Webproxy with ADS and SSO not working (Help Please)

Questions to IPFire Addons.
Submarine
Posts: 62
Joined: December 11th, 2013, 10:16 am

Re: Webproxy with ADS and SSO not working (Help Please)

Post by Submarine » August 8th, 2016, 8:52 am

I found this in the cach.log logfile under /var/log/squid:

Got user=[username] domain=[domainname] workstation=[server] len1=24 len2=24
Winbindd lookupname failed to resolve "domainname+Internetzugriff" into a SID!
Got NTLMSSP neg_flags=0xa2088207
ntlm_auth --username=domainname+username
works fine. I give the password and get a
NT_STATUS_OK: Success (0x0)
Then I tested this:
[root@firewall etc]# ntlm_auth --username=domainname+administrator --require-membership-of=domainname+Internetzugriff
password:
NT_STATUS_OK: Success (0x0)
wbinfo --separator
+
Everything ok. There is probably an error in a script or conf-file? Something that dont use the correct separator?

Submarine
Posts: 62
Joined: December 11th, 2013, 10:16 am

Re: Webproxy with ADS and SSO not working (Help Please)

Post by Submarine » August 8th, 2016, 11:07 am

Oh, maybe the quotes are the problem? It seams that any script adds the quotes to the domain und username. Can any developer verify that?
Winbindd lookupname failed to resolve "domainname+Internetzugriff" into a SID!

Ruddimaster
Posts: 24
Joined: August 23rd, 2011, 3:56 pm
Location: Aachen

Re: Webproxy with ADS and SSO not working (Help Please)

Post by Ruddimaster » August 13th, 2016, 3:46 pm

I have the same issue since 103

Code: Select all

ntlm_auth --username=domainname+username
-> NT_STATUS_OK: Success (0x0)

Code: Select all

Got user=[Username] domain=[DOMAINNAME] workstation=[Mein_Rechner] len1=24 len2=24
Winbindd lookupname failed to resolve "DOMAINNAME+Domain_Group" into a SID!
Login for user [DOMAINNAME]\[Username]@[Mein_Rechner] failed due to [unknown error (NULL)]

Ruddimaster
Posts: 24
Joined: August 23rd, 2011, 3:56 pm
Location: Aachen

Re: Webproxy with ADS and SSO not working (Help Please)

Post by Ruddimaster » August 13th, 2016, 4:22 pm

Submarine you have absolutely right.
After digging several docs I removed the quotes in the squid.conf

Code: Select all

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=Domain+Internet_Gruppe
and now it works again... till someone have saved the config-web-site... :-\

I hope somone of the dev-guys change this bug in 104...

Submarine
Posts: 62
Joined: December 11th, 2013, 10:16 am

Re: Webproxy with ADS and SSO not working (Help Please)

Post by Submarine » August 15th, 2016, 6:54 am

Yes, it works with me when I remove the quotes. But what happens when you have a space in your group name?

lastresort
Posts: 7
Joined: April 25th, 2011, 12:26 pm

Re: Webproxy with ADS and SSO not working (Help Please)

Post by lastresort » August 30th, 2016, 9:07 am

I have the fault can also reconstruct.
If you edit the /etc/squid/squid.conf and remove the "in front of the command and at the end of them it works fine.
But if you make a save and restart or reload, the wrong config is there again.

Submarine
Posts: 62
Joined: December 11th, 2013, 10:16 am

Re: Webproxy with ADS and SSO not working (Help Please)

Post by Submarine » September 29th, 2016, 6:46 am

I reported this bug 15.08.2016 and it seams that nobody works on it. Have a look at https://bugzilla.ipfire.org/show_bug.cgi?id=11166

Also a change in Samba could be the reason but I feel not good when there is nobody at work for this problem. This error could be a reason why to not use IPFire in companys. I am happy to use open source and I am glad that there are some guys they did go away from close source systems where you don't know what happens in the background. But in details not unimportant things of IPFire are very slow to be fixed.

hulot
Posts: 9
Joined: October 20th, 2011, 6:23 am

Re: Webproxy with ADS and SSO not working (Help Please)

Post by hulot » October 13th, 2016, 2:57 pm

Please look in bugzilla #11166. I wrote a comment. Perhaps that solves the problem.

Ruddimaster
Posts: 24
Joined: August 23rd, 2011, 3:56 pm
Location: Aachen

Re: Webproxy with ADS and SSO not working (Help Please)

Post by Ruddimaster » August 12th, 2017, 10:09 am

Is this problem solved? The link to the bugtracker is also untouched.
Or are the guys gone to an other solution?

Submarine
Posts: 62
Joined: December 11th, 2013, 10:16 am

Re: Webproxy with ADS and SSO not working (Help Please)

Post by Submarine » August 14th, 2017, 5:41 am

I don't really know. Because of this bug we don't use IPFire anymore in production environment.

Ruddimaster
Posts: 24
Joined: August 23rd, 2011, 3:56 pm
Location: Aachen

Re: Webproxy with ADS and SSO not working (Help Please)

Post by Ruddimaster » August 14th, 2017, 7:10 am

What solution do you use now?

Submarine
Posts: 62
Joined: December 11th, 2013, 10:16 am

Re: Webproxy with ADS and SSO not working (Help Please)

Post by Submarine » August 14th, 2017, 7:46 am

Different solutions. One older IPFire only for the SSO to block users without an internet access and a WatchGuard for the DMZ. And a few other for other services. But maybe IPFire will be replaced by a Linux server with Squid.

Post Reply

Who is online

Users browsing this forum: Yahoo [Bot] and 1 guest