0001963: HTTP Proxy EFW 2.2 (updated from 2.2rc3) group policy not longer works

Notes
(0002733) ancdix (reporter) 2009-07-02 14:57	Hi davvidde, i'm using a Endian Mini 2.2 and i'm having exactly the same issue... i got the same problem with the Endian UTM Software appliance... i've already talked with the Reseller we bought our appliances from and they passed the issue to the endian developers.

(0002737) luca-endian (developer) 2009-07-06 07:45 edited on: 2009-07-06 08:05	Hi there, can you try with this command on the endian box? In this way you can understand if the firewall allows the user. squidclient -l 192.168.x.x -p 8080 -u youruser -w password http://www.google.com [^] where -l is the firewall ip from green if you want to test from green, orange and so on.. -p the port where squid is listening to -u the user you want to test -w the user password ancdix, if your reseller doesn't give you information about the issue you can open a support ticket on your own.

(0002738) ancdix (reporter) 2009-07-06 07:58	Hi lucagiove, i've just tested your command and from the console it seems to work. Here is the output... Thanx for your help. root@ENDIAN:~ # squidclient -l 192.168.. -p 8080 -u USER -w PASSWORD http://www.google.com [^] HTTP/1.0 302 Moved Temporarily Location: http://www.google.lu/ [^] Cache-Control: private Content-Type: text/html; charset=UTF-8 Set-Cookie: PREF=ID=e48b75fa72b4a2f3:TM=1246866996:LM=1246866996:S=u_eSXrFU4HMkWIS2; expires=Wed, 06-Jul-2011 07:56:36 GMT; path=/; domain=.google.com Date: Mon, 06 Jul 2009 07:56:36 GMT Server: gws Content-Length: 218 X-Cache: MISS from ENDIAN X-Cache-Lookup: MISS from ENDIAN:8080 X-Cache: MISS from ENDIAN X-Cache-Lookup: MISS from ENDIAN:8080 Via: 1.0 ENDIAN:8080 (squid/2.6.STABLE18), 1.0 ENDIAN:8080 (squid/2.6.STABLE18) Proxy-Connection: close <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"> <TITLE>302 Moved</TITLE></HEAD><BODY> <H1>302 Moved</H1> The document has moved http://www.google.lu/. [^] </BODY></HTML>

(0002739) luca-endian (developer) 2009-07-06 08:06	My mistake, this message was for ancdix not davvidde "if your reseller doesn't give you information about the issue you can open a support ticket on your own."

(0002747) zorro1974 (reporter) 2009-07-09 07:50 edited on: 2009-07-09 07:52	Same problem,but a little dis. lucagiove,help http://bugs.endian.it/view.php?id=1991 [^]

(0002787) luca-endian (developer) 2009-07-24 13:50	have a look at this file: /var/cache/samba/winbindd_privileged drwxr-x--- 2 root root 4096 Jul 24 15:28 winbindd_privileged It should be owned by root:squid here how to correct: chown -R root:squid /var/cache/samba/winbindd_privileged chmod -R 750 /var/cache/samba/winbindd_privileged restartsquid --force

(0002788) ancdix (reporter) 2009-07-24 15:22	Hi, this is how my winbindd_privileged looks like drwxr-x--- 2 root squid 4096 Jul 24 15:31 winbindd_privileged I've already tried this (found it in this thread -> http://bugs.endian.it/view.php?id=1611 [^] (I already had a problem with (re-)joining a windows domain so I've deleted the winbindd_privileged folder and after that I could join the domain...) thanx everyone

(0003995) peter-endian (administrator) 2010-03-08 19:34	should be fixed in 2.3. pleas reopen if it is not

(0005634) simon-endian (developer) 2011-02-07 15:05	this reoccured on fresh 2.4 mini please test again with the following steps - enable proxy - use ntlm for authentication and join it to the AD - make a rule whit group or user based access restrictions login will fail with a valid user in /var/log/squid/cache.log you will find: [2011/02/07 15:53:40.541027, 0] utils/ntlm_auth.c:598(winbind_pw_check) Login for user [REALM]\[USERNAME]@[SERVERNAME] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly.] [2011/02/07 15:53:40.541835, 0] utils/ntlm_auth.c:888(manage_squid_ntlmssp_request) NTLMSSP BH: NT_STATUS_ACCESS_DENIED 2011/02/07 15:53:40\| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED' after fixing the permissions on /var/cache/samba/winbindd_privileged it works again (see previous notes) this needs to be fixed in the samba spec file and maybe the squid restartscript/job should fix the persmissions before starting winbind

Issue History
Date Modified	Username	Field	Change
2009-06-25 10:14	davvidde	New Issue
2009-07-02 14:57	ancdix	Note Added: 0002733
2009-07-06 07:45	luca-endian	Note Added: 0002737
2009-07-06 07:58	ancdix	Note Added: 0002738
2009-07-06 08:05	luca-endian	Note Edited: 0002737
2009-07-06 08:06	luca-endian	Note Added: 0002739
2009-07-06 08:16	luca-endian	Relationship added	related to 0001985
2009-07-09 07:50	zorro1974	Note Added: 0002747
2009-07-09 07:51	zorro1974	Note Edited: 0002747
2009-07-09 07:52	zorro1974	Note Edited: 0002747
2009-07-24 13:50	luca-endian	Note Added: 0002787
2009-07-24 15:22	ancdix	Note Added: 0002788
2010-03-08 19:34	peter-endian	Note Added: 0003995
2010-03-08 19:34	peter-endian	Status	new => closed
2010-03-08 19:34	peter-endian	Resolution	open => fixed
2011-02-07 15:05	simon-endian	Assigned To	=> lorenzo-endian
2011-02-07 15:05	simon-endian	Note Added: 0005634
2011-02-07 15:05	simon-endian	Status	closed => feedback
2011-02-07 15:05	simon-endian	Resolution	fixed => reopened
2011-02-07 15:05	simon-endian	Customer Occurencies	=> 0
2011-02-07 15:05	simon-endian	Status	feedback => acknowledged
2011-02-07 15:05	simon-endian	Product Version	=> 2.4.1
2011-02-09 13:54	lorenzo-endian	Assigned To	lorenzo-endian => simon-endian
2011-02-09 13:54	lorenzo-endian	Status	acknowledged => confirmed
2011-02-24 14:20	ra-endian	Relationship added	has duplicate 0003456
2011-04-19 13:46	simon-endian	Status	confirmed => resolved
2011-04-19 13:46	simon-endian	Fixed in Version	=> 2.4.1
2011-04-19 13:46	simon-endian	Resolution	reopened => fixed

Please see now our new Bugtracker system: JIRA