[squid-users] Problems with squid3

Amos Jeffries squid3 at treenet.co.nz
Mon Nov 30 07:41:36 UTC 2015


On 30/11/2015 5:44 p.m., Marcio Demetrio Bacci wrote:
> Hi,
> 
> I have the following problem with squid3 (3.1) on samba4:
> 
> In /var/log/squid3/cache.log this information appears:
> 
> 2015/11/29 23:53:53| storeLateRelease: released 0 objects
> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND

This is not a problem with Squid.

This is a problem with the client delivering credentials for a DOMAIN
which is not one of yours.

> Could not lookup name domain^users

Apparently they are logging in with credentials such as
"domain^users/Bob" instead of "EMPRESA/Bob"

> failed to call wbcStringToSid: WBC_ERR_INVALID_PARAM
> Could not convert sid  to gid

Which in turn means that they cannot be a member of any group within
your DC's domain/realm.



> 
> The following commands returned "Success"
> wbinfo -g
> wbinfo -u
> wbinfo -i <domainuser>
> getent passwd
> kinit user@DOMAIN
> klist -l
> hostname -f
> hostname -d
> hostname -s
> net ads testjoin
> ntlm_auth --help-protocol=squid-2.5-basic --domain=empresa --username=domain-user

You appear to be setting up for Kerberos authentication.
Then using Basic authentication with the Samba helper.

> 
> Here is my *smb.conf*
> 
> [global]
>   netbios name = DC1
>   workgroup = EMPRESA
>   security = ads
>   realm = EMPRESA.COM
>   encrypt passwords = yes
>   dedicated keytab file = /etc/krb5.keytab
>   kerberos method = secrets and keytab
>   preferred master = no
>   idmap config *:backend = tdb
>   idmap config *:range = 1000-3000
>   idmap config CMB:backend = ad
>   idmap config CMB:schema_mode = rfc2307
>   idmap config CMB:range = 10000-9999999
> 
>   winbind nss info = rfc2307
>   winbind trusted domains only = no
>   winbind use default domain = yes

So what is that default domain?
 Could it be "domain^users" by chance?


>   winbind enum users = yes
>   winbind enum groups = yes
>   winbind refresh tickets = yes
> 
>   vfs objects = acl_xattr
>   map acl inherit = Yes
>   store dos attributes = Yes
>   username map = /etc/samba/user.map
> 
> 
> Following is the authentication block of my *squid.conf*
> 
> ...
> # NTLM
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 20
> auth_param ntlm keep_alive on
> 
> 
> # BASIC
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm "WEB PROXY"
> auth_param basic credentialsttl 8 hours
> 
> external_acl_type ad_group %LOGIN /usr/lib/squid3/wbinfo_group.pl
> ...
> 
> My *krb5.conf*
> 
> #KERBEROS
> 

Negotiate authentication is not configured in your squid.conf. Kerberos
details are irrelevant.


Amos
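
A triage aid for the cache.log messages discussed in this thread, added here as an example (it is not code from the original post, Squid or Samba): it pairs each failed wbcLookupName with the name that could not be resolved and reports whether that name carries a domain part matching the smb.conf workgroup. The log sample is constructed in the format quoted above, and the function name and the separator set (\, /, +) are assumptions.

```python
import re

# Constructed sample in the format of the cache.log excerpt quoted in this thread.
SAMPLE_LOG = "\n".join([
    "2015/11/29 23:53:53| storeLateRelease: released 0 objects",
    "failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND",
    "Could not lookup name domain^users",
    "failed to call wbcStringToSid: WBC_ERR_INVALID_PARAM",
    "Could not convert sid  to gid",
    "failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND",
    "Could not lookup name OTHERDOM/staff",  # constructed name
])

WBC_FAIL = re.compile(r"^failed to call (wbc\w+): (WBC_ERR_\w+)$")
NAME_FAIL = re.compile(r"^Could not lookup name (.+)$")
# Assumption: characters that may separate a domain part from the account name.
SEPARATORS = re.compile(r"[\\/+]")


def failed_lookups(log_text, workgroup):
    """Return one record per failed wbcLookupName found in log_text."""
    records = []
    pending_error = None  # error code of the wbcLookupName line just seen
    for raw in log_text.splitlines():
        line = raw.strip()
        fail = WBC_FAIL.match(line)
        if fail:
            # Only wbcLookupName failures are followed by a "lookup name" line.
            pending_error = fail.group(2) if fail.group(1) == "wbcLookupName" else None
            continue
        named = NAME_FAIL.match(line)
        if named and pending_error:
            name = named.group(1)
            parts = SEPARATORS.split(name, maxsplit=1)
            domain = parts[0] if len(parts) == 2 else None
            records.append({
                "name": name,
                "error": pending_error,
                "domain": domain,  # None when the name has no domain part
                "in_workgroup": domain is not None
                and domain.upper() == workgroup.upper(),
            })
        pending_error = None
    return records


if __name__ == "__main__":
    for rec in failed_lookups(SAMPLE_LOG, "EMPRESA"):
        print(rec)
```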

