If you add

Code:
winbind use default domain = yes

in your smb.conf you shouldn't need to specify the domain.
Thanks, Cybernerd. I'll keep that trick in mind.
I tried to update the Squid.conf file and got a few errors. I think I'm getting close!
Code entered into squid.conf:

Code:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 5 hours
acl NTLMUsers proxy_auth REQUIRED
http_access allow all NTLMUsers

When I reset and restarted Squid in Konsole, the following error messages appeared.

Code:
2007/06/16 12:39:24| unrecognised ntlm auth scheme parameter 'max_challenge_reuses'
2007/06/16 12:39:24| unrecognised ntlm auth scheme parameter 'max_challenge_lifetime'
2007/06/16 12:39:24| ACL name 'all' not defined!
FATAL: Bungled squid.conf line 1888: http_access allow all NTLMUsers
Squid Cache (Version 2.6.STABLE5): Terminated abnormally.

Any ideas?
Code:
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

These only work on Squid 2.4. Use the following instead.

Code:
http_access allow all NTLMUsers

is wrong. It should be

Code:
http_access allow NTLMUsers
OK. One less error now
When I reset squid with squid -z, I get the following message:
Code:
2007/06/16 14:08:00| WARNING: No units on 'authenticate_ttl 180', assuming 180.000000 second
2007/06/16 14:08:00| Creating Swap Directories
firewall:~ # /etc/init.d/squid start
Starting WWW-proxy squid done

Something seems to have a problem right now. When I try to connect to a website on this linux box, but going through the proxy server, it does not accept network usernames and passwords. It just keeps asking for username and password and never accepting it.
Also, I found a Kerberos test command (klist -e) and got the following error message:
Code:
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Did I miss a step?
Code:
kinit Administrator@YOURDOMAIN.YOURTLD

and try again.
No Konsole errors after I typed your revised command
I then tried a klist -e and it had the following response, I'm guessing this is good.
Code:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@DOMAIN

Valid starting     Expires            Service principal
06/16/07 20:42:24  06/17/07 06:42:05  krbtgt/DOMAIN@DOMAIN
        renew until 06/17/07 20:42:24, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

I now tested the proxy server by changing the browser connection setting on the firewall computer (I know I have to manually enter the username) and it goes into an endless logon loop, continually asking for username/password and never accepting it. :?
First of all, I am very sorry that I had double posted the last message. I got that cleaned up now. (I had clicked quote rather than edit, like I had wanted to do and did not notice until just now.)
I looked at the log files and think I might have found the problem on why it is not accepting the username and password for the domain, but have no clue how to fix it. Below is an excerpt from the Squid log.
Code:
Login for user [DOMAIN]\[administrator]@[DOMAIN] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly.]
2007/06/17 10:29:21| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'

Anyone have any ideas?
I'm not sure exactly what happened. I restarted the server, after I had been looking at the log files. I have changed all settings back that I had been tweaking. Something seems to be wrong now, though.
-The Suse login screen no longer has the option to logon to the windows domain (not that I need that, I'm just afraid it might mean a larger Suse issue)
-wbinfo -u now says error looking up domain users.
-winbind now refuses to start. When I manually start it, it says WARNING: /var/run/samba/winbindd.pid FAILED.
Do you have any ideas on where to start checking settings? It appears like the config files still reference the domain connection, like before.
I really appreciate all the help you have given so far, and am hoping you might have an idea on this latest issue.
Code:
Login for user [DOMAIN]\[administrator]@[DOMAIN] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly.

You must ensure squid has read/write access to the winbindd pipe.
OK--Here's the latest update on my system. Earlier, I tried to reset the permissions to grant squid access to winbind. However, in the process, something went very wrong and I now get the following error when I try to start winbind.
Code:
[2007/06/17 21:39:47, 0] lib/util_sock.c:create_pipe_sock(1285)
  invalid permissions on socket directory /var/lib/samba/winbindd_privileged
open_winbind_socket: Resource temporarily unavailable

Any tips on how to properly fix this? I have tried resetting the permissions to what the other folders are set to originally, and it still has the same error. I am really hoping I will not have to format the hard drive and start the Suse install from the beginning.
Luckily, my VNC connection continues to work, so this is making my troubleshooting much easier.
Change the group ownership of '/var/lib/samba/winbindd_privileged' to whatever group squid runs as (most likely 'squid' or 'proxy').
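The directory check behind the "invalid permissions on socket directory" error, as an added example that is not part of the original thread: winbindd accepts its privileged pipe directory only when the directory is owned by the uid winbindd runs as and its permission bits are exactly 0750, so the Squid helper gets access through the group alone. The function names, GNU `stat`, and winbindd running as root are assumptions; the `squid` group name is the one suggested above.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat (coreutils) and that
# winbindd runs as root (uid 0); the function names are hypothetical.

# check_priv_dir DIR HELPER_GROUP [OWNER_UID]
# Prints every finding; returns 0 only when all checks pass.
check_priv_dir() {
    dir=$1; want_group=$2; want_uid=${3:-0}; rc=0
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 2
    fi
    uid=$(stat -c '%u' "$dir")
    group=$(stat -c '%G' "$dir")
    # Keep only the rwx bits, which is what winbindd compares against 0750.
    perm=$(printf '%o' $(( 0$(stat -c '%a' "$dir") & 0777 )))
    # Wrong owner or wrong mode is what winbindd logs as
    # "invalid permissions on socket directory" before refusing to start.
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: owner uid is $uid, expected $want_uid"; rc=1
    fi
    if [ "$perm" != "750" ]; then
        echo "FAIL: mode is $perm, expected 750"; rc=1
    fi
    # The ntlm_auth helper started by Squid gets in through the group only.
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: group is $group, expected $want_group"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $dir uid=$uid group=$group mode=$perm"
    return "$rc"
}

# grant_helper_group DIR GROUP
# Changes the group only (the owner stays as it is) and resets the mode.
grant_helper_group() {
    chgrp "$2" "$1" && chmod 750 "$1"
}

# Audit only when called with arguments, e.g. as root on the proxy host:
#   sh check.sh /var/lib/samba/winbindd_privileged squid
if [ "$#" -ge 2 ]; then
    check_priv_dir "$@"
fi
```

Running the check before and after any permission change shows at once whether winbindd will still start and whether the helper's group can reach the pipe.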
OK, it looks like I had a corrupt file somewhere. I reinstalled Samba and got it configured like before. I can now manually start winbind.
However, when I try to change the permission settings (changing group to Squid) for the winbindd_privileged folder, winbind then stops and refuses to start itself, or be manually started.
Please see my attached image. This is my current permission settings for the folder. Please let me know if you have any advice.
According to geoff the owner should be the account that runs squid. The owner on your screenshot is root.
OK, I discovered that the reason winbind kept crashing was that the server needed a restart after I reinstalled Samba. The permissions have been corrected.
However, when I try to access websites, I still get about 10-12 login prompts and it still does not accept the username/password.
The log file shows that it is recording the username, which it was not before, so this appears to be a good sign.
Do you think that http access is disabled for NTLM user ACL, or is it still a winbind problem?