Squid authenticating against ADS without prompting the user


Squid authenticating against ADS without prompting the user

Darren Maskowitz
The hard drive on the Squid proxy just died, and I'm trying to get the
replacement to work. The proxy was running on Fedora Core 3 using
Squid 2 and Samba 3.x. The replacement is running Fedora Core 6 and
Squid 2.6 STABLE7 and Samba 3.0.23. I have managed to join the
replacement to our Active Directory Domain here and have it
authenticate against it. However, unlike its predecessor, it prompts
the user for name and password the first time. Unfortunately I didn't
set up the original and the admin that did the setup is no longer here.
Can anyone give me some pointers to what I might have missed configuring?

Re: Squid authenticating against ADS without prompting the user

Ian Barnes-4
Hi Darren,

Can you provide a copy of the squid.conf as well as the smb.conf and
the commands you ran to join the server to the domain?

Thanks
Ian

On 9/7/07, Darren Maskowitz <[hidden email]> wrote:

Re: Squid authenticating against ADS without prompting the user

Darren Maskowitz
Here are parsed versions of the conf files:

Squid.conf

http_port 80
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 32 MB
maximum_object_size 1048576 KB
cache_dir ufs /var/spool/squid 3072 16 256
logformat squid  %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 20
auth_param ntlm keep_alive on

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic children 15
auth_param basic realm computronix.com
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

acl all src 0.0.0.0/0.0.0.0
acl windowsupdate dstdomain .microsoft.com .windowsupdate.com
acl AuthorizedUsers proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl squidmeister src 206.75.5.44/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 80 443 563 1494 2598
acl Safe_ports port 80 # http
acl Safe_ports port 81          # Autorpm.org
acl Safe_ports port 89          # Oracle Technical Forums
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access allow manager squidmeister
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all AuthorizedUsers
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all


And smb.conf

[global]
        workgroup = NTDOMAIN
        realm = DOMAIN.COM
        server string = CX Canada's SQUID Web Proxy
        security = ADS
        password server = 206.75.5.19
        log file = /var/log/samba/%m.log
        max log size = 500
        preferred master = No
        domain master = No
        dns proxy = No
        idmap uid = 16777216-33554431
        idmap gid = 16777216-33554431
        winbind separator = +
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes

The command I used to join to the domain was: net ads join -U accountname.
I also found today that it is only Vista users (there are 2 of us
using Vista to find out if we can deploy it here yet, and I am one of
them) who are getting prompted to authenticate. Also, Squid will not
authenticate through the Windows prompt; however, the Firefox prompt is
accepted and I can browse with that.

Thanks,
Darren

On 9/6/07, Ian <[hidden email]> wrote:
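One thing worth checking in the posted squid.conf is the helper protocol each auth scheme is wired to: ntlm_auth speaks squid-2.5-ntlmssp for the ntlm scheme, squid-2.5-basic for the basic scheme and gss-spnego for negotiate, yet the config above hands the basic scheme the ntlmssp helper. The script below is an added example (not from this thread) that lints auth_param lines for exactly that scheme/protocol mismatch; the SAMPLE_CONF is constructed from the posted lines and the scheme-to-protocol table is an assumption based on the documented ntlm_auth modes.

```python
"""Lint squid.conf auth_param lines for ntlm_auth scheme/helper-protocol mismatches."""
import re

# Which ntlm_auth --helper-protocol each Squid auth scheme expects (assumed from
# the documented ntlm_auth modes: squid-2.5-basic, squid-2.5-ntlmssp, gss-spnego).
HELPER_PROTOCOL_FOR_SCHEME = {
    "basic": "squid-2.5-basic",
    "ntlm": "squid-2.5-ntlmssp",
    "negotiate": "gss-spnego",
}

AUTH_PARAM_RE = re.compile(r"^\s*auth_param\s+(\w+)\s+program\s+(.+?)\s*$")
PROTO_RE = re.compile(r"--helper-protocol=([\w.-]+)")


def parse_auth_programs(conf_text):
    """Return {scheme: helper_protocol or None} for every ntlm_auth program line."""
    found = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing squid.conf comments
        m = AUTH_PARAM_RE.match(line)
        if not m:
            continue
        scheme, cmdline = m.group(1).lower(), m.group(2)
        if "ntlm_auth" not in cmdline:
            continue  # other helpers have their own conventions; not checked here
        p = PROTO_RE.search(cmdline)
        found[scheme] = p.group(1) if p else None
    return found


def find_mismatches(conf_text):
    """Return [(scheme, actual_protocol, expected_protocol)] for misconfigured lines."""
    problems = []
    for scheme, proto in parse_auth_programs(conf_text).items():
        expected = HELPER_PROTOCOL_FOR_SCHEME.get(scheme)
        if expected is not None and proto != expected:
            problems.append((scheme, proto, expected))
    return problems


# Constructed sample: the auth_param program lines as posted in this thread.
SAMPLE_CONF = """\
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 20
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic children 15
"""

if __name__ == "__main__":
    for scheme, actual, expected in find_mismatches(SAMPLE_CONF):
        print(f"auth_param {scheme}: helper speaks {actual}, expected {expected}")
```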