Bug 92247 - net-proxy/squid ebuild should change winbindd_privileged permissions?
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Network Proxy Developers (OBSOLETE)
Reported: 2005-05-11 07:53 UTC by Ricardo Nuno
Modified: 2005-05-19 12:31 UTC
Description Ricardo Nuno 2005-05-11 07:53:08 UTC
Ok this is not really a bug, it's more a lack of information or if you like an opinion request.

I have here a SAMBA-PDC + LDAP working great, then I remembered to add squid with the domain authentication. I did all the necessary configs and ended up with this error:

2005/05/11 11:07:55| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
[2005/05/11 11:07:58, 0] utils/ntlm_auth.c:winbind_pw_check(427)
  Login for user [MOONORG]\[RNUNO]@[PC0009] failed due to [winbind client not authorized to use winbindd_pam_auth_crap.  Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly.]
[2005/05/11 11:07:58, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(600)
  NTLMSSP BH: NT_STATUS_ACCESS_DENIED

which was simply resolved with a:
chgrp squid /var/cache/samba/winbindd_privileged

Should we warn the users about this? Or maybe include a samba USE flag?
I leave it at your consideration.

regards,
RNuno

Reproducible: Always
Comment 1 Alin Năstac (RETIRED) gentoo-dev 2005-05-11 11:00:43 UTC
Squid supports a plethora of authentication methods. If the message is targeted to a specific kind of authentication, you should provide a step-by-step procedure.

Do you have a suggestion of how the warning message should sound?
Is it short enough? If not, I suggest posting a howto document in the forum.
Comment 2 Ricardo Nuno 2005-05-12 04:03:44 UTC
Well, it's targeted at winbind authentication. That's why I suggested a samba flag, or maybe winbind?

the procedure is this:
1. We already have a Samba PDC up and running in another machine.
2. on the PROXY machine we do: USE="winbind" emerge squid samba
3. edit /etc/squid/squid.conf to your needs and add the following:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 20 minutes

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers



4. edit /etc/samba/smb.conf and add the following:

[global]
workgroup = YOURDOMAIN
netbios name = Squid
server string = Squid Server
security = domain
encrypt passwords = Yes
password server = pdcserver
log level = 2
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = False
local master = No
domain master = False
dns proxy = No
wins server = winsserver
winbind separator = /
template homedir = /dev/null
template shell = /dev/null
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
idmap uid = 10000-20000
idmap gid = 10000-20000

5. start samba and add it to the domain: net join -W YOURDOMAIN -U root
6. test it: wbinfo -t; wbinfo -u;
7. chgrp squid /var/cache/samba/winbindd_privileged
8. squid -z; /etc/init.d/squid start

and you're set :)

Now about the message, maybe if we had a samba/winbind USE flag on the ebuild
we should post something like:

* For winbind auth to work with your squid you should change the
* /var/cache/samba/winbindd_privileged group to the same one
* you use in the cache_effective_group option in your squid.conf

what do you think?
Comment 3 Alin Năstac (RETIRED) gentoo-dev 2005-05-19 12:31:49 UTC
fixed in squid-2.5.10

maybe you should write a howto on forums.g.o
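
An added example, not part of the original bug report or of the squid ebuild: a shell check for step 7 of comment 2, comparing the group of winbindd_privileged with cache_effective_group from squid.conf and flagging any access for others. It assumes GNU stat; the function names squid_group and check_winbindd_priv are hypothetical.

```shell
#!/bin/sh
# Added example: audit winbindd_privileged against squid.conf.
# Usage (paths as quoted in the bug):
#   check_winbindd_priv /var/cache/samba/winbindd_privileged /etc/squid/squid.conf

# Print the cache_effective_group value from a squid.conf (last one wins).
squid_group() {
    awk '$1 == "cache_effective_group" { g = $2 } END { if (g != "") print g }' "$1"
}

# check_winbindd_priv DIR SQUID_CONF
# Returns 0 when DIR is group-owned by Squid's effective group, that group
# can enter it, and "others" have no access. Returns 1 on a finding and
# 2 when the directory or the squid.conf setting is missing.
check_winbindd_priv() {
    dir=$1 conf=$2 rc=0
    [ -d "$dir" ] || { echo "MISSING: $dir"; return 2; }
    want=$(squid_group "$conf")
    [ -n "$want" ] || { echo "UNSET: cache_effective_group in $conf"; return 2; }

    have=$(stat -c '%G' "$dir")          # GNU stat: group name
    mode=$(stat -c '%a' "$dir")          # GNU stat: octal mode, e.g. 750
    other_bits=$(( 0$mode & 7 ))         # leading 0 makes the value octal
    group_bits=$(( (0$mode >> 3) & 7 ))

    [ "$have" = "$want" ] ||
        { echo "GROUP: $dir has group '$have', squid runs as '$want'"; rc=1; }
    # The helper's group needs search (x) permission to reach the pipe inside.
    [ $(( group_bits & 1 )) -eq 1 ] ||
        { echo "MODE: group cannot enter $dir (mode $mode)"; rc=1; }
    # Policy of this example: nobody outside owner and group gets in.
    [ "$other_bits" -eq 0 ] ||
        { echo "MODE: $dir is accessible to others (mode $mode)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $dir group=$have mode=$mode"
    return "$rc"
}
```

A GROUP finding corresponds to the NT_STATUS_ACCESS_DENIED error in the description; a MODE finding for others means the directory was opened wider than the chgrp fix requires.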