-------- Original Message --------
Subject: [squid-users] NTLM Authentication Problem
Date: Tue, 28 Oct 2003 11:34:29 -0500
From: Jim Richey <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
I'm having a problem getting NTLM authentication working between Squid 2.5STABLE4 and Samba 3.0.0 running on Slackware Linux 2.4.18. I've read the archives, FAQ, how-to, walk-thru, etc., and believe I have everything correctly configured. I'm using the helper that is part of Samba 3.0, not the Squid helper. Basic authentication works fine with the helper, but I cannot get ntlmssp working.
I set group read, execute access to the winbind pipe directory and full read, write, execute on the pipe itself.
drwxr-x--- 2 root squid 72 Oct 27 21:21 winbindd_privileged/
srwxrwxrwx 1 root root 0 Oct 27 21:21 pipe=
I have samba configured with ads but am not using it. I joined the domain with rpc and am using security=domain in smb.conf.
The wbinfo commands work fine:
#wbinfo -t
checking the trust secret via RPC calls succeeded
#wbinfo -a TSTDOM\\testuser%testpass
plaintext password authentication succeeded
challenge/response password authentication succeeded
I can also authenticate successfully with the helper from the command line:
#ntlm_auth --username testuser --password testpass
NT_STATUS_OK: Success (0x0)
However, when I try to use ntlm authentication from a browser I get this in cache.log:
[2003/10/28 10:43:41, 10] utils/ntlm_auth.c:manage_squid_request(1061)
Got 'YR' from squid (length: 2).
[2003/10/28 10:43:41, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(312)
got NTLMSSP packet:
[2003/10/28 10:43:41, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(322)
NTLMSSP challenge
IE 6.0 SP1 gets a "The page cannot be displayed" error. Mozilla 1.5 gives the login popup, but after entering user id and password returns the Cache Access Denied page.
Squid configured with:
Squid Cache: Version 2.5.STABLE4
configure options: --enable-async-io --enable-storeio=ufs,aufs --enable-auth=ntlm,basic --enable-removal-policies --enable-cache-digests --enable-kill-parent-hack --disable-ident-lookups
authentication in squid.conf configured as:
auth_param ntlm program /usr/local/samba/bin/ntlm_auth -d 10 --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
#
auth_param basic program /usr/local/samba/bin/ntlm_auth -d 10 --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Highmark Proxy Server
auth_param basic credentialsttl 2 hours
acl internet proxy_auth REQUIRED
http_access allow internet
http_access deny all
samba configured with:
--with-winbind --with-winbind-auth-challenge --with-libsmbclient --with-ads --with-krb5=/usr/local
smb.conf configuration:
[global]
workgroup = TSTDOM
netbios name = squidtest
server string = squidtest
security = domain
encrypt passwords = yes
smb passwd file = /usr/local/samba/private/smbpasswd
load printers = yes
log file = /usr/local/samba/var/log.%m
max log size = 50
password server = pwdserver
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
domain master = no
preferred master = no
wins support = no
idmap uid = 10000-65000
idmap gid = 10000-65000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/sh
winbind use default domain = yes
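Added example, not part of the original message: a Python check that a winbindd_privileged directory has the ownership and mode shown in the listing above (drwxr-x---, readable by the proxy's group only) and contains a socket named pipe. The function names and the temp-directory layout built by demo() are constructed for illustration; to audit a real install, pass the actual directory with root's uid and the squid group's gid.

```python
import os
import socket
import stat
import tempfile


def audit_winbind_pipe(priv_dir, owner_uid, helper_gid):
    """Return findings for the privileged pipe directory; [] means it matches the listing."""
    try:
        d = os.stat(priv_dir)
    except OSError as exc:
        return [f"cannot stat {priv_dir}: {exc.strerror}"]
    mode = stat.S_IMODE(d.st_mode)
    findings = []
    if (d.st_uid, d.st_gid) != (owner_uid, helper_gid):
        findings.append(f"owner/group is {d.st_uid}:{d.st_gid}, expected {owner_uid}:{helper_gid}")
    # The pipe itself is world-writable in the listing, so the directory is the only gate.
    if mode & 0o007:
        findings.append(f"mode {mode:04o} grants access to users outside the helper group")
    # The helper's group needs r-x to traverse the directory and reach the socket.
    if (mode & 0o050) != 0o050:
        findings.append(f"mode {mode:04o} denies the helper group r-x on the directory")
    # Group write would let the helper's group delete or replace the socket entry.
    if mode & 0o020:
        findings.append(f"mode {mode:04o} lets the helper group replace the pipe")
    pipe = os.path.join(priv_dir, "pipe")
    try:
        p = os.lstat(pipe)
    except OSError:
        return findings + [f"{pipe} is missing or unreachable"]
    if not stat.S_ISSOCK(p.st_mode):
        findings.append(f"{pipe} is not a UNIX socket")
    return findings


def demo(dir_mode):
    """Audit a constructed layout (temp dir, not a real Samba install) with the given mode."""
    with tempfile.TemporaryDirectory() as tmp:
        priv = os.path.join(tmp, "winbindd_privileged")
        os.mkdir(priv)
        with socket.socket(socket.AF_UNIX) as s:
            s.bind(os.path.join(priv, "pipe"))
            os.chmod(priv, dir_mode)
            st = os.stat(priv)
            return audit_winbind_pipe(priv, st.st_uid, st.st_gid)


if __name__ == "__main__":
    print({oct(m): demo(m) or "ok" for m in (0o750, 0o755, 0o700)})
```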