No logon box in IE for users
dcross



Joined: 15 Jul 2004
Posts: 26

Posted: Mon Apr 24, 2006 1:37 pm    Post subject: No logon box in IE for users

I've just upgraded to 3.3r6. We were fine using 3.2 with NT auth - worked a treat for the past two years. 3.3r6 is about to take an unscheduled flying lesson!!!

The upgrade went perfectly fine, no errors, no problems. All the users, workstations, lists and settings all fine. The only difference now is we must use 2000/3 AD auth. So I enter the settings and CN will import users fine. But when users try to browse - nothing - not even the logon box.

Now nothing has changed on the workstations at all. The proxy and ports, exceptions are all the same as before. I've triple checked the IP address, subnet, etc etc of the CN box. Our workstations can happily access the CN Web interface.

I have used Lynx to test URLs with AD auth setup and that worked. I've tried pam_auth but CN says the file doesn't exist - I guess I've got the location wrong.

For some reason our workstation browsers (XP SP2 IE6) will not display the logon dialog.

Any ideas appreciated.
stonefish



Joined: 07 Apr 2003
Posts: 2448
Location: Bristol, UK

Posted: Mon Apr 24, 2006 7:44 pm

Please read the FAQ at www.censornet.com/faq - specifically Q3.1. It's quite likely to be time related.

Also, at the command line whilst logged in as root run /usr/local/squid/libexec/pam_auth - the details of what to do next are in that FAQ.

Incidentally, you don't have to use AD authentication. NT authentication is still available.

Regards
Neil
_________________
Neil Briscoe
Adelix Limited
neil.briscoe@adelix.com

Adelix Limited - WiFi, VoIP, CensorNet, Linux solutions and consultancy.
www.adelix.com www.censornet.com
dcross



Joined: 15 Jul 2004
Posts: 26

Posted: Tue Apr 25, 2006 6:35 am

Hello. This time issue annoys me very much. We have checked the times in the AD BIOS and CN BIOS and they are correct. CN is in GMT and currently changes to BST. AD is set to BST. If I set the AD BIOS back an hour, when Windows starts it adds an hour on. The clocks on both servers are synced with NTP using the same NTP server.

Surely if Lynx will authenticate correctly then AD authentication is working??? I've run pam_auth successfully now and that replied "OK".

When using AD auth, I assume the logon dialog is supposed to appear - or does it use pass-through?

Regards.
stonefish



Joined: 07 Apr 2003
Posts: 2448
Location: Bristol, UK

Posted: Tue Apr 25, 2006 7:36 am

OK - it does indeed sound as if your auth is working fine. There are other things which will cause the login box not to appear. They're listed in the FAQ too - but to cut down the time you have to wait........

From the CN's command line, ping something external by name - say www.bbc.co.uk. Even if the ping itself fails the name should get resolved to an IP address. If it does, your nameservers, as configured, are fine.

If not, you have a DNS issue, so next try and ping the DNS servers - by IP address.

If the name resolution worked from the command line, then check that DNRD is running

Code:
ps ax | grep dnrd


If it's died, restart it

Code:
/etc/init.d/dnrd start


Check it's running ok now and if so, try surfing from a workstation.

If that works - but it later dies - it might be that something on your network is upsetting dnrd causing it to crash - it's a fussy little bit of software.

We can dispense with its services. Edit the file /usr/local/squid/etc/squid.conf.tmpl

Find the line that reads dns_nameservers 127.0.0.1 and comment it out.

Write the file and at the command line run

Code:
update_squid_conf reload

I will be very surprised if something in that lot doesn't get you going.

Regards
Neil
dcross



Joined: 15 Jul 2004
Posts: 26

Posted: Tue Apr 25, 2006 9:49 am

DNS resolution works fine.

DNRD I assume is running as it returns "grep dnrd" as the last entry.

I've commented the line as you described using nano. Ran the update, even rebooted the box.

Still no logon box. None of our workstations show it. Not even the AD server or our plain and simple Exchange server.

My only other thought is the network card. We have a Realtek 8139 in it, but the Network Configuration says "8 Base Address 0xb000". The IP address appears fine. Why does it say that where the version before said "Realtek 8139...."?

All of our workstations can run the web admin console.

NT Auth will not work either, nor will it obtain the users list from the NT domain. I have removed the censornet computer from AD, I have tried again. I have removed the entry that was created and then manually added the machine ticking the pre-2000 option. It still failed.

It just doesn't make sense to me and this is now the second with no net access for our students.
stonefish



Joined: 07 Apr 2003
Posts: 2448
Location: Bristol, UK

Posted: Tue Apr 25, 2006 9:56 am

OK, you have two network cards or just one? If two, are they both the same type of card? Is there an on-board card that perhaps needs disabling in the BIOS?

Have you probed the LAN for workstations and set them to Allow Web or Allow Web and Other? Having imported the users, have you configured them as Filtered/Unfiltered/WhiteList Only users?

Are your browsers configured to use CN as the proxy?

Oh, and grep dnrd is the command you typed. You wanted to see /usr/bin/dnrd -s <IP address of DNS> or similar. Still, as you commented the line out of the squid.conf.tmpl it doesn't matter whether it's working or not.

Regards
Neil
dcross



Joined: 15 Jul 2004
Posts: 26

Posted: Tue Apr 25, 2006 11:32 am

stonefish wrote:
set them to Allow Web or Allow Web and Other?


Umm, (hides his face behind the biggest mountain he can find!!!!)

Well that was it. I didn't even consider that or see the (None) in the box. I expected the upgrade to have maintained all of those settings just like it maintained the workstations and their groupings.

Well thank you for your time and assistance.

On the subject of the Workstation Access Controls, all of our stations are grouped, yet after their name it says (None). Is it supposed to say the group they belong to?

Regards,
David.
stonefish



Joined: 07 Apr 2003
Posts: 2448
Location: Bristol, UK

Posted: Tue Apr 25, 2006 11:38 am

That would seem the logical conclusion. Of course, in the experimental environment in which I find myself, I've not played with groups enough.

The groups should certainly have been imported. Basically, if the workstations behave the way you'd expect, once you've defined a group policy - then this is obviously some sort of bug. If they don't - you might just have to place the workstations in their respective groups again. Not sure how the import script will have behaved on that question.

Regards
Neil
dcross



Joined: 15 Jul 2004
Posts: 26

Posted: Tue Apr 25, 2006 1:59 pm

Well I thought this was over!!

It worked for a short while, but now the logon box still appears but does not authenticate. Every user gets Logon Failed.
stonefish



Joined: 07 Apr 2003
Posts: 2448
Location: Bristol, UK

Posted: Tue Apr 25, 2006 4:08 pm

Hmm, that's odd, because you've already said that both servers are updated from the same NTP source. I suppose we are certain your LEA is letting the returning NTP packets back in.

Check the two servers for clock drift. On the CN log into the command line and type date. It should show you the time in BST. The AD server needs to be within +/- 5 minutes.

Reset the server you find it easiest to alter if necessary. On the CN, type

date 04251706 (for example). That sets the date to 17:06 on the 25th April.

Also, make sure no services have died. You can do that from the web interface. If anything is red, click on it, and it may well restart.

Regards
Neil
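The checks suggested so far in this thread (is dnrd really running, does squid still point at 127.0.0.1 for DNS, are the CN and AD clocks within five minutes), sketched as a shell script. This is an added example, not part of the original posts or CensorNet's own tooling; the function names and sample data are constructed, and the AD server's epoch time is assumed to be obtained separately.

```shell
#!/bin/sh
# Added example: checks for three failure points raised in this thread.
# Function names and all sample data are constructed for illustration.

MAX_SKEW=300   # seconds: the "+/- 5 minutes" allowed between CN and AD

# Reads `ps ax` output on stdin; succeeds only if a dnrd process is listed.
# Matching on the command column means the "grep dnrd" line never counts.
dnrd_running() {
    awk '{ cmd = $5; sub(/.*\//, "", cmd); if (cmd == "dnrd") found = 1 }
         END { exit(found ? 0 : 1) }'
}

# Takes two epoch timestamps (CN, AD); succeeds if within MAX_SKEW seconds.
# Epoch seconds are timezone-independent, so GMT vs BST display cannot mislead.
clock_skew_ok() {
    diff=$(( $1 - $2 ))
    if [ "$diff" -lt 0 ]; then diff=$(( 0 - diff )); fi
    [ "$diff" -le "$MAX_SKEW" ]
}

# Succeeds if the squid template ($1) still has an uncommented
# "dns_nameservers 127.0.0.1" line, i.e. squid still depends on dnrd.
local_dns_forced() {
    grep -Eq '^[[:space:]]*dns_nameservers[[:space:]]+127\.0\.0\.1' "$1"
}

# Constructed `ps ax` samples (192.0.2.53 is a documentation address).
PS_ONLY_GREP=' 2143 pts/0    S+     0:00 grep dnrd'
PS_WITH_DNRD='  612 ?        S      0:01 /usr/bin/dnrd -s 192.0.2.53
 2143 pts/0    S+     0:00 grep dnrd'

check() {   # $1 = label; stdin and remaining args go to the check function
    label=$1; shift
    if "$@"; then echo "OK    $label"; else echo "FAIL  $label"; fi
}

printf '%s\n' "$PS_ONLY_GREP" | check "dnrd (grep line only)" dnrd_running
printf '%s\n' "$PS_WITH_DNRD" | check "dnrd (daemon present)" dnrd_running
check "clocks 160 s apart"    clock_skew_ok 1145981160 1145981000
check "clocks one hour apart" clock_skew_ok 1145981160 1145977560
```

On a live box the same functions would be fed `ps ax` output, `date +%s`, and the template path named earlier in the thread.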
dcross



Joined: 15 Jul 2004
Posts: 26

Posted: Wed Apr 26, 2006 9:03 am

Ok, the times are almost exact - within seconds of each other. I've noticed this morning that one student can login ok and browse, but the students after cannot.

I've rebooted CN and am watching the system to see if there's any pattern.

There was an error during startup:

Cannot find module [IPFWCHAINS-MIB] : at line 0 in (none)
Process 'snmptrapb is using obsolete setsockopt SO_BSDCOMPAT SNMPTRAPD

Is this anything to worry about?
stonefish



Joined: 07 Apr 2003
Posts: 2448
Location: Bristol, UK

Posted: Wed Apr 26, 2006 9:12 am

That error looks like the SNMP functionality isn't quite kosher, it won't affect normal running of the box though.

Hmm, so sometimes users can login and sometimes they can't. That's a little odd - not something we commonly see. We may need to tweak the pam_auth command line you actually use.

Can you do the following for now :-

Code:
cd /etc
cat hosts


I'm fairly certain that these days the setup program puts the IP and name of the AD server in there. Can you just confirm that you can see your AD server's IP and name.

Regards
Neil
dcross



Joined: 15 Jul 2004
Posts: 26

Posted: Wed Apr 26, 2006 10:26 am

Ok, the system has been running fine for about 1hr 20 mins. Now it's stopped. All services on the admin console are green. I can't see any major difference or change to anything over that time.

The host.conf file contains our AD's IP and hostname correctly. Our hostname is Epsom.Internal - would the . make any difference?
stonefish



Joined: 07 Apr 2003
Posts: 2448
Location: Bristol, UK

Posted: Wed Apr 26, 2006 10:33 am

If epsom.internal is the domain you've told the AD authenticator to use, that should be fine.

Can you successfully ping epsom.internal by name from the CN's command line?

Regards
Neil
dcross



Joined: 15 Jul 2004
Posts: 26

Posted: Wed Apr 26, 2006 10:39 am

I can ping the AD server using the hostname. It's authenticating again now, we'll keep our eye on it.
All times are GMT