[squid-users] NTLM authentication not working

From: Nirina Michel <[email protected]>
Date: Fri, 15 Apr 2005 14:41:26 +0200 (CEST)

Hi all,

I am trying to replace our IIS&MS-Proxy Server with
squid and linux. My test server is a Debian GNU/linux
sarge 3.1 with squid 2.5 stable 6 and I installed
samba and winbind 3.0.7 so the users can be
authenticated through the domain server like before.
I think I made all the necessary configurations with samba
because all the tests are OK:
wbinfo -u : showed all user members of the domain
wbinfo -g : showed the groups of the domain
wbinfo -p : success
wbinfo -t : success
wbinfo -m : SERVER BUILTIN
wbinfo -a user%pass : success
wbinfo --get-auth-user : DOMAIN\Administrateur
getent passwd : showed local users and domain users

Below is my squid.conf :

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
positive_dns_ttl 48 hours
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate off
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl QUERY urlpath_regex cgi-bin \?
acl lan src 10.1.0.0/24
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 873
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777 631 873 901
acl purge method PURGE
acl CONNECT method CONNECT
acl unrestricted proxy_auth DOMAIN\nirina
acl Authenticated proxy_auth REQUIRED
no_cache deny QUERY
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow lan
#http_access allow unrestricted
#http_access deny !Authenticated
# And finally deny all other access to this proxy
http_access deny all
http_reply_access allow all
icp_access allow all
acl local_server dst 10.9.28.0/24 10.9.29.0/24
always_direct allow local_server
always_direct deny !local_server
never_direct allow all
coredump_dir /var/spool/squid

And when I try to connect with a client, there is no
dialog box for authentication. However, the proxy
works because I can really surf the web.

In winbindd log file, I find :
"nsswitch/winbindd_group.c:winbindd_getgroups(1059)
user 'root' does not exist"

Is this the problem? If so, how can I fix that and
make it work?

TYIA

        

        
                
Received on Fri Apr 15 2005 - 06:41:28 MDT
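
An added example, not part of the original post: a small Python check of the http_access ordering in a squid.conf like the one posted. Squid evaluates http_access rules top-down with first match winning, and it only asks for credentials when it reaches a rule that references a proxy_auth ACL; the function names and the sample excerpt below are constructed for illustration.

```python
# Constructed excerpt of the access-control lines from the squid.conf in the post.
SAMPLE_CONF = r"""
acl lan src 10.1.0.0/24
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl unrestricted proxy_auth DOMAIN\nirina
acl Authenticated proxy_auth REQUIRED
http_access allow manager localhost
http_access deny manager
http_access allow localhost
http_access allow lan
#http_access allow unrestricted
#http_access deny !Authenticated
http_access deny all
"""

def parse(conf):
    """Return ({acl_name: acl_type}, [(action, [acl refs])]), skipping comment lines."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        tok = raw.split()
        if len(tok) >= 3 and tok[0] == "acl":
            acls[tok[1]] = tok[2]
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
    return acls, rules

def audit(conf):
    """Report whether any active rule forces authentication, and which allow
    rules are reached before it (those requests are never challenged).
    Simplification: any rule naming a proxy_auth ACL counts as the challenge point."""
    acls, rules = parse(conf)
    auth_acls = {name for name, kind in acls.items() if kind == "proxy_auth"}
    auth_enforced, open_allows = False, []
    for action, refs in rules:
        if {r.lstrip("!") for r in refs} & auth_acls:
            auth_enforced = True
            break
        if action == "allow":
            open_allows.append("allow " + " ".join(refs))
    return {"auth_enforced": auth_enforced, "unauthenticated_allows": open_allows}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
    print(audit(SAMPLE_CONF.replace("#http_access", "http_access")))
```

The second call shows that uncommenting the two proxy_auth rules is not sufficient on its own: `allow lan` still sits above them, so clients in 10.1.0.0/24 match it first and are never challenged.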

This archive was generated by hypermail pre-2.1.9 : Sun May 01 2005 - 12:00:03 MDT