0001963: HTTP Proxy EFW 2.2 (updated from 2.2rc3) group policy no longer works - MantisBT Endian Bugtracker
Endian Issue Tracker
ID: 0001963
Project: Endian Firewall
Category: Proxy HTTP
View Status: public
Date Submitted: 2009-06-25 10:14
Last Update: 2011-04-19 13:46
Reporter: davvidde
Assigned To: simon-endian
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 2.4.1
Fixed in Version: 2.4.1
Summary: 0001963: HTTP Proxy EFW 2.2 (updated from 2.2rc3) group policy no longer works
Description:
I installed EFW 2.2rc3 in a virtual machine and it works fine with authentication from an (LDAP v3) Active Directory domain configuration.
After updating the distribution to 2.2 (final) from updates.endian.org, the group policy of EFW no longer works correctly. Only groups with the "unrestricted" policy are able to surf the internet through the proxy; every other group with the "default policy", which is "Antivirus and Content filtering", is not able to surf because it does not pass the authentication process (authentication is requested continuously).
This is reproducible also in a fresh installation of EFW 2.2 and also on a VM on VMware ESXi.
Reverting the snapshot to 2.2rc3, authentication works again.
Tags: No tags attached.
Relationships:
has duplicate 0003456 (resolved, simon-endian): Endian Firewall AD authentication does not work due to incorrect permissions

Notes
(0002733)
ancdix (reporter)
2009-07-02 14:57

Hi davvidde,
I'm using an Endian Mini 2.2 and I'm having exactly the same issue...
I got the same problem with the Endian UTM Software appliance...
I've already talked with the reseller we bought our appliances from and they passed the issue to the Endian developers.
(0002737)
luca-endian (developer)
2009-07-06 07:45
edited on: 2009-07-06 08:05

Hi there,

can you try this command on the Endian box?
This way you can check whether the firewall allows the user.

squidclient -l 192.168.x.x -p 8080 -u youruser -w password http://www.google.com

where -l is the firewall IP of green if you want to test from green, orange and so on,
-p the port where squid is listening,
-u the user you want to test,
-w the user's password.

ancdix,
if your reseller doesn't give you information about the issue you can open a support ticket on your own.

(0002738)
ancdix (reporter)
2009-07-06 07:58

Hi lucagiove,
I've just tested your command and from the console it seems to work.
Here is the output...
Thanks for your help.

root@ENDIAN:~ # squidclient -l 192.168.*.* -p 8080 -u USER -w PASSWORD http://www.google.com
HTTP/1.0 302 Moved Temporarily
Location: http://www.google.lu/
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Set-Cookie: PREF=ID=e48b75fa72b4a2f3:TM=1246866996:LM=1246866996:S=u_eSXrFU4HMkWIS2; expires=Wed, 06-Jul-2011 07:56:36 GMT; path=/; domain=.google.com
Date: Mon, 06 Jul 2009 07:56:36 GMT
Server: gws
Content-Length: 218
X-Cache: MISS from ENDIAN
X-Cache-Lookup: MISS from ENDIAN:8080
X-Cache: MISS from ENDIAN
X-Cache-Lookup: MISS from ENDIAN:8080
Via: 1.0 ENDIAN:8080 (squid/2.6.STABLE18), 1.0 ENDIAN:8080 (squid/2.6.STABLE18)
Proxy-Connection: close

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
http://www.google.lu/.
</BODY></HTML>
(0002739)
luca-endian (developer)
2009-07-06 08:06

My mistake,
this message was for ancdix, not davvidde:

"if your reseller doesn't give you information about the issue you can open a support ticket on your own."
(0002747)
zorro1974 (reporter)
2009-07-09 07:50
edited on: 2009-07-09 07:52

Same problem, but a little dis. lucagiove, help

http://bugs.endian.it/view.php?id=1991

(0002787)
luca-endian (developer)
2009-07-24 13:50

have a look at this directory: /var/cache/samba/winbindd_privileged
drwxr-x--- 2 root root 4096 Jul 24 15:28 winbindd_privileged

It should be owned by root:squid. Here is how to correct it:
chown -R root:squid /var/cache/samba/winbindd_privileged
chmod -R 750 /var/cache/samba/winbindd_privileged
restartsquid --force
(0002788)
ancdix (reporter)
2009-07-24 15:22

Hi, this is what my winbindd_privileged looks like:

drwxr-x--- 2 root squid 4096 Jul 24 15:31 winbindd_privileged

I've already tried this (found it in this thread -> http://bugs.endian.it/view.php?id=1611).

(I already had a problem with (re-)joining a Windows domain, so I deleted the winbindd_privileged folder and after that I could join the domain...)

thanks everyone
(0003995)
peter-endian (administrator)
2010-03-08 19:34

Should be fixed in 2.3. Please reopen if it is not.
(0005634)
simon-endian (developer)
2011-02-07 15:05

this reoccurred on a fresh 2.4 mini

please test again with the following steps

- enable proxy
- use NTLM for authentication and join it to the AD
- make a rule with group- or user-based access restrictions

login will fail with a valid user

in /var/log/squid/cache.log you will find:


[2011/02/07 15:53:40.541027, 0] utils/ntlm_auth.c:598(winbind_pw_check)
  Login for user [REALM]\[USERNAME]@[SERVERNAME] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly.]
[2011/02/07 15:53:40.541835, 0] utils/ntlm_auth.c:888(manage_squid_ntlmssp_request)
  NTLMSSP BH: NT_STATUS_ACCESS_DENIED
2011/02/07 15:53:40| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'

after fixing the permissions on /var/cache/samba/winbindd_privileged it works again (see previous notes)

this needs to be fixed in the samba spec file, and maybe the squid restart script/job should fix the permissions before starting winbind
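An added example, not Endian's restart job and not code posted in this ticket, of the pre-start check that simon-endian's last note and luca-endian's note 0002787 ask for: it verifies that the winbindd_privileged directory is owned by root:squid with mode 750 (the values given in those notes), applies the same chown/chmod when it is not, and recognises the cache.log signature quoted above so a monitoring job can tell this failure from a bad password. The function names, the use of GNU `stat -c`, and the fact that the squid group is the one the ntlm_auth helper runs under are assumptions of this example; the path, owner, group, mode and log text are the ticket's. The parameters exist so the check can be exercised on a scratch directory as an unprivileged user; on the firewall it runs as root against the real path.

```shell
#!/bin/sh
# Added example (not Endian's own code). Check and repair the ownership and
# mode of samba's winbindd_privileged directory before squid/winbind start,
# so squid's ntlm_auth helper (running as the 'squid' user, an assumption)
# is allowed to use the privileged winbind pipe. Requires GNU stat.

# usage: winbind_priv_status DIR [OWNER] [GROUP] [MODE]
# prints "ok" or a description of the mismatch; returns 0 only when
# owner, group and mode all match the expectation
winbind_priv_status() {
    dir=$1; owner=${2:-root}; group=${3:-squid}; mode=${4:-750}
    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
    actual=$(stat -c '%U:%G %a' "$dir") || return 1
    expected="$owner:$group $mode"
    if [ "$actual" = "$expected" ]; then
        echo "ok"
        return 0
    fi
    echo "mismatch: $dir is $actual, want $expected"
    return 1
}

# usage: winbind_priv_fix DIR [OWNER] [GROUP] [MODE]
# applies the recursive chown/chmod from note 0002787, then re-checks
winbind_priv_fix() {
    dir=$1; owner=${2:-root}; group=${3:-squid}; mode=${4:-750}
    chown -R "$owner:$group" "$dir" || return 1
    chmod -R "$mode" "$dir" || return 1
    winbind_priv_status "$dir" "$owner" "$group" "$mode"
}

# usage: ensure_winbind_priv [DIR]
# the hook a squid (re)start job would call as root before starting winbind:
# silent when the directory is already correct, repairs it otherwise
ensure_winbind_priv() {
    dir=${1:-/var/cache/samba/winbindd_privileged}
    winbind_priv_status "$dir" root squid 750 >/dev/null && return 0
    echo "repairing permissions on $dir"
    winbind_priv_fix "$dir" root squid 750
}

# usage: log_indicates_priv_problem < /var/log/squid/cache.log
# returns 0 when the log on stdin carries the winbindd_privileged /
# NT_STATUS_ACCESS_DENIED signature quoted in this ticket, 1 otherwise;
# a plain wrong password does not produce these lines
log_indicates_priv_problem() {
    grep -q -e 'winbindd_privileged are set correctly' \
            -e 'BH NT_STATUS_ACCESS_DENIED'
}
```

Run `ensure_winbind_priv` from the script that starts winbind and squid; to confirm the diagnosis on a box that is already failing, pipe the tail of cache.log into `log_indicates_priv_problem` and check its exit status before touching permissions.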

Issue History
Date Modified Username Field Change
2009-06-25 10:14 davvidde New Issue
2009-07-02 14:57 ancdix Note Added: 0002733
2009-07-06 07:45 luca-endian Note Added: 0002737
2009-07-06 07:58 ancdix Note Added: 0002738
2009-07-06 08:05 luca-endian Note Edited: 0002737
2009-07-06 08:06 luca-endian Note Added: 0002739
2009-07-06 08:16 luca-endian Relationship added related to 0001985
2009-07-09 07:50 zorro1974 Note Added: 0002747
2009-07-09 07:51 zorro1974 Note Edited: 0002747
2009-07-09 07:52 zorro1974 Note Edited: 0002747
2009-07-24 13:50 luca-endian Note Added: 0002787
2009-07-24 15:22 ancdix Note Added: 0002788
2010-03-08 19:34 peter-endian Note Added: 0003995
2010-03-08 19:34 peter-endian Status new => closed
2010-03-08 19:34 peter-endian Resolution open => fixed
2011-02-07 15:05 simon-endian Assigned To => lorenzo-endian
2011-02-07 15:05 simon-endian Note Added: 0005634
2011-02-07 15:05 simon-endian Status closed => feedback
2011-02-07 15:05 simon-endian Resolution fixed => reopened
2011-02-07 15:05 simon-endian Customer Occurencies => 0
2011-02-07 15:05 simon-endian Status feedback => acknowledged
2011-02-07 15:05 simon-endian Product Version => 2.4.1
2011-02-09 13:54 lorenzo-endian Assigned To lorenzo-endian => simon-endian
2011-02-09 13:54 lorenzo-endian Status acknowledged => confirmed
2011-02-24 14:20 ra-endian Relationship added has duplicate 0003456
2011-04-19 13:46 simon-endian Status confirmed => resolved
2011-04-19 13:46 simon-endian Fixed in Version => 2.4.1
2011-04-19 13:46 simon-endian Resolution reopened => fixed

Copyright © 2005-2008 Endian, SRL. All rights reserved.
Copyright © 2000 - 2012 MantisBT Group