*nix Thread, Dansguardian on windows 2003 domain in Technical
  1. #16



    Re: Dansguardian on windows 2003 domain

    If you add
    Code:
     winbind use default domain = yes
    in your smb.conf, you shouldn't need to specify the domain.

  2. #17


    Thanks, Cybernerd. I'll keep that trick in mind.

  3. #18


    I tried to update the Squid.conf file and got a few errors. I think I'm getting close!

    Code entered into squid.conf
    Code:
    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
    auth_param ntlm children 5
    auth_param ntlm max_challenge_reuses 0
    auth_param ntlm max_challenge_lifetime 2 minutes
     
    auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 5 hours
     
    acl NTLMUsers proxy_auth REQUIRED
    http_access allow all NTLMUsers
    When I reset and restarted Squid in Konsole, the following error messages appeared.

    Code:
    2007/06/16 12:39:24| unrecognised ntlm auth scheme parameter 'max_challenge_reuses'
    2007/06/16 12:39:24| unrecognised ntlm auth scheme parameter 'max_challenge_lifetime'
    2007/06/16 12:39:24| ACL name 'all' not defined!
    FATAL: Bungled squid.conf line 1888: http_access allow all NTLMUsers
    Squid Cache (Version 2.6.STABLE5): Terminated abnormally.
    Any ideas?

  4. #19

    Geoff

    Code:
    auth_param ntlm max_challenge_reuses 0
    auth_param ntlm max_challenge_lifetime 2 minutes
    These only work on Squid 2.4. Use the following instead.

    Code:
    authenticate_ttl 180
    Also

    Code:
    http_access allow all NTLMUsers
    is wrong. It should be

    Code:
    http_access allow NTLMUsers

  5. #20


    OK. One less error now.

    When I reset squid with squid -z, I get the following message:
    Code:
    2007/06/16 14:08:00| WARNING: No units on 'authenticate_ttl 180', assuming 180.000000 second
    2007/06/16 14:08:00| Creating Swap Directories
    
    firewall:~ # /etc/init.d/squid start
    Starting WWW-proxy squid                                             done

    Something seems to have a problem right now. When I try to connect to a website on this Linux box, going through the proxy server, it does not accept network usernames and passwords. It just keeps asking for a username and password and never accepts it.

    Also, I found a Kerberos test command (klist -e) and got the following error message:
    Code:
    klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
    
    
    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached
    Did I miss a step?
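
Added example, not written by any poster in this thread: a small shell lint that reproduces, on a constructed squid.conf excerpt, the three diagnostics Squid 2.6.STABLE5 printed in the posts above. The function names and the sample input are assumptions for illustration, and the lint assumes a Squid version in which `all` has to be declared by an `acl` line before it is used.

```shell
# Constructed sample input (not the poster's full configuration).
sample_conf() {
cat <<'EOF'
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
authenticate_ttl 180
acl NTLMUsers proxy_auth REQUIRED
http_access allow all NTLMUsers
EOF
}

# lint_squid_conf: read a squid.conf on stdin, print one finding per line.
lint_squid_conf() {
  awk '
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    $1 == "acl" { seen_acl[$2] = 1; next }       # ACL names, in file order
    $1 == "auth_param" && $2 == "ntlm" &&
      ($3 == "max_challenge_reuses" || $3 == "max_challenge_lifetime") {
        printf "line %d: ntlm parameter %s is unrecognised by Squid 2.6\n", NR, $3
        next
    }
    $1 == "authenticate_ttl" && NF == 2 {
        printf "line %d: authenticate_ttl %s has no time unit\n", NR, $2
        next
    }
    $1 == "http_access" {
        # Every ACL on the line is ANDed and must already have been declared.
        for (i = 3; i <= NF; i++) {
            name = $i
            sub(/^!/, "", name)                  # "!name" negates the same ACL
            if (!(name in seen_acl))
                printf "line %d: ACL %s used before it is defined\n", NR, name
        }
    }
  '
}

sample_conf | lint_squid_conf
```
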

  6. #21

    Geoff

    and try again.

  7. #22


    No Konsole errors after I typed your revised command.
    I then tried a klist -e and it had the following response. I'm guessing this is good.

    Code:
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: Administrator@DOMAIN
    
    Valid starting     Expires            Service principal
    06/16/07 20:42:24  06/17/07 06:42:05  krbtgt/DOMAIN@DOMAIN
            renew until 06/17/07 20:42:24, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
    
    
    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached
    I now tested the proxy server by changing the browser connection setting on the firewall computer (I know I have to manually enter the username) and it goes into an endless logon loop, continually asking for username/password and never accepting it. :?

  8. #23


    First of all, I am very sorry that I had double posted the last message. I got that cleaned up now. (I had clicked quote rather than edit, like I had wanted to do and did not notice until just now.)

    I looked at the log files and think I might have found the problem on why it is not accepting the username and password for the domain, but have no clue how to fix it. Below is an excerpt from the Squid log.

    Code:
    Login for user [DOMAIN]\[administrator]@[DOMAIN] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly.]
    2007/06/17 10:29:21| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
    Anyone have any ideas?

  9. #24


    @Geoff

    I'm not sure exactly what happened. I restarted the server, after I had been looking at the log files. I have changed all settings back that I had been tweaking. Something seems to be wrong now, though.

    -The Suse login screen no longer has the option to logon to the windows domain (not that I need that, I'm just afraid it might mean a larger Suse issue)
    -wbinfo -u now says error looking up domain users.
    -winbind now refuses to start. When I manually start it, it says WARNING: /var/run/samba/winbindd.pid FAILED.

    Do you have any ideas on where to start checking settings? It appears like the config files still reference the domain connection, like before.

    I really appreciate all the help you have given so far, and am hoping you might have an idea on this latest issue.

  10. #25

    Geoff

    Code:
    Login for user [DOMAIN]\[administrator]@[DOMAIN] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/lib/samba/winbindd_privileged are set correctly.
    You must ensure squid has read/write access to the winbindd pipe.

  11. #26


    OK--Here's the latest update on my system. Earlier, I tried to reset the permissions to grant squid access to winbind. However, in the process, something went very wrong and I now get the following error when I try to start winbind.

    Code:
    [2007/06/17 21:39:47, 0] lib/util_sock.c:create_pipe_sock(1285)
      invalid permissions on socket directory /var/lib/samba/winbindd_privileged
    open_winbind_socket: Resource temporarily unavailable
    Any tips on how to properly fix this? I have tried resetting the permissions to what the other folders are set to originally, and it still has the same error. I am really hoping I will not have to format the hard drive and start the Suse install from the beginning.

    Luckily, my VNC connection continues to work, so this is making my troubleshooting much easier.

  12. #27

    Geoff

    Change the group ownership of '/var/lib/samba/winbindd_privileged' to whatever group squid runs as (most likely 'squid' or 'proxy').

  13. #28


    OK, it looks like I had a corrupt file somewhere. I reinstalled Samba and got it configured like before. I can now manually start winbind.

    However, when I try to change the permission settings (changing group to Squid) for the winbindd_privileged folder, winbind then stops and refuses to start itself, or be manually started.

    Please see my attached image. These are my current permission settings for the folder. Please let me know if you have any advice.
    Attached Images

  14. #29
    ChrisH

    According to Geoff, the owner should be the account that runs squid. The owner on your screenshot is root.

  15. #30


    OK, I discovered that the reason winbind kept crashing was that the server needed a restart after I reinstalled Samba. The permissions have been corrected.

    However, when I try to access websites, I still get about 10-12 login prompts and it still does not accept the username/password.

    The log file shows that it is recording the username, which it was not before, so this appears to be a good sign.

    Do you think that http access is disabled for NTLM user ACL, or is it still a winbind problem?
    Attached Images
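
Added example, not written by any poster in this thread: a check for the directory state behind the two winbind errors quoted above. It assumes GNU stat, that winbindd runs as root and starts only when its privileged pipe directory is owned by that user with permission bits 750 (the condition behind "invalid permissions on socket directory"), and that Squid's group is named squid; the helper name check_priv_dir is hypothetical.

```shell
# check_priv_dir DIR GROUP [OWNER]   (hypothetical helper, added example)
# Returns 0 only if DIR is owned by OWNER (default root), has permission
# bits 750 and is group-owned by GROUP; otherwise prints one finding each.
check_priv_dir() {
  dir=$1; want_group=$2; want_owner=${3:-root}
  if [ ! -d "$dir" ]; then
    echo "missing directory: $dir"
    return 2
  fi
  # GNU stat: %U owner name, %G group name, %a octal permission bits
  set -- $(stat -c '%U %G %a' "$dir")
  owner=$1; group=$2
  # Keep only the last three octal digits (setuid/setgid/sticky are ignored).
  mode=$(printf '%s' "$3" | tail -c 3)
  rc=0
  if [ "$owner" != "$want_owner" ]; then
    echo "owner is $owner, winbindd expects $want_owner"; rc=1
  fi
  if [ "$mode" != "750" ]; then
    echo "mode is $mode, winbindd expects 750"; rc=1
  fi
  if [ "$group" != "$want_group" ]; then
    echo "group is $group, the Squid helper needs $want_group"; rc=1
  fi
  if [ "$rc" -ne 0 ]; then
    echo "suggested: chown $want_owner '$dir'; chgrp $want_group '$dir'; chmod 750 '$dir'"
  fi
  return "$rc"
}

# Demo on a constructed directory so the block runs without Samba installed.
demo=$(mktemp -d)
chmod 770 "$demo"   # deliberately too permissive
check_priv_dir "$demo" "$(id -gn)" "$(id -un)" || echo "(findings listed above)"
rm -rf "$demo"
# On the proxy itself: check_priv_dir /var/lib/samba/winbindd_privileged squid
```

With the directory left as root:squid and mode 750, the Squid helper reaches the pipe through group membership and winbindd's own startup check still passes.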
