[squid-users] testing ntlm_auth shipped with samba 3

From: Lombardo Federico <[email protected]>
Date: Wed, 5 Nov 2003 11:12:18 +0100

Henrik I'm testing ntlm_auth shipped with samba 3.

I want to discuss these issues:

1) ntlm-ssp protocol seems to be not used from IE, testing with win2003,
latest IIS if leaving only this in squid.conf:

auth_param ntlm program
/usr/squid/libexec/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

Will make cache.log say when I connect with my IE:

2003/11/05 10:28:15| authenticateDecodeAuth: Unsupported or unconfigured
proxy-auth scheme, 'Basic ZmxvbWJhcmRvOmVnb19wZmU='
2003/11/05 10:28:43| authenticateDecodeAuth: Unsupported or unconfigured
proxy-auth scheme, 'Basic ZmxvbWJhcmRvOmVnb19wZmU='
2003/11/05 10:30:56| authenticateDecodeAuth: Unsupported or unconfigured
proxy-auth scheme, 'Basic ZmxvbWJhcmRvOmVnb19wZmU='
2003/11/05 10:31:30| authenticateDecodeAuth: Unsupported or unconfigured
proxy-auth scheme, 'Basic ZmxvbWJhcmRvOmVnb19wZmU='

Naturally, gives access denied.
seems that IE asks for Basic auth insted of ntlm one.

2) using ntlm_auth with this squid.conf' configuration:

auth_param basic program
usr/squid/libexec/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 10
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
external_acl_type wbinfo_group_helper concurrency=10 ttl=300 %LOGIN
/usr/squid/libexec/wbinfo_group.pl
acl InternetFull external wbinfo_group_helper InternetFull
http_access allow InternetFull
http_access deny all

will give access denied for ever.
Please note that using normal ntlm_auth, shipped with squid will make all
work.
seems that ntlm_auth doesn't give correct credential to wbinfo_group.pl

Into the log this time I can see that user is recognized, but without the
domain.

Ah, note that using only basic auth, without external acl, all work
correctly, so the ntlm_auth helper, in this configuration work correctly, or
"seems" to work correctly

example:

in ntlm_auth squid one into the log I can see (when authorized from
wbinfo_group):

1067944601.051 1799 192.168.5.12 TCP_MISS/200 25711 GET
http://freshmeat.net domain\user
DIRECT/216.218.248.174 text/html

using ntlm_auth from samba will make my log:

1068025606.229 230 192.168.5.12 TCP_DENIED/407 2095 GET
http://www.grandistazioni.it/popupFla.cfm? user

so, no domain mapped in log.
I've tried to specify domain in command line to ntlm_auth, but nothing.
Received on Wed Nov 05 2003 - 03:12:22 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:21:06 MST