View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update
0001963 | Endian Firewall | Proxy HTTP | public | 2009-06-25 10:14 | 2011-04-19 13:46
Reporter | davvidde
Assigned To | simon-endian
Priority | normal | Severity | major | Reproducibility | always
Status | resolved | Resolution | fixed
Platform | | OS | | OS Version |
Product Version | 2.4.1
Target Version | | Fixed in Version | 2.4.1
Summary | 0001963: HTTP Proxy EFW 2.2 (updated from 2.2rc3) group policy not longer works
Description | I installed EFW 2.2rc3 in a virtual machine and it works fine with authentication from an (LDAP v3) Active Directory domain configuration. After updating the distribution to 2.2 (final) from updates.endian.org the group policy of EFW no longer works correctly. Only groups with the "unrestricted" policy are able to surf the internet through the proxy, and every other group with the "default policy", which is "Antivirus and Content filtering", is not able to surf because they do not bypass the authentication process (authentication requests continuously). This is also reproducible in a fresh installation of EFW 2.2 and also on a VM on VMware ESXi. After reverting the snapshot to 2.2rc3 the authentication works again.
Tags | No tags attached.
(0002733) ancdix (reporter) 2009-07-02 14:57 |
Hi davvidde, I'm using an Endian Mini 2.2 and I'm having exactly the same issue... I got the same problem with the Endian UTM Software appliance... I've already talked with the reseller we bought our appliances from and they passed the issue to the Endian developers. |
(0002737) luca-endian (developer) 2009-07-06 07:45 edited on: 2009-07-06 08:05 |
Hi there,
can you try with this command on the Endian box? In this way you can understand if the firewall allows the user.

    squidclient -l 192.168.x.x -p 8080 -u youruser -w password http://www.google.com

where
    -l is the firewall IP from green if you want to test from green, orange and so on
    -p is the port where squid is listening
    -u is the user you want to test
    -w is the user password

ancdix, if your reseller doesn't give you information about the issue you can open a support ticket on your own.
(0002738) ancdix (reporter) 2009-07-06 07:58 |
Hi lucagiove,
I've just tested your command and from the console it seems to work. Here is the output... Thanx for your help.

    root@ENDIAN:~ # squidclient -l 192.168.*.* -p 8080 -u USER -w PASSWORD http://www.google.com
    HTTP/1.0 302 Moved Temporarily
    Location: http://www.google.lu/
    Cache-Control: private
    Content-Type: text/html; charset=UTF-8
    Set-Cookie: PREF=ID=e48b75fa72b4a2f3:TM=1246866996:LM=1246866996:S=u_eSXrFU4HMkWIS2; expires=Wed, 06-Jul-2011 07:56:36 GMT; path=/; domain=.google.com
    Date: Mon, 06 Jul 2009 07:56:36 GMT
    Server: gws
    Content-Length: 218
    X-Cache: MISS from ENDIAN
    X-Cache-Lookup: MISS from ENDIAN:8080
    X-Cache: MISS from ENDIAN
    X-Cache-Lookup: MISS from ENDIAN:8080
    Via: 1.0 ENDIAN:8080 (squid/2.6.STABLE18), 1.0 ENDIAN:8080 (squid/2.6.STABLE18)
    Proxy-Connection: close

    <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
    <TITLE>302 Moved</TITLE></HEAD><BODY>
    <H1>302 Moved</H1>
    The document has moved
    http://www.google.lu/.
    </BODY></HTML>
(0002739) luca-endian (developer) 2009-07-06 08:06 |
My mistake, this message was for ancdix not davvidde "if your reseller doesn't give you information about the issue you can open a support ticket on your own." |
(0002747) zorro1974 (reporter) 2009-07-09 07:50 edited on: 2009-07-09 07:52 |
Same problem, but a little dis. lucagiove, help http://bugs.endian.it/view.php?id=1991 |
(0002787) luca-endian (developer) 2009-07-24 13:50 |
Have a look at this file: /var/cache/samba/winbindd_privileged

    drwxr-x--- 2 root root 4096 Jul 24 15:28 winbindd_privileged

It should be owned by root:squid. Here is how to correct it:

    chown -R root:squid /var/cache/samba/winbindd_privileged
    chmod -R 750 /var/cache/samba/winbindd_privileged
    restartsquid --force
(0002788) ancdix (reporter) 2009-07-24 15:22 |
Hi, this is what my winbindd_privileged looks like:

    drwxr-x--- 2 root squid 4096 Jul 24 15:31 winbindd_privileged

I've already tried this (found it in this thread -> http://bugs.endian.it/view.php?id=1611).
(I already had a problem with (re-)joining a Windows domain, so I've deleted the winbindd_privileged folder and after that I could join the domain...)

thanx everyone
(0003995) peter-endian (administrator) 2010-03-08 19:34 |
Should be fixed in 2.3. Please reopen if it is not. |
(0005634) simon-endian (developer) 2011-02-07 15:05 |
this reoccurred on fresh 2.4 mini

please test again with the following steps
- enable proxy
- use ntlm for authentication and join it to the AD
- make a rule with group or user based access restrictions

login will fail with a valid user

in /var/log/squid/cache.log you will find:

    [2011/02/07 15:53:40.541027, 0] utils/ntlm_auth.c:598(winbind_pw_check)
      Login for user [REALM]\[USERNAME]@[SERVERNAME] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly.]
    [2011/02/07 15:53:40.541835, 0] utils/ntlm_auth.c:888(manage_squid_ntlmssp_request)
      NTLMSSP BH: NT_STATUS_ACCESS_DENIED
    2011/02/07 15:53:40| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'

after fixing the permissions on /var/cache/samba/winbindd_privileged it works again (see previous notes)

this needs to be fixed in the samba spec file and maybe the squid restartscript/job should fix the permissions before starting winbind
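
Added example (not part of the thread and not Endian's code): a shell check for the condition the notes above describe, the owner, group and mode of /var/cache/samba/winbindd_privileged, plus a count of the matching ntlm_auth denial in squid's cache.log. It assumes GNU `stat`; the function names and the `check` argument are made up for this example, and the sample log reuses the lines quoted in note 0005634 plus one constructed line.

```shell
#!/bin/sh
# Added example, not Endian's code. Assumes GNU coreutils `stat -c`.
# Function names and the "check" argument are hypothetical.

PRIV_DIR=/var/cache/samba/winbindd_privileged
CACHE_LOG=/var/log/squid/cache.log

# check_priv_dir DIR [OWNER] [GROUP] [MODE]
# Returns 0 only when DIR has exactly the expected owner, group and mode
# (defaults are the root:squid 750 given in note 0002787).
check_priv_dir() {
    dir=$1; owner=${2:-root}; group=${3:-squid}; mode=${4:-750}
    [ -d "$dir" ] || { echo "missing: $dir"; return 2; }
    actual=$(stat -c '%U:%G %a' "$dir") || return 2
    if [ "$actual" = "$owner:$group $mode" ]; then
        echo "ok: $dir is $actual"
        return 0
    fi
    echo "mismatch: $dir is $actual, expected $owner:$group $mode"
    return 1
}

# count_winbind_denials: read cache.log text on stdin, print the number of
# ntlm_auth lines saying the client may not use the privileged winbind pipe.
count_winbind_denials() {
    grep -c 'winbind client not authorized to use winbindd_pam_auth_crap' || true
}

# sample_cache_log: lines quoted in note 0005634, plus one constructed line.
sample_cache_log() {
    cat <<'EOF'
2011/02/07 15:53:39| constructed sample line, unrelated to authentication
[2011/02/07 15:53:40.541027, 0] utils/ntlm_auth.c:598(winbind_pw_check)
  Login for user [REALM]\[USERNAME]@[SERVERNAME] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly.]
[2011/02/07 15:53:40.541835, 0] utils/ntlm_auth.c:888(manage_squid_ntlmssp_request)
  NTLMSSP BH: NT_STATUS_ACCESS_DENIED
2011/02/07 15:53:40| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
EOF
}

# Run against the live paths only when called as: sh thisfile check
if [ "${1:-}" = "check" ]; then
    check_priv_dir "$PRIV_DIR"
    [ ! -r "$CACHE_LOG" ] || echo "denials: $(count_winbind_denials < "$CACHE_LOG")"
fi
```

A mismatch report together with a non-zero denial count is the combination note 0005634 describes; the check only reads state and leaves the `chown`/`chmod` from note 0002787 to the administrator.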
Date Modified | Username | Field | Change |
2009-06-25 10:14 | davvidde | New Issue | |
2009-07-02 14:57 | ancdix | Note Added: 0002733 | |
2009-07-06 07:45 | luca-endian | Note Added: 0002737 | |
2009-07-06 07:58 | ancdix | Note Added: 0002738 | |
2009-07-06 08:05 | luca-endian | Note Edited: 0002737 | |
2009-07-06 08:06 | luca-endian | Note Added: 0002739 | |
2009-07-06 08:16 | luca-endian | Relationship added | related to 0001985 |
2009-07-09 07:50 | zorro1974 | Note Added: 0002747 | |
2009-07-09 07:51 | zorro1974 | Note Edited: 0002747 | |
2009-07-09 07:52 | zorro1974 | Note Edited: 0002747 | |
2009-07-24 13:50 | luca-endian | Note Added: 0002787 | |
2009-07-24 15:22 | ancdix | Note Added: 0002788 | |
2010-03-08 19:34 | peter-endian | Note Added: 0003995 | |
2010-03-08 19:34 | peter-endian | Status | new => closed |
2010-03-08 19:34 | peter-endian | Resolution | open => fixed |
2011-02-07 15:05 | simon-endian | Assigned To | => lorenzo-endian |
2011-02-07 15:05 | simon-endian | Note Added: 0005634 | |
2011-02-07 15:05 | simon-endian | Status | closed => feedback |
2011-02-07 15:05 | simon-endian | Resolution | fixed => reopened |
2011-02-07 15:05 | simon-endian | Customer Occurencies | => 0 |
2011-02-07 15:05 | simon-endian | Status | feedback => acknowledged |
2011-02-07 15:05 | simon-endian | Product Version | => 2.4.1 |
2011-02-09 13:54 | lorenzo-endian | Assigned To | lorenzo-endian => simon-endian |
2011-02-09 13:54 | lorenzo-endian | Status | acknowledged => confirmed |
2011-02-24 14:20 | ra-endian | Relationship added | has duplicate 0003456 |
2011-04-19 13:46 | simon-endian | Status | confirmed => resolved |
2011-04-19 13:46 | simon-endian | Fixed in Version | => 2.4.1 |
2011-04-19 13:46 | simon-endian | Resolution | reopened => fixed |