain using "net ads join".  wbinfo -u, wbinfo -g, and wbinfo -t all return success.
killbrad:

What about running:

/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
divinewind80 (asker):

When I enter that, nothing happens.  Basically, the cursor just goes down one line.

What should I be expecting to see?
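What the helper is waiting for, as an added example that is not part of the thread: `ntlm_auth` run with a `--helper-protocol` flag speaks Squid's line-oriented helper protocol on stdin/stdout, so started interactively it prints nothing until a protocol line is typed. With `squid-2.5-basic` Squid writes one `username password` line per request and expects `OK` or `ERR [message]`; with `squid-2.5-ntlmssp` Squid opens a negotiation with `YR` and expects `TT <base64 challenge>`, later sending the client's token as `KK <base64>` to get `AF user` or `NA reason`; a reply starting `BH` means the helper itself is broken (typically winbindd not reachable or the box not joined). The script below sends one such line through a pipe and reads the answer. `/usr/bin/ntlm_auth` is the path assumed from the thread; so that it runs offline the script can also act as a fake basic-only helper (`--fake-helper`) with a constructed user table.

```python
"""Driving a Squid 2.5 auth helper by hand, as an added example.

Not code from the thread. One protocol line is written to the helper's
stdin and its first reply line is returned. NTLM_AUTH is the assumed
helper path; FAKE_USERS is constructed test data for the built-in fake
helper used when the real one is not available.
"""
import os
import subprocess
import sys

NTLM_AUTH = "/usr/bin/ntlm_auth"                                    # assumed path
BASIC_HELPER = [NTLM_AUTH, "--helper-protocol=squid-2.5-basic"]
NTLMSSP_HELPER = [NTLM_AUTH, "--helper-protocol=squid-2.5-ntlmssp"]
FAKE_HELPER = [sys.executable, os.path.abspath(__file__), "--fake-helper"]
FAKE_USERS = {"brad": "s3cret", "alice": "hunter2"}                 # constructed


def exchange(helper_cmd, line, timeout=5.0):
    """Start the helper, send one protocol line, return its first reply line."""
    with subprocess.Popen(helper_cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                          stderr=subprocess.DEVNULL, text=True) as proc:
        try:
            out, _ = proc.communicate(line, timeout=timeout)
        except subprocess.TimeoutExpired:
            proc.kill()
            raise RuntimeError("helper gave no answer; is winbindd running?")
    return out.strip().splitlines()[0] if out.strip() else ""


def check_basic(helper_cmd, username, password):
    """squid-2.5-basic: 'user pass' in, 'OK' or 'ERR ...' out. Returns (accepted, reply)."""
    if any(c in username + password for c in " \n"):
        raise ValueError("2.5 basic helper fields may not contain spaces or newlines")
    reply = exchange(helper_cmd, f"{username} {password}\n")
    return reply.startswith("OK"), reply


def probe_ntlmssp(helper_cmd):
    """squid-2.5-ntlmssp: 'YR' starts a negotiation. 'TT ...' means the helper can
    issue a challenge; 'BH ...' means it is broken (winbindd/domain join problem)."""
    return exchange(helper_cmd, "YR\n")


def fake_helper_reply(line, users=FAKE_USERS):
    """One reply of the fake basic helper; it refuses NTLMSSP like a basic-only helper."""
    if line.startswith(("YR", "KK")):
        return "BH fake helper speaks only the basic protocol"
    parts = line.rstrip("\n").split(" ")
    if len(parts) != 2:
        return "ERR malformed request line"
    user, password = parts
    return "OK" if users.get(user) == password else "ERR bad credentials"


if __name__ == "__main__":
    if "--fake-helper" in sys.argv:                      # act as the helper itself
        for request in sys.stdin:
            sys.stdout.write(fake_helper_reply(request) + "\n")
            sys.stdout.flush()
    elif len(sys.argv) == 3:                             # check one credential pair
        accepted, raw = check_basic(BASIC_HELPER, sys.argv[1], sys.argv[2])
        print("accepted" if accepted else "rejected", raw)
    else:                                                # just see whether NTLMSSP works
        print("ntlmssp probe:", probe_ntlmssp(NTLMSSP_HELPER))
```

Against the real helper, `python3 helper_probe.py brad secret` should print `accepted OK` once winbindd is running and the machine is joined; an `ERR` with the right password, or `BH` from the NTLMSSP probe, points at the Samba side rather than at squid.conf. Note that the squid process runs the helper as the squid user, which also needs read access to winbindd's privileged pipe.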
divinewind80 (asker):

Since I have not received another response to this, I will accept an answer.  I was able to get the username to appear in the access.log... I will open another question regarding why NTLM is not working.

Thanks.
Thanks for the help.