Re: Webproxy with ADS and SSO not working (Help Please)

Posted: August 8th, 2016, 8:52 am
by Submarine
I found this in the cache.log logfile under /var/log/squid:

Got user=[username] domain=[domainname] workstation=[server] len1=24 len2=24
Winbindd lookupname failed to resolve "domainname+Internetzugriff" into a SID!
Got NTLMSSP neg_flags=0xa2088207
ntlm_auth --username=domainname+username
works fine. I give the password and get a
NT_STATUS_OK: Success (0x0)
Then I tested this:
[root@firewall etc]# ntlm_auth --username=domainname+administrator --require-membership-of=domainname+Internetzugriff
password:
NT_STATUS_OK: Success (0x0)
wbinfo --separator
+
Everything ok. There is probably an error in a script or conf-file? Something that doesn't use the correct separator?

Re: Webproxy with ADS and SSO not working (Help Please)

Posted: August 8th, 2016, 11:07 am
by Submarine
Oh, maybe the quotes are the problem? It seems that any script adds the quotes to the domain and username. Can any developer verify that?
Winbindd lookupname failed to resolve "domainname+Internetzugriff" into a SID!

Re: Webproxy with ADS and SSO not working (Help Please)

Posted: August 13th, 2016, 3:46 pm
by Ruddimaster
I have the same issue since 103

ntlm_auth --username=domainname+username
-> NT_STATUS_OK: Success (0x0)

Got user=[Username] domain=[DOMAINNAME] workstation=[Mein_Rechner] len1=24 len2=24
Winbindd lookupname failed to resolve "DOMAINNAME+Domain_Group" into a SID!
Login for user [DOMAINNAME]\[Username]@[Mein_Rechner] failed due to [unknown error (NULL)]

Re: Webproxy with ADS and SSO not working (Help Please)

Posted: August 13th, 2016, 4:22 pm
by Ruddimaster
Submarine, you are absolutely right.
After digging through several docs, I removed the quotes in the squid.conf:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=Domain+Internet_Gruppe
and now it works again... till someone has saved the config-web-site... :-\

I hope one of the dev guys fixes this bug in 104...

Re: Webproxy with ADS and SSO not working (Help Please)

Posted: August 15th, 2016, 6:54 am
by Submarine
Yes, it works for me when I remove the quotes. But what happens when you have a space in your group name?

Re: Webproxy with ADS and SSO not working (Help Please)

Posted: August 30th, 2016, 9:07 am
by lastresort
I can also reproduce the fault.
If you edit the /etc/squid/squid.conf and remove the " in front of the command and at the end of it, it works fine.
But if you make a save and restart or reload, the wrong config is there again.
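
An added example, not part of any post in this thread and not IPFire code: a shell check that flags active auth_param lines in a squid.conf whose --require-membership-of value still carries literal double quotes, so a configuration rewritten by a save in the web interface can be caught. The sample configuration is constructed from the values quoted in the thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not IPFire code: detect literal double quotes around the
# --require-membership-of value on active auth_param helper lines.

# find_quoted_membership FILE
# Prints "LINE_NUMBER:VALUE" per offending argument; returns 1 if any exist.
find_quoted_membership() {
    awk '
        /^[[:space:]]*auth_param[[:space:]]/ {
            for (i = 1; i <= NF; i++) {
                if ($i !~ /^--require-membership-of=/) continue
                val = $i
                sub(/^--require-membership-of=/, "", val)
                # The thread logs show the quotes reaching winbindd as part of the name
                if (val ~ /^"/ || val ~ /"$/) {
                    printf "%d:%s\n", NR, val
                    bad = 1
                }
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# write_sample_conf FILE: constructed sample config, values taken from the thread
write_sample_conf() {
    cat > "$1" <<'EOF'
# auth_param ntlm program /usr/bin/ntlm_auth --require-membership-of="Commented+Out"
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of="Domain+Internet_Gruppe"
auth_param ntlm children 10
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=Domain+Internet_Gruppe
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
if hits=$(find_quoted_membership "$sample"); then
    echo "no quoted group arguments"
else
    echo "quoted group argument(s), line:value -> $hits"
fi
rm -f "$sample"
```

A value that is quoted and also contains a space is split at the space, so only its first part is printed, but the line is still flagged.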

Re: Webproxy with ADS and SSO not working (Help Please)

Posted: September 29th, 2016, 6:46 am
by Submarine
I reported this bug on 15.08.2016 and it seems that nobody works on it. Have a look at https://bugzilla.ipfire.org/show_bug.cgi?id=11166

A change in Samba could also be the reason, but I don't feel good when nobody is working on this problem. This error could be a reason not to use IPFire in companies. I am happy to use open source, and I am glad that there are some guys who moved away from closed-source systems where you don't know what happens in the background. But in detail, not unimportant things in IPFire are very slow to be fixed.

Re: Webproxy with ADS and SSO not working (Help Please)

Posted: October 13th, 2016, 2:57 pm
by hulot
Please look in bugzilla #11166. I wrote a comment. Perhaps that solves the problem.

Re: Webproxy with ADS and SSO not working (Help Please)

Posted: August 12th, 2017, 10:09 am
by Ruddimaster
Is this problem solved? The link to the bugtracker is also untouched.
Or have the guys gone to another solution?

Re: Webproxy with ADS and SSO not working (Help Please)

Posted: August 14th, 2017, 5:41 am
by Submarine
I don't really know. Because of this bug we don't use IPFire anymore in a production environment.

Re: Webproxy with ADS and SSO not working (Help Please)

Posted: August 14th, 2017, 7:10 am
by Ruddimaster
What solution do you use now?

Re: Webproxy with ADS and SSO not working (Help Please)

Posted: August 14th, 2017, 7:46 am
by Submarine
Different solutions. One older IPFire only for the SSO to block users without internet access and a WatchGuard for the DMZ. And a few others for other services. But maybe IPFire will be replaced by a Linux server with Squid.