SYSTEM WARNING: 'date_default_timezone_get(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone.' in '/usr/share/mantis/www/core.php' line 264

0001963: HTTP Proxy EFW 2.2 (updated from 2.2rc3) group policy not longer works - MantisBT
MantisBT - Endian Firewall
View Issue Details
0001963Endian FirewallProxy HTTPpublic2009-06-25 10:142011-04-19 13:46
davvidde 
simon-endian 
normalmajoralways
resolvedfixed 
2.4.1 
2.4.1 
0001963: HTTP Proxy EFW 2.2 (updated from 2.2rc3) group policy not longer works
I installed EFW 2.2rc3 in a virtual machine and it works fine with authentication from an (LDAP v3) Active directory domain configuration.
After update the distribution to 2.2 (final) from updates.endian.org the group policy of EFW do not longer work correctly. Only groups with "unrestricted" policy are able to surf the internet by the proxy and every other groups with "default policy" which is "Antivirus and Content filtering" are not able to surf because do not bypas s the authentication process (authentication requests continuosly).
This is riproducible also in a fresh installation of EFW2.2 and also on a VM on VMWare ESXi.
Reverting the snapshot to the 2.2rc3 the authentication returns to work.
No tags attached.
has duplicate 0003456resolved simon-endian Endian Firewall AD autentication does not work due to incorrect permissions 
Issue History
2009-06-25 10:14davviddeNew Issue
2009-07-02 14:57ancdixNote Added: 0002733
2009-07-06 07:45luca-endianNote Added: 0002737
2009-07-06 07:58ancdixNote Added: 0002738
2009-07-06 08:05luca-endianNote Edited: 0002737
2009-07-06 08:06luca-endianNote Added: 0002739
2009-07-06 08:16luca-endianRelationship addedrelated to 0001985
2009-07-09 07:50zorro1974Note Added: 0002747
2009-07-09 07:51zorro1974Note Edited: 0002747
2009-07-09 07:52zorro1974Note Edited: 0002747
2009-07-24 13:50luca-endianNote Added: 0002787
2009-07-24 15:22ancdixNote Added: 0002788
2010-03-08 19:34peter-endianNote Added: 0003995
2010-03-08 19:34peter-endianStatusnew => closed
2010-03-08 19:34peter-endianResolutionopen => fixed
2011-02-07 15:05simon-endianAssigned To => lorenzo-endian
2011-02-07 15:05simon-endianNote Added: 0005634
2011-02-07 15:05simon-endianStatusclosed => feedback
2011-02-07 15:05simon-endianResolutionfixed => reopened
2011-02-07 15:05simon-endianCustomer Occurencies => 0
2011-02-07 15:05simon-endianStatusfeedback => acknowledged
2011-02-07 15:05simon-endianProduct Version => 2.4.1
2011-02-09 13:54lorenzo-endianAssigned Tolorenzo-endian => simon-endian
2011-02-09 13:54lorenzo-endianStatusacknowledged => confirmed
2011-02-24 14:20ra-endianRelationship addedhas duplicate 0003456
2011-04-19 13:46simon-endianStatusconfirmed => resolved
2011-04-19 13:46simon-endianFixed in Version => 2.4.1
2011-04-19 13:46simon-endianResolutionreopened => fixed

Notes
(0002733)
ancdix   
2009-07-02 14:57   
Hi davvidde,
i'm using a Endian Mini 2.2 and i'm having exactly the same issue...
i got the same problem with the Endian UTM Software appliance...
i've already talked with the Reseller we bought our appliances from and they passed the issue to the endian developers.
(0002737)
luca-endian   
2009-07-06 07:45   
(edited on: 2009-07-06 08:05)
Hi there,

can you try with this command on the endian box?
In this way you can understand if the firewall allows the user.

squidclient -l 192.168.x.x -p 8080 -u youruser -w password http://www.google.com [^]

where -l is the firewall ip from green if you want to test from green, orange and so on..
-p the port where squid is listening to
-u the user you want to test
-w the user password

ancdix,
if your reseller doesn't give you information about the issue you can open a support ticket on your own.

(0002738)
ancdix   
2009-07-06 07:58   
Hi lucagiove,
i've just tested your command and from the console it seems to work.
Here is the output...
Thanx for your help.

root@ENDIAN:~ # squidclient -l 192.168.*.* -p 8080 -u USER -w PASSWORD http://www.google.com [^]
HTTP/1.0 302 Moved Temporarily
Location: http://www.google.lu/ [^]
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=e48b75fa72b4a2f3:TM=1246866996:LM=1246866996:S=u_eSXrFU4HMkWIS2; expires=Wed, 06-Jul-2011 07:56:36 GMT; path=/; domain=.google.com
Date: Mon, 06 Jul 2009 07:56:36 GMT
Server: gws
Content-Length: 218
X-Cache: MISS from ENDIAN
X-Cache-Lookup: MISS from ENDIAN:8080
X-Cache: MISS from ENDIAN
X-Cache-Lookup: MISS from ENDIAN:8080
Via: 1.0 ENDIAN:8080 (squid/2.6.STABLE18), 1.0 ENDIAN:8080 (squid/2.6.STABLE18)
Proxy-Connection: close

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
http://www.google.lu/. [^]
</BODY></HTML>
(0002739)
luca-endian   
2009-07-06 08:06   
My mistake,
this message was for ancdix not davvidde

"if your reseller doesn't give you information about the issue you can open a support ticket on your own."
(0002747)
zorro1974   
2009-07-09 07:50   
(edited on: 2009-07-09 07:52)
Same problem,but a little dis. lucagiove,help

http://bugs.endian.it/view.php?id=1991 [^]

(0002787)
luca-endian   
2009-07-24 13:50   
have a look at this file: /var/cache/samba/winbindd_privileged
drwxr-x--- 2 root root 4096 Jul 24 15:28 winbindd_privileged

It should be owned by root:squid here how to correct:
chown -R root:squid /var/cache/samba/winbindd_privileged
chmod -R 750 /var/cache/samba/winbindd_privileged
restartsquid --force
(0002788)
ancdix   
2009-07-24 15:22   
Hi, this is how my winbindd_privileged looks like

drwxr-x--- 2 root squid 4096 Jul 24 15:31 winbindd_privileged

I've already tried this (found it in this thread -> http://bugs.endian.it/view.php?id=1611 [^]

(I already had a problem with (re-)joining a windows domain so I've deleted the winbindd_privileged folder and after that I could join the domain...)

thanx everyone
(0003995)
peter-endian   
2010-03-08 19:34   
should be fixed in 2.3. pleas reopen if it is not
(0005634)
simon-endian   
2011-02-07 15:05   
this reoccured on fresh 2.4 mini

please test again with the following steps

- enable proxy
- use ntlm for authentication and join it to the AD
- make a rule whit group or user based access restrictions

login will fail with a valid user

in /var/log/squid/cache.log you will find:


[2011/02/07 15:53:40.541027, 0] utils/ntlm_auth.c:598(winbind_pw_check)
  Login for user [REALM]\[USERNAME]@[SERVERNAME] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly.]
[2011/02/07 15:53:40.541835, 0] utils/ntlm_auth.c:888(manage_squid_ntlmssp_request)
  NTLMSSP BH: NT_STATUS_ACCESS_DENIED
2011/02/07 15:53:40| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'

after fixing the permissions on /var/cache/samba/winbindd_privileged it works again (see previous notes)

this needs to be fixed in the samba spec file and maybe the squid restartscript/job should fix the persmissions before starting winbind