Re: [squid-users] Squid NTLM/ADS problem

From: Dave Augustus <[email protected]>
Date: 12 Jan 2004 11:29:45 -0600

Hello Ben,

Ensure that you are referencing the ntlm_auth that comes with Samba V3.

--Dave

On Mon, 2004-01-12 at 09:01, Ben Kelley wrote:
> Trying to get NTLM/seamless authentication working with IE in domain/AD
> environment. Have browser setup to use proxy.
>
> Basic authentication from a non-M$ machine/browser works fine to the
> domain.
> Basic authentication from a M$ machine with Netscape works fine to the
> domain.
> Any authentication from a M$ machine with a M$ browser fails.
>
> It appears that the NTLM between the client IE and Squid takes place due
> to seeing the username appearing in the logs (cache.log) as soon as IE is
> launched, but that authentication is never sent to the Domain Controllers
> (verified via tcpdump).
>
> TESTWKSN
> - WinXP
> - IE 6
> - Netscape 7.0
>
> Non M$ Workstation
> - Solaris 9
> - Netscape 7.0
>
> Proxy Server
> - FreeBSD 4.9
> - Samba 3.0.0,1 from ports
> - Squid 2.5_4 from ports
>
> -----------------------------------------------------------------------------------
> output of 'squid -v'
>
> Squid Cache: Version 2.5.STABLE3
> configure options: --bindir=/usr/local/sbin
> --sysconfdir=/usr/local/etc/squid --datadir=/usr/local/etc/squid
> --localstatedir=/usr/local/squid '--enable-storeio=ufs diskd null'
> '--enable-removal-policies=lru heap' --enable-auth=ntlm,basic
> '--enable-basic-auth-helpers=NCSA winbind'
> --enable-ntlm-auth-helpers=winbind
> '--enable-external-acl-helpers=wbinfo_group winbind_group' --enable-snmp
> --enable-delay-pools --enable-useragent-log --enable-referer-log
> --disable-ident-lookups --enable-underscores --prefix=/usr/local
> i386-portbld-freebsd4.9
>
> -----------------------------------------------------------------------------------
> CACHE.LOG
>
> Jan 9 16:10:05 cache02 [2004/01/09 16:10:05, 3]
> libsmb/ntlmssp.c:ntlmssp_server_auth(286)
> Jan 9 16:10:05 cache02 user=[TESTUSER1] domain=[TESTDOMAIN]
> workstation=[TESTWKSN] len1=24 len2=24
>
> -----------------------------------------------------------------------------------
> SQUID.CONF
>
> auth_param ntlm program /usr/local/bin/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 5
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 20 minutes
>
> auth_param basic program /usr/local/bin/ntlm_auth
> --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
>
> acl AuthorizedUsers proxy_auth REQUIRED
>
> http_access allow AuthorizedUsers
>
> -----------------------------------------------------------------------------------
> SMB.CONF
>
> security = ads
> password server = TESTADC0 TESTADC1
> encrypt passwords = yes
>
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind enum users = yes
> winbind enum groups = yes
>
> winbind separator = "
> realm = TEST.COM
> winbind use default domain = yes
> workgroup = TESTDOMAIN
>
> domain master = no
Received on Mon Jan 12 2004 - 10:29:56 MST

This archive was generated by hypermail pre-2.1.9 : Sun Feb 01 2004 - 12:00:05 MST