Re: [squid-users] testing ntlm_auth shipped with samba 3

From: Henrik Nordstrom <[email protected]>
Date: Wed, 5 Nov 2003 11:43:48 +0100 (CET)

On Wed, 5 Nov 2003, Lombardo Federico wrote:

> 1) ntlm-ssp protocol seems to be not used from IE, testing with win2003,
> latest IIS if leaving only this in squid.conf:

Where does ISS come into the picture?

> auth_param ntlm program
> /usr/squid/libexec/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 10
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes

Looks good to me.

> Will make cache.log say when I connect with my IE:
>
> 2003/11/05 10:28:15| authenticateDecodeAuth: Unsupported or unconfigured
> proxy-auth scheme, 'Basic ZmxvbWJhcmRvOmVnb19wZmU='

Hmm.. confused browser.

What does "log_mime_hdrs on" give in the initial 407 response headers from
the proxy?

> 2) using ntlm_auth with this squid.conf' configuration:
>
> Into the log this time I can see that user is recognized, but without the
> domain.

The user name logged in basic authentication is the username entered in
the browser. This may be with or without the NT domain when using a NT
domain backend.

> Ah, note that using only basic auth, without external acl, all work
> correctly, so the ntlm_auth helper, in this configuration work correctly, or
> "seems" to work correctly

Ok. So wbinfo_group.pl either does not like the username or the group
name. Your testing suggest that it does not like the domainless login
name.

Solution a): Enter the login using domain name in the browser.

Solution b): Teach wbinfo_group.pl how to handle "accuounts in the default
domain" where no domain name is specified in the login name.

Regards
Henrik
Received on Wed Nov 05 2003 - 03:43:54 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:21:06 MST