squid + ad+samba+winbind
I am trying to configure the proxy for single sign on.only the users in the internet group will have direct access to the internet but other have to provide the user id and password to get an internet access.
The squid.conf configuration
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.
auth_param basic children 15
auth_param basic realm squid proxy-caching web server
auth_param ntlm keep_alive on
acl AuthorizedUsers proxy_auth REQUIRED
#external_acl_type ADS %LOGIN /usr/sbin/wbinfo_group.pl
external_acl_type nt_group %LOGIN /usr/sbin/wbinfo_group.pl
acl dpto external nt_group Holding Internet Users
http_access allow dpto
http_access allow AuthorizedUsers
..........................
I am getting this error in /var/log/messages
fetch_ldap_pw: neither ldap secret retrieved!
Sep 2 14:41:30 proxy-server smbd[5751]: [2013/09/02 14:41:30.814622, 0] lib/smbldap.c:1180(smbldap
Sep 2 14:41:30 proxy-server smbd[5751]: ldap_connect_system: Failed to retrieve password from secrets.tdb
--------------------------
I can verify the wbinfo -u and wbinfo -g and wbinfo -t all is good.please help
The squid.conf configuration
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.
auth_param basic children 15
auth_param basic realm squid proxy-caching web server
auth_param ntlm keep_alive on
acl AuthorizedUsers proxy_auth REQUIRED
#external_acl_type ADS %LOGIN /usr/sbin/wbinfo_group.pl
external_acl_type nt_group %LOGIN /usr/sbin/wbinfo_group.pl
acl dpto external nt_group Holding Internet Users
http_access allow dpto
http_access allow AuthorizedUsers
..........................
I am getting this error in /var/log/messages
fetch_ldap_pw: neither ldap secret retrieved!
Sep 2 14:41:30 proxy-server smbd[5751]: [2013/09/02 14:41:30.814622, 0] lib/smbldap.c:1180(smbldap
Sep 2 14:41:30 proxy-server smbd[5751]: ldap_connect_system: Failed to retrieve password from secrets.tdb
--------------------------
I can verify the wbinfo -u and wbinfo -g and wbinfo -t all is good.please help
Last Comment
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
First you should be using --helper-protocol=squid-2.
The other issue is whether you pushed via GPO that NTLM should be used and trusted by the LAN browsers.
Comment out the realm and the keepalive directives for basic.
What guide are you following to set this up.
There is a test for ntlm_auth to make sure it returns a valid response.
The other issue is whether you pushed via GPO that NTLM should be used and trusted by the LAN browsers.
Comment out the realm and the keepalive directives for basic.
What guide are you following to set this up.
There is a test for ntlm_auth to make sure it returns a valid response.
ASKER
i have checked the ntlm_auth it is working fine with AD users. and squid is working fine for all the users either they are on domain or workgroup.
what should i do if i want
log in prompt only for the users who are not on domain when they try to access the internet through proxy.
what should i do if i want
log in prompt only for the users who are not on domain when they try to access the internet through proxy.
Did you configure samba/winbind to default to use AD domain or not.
the setup you have is fine, the difficulty might be what they enter at the login prompt.
i.e. domain+username
password?
or username
password?
If you set the use domain true, then username/password will be validated based on the configuration within /etc/nsswitch.conf.
Your /usr/sbin/wbinfo_group.pl is ldap based, is that working correctly. The other issue deals with when squid runs this script, it does not have the rights to external files where you may have stored the credentials that the script uses to authenticate to the LDAP server. or your LDAP server does not allow anonymous queries and the squid user is not authorized to access it.
the setup you have is fine, the difficulty might be what they enter at the login prompt.
i.e. domain+username
password?
or username
password?
If you set the use domain true, then username/password will be validated based on the configuration within /etc/nsswitch.conf.
Your /usr/sbin/wbinfo_group.pl is ldap based, is that working correctly. The other issue deals with when squid runs this script, it does not have the rights to external files where you may have stored the credentials that the script uses to authenticate to the LDAP server. or your LDAP server does not allow anonymous queries and the squid user is not authorized to access it.
ASKER
Thanx for the reply.............
when i execute the wbinfo_group.pl script with the user name "abc" which is in the internet group on active diarectory i found the following errors
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name Holding
failed to call wbcStringToSid: WBC_ERR_INVALID_PARAM
Could not convert sid to gid
User: -abc-
Group: -xxxx
SID: --
GID: --
failed to call wbcGetGroups: WBC_ERR_DOMAIN_NOT_FOUND
Could not get groups for user abc
Sending OK to squid
OK
when i execute the wbinfo_group.pl script with the user name "abc" which is in the internet group on active diarectory i found the following errors
failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup name Holding
failed to call wbcStringToSid: WBC_ERR_INVALID_PARAM
Could not convert sid to gid
User: -abc-
Group: -xxxx
SID: --
GID: --
failed to call wbcGetGroups: WBC_ERR_DOMAIN_NOT_FOUND
Could not get groups for user abc
Sending OK to squid
OK
Linux
Linux is a UNIX-like open source operating system with hundreds of distinct distributions, including: Fedora, openSUSE, Ubuntu, Debian, Slackware, Gentoo, CentOS, and Arch Linux. Linux is generally associated with web and database servers, but has become popular in many niche industries and applications.
71K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
ASKER
auth_param basic program /usr/sbin/squid_ldap_auth -d -b "vd=holdin.loc,o=holding,d
auth_param basic children 5
auth_param basic realm web-proxy
auth_param basic credentialsttl 1 minutes
auth_param basic casesensitive off
i have attached the samba and squid configuration files.
i have a one group on Active directory for internet users "Internet Users".
Please help me i am strucked from last many days
squid.txt
smb.docx