Re: [squid-users] testing ntlm_auth shipped with samba 3

From: Lombardo Federico <[email protected]>
Date: Wed, 5 Nov 2003 14:44:08 +0100

Ok, but at this time...
what are the advantages of using the ntlm_auth shipped with samba3 instead of the
one shipped with squid?
I'm finding problems only using the first....

For now, I'm thinking that it is quite problematic using squid with samba3.
Better to use it with samba 2.2.8a: wb_group and wb_ntlmauth work, and there
is no other ntlm_auth except the squid one! :-)

P.S. I wrote IIS, but I meant IE :-) sorry.

Thanks in advance

Federico

----- Original Message -----
From: "Henrik Nordstrom" <hno@squid-cache.org>
To: "Lombardo Federico" <egopfe@hotmail.com>
Cc: <squid-users@squid-cache.org>
Sent: Wednesday, November 05, 2003 11:43 AM
Subject: Re: [squid-users] testing ntlm_auth shipped with samba 3

> On Wed, 5 Nov 2003, Lombardo Federico wrote:
>
> > 1) ntlm-ssp protocol seems not to be used by IE, testing with win2003,
> > latest IIS, if leaving only this in squid.conf:
>
> Where does IIS come into the picture?
>
> > auth_param ntlm program /usr/squid/libexec/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> > auth_param ntlm children 10
> > auth_param ntlm max_challenge_reuses 0
> > auth_param ntlm max_challenge_lifetime 2 minutes
>
> Looks good to me.
>
> > Will make cache.log say when I connect with my IE:
> >
> > 2003/11/05 10:28:15| authenticateDecodeAuth: Unsupported or unconfigured proxy-auth scheme, 'Basic ZmxvbWJhcmRvOmVnb19wZmU='
>
> Hmm.. confused browser.
>
> What does "log_mime_hdrs on" give in the initial 407 response headers from
> the proxy?
>
> > 2) using ntlm_auth with this squid.conf configuration:
> >
> > In the log this time I can see that the user is recognized, but without
> > the domain.
>
> The user name logged in basic authentication is the username entered in
> the browser. This may be with or without the NT domain when using a NT
> domain backend.
>
> > Ah, note that using only basic auth, without external acl, everything works
> > correctly, so the ntlm_auth helper, in this configuration, works correctly,
> > or "seems" to work correctly
>
> Ok. So wbinfo_group.pl either does not like the username or the group
> name. Your testing suggests that it does not like the domainless login
> name.
>
> Solution a): Enter the login using domain name in the browser.
>
> Solution b): Teach wbinfo_group.pl how to handle "accounts in the default
> domain" where no domain name is specified in the login name.
>
> Regards
> Henrik
>
>
Received on Wed Nov 05 2003 - 06:44:14 MST
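
Solution b) from the quoted reply, sketched as a stand-alone Squid external ACL group helper. This is an added example, not code from wbinfo_group.pl or from either poster. `DEFAULT_DOMAIN`, `SEPARATOR` and all function names are assumptions; the lookups use wbinfo's `-n` (name to SID), `-Y` (SID to gid) and `-r` (user's gids) options.

```python
#!/usr/bin/env python3
"""Squid external_acl group helper that accepts domainless logins (added example)."""
import subprocess
import sys
from urllib.parse import unquote

DEFAULT_DOMAIN = "EXAMPLE"  # assumption: placeholder for the site's NT domain
SEPARATOR = "\\"            # assumption: winbind separator configured in smb.conf


def qualify(login, domain=DEFAULT_DOMAIN, sep=SEPARATOR):
    """Prepend the default domain when the login carries no domain part."""
    return login if sep in login else f"{domain}{sep}{login}"


def wbinfo(*args):
    """Run wbinfo with an argument list (no shell); return stdout or None on failure."""
    try:
        r = subprocess.run(["wbinfo", *args], capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return r.stdout if r.returncode == 0 else None


def user_in_group(login, group, run=wbinfo):
    """True if the qualified login is a member of the named group."""
    sid = (run("-n", group) or "").split()            # group name -> SID (first token)
    if not sid:
        return False
    gid = (run("-Y", sid[0]) or "").strip()           # SID -> unix gid
    gids = (run("-r", qualify(login)) or "").split()  # gids the user belongs to
    return bool(gid) and gid in gids


def handle(line, run=wbinfo):
    """Answer one helper request of the form 'login group [group ...]'."""
    parts = [unquote(p) for p in line.split()]  # Squid %XX-escapes helper input
    # Refuse malformed requests and names that wbinfo could read as an option.
    if len(parts) < 2 or any(p.startswith("-") for p in parts):
        return "ERR"
    login, groups = parts[0], parts[1:]
    return "OK" if any(user_in_group(login, g, run) for g in groups) else "ERR"


if __name__ == "__main__":
    for request in sys.stdin:
        print(handle(request), flush=True)
```

The `run` parameter exists so the membership logic can be exercised with a stub instead of a live winbindd.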
