dcross
Joined: 15 Jul 2004 Posts: 26
|
Posted: Mon Apr 24, 2006 1:37 pm Post subject: No logon box in IE for users |
|
|
I've just upgraded to 3.3r6. We were fine using 3.2 with NT auth - worked a treat for the past two years. 3.3r6 is about to take an unscheduled flying lesson!!!
The upgrade went perfectly fine, no errors, no problems. All the users, workstations, lists and settings all fine. The only difference now is we must use 2000/3 AD auth. So I enter the settings and CN will import users fine. But when users try to browse - nothing - not even the logon box.
Now nothing has changed on the workstations at all. The proxy and ports, exceptions are all the same as before. I've triple checked the IP address, subnet, etc etc of the CN box. Our workstations can happily access the CN Web interface.
I have used Lynx to test URLs with AD auth setup and that worked. I've tried pam_auth but CN says the file doesn't exist - I guess I've got the location wrong.
For some reason our workstation browsers (XP SP2 IE6) will not display the logon dialog.
Any ideas appreciated. |
|
|
 |
stonefish
Joined: 07 Apr 2003 Posts: 2448 Location: Bristol, UK
|
Posted: Mon Apr 24, 2006 7:44 pm Post subject: |
|
|
Please read the FAQ at www.censornet.com/faq - specifically Q3.1. It's quite likely to be time related.
Also, at the command line whilst logged in as root run /usr/local/squid/libexec/pam_auth - the details of what to do next are in that FAQ.
Incidentally, you don't have to use AD authentication. NT authentication is still available.
Regards
Neil _________________ Neil Briscoe
Adelix Limited
neil.briscoe@adelix.com
Adelix Limited - WiFi, VoIP, CensorNet, Linux solutions and consultancy.
www.adelix.com www.censornet.com |
|
|
 |
dcross
Joined: 15 Jul 2004 Posts: 26
|
Posted: Tue Apr 25, 2006 6:35 am Post subject: |
|
|
Hello. This time issue annoys me very much. We have checked the times in the AD BIOS and CN BIOS and they are correct. CN is in GMT and currently changes to BST. AD is set to BST. If I set the AD BIOS back an hour when the Windows starts it adds an hour on. The clocks on both servers are synced with NTP using the same NTP server.
Surely if Lynx will authenticate correctly then AD authentication is working??? I've run pam_auth successfully now and that replied "OK".
When using AD auth, I assume the logon dialog is supposed to appear - or does it use pass-through?
Regards. |
|
|
 |
stonefish
Joined: 07 Apr 2003 Posts: 2448 Location: Bristol, UK
|
Posted: Tue Apr 25, 2006 7:36 am Post subject: |
|
|
OK - it does indeed sound as if your auth is working fine. There are other things which will cause the login box not to appear. They're listed in the FAQ too - but to cut down the time you have to wait...
From the CN's command line, ping something external by name - say www.bbc.co.uk. Even if the ping itself fails the name should get resolved to an IP address. If it does, your nameservers, as configured, are fine.
If not, you have a DNS issue, so next try and ping the DNS servers - by IP address.
If the name resolution worked from the command line, then check that DNRD is running.
If it's died, restart it:
Code:
/etc/init.d/dnrd start
Check it's running OK now and if so, try surfing from a workstation.
If that works - but it later dies - it might be that something on your network is upsetting dnrd causing it to crash - it's a fussy little bit of software.
We can dispense with its services. Edit the file /usr/local/squid/etc/squid.conf.tmpl
Find the line that reads dns_nameservers 127.0.0.1 and comment it out.
Write the file and at the command line run:
Code:
update_squid_conf reload
I will be very surprised if something in that lot doesn't get you going.
Regards
Neil |
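The dnrd check and the squid.conf.tmpl edit from the post above, as an added example that is not part of the original thread or the product's own scripts. The function names and the `ps ax` column layout are assumptions; the process check ignores the grep command's own line in the listing, and the edit keeps a backup of the template.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the ps ax column layout
# (PID TTY STAT TIME COMMAND) is assumed.

# dnrd_running: reads a `ps ax` listing on stdin and succeeds only when a
# process whose executable is named dnrd is present. A line such as
# "grep dnrd" is the grep command itself and does not count.
dnrd_running() {
    awk '{ cmd = $5; sub(/.*\//, "", cmd) }
         cmd == "dnrd" { found = 1 }
         END { exit !found }'
}

# disable_local_dns FILE: comments out "dns_nameservers 127.0.0.1" in the
# given squid.conf template. Keeps the first pre-edit copy as FILE.bak and is
# safe to run twice (an already commented line is left alone).
disable_local_dns() {
    tmpl=$1
    [ -f "$tmpl" ] || return 2
    [ -f "$tmpl.bak" ] || cp -p "$tmpl" "$tmpl.bak" || return 1
    sed 's/^\([[:space:]]*\)\(dns_nameservers[[:space:]][[:space:]]*127\.0\.0\.1[[:space:]]*\)$/\1# \2/' \
        "$tmpl" > "$tmpl.new" || return 1
    cat "$tmpl.new" > "$tmpl" && rm -f "$tmpl.new"
}

# Typical use on the box (as root), following the post:
#   ps ax | dnrd_running || /etc/init.d/dnrd start
#   disable_local_dns /usr/local/squid/etc/squid.conf.tmpl && update_squid_conf reload
```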
|
|
 |
dcross
Joined: 15 Jul 2004 Posts: 26
|
Posted: Tue Apr 25, 2006 9:49 am Post subject: |
|
|
DNS resolution works fine.
DNRD I assume is running as it returns "grep dnrd" as the last entry.
I've commented the line as you described using nano. Ran the update, even rebooted the box.
Still no logon box. None of our workstations show it. Not even the AD server or our plain and simple exchange server.
My only other thought is the network card. We have a Realtek 8139 in it, but the Network Configuration says "8 Base Address 0xb000". The IP address appears fine. Why does it say that where the version before said "Realtek 8139...."
All of our workstations can run the web admin console.
NT Auth will not work either, nor will it obtain the users list from the NT domain. I have removed the censornet computer from AD, I have tried again. I have removed the entry that was created and then manually added the machine ticking the pre-2000 option. It still failed.
It just doesn't make sense to me and this is now the second with no net access for our students. |
|
|
 |
stonefish
Joined: 07 Apr 2003 Posts: 2448 Location: Bristol, UK
|
Posted: Tue Apr 25, 2006 9:56 am Post subject: |
|
|
OK, you have two network cards or just one? If two, are they both the same type of card? Is there an on-board card that perhaps needs disabling in the BIOS?
Have you probed the LAN for workstations and set them to Allow Web or Allow Web and Other? Having imported the users, have you configured them as Filtered/Unfiltered/WhiteList Only users?
Are your browsers configured to use CN as the proxy?
Oh, and grep dnrd is the command you typed. You wanted to see /usr/bin/dnrd -s <IP address of DNS> or similar. Still, as you commented the line out of the squid.conf.tmpl it doesn't matter whether it's working or not.
Regards
Neil |
|
|
 |
dcross
Joined: 15 Jul 2004 Posts: 26
|
Posted: Tue Apr 25, 2006 11:32 am Post subject: |
|
|
| stonefish wrote: | | set them to Allow Web or Allow Web and Other? |
Umm, (hides his face behind the biggest mountain he can find!!!!)
Well that was it. I didn't even consider that or see the (None) in the box. I expected the upgrade to have maintained all of those settings just like it maintained the workstations and their groupings.
Well thank you for your time and assistance.
On the subject of the Workstation Access Controls, all of our stations are grouped, yet after their name it says (None). Is it supposed to say the group they belong to?
Regards,
David. |
|
|
 |
stonefish
Joined: 07 Apr 2003 Posts: 2448 Location: Bristol, UK
|
Posted: Tue Apr 25, 2006 11:38 am Post subject: |
|
|
That would seem the logical conclusion. Of course, in the experimental environment in which I find myself, I've not played with groups enough.
The groups should certainly have been imported. Basically, if the workstations behave the way you'd expect, once you've defined a group policy - then this is obviously some sort of bug. If they don't - you might just have to place the workstations in their respective groups again. Not sure how the import script will have behaved on that question.
Regards
Neil |
|
|
 |
dcross
Joined: 15 Jul 2004 Posts: 26
|
Posted: Tue Apr 25, 2006 1:59 pm Post subject: |
|
|
Well I thought this was over!!
It worked for a short while, but now the logon box still appears but does not authenticate. Every user gets Logon Failed. |
|
|
 |
stonefish
Joined: 07 Apr 2003 Posts: 2448 Location: Bristol, UK
|
Posted: Tue Apr 25, 2006 4:08 pm Post subject: |
|
|
Hmm, that's odd, because you've already said that both servers are updated from the same NTP source. I suppose we are certain your LEA is letting the returning NTP packets back in.
Check the two servers for clock drift. On the CN log into the command line and type date. It should show you the time in BST. The AD server needs to be within +/- 5 minutes.
Reset the server you find it easiest to alter if necessary. On the CN, type
date 04251706 (for example). That sets the date to 17:06 on the 25th April.
Also, make sure no services have died. You can do that from the web interface. If anything is red, click on it, and it may well restart.
Regards
Neil |
|
|
 |
dcross
Joined: 15 Jul 2004 Posts: 26
|
Posted: Wed Apr 26, 2006 9:03 am Post subject: |
|
|
Ok, the times are almost exact - within seconds of each other. I've noticed this morning that one student can login ok and browse, but the students after cannot.
I've rebooted CN and am watching the system to see if there's any pattern.
There was an error during startup:
Cannot find module [IPFWCHAINS-MIB] : at line 0 in (none)
Process 'snmptrapb is using obsolete setsockopt SO_BSDCOMPAT SNMPTRAPD
Is this anything to worry about? |
|
|
 |
stonefish
Joined: 07 Apr 2003 Posts: 2448 Location: Bristol, UK
|
Posted: Wed Apr 26, 2006 9:12 am Post subject: |
|
|
That error looks like the SNMP functionality isn't quite kosher, it won't affect normal running of the box though.
Hmm, so sometimes users can login and sometimes they can't. That's a little odd - not something we commonly see. We may need to tweak the pam_auth command line you actually use.
Can you do the following for now :-
I'm fairly certain that these days the setup program puts the IP and name of the AD server in there. Can you just confirm that you can see your AD server's IP and name.
Regards
Neil |
|
|
 |
dcross
Joined: 15 Jul 2004 Posts: 26
|
Posted: Wed Apr 26, 2006 10:26 am Post subject: |
|
|
Ok, the system has been running fine for about 1hr 20 mins. Now it's stopped. All services on the admin console are green. I can't see any major difference or change to anything over that time.
The host.conf file contains our AD's IP and hostname correctly. Our hostname is Epsom.Internal - would the . make any difference? |
|
|
 |
stonefish
Joined: 07 Apr 2003 Posts: 2448 Location: Bristol, UK
|
Posted: Wed Apr 26, 2006 10:33 am Post subject: |
|
|
If epsom.internal is the domain you've told the AD authenticator to use, that should be fine.
Can you successfully ping epsom.internal by name from the CN's command line?
Regards
Neil |
|
|
 |
dcross
Joined: 15 Jul 2004 Posts: 26
|
Posted: Wed Apr 26, 2006 10:39 am Post subject: |
|
|
I can ping the AD server using the hostname. It's authenticating again now, we'll keep our eye on it. |
|
|
 |
|