[squid-users] Problems with squi3
squid3 at treenet.co.nz
Mon Nov 30 07:41:36 UTC 2015
On 30/11/2015 5:44 p.m., Marcio Demetrio Bacci wrote:
> I have the following problem with squid3 (3.1) on samba4:
> In /var/log/squid3/cache.log appear this information:
> 2015/11/29 23:53:53| storeLateRelease: released 0 objects
> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
This is not a problem with Squid.
This is a problem with the client delivering credentials for a DOMAIN
which is not one of yours.
> Could not lookup name domain^users
Apparently they are logging in with credentials such as
"domain^users/Bob" instead of "EMPRESA/Bob"
> failed to call wbcStringToSid: WBC_ERR_INVALID_PARAM
> Could not convert sid to gid
Which in turn means that they cannot be a member of any group within
your DC's domain/realm.
> The followings commands returned "Success"
> wbinfo -g
> wbinfo -u
> wbinfo -i <domainuser>
> getent passwd
> kinit user at DOMAIN
> klist -l
> hostname -f
> hostname -d
> hostname -s
> net ads testjoin
> ntlm_auth --help-protocol=squid-2.5-basic --domain=empresa
You appear to be setting up for Kerberos authentication.
Then using Basic authentication with the Samba helper.
> Here is my* smb.conf*
> netbios name = DC1
> workgroup = EMPRESA
> security = ads
> realm = EMPRESA.COM
> encrypt passwords = yes
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> preferred master = no
> idmap config *:backend = tdb
> idmap config *:range = 1000-3000
> idmap config CMB:backend = ad
> idmap config CMB:schema_mode = rfc2307
> idmap config CMB:range = 10000-9999999
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
So what is that default domain?
Could it be "domain^ysers" by chance?
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
> username map = /etc/samba/user.map
> Following the authentication block of my *squid.conf*
> # NTLM
> auth_param ntlm program /usr/bin/ntlm_auth
> auth_param ntlm children 20
> auth_param ntlm keep_alive on
> # BASIC
> auth_param basic program /usr/bin/ntlm_auth
> auth_param basic children 5
> auth_param basic realm "WEB PROXY"
> auth_param basic credentialsttl 8 hours
> external_acl_type ad_group %LOGIN /usr/lib/squid3/wbinfo_group.pl
> My *krb5.conf*
Negotiate authentication is not configured in your squid.conf. Kerberos
details are irrelevant.
More information about the squid-users