RE: [squid-users] NTLM & Domain Membership Issue (Squid Users forum, Web Server and Related Forums)
Hi Jay,

Sorry for the delayed response, but now I'm very busy.

At 07.16 27/07/2003, Jay Turner wrote:
> > -----Original Message-----
> > From: Serassio Guido [mailto:guido.serassio@acmeconsulting.it]
> > Sent: Saturday, 26 July 2003 3:20 PM
> > To: jturner@bsis.com.au
> > Cc: squid-users@squid-cache.org
> > Subject: Re: [squid-users] NTLM & Domain Membership Issue
> >
> > Hi,
> >
> > At 08.05 26/07/2003, Jay Turner wrote:
> >
> > >Hi All,
> > >
> > >I am experiencing an unusual problem with NTLM and Domain Membership.
> > >
> > >Environment:
> > >Red Hat 7.3
> > >Squid 2.5-STABLE2
> > >Samba 2.2.7-3.7.3 (Red Hat)
> > >Windows 2000 AD server (Native Mode with Pre-2000 compatibility)
> > >WinXP SP1, IE6 SP1 + all current patches applied
> > >
> > >Background:
> > >I have deployed Squid and NTLM a number of times now so I have a bit of
> > >experience installing & troubleshooting it.
> > >Winbindd is working correctly from the command line with wbinfo -t, -u,
> > >-g, -r and -a all performing correctly.
> > >wb_auth from the command line also works correctly and so does wb_group.
> > >So from what I can see Winbindd is working fine.
> > >
> > >If I have a client computer (Win2000 or WinXP) that is on the network, but
> > >not a member of the domain, and I access the proxy, I receive an
> > >authentication window. This is correct, as NTLM will fail as it is not a
> > >member of the domain and fall back to Basic. I can enter a valid
> > >username/password/domain and then access the proxy correctly. cache.log
> > >and access.log all report the correct behaviour as I expect.
> > >
> > >As soon as I add this client computer to become a member of the domain,
> > >everything stops working.
> > >NTLM authentication does not work, and neither does Basic authentication.
> > >The browser sits there for a second then displays the standard IE 'Page
> > >cannot be found'.
> > >
> > >I have increased debugging on Authentication in squid.conf and run
> > >winbindd in debug mode (winbindd -i -d 3) to try and establish the
> > >problem. When a client on the domain requests a page cache.log reports
> > >"authenticateValidateUser: Validating Auth_user request '0x8413238'"
> > >"authenticateValidateUser: Validated Auth_user request '0x8413238'"
> > >"User not fully authenticated"
> > >
> > >But nothing is being recorded by Winbindd (as opposed to when it works).
> > >
> > >This message could hold the key, but I'm not entirely sure where I should
> > >look next for this.
> > >
> > >I have reams of log files with debugging turned right up which I can post
> > >specific sections of if required, but I'm not going to post all of them
> > >now for people to wade through.
> > >
> > >I commented out wb_ntlmauth in squid.conf and tried using just wb_auth to
> > >see if I could get the basic auth to work and that did the same thing.
> > >
> > >The interesting thing is that I brought this server back to my office and
> > >changed its IP address and made it a member of our Windows NT4 domain and
> > >then, using the same Win XP client from the other network (it's a laptop),
> > >it works perfectly!!
> > >
> > >This leads me to believe that there must be something in the way their AD
> > >is set up that might be causing this problem??
> > >
> > >Any advice will be greatly appreciated.
> >
> > Some tips:
> >
> > - Have you restarted Squid after disabling NTLM authentication?
> > - an AD replication problem? Samba should always use the DC that acts as
> >   PDC emulator
> > - some strange behaviour of DNS caching
> >
> > Hoping to help you
> >
> > Regards
> >
> > Guido
>
> Hi Guido,
>
> 1) I don't specifically remember restarting Squid, but I would have
> definitely issued a 'squid -k reconfigure'.
> Is it necessary when dealing with winbind to actually issue 'service squid
> restart'?

If I'm not wrong, when the authentication schemes are changed, Squid should
be restarted.

> 2) I'm not a Windows 2000 admin (which makes this harder) so while I
> understand what you are saying, I'm not sure how it might affect me and
> this install. I believe there is only one AD server that authenticates user
> logins in this network, but I will follow that up.
>
> 3) It's funny you mention DNS caching because I did notice some strange DNS
> behaviour onsite.

It's not so funny: AD domains are DNS based, and Microsoft DNS sometimes is
very strange ....

> While trying to isolate the problem I noticed by using netstat that
> connections were being opened from the Squid server webcache port to the
> netbios name of the computer that *wasn't* a member of the domain without a
> problem. It was correctly identifying its netbios name and it was returning
> responses.
>
> When the other computer *was* a member of the domain (at this point I had
> one 2000 machine that *wasn't* a member of the domain working, in
> conjunction with another computer that was WinXP and *was* on the domain
> and not working) netstat was showing connections being opened from the
> Squid webcache port to a computer with a netbios name that doesn't even
> exist anymore.
> The Win2000 admin removed this old entry from the DNS cache but it didn't
> seem to make a difference. Perhaps we didn't allow enough time for it to
> replicate? The strange thing was that from the Squid server command line
> you could not ping the netbios named computer because it said it could not
> resolve the host name, yet Squid was still trying to establish connections
> to it (the connection netstat status was TIME_WAIT from memory).
>
> In an attempt to combat a possible DNS issue I statically assigned the IP
> address of the working Win2000 machine to the not working domain member
> WinXP machine, but still no good.
> I also changed the IP address of the Squid server as the IP address it had
> originally was an old IP address that still had a DNS entry for the server
> that used to have this address's name.

Do you use WINS too on your network? And if the answer is yes, do you have
WINS lookup enabled in your DNS?
If the WINS database is consistent (see the NetBIOS domain name object 1Ch),
Samba can use it; see smb.conf.

Regards

Guido

--
==================================================
Guido Serassio
Acme Consulting S.r.l.
Via Gorizia, 69            10136 - Torino - ITALY
Tel. : +39.011.3249426     Fax. : +39.011.3293665
Email: guido.serassio@acmeconsulting.it
WWW:   http://www.acmeconsulting.it/
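The Basic-fallback helper the thread keeps coming back to (wb_auth) speaks Squid's basic-auth helper protocol: Squid writes one `username password` line per request to the helper's stdin and expects `OK` or `ERR` on stdout for each. The script below is an added example, not wb_auth or any Samba/Squid code. It answers from a constructed in-memory table (the CORP domain and the jturner/guest accounts are made up) instead of asking winbindd, and it normalises the `DOMAIN\user` and `user@DOMAIN` forms that start appearing once clients are domain members. Feeding it a few lines by hand is a quick way to confirm the helper side of the chain independently of the browser when debugging a setup like the one above, and the same loop structure is what a real helper that calls winbindd would use.

```python
#!/usr/bin/env python3
"""Minimal Squid basic-auth helper in the style of wb_auth (added example).

Protocol: one "username password" line per request on stdin, one "OK" or
"ERR" line per request on stdout, helper stays alive between requests.
The user table is constructed for this example; the real helper asks winbindd.
"""
import hashlib
import hmac
import sys

# Assumed default domain for bare usernames (constructed value).
DEFAULT_DOMAIN = "CORP"


def _h(password: str) -> str:
    """Hash a password so no plaintext secrets sit in the table."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample directory: (DOMAIN, user) -> password hash.
SAMPLE_USERS = {
    ("CORP", "jturner"): _h("correct horse"),
    ("CORP", "guest"): _h("guest"),
}


def split_account(account: str):
    """Normalise DOMAIN\\user, user@DOMAIN or a bare user to (DOMAIN, user)."""
    if "\\" in account:
        domain, user = account.split("\\", 1)
    elif "@" in account:
        user, domain = account.rsplit("@", 1)
    else:
        domain, user = DEFAULT_DOMAIN, account
    return domain.upper(), user.lower()


def check_credentials(account: str, password: str, users=SAMPLE_USERS) -> bool:
    """True only if the account exists and the password hash matches."""
    stored = users.get(split_account(account))
    candidate = _h(password)  # hash even for unknown users: constant cost
    if stored is None:
        return False
    return hmac.compare_digest(candidate, stored)


def handle_line(line: str, users=SAMPLE_USERS) -> str:
    """Turn one request line from Squid into the helper's reply."""
    line = line.rstrip("\r\n")
    if " " not in line:
        return "ERR"  # malformed: Squid always sends "user password"
    account, password = line.split(" ", 1)
    return "OK" if check_credentials(account, password, users) else "ERR"


def main() -> None:
    # Squid keeps the helper running and expects one flushed reply per line.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Invoked as `printf 'jturner correct horse\nguest wrong\n' | ./helper.py`, it prints `OK` then `ERR`. Note that the helper never logs the password line; with Squid's authentication debugging turned up, as in the thread, the request is already visible in cache.log, so the helper should not add a second copy.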