On Wed, 5 Nov 2003, Lombardo Federico wrote: > 1) ntlm-ssp protocol seems to be not used from IE, testing with win2003, > latest IIS if leaving only this in squid.conf:
Where does ISS come into the picture? > auth_param ntlm program > /usr/squid/libexec/ntlm_auth --helper-protocol=squid-2.5-ntlmssp > auth_param ntlm children 10 > auth_param ntlm max_challenge_reuses 0 > auth_param ntlm max_challenge_lifetime 2 minutes Looks good to me. > Will make cache.log say when I connect with my IE: > > 2003/11/05 10:28:15| authenticateDecodeAuth: Unsupported or unconfigured > proxy-auth scheme, 'Basic ZmxvbWJhcmRvOmVnb19wZmU=' Hmm.. confused browser. What does "log_mime_hdrs on" give in the initial 407 response headers from the proxy? > 2) using ntlm_auth with this squid.conf' configuration: > > Into the log this time I can see that user is recognized, but without the > domain. The user name logged in basic authentication is the username entered in the browser. This may be with or without the NT domain when using a NT domain backend. > Ah, note that using only basic auth, without external acl, all work > correctly, so the ntlm_auth helper, in this configuration work correctly, or > "seems" to work correctly Ok. So wbinfo_group.pl either does not like the username or the group name. Your testing suggest that it does not like the domainless login name. Solution a): Enter the login using domain name in the browser. Solution b): Teach wbinfo_group.pl how to handle "accuounts in the default domain" where no domain name is specified in the login name. Regards Henrik
