[squid-users] Arch + Squid 4.7 + Active Directory Auth

Hernan Saltiel hsaltiel at gmail.com
Mon May 27 14:15:22 UTC 2019


Hi all,
    I'm trying to install a brand new Squid 4.7 on an Arch GNU/Linux
(Kernel 5.0.7), authorizing its users against Active Directory, based on a
Windows 2008 R2 Domain.
    I configured samba4 on the Arch machine, and it looks to be working well.
wbinfo commands get executed and give correct output.
    But when using Squid, I get messages like the following all the time:

2019/05/27 04:08:12 kid1| Set Current Directory to /var/spool/squid
2019/05/27 04:08:12 kid1| Starting Squid Cache version 4.7 for
x86_64-pc-linux-gnu...
2019/05/27 04:08:12 kid1| Service Name: squid
2019/05/27 04:08:12 kid1| Process ID 7584
2019/05/27 04:08:12 kid1| Process Roles: worker
2019/05/27 04:08:12 kid1| With 1024 file descriptors available
2019/05/27 04:08:12 kid1| Initializing IP Cache...
2019/05/27 04:08:12 kid1| DNS Socket created at [::], FD 7
2019/05/27 04:08:12 kid1| DNS Socket created at 0.0.0.0, FD 10
2019/05/27 04:08:12 kid1| Adding domain ciabernal.local from
/etc/resolv.conf
2019/05/27 04:08:12 kid1| Adding domain ciabernal.local from
/etc/resolv.conf
2019/05/27 04:08:12 kid1| Adding nameserver 192.168.32.5 from
/etc/resolv.conf
2019/05/27 04:08:12 kid1| helperOpenServers: Starting 0/10
'negotiate_wrapper' processes
2019/05/27 04:08:12 kid1| helperStatefulOpenServers: No 'negotiate_wrapper'
processes needed.
2019/05/27 04:08:12 kid1| helperOpenServers: Starting 0/10 'ntlm_auth'
processes
2019/05/27 04:08:12 kid1| helperStatefulOpenServers: No 'ntlm_auth'
processes needed.
2019/05/27 04:08:12 kid1| helperOpenServers: Starting 0/10
'basic_ldap_auth' processes
2019/05/27 04:08:12 kid1| helperOpenServers: No 'basic_ldap_auth' processes
needed.
2019/05/27 04:08:12 kid1| helperOpenServers: Starting 0/5
'ext_ldap_group_acl' processes
2019/05/27 04:08:12 kid1| helperOpenServers: No 'ext_ldap_group_acl'
processes needed.
2019/05/27 04:08:12 kid1| Logfile: opening log /var/log/squid/access.log
2019/05/27 04:08:12 kid1| WARNING: log name now starts with a module name.
Use 'stdio:/var/log/squid/access.log'
2019/05/27 04:08:12 kid1| Local cache digest enabled; rebuild/rewrite every
3600/3600 sec
2019/05/27 04:08:12 kid1| Store logging disabled
2019/05/27 04:08:12 kid1| Swap maxSize 0 + 262144 KB, estimated 20164
objects
2019/05/27 04:08:12 kid1| Target number of buckets: 1008
2019/05/27 04:08:12 kid1| Using 8192 Store buckets
2019/05/27 04:08:12 kid1| Max Mem  size: 262144 KB
2019/05/27 04:08:12 kid1| Max Swap size: 0 KB
2019/05/27 04:08:12 kid1| Using Least Load store dir selection
2019/05/27 04:08:12 kid1| Set Current Directory to /var/spool/squid
2019/05/27 04:08:12 kid1| Finished loading MIME types and icons.
2019/05/27 04:08:12 kid1| HTCP Disabled.
2019/05/27 04:08:12 kid1| Squid plugin modules loaded: 0
2019/05/27 04:08:12 kid1| Adaptation support is off.
2019/05/27 04:08:12 kid1| Accepting HTTP Socket connections at
local=[::]:3128 remote=[::] FD 12 flags=9
2019/05/27 04:08:13 kid1| storeLateRelease: released 0 objects
2019/05/27 04:08:22 kid1| Starting new negotiateauthenticator helpers...
2019/05/27 04:08:22 kid1| helperOpenServers: Starting 1/10
'negotiate_wrapper' processes
negotiate_kerberos_auth.cc(489): pid=7586 :2019/05/27 04:08:22|
negotiate_kerberos_auth: INFO: Starting version 3.1.0sq
negotiate_kerberos_auth.cc(548): pid=7586 :2019/05/27 04:08:22|
negotiate_kerberos_auth: INFO: Setting keytab to FILE:/etc/krb5.keytab
negotiate_kerberos_auth.cc(572): pid=7586 :2019/05/27 04:08:22|
negotiate_kerberos_auth: INFO: Changed keytab to
MEMORY:negotiate_kerberos_auth_7586
directory_create_or_exist_strict: invalid ownership on directory
/var/cache/samba/msg.lock
cmdline_messaging_context: Unable to initialize messaging context.
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[Global]"
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Got NTLMSSP neg_flags=0xe2088297
Got user=[user01] domain=[mydomain] workstation=[MYPC] len1=24 len2=304
Login for user [mydomain]\[user01]@[MYPC] failed due to [Reading winbind
reply failed!]
GENSEC login failed: NT_STATUS_UNSUCCESSFUL
2019/05/27 04:08:22 kid1| ERROR: Negotiate Authentication validating user.
Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL
NT_STATUS_UNSUCCESSFUL; }}

    Some questions I have:

1) About the message:

directory_create_or_exist_strict: invalid ownership on directory
/var/cache/samba/msg.lock
cmdline_messaging_context: Unable to initialize messaging context.

    Checking the permissions, it has 755, so I really do not understand why
it's showing this. I don't know if there is some ownership rule or something
like that...

2) About the message:

Login for user [mydomain]\[user01]@[MYPC] failed due to [Reading winbind
reply failed!]

    I tried debugging Samba, but I see no message indicating anything here.
Any help would be really appreciated.

3) Is there any example configuration for Squid 4 + Samba 4 + Active
Directory? Sorry for this, but I see tons of information about Active
Directory for Samba 4 and Squid3, but not much about the configuration I'm
trying to have.
    I see several differences, for instance:

1) Use of "negotiate_wrapper".
2) Several aspects of files located on /var/lib/squid, where I do not see
the equivalence between them and the ones listed for Squid3, and visible on
tons of documentation.
3) Some docs say NTLM is deprecated, yet some still show ntlm_auth in
config files. This is why I really need to see an example for this
config...

    Thanks a lot in advance for your time and attention, and best regards.

-- 
HeCSa
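The cache.log excerpt in the post can be triaged mechanically. The script below is an added example, not code from the original post or from the Squid or Samba projects: it embeds the relevant lines from the post as a constructed sample and maps each known pattern to its usual cause and the check to run. The helper user name and the location of winbindd's privileged pipe directory are assumptions to verify on the host.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the relevant lines from the cache.log quoted in the post
SAMPLE_LOG = """\
2019/05/27 04:08:22 kid1| helperOpenServers: Starting 1/10 'negotiate_wrapper' processes
negotiate_kerberos_auth.cc(548): pid=7586 :2019/05/27 04:08:22| negotiate_kerberos_auth: INFO: Setting keytab to FILE:/etc/krb5.keytab
directory_create_or_exist_strict: invalid ownership on directory /var/cache/samba/msg.lock
cmdline_messaging_context: Unable to initialize messaging context.
Got NTLMSSP neg_flags=0xe2088297
Got user=[user01] domain=[mydomain] workstation=[MYPC] len1=24 len2=304
Login for user [mydomain]\\[user01]@[MYPC] failed due to [Reading winbind reply failed!]
GENSEC login failed: NT_STATUS_UNSUCCESSFUL
2019/05/27 04:08:22 kid1| ERROR: Negotiate Authentication validating user. Result: {result=BH, notes={message: NT_STATUS_UNSUCCESSFUL NT_STATUS_UNSUCCESSFUL; }}
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str   # "info" (expected noise) or "error" (breaks authentication)
    line: str
    cause: str
    check: str


# (rule name, severity, pattern, usual cause, what to check). Named groups in the
# pattern are substituted into the check text.
RULES = [
    ("samba-msg-lock", "info",
     re.compile(r"invalid ownership on directory (?P<path>\S+)"),
     "Samba's messaging init wants its lock directory owned by the uid running the "
     "helper; ntlm_auth is started by Squid as the unprivileged helper user, not root, "
     "so the warning is expected and the helper keeps going (it parsed the NTLMSSP token).",
     "stat {path} and compare the owner with cache_effective_user in squid.conf"),
    ("ntlmssp-mode", "info",
     re.compile(r"Got NTLMSSP neg_flags=0x[0-9a-f]+"),
     "The client put an NTLMSSP token inside the Negotiate header, so the wrapper "
     "dispatched to the NTLM helper rather than to negotiate_kerberos_auth.",
     "expected when the client has no Kerberos ticket for HTTP/<proxy-fqdn>; verify the "
     "keytab SPN and that browsers address the proxy by that FQDN"),
    ("winbind-reply", "error",
     re.compile(r"failed due to \[Reading winbind reply failed!\]"),
     "ntlm_auth got no usable answer from winbindd. In gss-spnego mode it talks over "
     "winbindd's privileged pipe, which only members of the group owning that directory "
     "may open; an unprivileged helper user that is not in the group fails exactly here.",
     "id <squid helper user>; ls -ld <winbindd_privileged dir> (assumed "
     "/var/lib/samba/winbindd_privileged); add the helper user to that group"),
    ("helper-bh", "error",
     re.compile(r"result=BH"),
     "BH is the Squid helper protocol's 'broken helper' reply: Squid treats the helper "
     "as malfunctioning, not the user as unauthenticated.",
     "fix the helper error reported just above it; every Negotiate attempt fails until then"),
]


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per matching log line, in log order."""
    findings = []
    for line in log_text.splitlines():
        for rule, severity, pattern, cause, check in RULES:
            m = pattern.search(line)
            if m:
                findings.append(Finding(rule, severity, line.strip(), cause,
                                        check.format(**m.groupdict())))
    return findings


def has_fatal(findings: List[Finding]) -> bool:
    """True when at least one finding explains a failed authentication."""
    return any(f.severity == "error" for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.rule}\n  line:  {f.line}\n  cause: {f.cause}\n  check: {f.check}")
```

The msg.lock warning and the NTLMSSP dispatch are classified as noise because the log itself shows the helper continuing past them; the "Reading winbind reply failed!" line is the one that turns into the BH result Squid reports. For the wrapper itself, Squid's documented form hands each helper its own command line after a flag, e.g. `negotiate_wrapper_auth --ntlm /usr/bin/ntlm_auth --helper-protocol=gss-spnego --domain=MYDOMAIN --kerberos /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME` (binary paths and the domain name here are assumptions).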