# SQUID problem

## istrice00

Hi everyone, I have a big problem with Squid and I can't solve it.

I installed Samba 3.0.22-r2 and Squid 2.5.13.

My goal is to manage domain (NT) groups for web browsing. In practice I created two groups in the domain: MI_Proxy1 (no internet) and MI_Proxy2 (full internet). The problem is that when I try to open a site, a popup window appears asking for username and password, even though the user is in the correct group.

Here is the error:

```
The following error was encountered:

    * Cache Access Denied. 

Sorry, you are not currently allowed to request:

    http://www.google.it/

from this cache until you have authenticated yourself.
```

I joined the domain with Samba, and if I run wbinfo -g I can see the domain groups.

Here are my squid.conf and smb.conf:

```
SQUID.CONF

http_port 10.1.20.x:80
visible_hostname Squid.MYDOMAIN-MI
logfile_rotate 12
cache_access_log none
cache_store_log none

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate on

# the basic-auth fallback needs ntlm_auth's basic helper protocol, not the NTLMSSP one
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

external_acl_type wb_group concurrency=5 ttl=900 %LOGIN /usr/lib/squid/wbinfo_group.pl

# Group authentication
acl password proxy_auth REQUIRED
acl internetfull external wb_group -i "/etc/squid/etc/MI_Proxy2"
acl nointernet external wb_group -i "/etc/squid/etc/MI_Proxy1"
acl time_acl time M T W H F 8:30-19:00
http_access allow password internetfull

# Port configuration
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl locallans src 10.1.0.0/255.255.0.0
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 8444
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow locallans
http_access deny all
```

```
SMB.CONF

[global]
        workgroup = MYDOMAIN-MI
        netbios name = SQUID
        realm = DOM.MYDOMAIN.IT
        server string = Linux Samba Server SQUID
        security = domain
        encrypt passwords = yes
        password server = Server1, Server2
        log file = /var/log/samba/%m.log
        max log size = 0
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        preferred master = False
        local master = No
        domain master = False
        dns proxy = No
        wins server = Server1, Server3, Server2
        winbind separator = @
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        idmap uid = 16777216-33554431
        idmap gid = 16777216-33554431
```

Thanks!
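
The http_access section of the posted squid.conf decides access by first match, and the order of the lines matters more than the group definitions. The script below is an added example (mine, not code from the thread or from Squid) that replays Squid's evaluation rules over the user-facing lines of the posted config and over a reordered set that enforces the intended two-group policy. Addresses, the username mbianchi and the group memberships are constructed; MI_Proxy1/MI_Proxy2 membership stands in for the wbinfo_group.pl lookup behind the wb_group external ACL, and only requests with no credentials or with valid credentials are modelled.

```python
"""
Added example; not code from the thread or from Squid.

Replays Squid's http_access semantics over the user-facing lines of the
posted squid.conf and over a reordered set that enforces the intended
two-group policy:
  * lines are tested top to bottom; a line matches only when every ACL on
    it matches; the first matching line decides; if no line matches the
    result is the opposite of the last line's verb;
  * a proxy_auth ACL met by a request without credentials stops evaluation
    with a 407 challenge, whatever the line's verb.
Group membership stands in for the wb_group lookup that wbinfo_group.pl
performs; requests with a wrong password are not modelled. Addresses,
usernames and memberships are constructed.
"""
from ipaddress import ip_address, ip_network

ALLOW, DENY, CHALLENGE = "ALLOW", "DENY", "407 challenge"

# ACLs from the posted squid.conf that the http_access lines below use
ACLS = {
    "password":     ("proxy_auth", "REQUIRED"),
    "internetfull": ("group", "MI_Proxy2"),      # external wb_group MI_Proxy2
    "nointernet":   ("group", "MI_Proxy1"),      # external wb_group MI_Proxy1
    "locallans":    ("src", "10.1.0.0/16"),      # 10.1.0.0/255.255.0.0
    "all":          ("src", "0.0.0.0/0"),
}

# The posted order. Port/method lines are left out: they match or fail on
# the request's port and method, not on the user, so they do not change
# the outcomes below.
POSTED_RULES = [
    ("allow", ["password", "internetfull"]),
    ("allow", ["locallans"]),
    ("deny",  ["all"]),
]

# Reordered so that the LAN only gets through with valid credentials and
# MI_Proxy2 membership; "!acl" negates an ACL as in squid.conf.
HARDENED_RULES = [
    ("deny",  ["!password"]),
    ("allow", ["locallans", "internetfull"]),
    ("deny",  ["all"]),
]


def request(src, user=None, groups=()):
    """A request as the ACLs see it: client address, authenticated user
    (None before credentials arrive) and the user's domain groups."""
    return {"src": src, "user": user, "groups": set(groups)}


def match_acl(name, req):
    """True/False for a match, or CHALLENGE for proxy_auth without credentials."""
    negate = name.startswith("!")
    kind, arg = ACLS[name.lstrip("!")]
    if kind == "proxy_auth":
        if req["user"] is None:
            return CHALLENGE          # Squid answers 407 here, allow or deny
        matched = True
    elif kind == "group":
        matched = req["user"] is not None and arg in req["groups"]
    elif kind == "src":
        matched = ip_address(req["src"]) in ip_network(arg)
    else:
        raise ValueError(kind)
    return (not matched) if negate else matched


def http_access(rules, req):
    """First-match evaluation. Returns (verdict, index of the deciding line);
    the index is None when the implicit default applied."""
    for i, (verb, acls) in enumerate(rules):
        verdict_for_line = ALLOW if verb == "allow" else DENY
        for name in acls:
            m = match_acl(name, req)
            if m == CHALLENGE:
                return CHALLENGE, i
            if not m:
                break                 # one ACL failed: the line does not match
        else:
            return verdict_for_line, i
    return (DENY if rules[-1][0] == "allow" else ALLOW), None


CASES = {
    "10.1.4.10, no credentials yet": request("10.1.4.10"),
    "10.1.4.10, rrossi in MI_Proxy2": request("10.1.4.10", "rrossi", ["MI_Proxy2"]),
    "10.1.4.10, mbianchi in MI_Proxy1": request("10.1.4.10", "mbianchi", ["MI_Proxy1"]),
    "192.168.9.9, rrossi in MI_Proxy2": request("192.168.9.9", "rrossi", ["MI_Proxy2"]),
}

if __name__ == "__main__":
    for label, req in CASES.items():
        posted = http_access(POSTED_RULES, req)
        hardened = http_access(HARDENED_RULES, req)
        print(f"{label:36} posted: {posted}   hardened: {hardened}")
```

Running it shows that with the posted order a LAN user who authenticates but is only in MI_Proxy1 is let through by `http_access allow locallans`, and a member of MI_Proxy2 is let through from any source address, so the nointernet and time_acl ACLs never take effect (neither appears on an http_access line). Putting the group test on the locallans line and closing with `deny all` gives the policy the two groups were created for.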

----------

## .:chrome:.

I would go straight to the logs.

In Squid's you shouldn't find much apart from the access denied, but at least you could see why it happens, that is, whether the password is actually wrong or whether it cannot be verified, in which case the problem is in the helper.

If it is a helper problem there isn't much to say: recheck the configuration; if instead it tells you the password is wrong, check the Samba logs.

Just a little hint: depending on how you configure the domain, it may be that to log in correctly you have to use the string DOMAIN\user or user@DOMAIN or user:DOMAIN.

----------

## istrice00

 *k.gothmog wrote:*   

> I would go straight to the logs.
> 
> In Squid's you shouldn't find much apart from the access denied, but at least you could see why it happens, that is, whether the password is actually wrong or whether it cannot be verified, in which case the problem is in the helper.
> 
> If it is a helper problem there isn't much to say: recheck the configuration; if instead it tells you the password is wrong, check the Samba logs.
> ...

 

Thanks for the info!

I looked at the various logs

smbd.log

```
[2006/05/18 09:00:06, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(195)
  startsmbfilepwent_internal: file /var/lib/samba/private/smbpasswd did not exist. File successfully created.
[2006/05/24 10:08:27, 0] lib/util_sock.c:get_peer_addr(1225)
  getpeername failed. Error was Transport endpoint is not connected
[2006/05/24 10:08:27, 0] lib/util_sock.c:get_peer_addr(1225)
  getpeername failed. Error was Transport endpoint is not connected
[2006/05/24 10:20:25, 0] lib/util_sock.c:get_peer_addr(1225)
  getpeername failed. Error was Transport endpoint is not connected
```

winbindd.log

```
[2006/05/24 10:07:23, 0] auth/auth_util.c:make_server_info_info3(1297)
  make_server_info_info3: pdb_init_sam failed!
[2006/05/24 10:08:27, 0] auth/auth_util.c:make_server_info_info3(1297)
  make_server_info_info3: pdb_init_sam failed!
[2006/05/24 10:08:27, 0] lib/util_sock.c:write_data(557)
  write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer
[2006/05/24 10:08:27, 0] lib/util_sock.c:send_smb(765)
  Error writing 4 bytes to client. -1. (Connection reset by peer)
[2006/05/24 10:08:36, 0] auth/auth_util.c:make_server_info_info3(1297)
  make_server_info_info3: pdb_init_sam failed!
[2006/05/24 10:09:34, 0] auth/auth_util.c:make_server_info_info3(1297)
  make_server_info_info3: pdb_init_sam failed!
[2006/05/24 10:19:26, 0] auth/auth_util.c:make_server_info_info3(1297)
  make_server_info_info3: pdb_init_sam failed!
[2006/05/24 10:20:25, 0] lib/util_sock.c:write_data(557)
  write_data: write failure in writing to client 10.1.7.193. Error Connection reset by peer
[2006/05/24 10:20:25, 0] lib/util_sock.c:send_smb(765)
  Error writing 4 bytes to client. -1. (Connection reset by peer)
[2006/05/24 10:20:25, 0] auth/auth_util.c:make_server_info_info3(1297)
  make_server_info_info3: pdb_init_sam failed!
```

SQUID access.log

```
1148393294.074     84 10.1.4.10 TCP_DENIED/407 1773 GET http://www.google.it/ - NONE/- text/html
1148393294.122     33 10.1.4.10 TCP_DENIED/407 1921 GET http://www.google.it/ - NONE/- text/html
1148393294.127      5 10.1.4.10 TCP_DENIED/407 1773 GET http://www.google.it/ - NONE/- text/html
1148393299.331      1 10.1.4.10 TCP_DENIED/407 1921 GET http://www.google.it/ - NONE/- text/html
1148393299.342     11 10.1.4.10 TCP_DENIED/407 1773 GET http://www.google.it/ - NONE/- text/html
1148393304.952      1 10.1.4.10 TCP_DENIED/407 1773 GET http://www.google.it/ rrossi NONE/- text/html
1148393372.122     59 10.1.4.10 TCP_DENIED/407 1842 GET http://forums.gentoo.org/viewforum-f-41.html - NONE/- text/html
1148393372.193     29 10.1.4.10 TCP_DENIED/407 1990 GET http://forums.gentoo.org/viewforum-f-41.html - NONE/- text/html
1148393372.207     13 10.1.4.10 TCP_DENIED/407 1842 GET http://forums.gentoo.org/viewforum-f-41.html - NONE/- text/html
1148393638.589     41 10.1.4.10 TCP_DENIED/407 1791 GET http://www.google.it/webhp? - NONE/- text/html
1148393638.607     10 10.1.4.10 TCP_DENIED/407 1939 GET http://www.google.it/webhp? - NONE/- text/html
1148393638.618     11 10.1.4.10 TCP_DENIED/407 1791 GET http://www.google.it/webhp? - NONE/- text/html
1148393644.361      2 10.1.4.10 TCP_DENIED/407 1939 GET http://www.google.it/webhp? - NONE/- text/html
1148393644.367      6 10.1.4.10 TCP_DENIED/407 1791 GET http://www.google.it/webhp? - NONE/- text/html
```

cache.log

```
  Login for user [mydomain-mi]\[r.rossi]@[rossiworkstation] failed due to [winbind client not authorized to use winbindd_pam_auth_cr$
[2006/05/24 16:11:55, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(603)
  NTLMSSP BH: NT_STATUS_ACCESS_DENIED
2006/05/24 16:11:55| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
[2006/05/24 16:12:28, 0] utils/ntlm_auth.c:winbind_pw_check(429)
  Login for user []\[mydomain-mi]\[r.rossi]@[rossiworkstation] failed due to [winbind client not authorized to use winbindd_pam_auth_cr$
2006/05/24 16:12:28| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
[2006/05/24 16:12:28, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(603)
  NTLMSSP BH: NT_STATUS_ACCESS_DENIED
[2006/05/24 16:15:47, 0] utils/ntlm_auth.c:winbind_pw_check(429)
  Login for user [mydomain-MI]\[mydomain-mi]\[r.rossi]@[rossiworkstation] failed due to [winbind client not authorized to use winbindd_pam_auth_cra$
2006/05/24 16:15:47| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
[2006/05/24 16:15:47, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(603)
  NTLMSSP BH: NT_STATUS_ACCESS_DENIED
[2006/05/24 16:16:00, 0] utils/ntlm_auth.c:winbind_pw_check(429)
  Login for user [mydomain-MI]\[mydomain-mi]\[r.rossi]@[rossiworkstation] failed due to [winbind client not authorized to use winbindd_pam_auth_cra$
[2006/05/24 16:16:00, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(603)
  NTLMSSP BH: NT_STATUS_ACCESS_DENIED
2006/05/24 16:16:00| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
```

I set the permissions like this

```
drwxr-x---  2 root samba   4096 2006-05-24 10:22 winbindd_privileged
```

Suggestions welcome!
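
The cache.log line `winbind client not authorized to use winbindd_pam_auth_crap` is winbindd refusing a challenge/response check that did not arrive over its privileged pipe, and the `drwxr-x--- root samba winbindd_privileged` listing above is exactly the check that decides it: ntlm_auth in squid-2.5-ntlmssp mode opens that pipe inside winbindd_privileged/, and it runs inside helper children that Squid spawns as cache_effective_user, so that account must be able to enter the directory. The script below is an added example (mine, not from the thread, Squid or Samba) that emulates that permission decision on the posted listing and can run the same check against a live host. The directory path and the helper user name `squid` are assumptions, and the uid/gid numbers are constructed.

```python
"""
Added example; not code from the thread, Squid or Samba.

winbindd only honours pam_auth_crap (the NTLM challenge/response check that
ntlm_auth --helper-protocol=squid-2.5-ntlmssp needs) on its privileged pipe,
which lives in the winbindd_privileged/ directory. winbindd creates that
directory mode 0750; the administrator puts a group on it (the thread uses
"samba") and every process that runs ntlm_auth, i.e. Squid's helper children
running as cache_effective_user, must own it, be in that group, or be root.

Assumptions not taken from the thread: the directory path and the helper
user name "squid". The uid/gid numbers in thread_case() are constructed.
"""
import grp
import os
import pwd
import stat

PRIV_DIR = "/var/lib/samba/winbindd_privileged"   # assumed; depends on the Samba build
HELPER_USER = "squid"                              # assumed cache_effective_user


def can_search_dir(mode, dir_uid, dir_gid, uid, gid, sup_gids):
    """Emulate the kernel check for entering a directory (the x bit).

    Exactly one class of bits applies: the owner's if uid matches, else the
    group's if the directory gid is the user's primary or a supplementary
    group, else 'other'. root bypasses the check entirely.
    """
    if uid == 0:
        return True
    if uid == dir_uid:
        return bool(mode & stat.S_IXUSR)
    if dir_gid == gid or dir_gid in sup_gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def thread_case():
    """The listing posted in the thread, drwxr-x--- root samba, with a helper
    user 'squid' whose only group is its own (constructed ids).
    Returns (access before the fix, access after adding squid to group samba)."""
    root_uid, samba_gid, squid_uid, squid_gid = 0, 200, 101, 101
    mode = 0o750
    before = can_search_dir(mode, root_uid, samba_gid, squid_uid, squid_gid, [])
    after = can_search_dir(mode, root_uid, samba_gid, squid_uid, squid_gid, [samba_gid])
    return before, after


def check_live(path=PRIV_DIR, user=HELPER_USER):
    """Run the same decision against the real filesystem and account database.
    Returns (ok, human-readable verdict)."""
    st = os.stat(path)
    pw = pwd.getpwnam(user)
    sup = [g.gr_gid for g in grp.getgrall() if user in g.gr_mem]
    ok = can_search_dir(st.st_mode, st.st_uid, st.st_gid, pw.pw_uid, pw.pw_gid, sup)
    group = grp.getgrgid(st.st_gid).gr_name
    if ok:
        return True, f"{user} can enter {path} (group {group})"
    return False, (f"{user} cannot enter {path}: add it to group {group} "
                   f"(gpasswd -a {user} {group}) and restart squid so the "
                   f"helper children are started with the new group")


if __name__ == "__main__":
    before, after = thread_case()
    print("posted listing, squid not in group samba:", "ok" if before else "DENIED")
    print("after gpasswd -a squid samba:            ", "ok" if after else "DENIED")
    if os.path.isdir(PRIV_DIR):
        print(check_live()[1])
```

The emulation points at the fix a practitioner would apply: put the helper user into the directory's group (`gpasswd -a squid samba`) and restart Squid, because supplementary groups are assigned when a process starts and helper children already running keep the old set.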

----------

## .:chrome:.

But... does Samba work? Have you had a chance to test it?

----------

## istrice00

 *k.gothmog wrote:*   

> But... does Samba work? Have you had a chance to test it?

 

I tried testing the configuration with:

```
squid ~ # wbinfo -t
checking the trust secret via RPC calls succeeded
```

```
squid ~ # wbinfo -D MYDOMAIN-MI
Name              : MYDOMAIN-MI
Alt_Name          :
SID               : S-1-5-21-1374188882-1371227389-1777090905
Active Directory  : No
Native            : No
Primary           : Yes
Sequence          : 90459
```

```
squid ~ # wbinfo --sequence
MYDOMAIN : 6672
NISGROUP : DISCONNECTED
SQUID : 1
BUILTIN : 1
MYDOMAIN-MI : 90459
```

everything OK except these errors:

```
squid ~ # wbinfo -a MYDOMAIN-MI\\rrossi%password
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user MYDOMAIN-MI\rrossi%password with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user MYDOMAIN-MI\rrossi with challenge/response
```

If instead I remove the domain, the user is recognized correctly

```
squid ~ # wbinfo -a rrossi%password
plaintext password authentication succeeded
challenge/response password authentication succeeded
```

Using wbinfo -u and -g I can get the list of users and groups.

----------

