On Fri, 5 Aug 2005, Plant, Dean wrote:

Mike Diggins wrote:
We're running Squid V2.5Stable10 on a Solaris 8 platform and are
attempting to get the NTLM authentication working along with basic
authentication for non-IE browsers.

So far, IE users that are logged into the domain authenticate without
an authentication prompt (good). Non IE users or users of other web
clients are prompted for authentication, which is expected, except
now they must type in the domain/username and password (i.e.
ap1/myname) instead of just their username. That's a bigger change in
behaviour than we would like. Is there a way to make this work or is
this normal behaviour?

I think you need to set "winbind use default domain = yes" in your
smb.conf

Okay, I've changed my configuration following the instructions in the Squid FAQ - http://www.squid-cache.org/Doc/FAQ/FAQ-23.html - How do I use the Winbind authenticators

Things are working better. Non IE browsers not logged into the domain prompt for password (good). IE and Firefox, when logged into the domain, do not ask for a password (also good).

A problem remains with IE when I'm not logged into the domain. It prompts for username and password as it should, but it also insists that I enter a domain (ap1\diggins) before it will authenticate. All non-IE browsers don't require this. Is there any way to make IE behave better?

Squid Version: 2.5Stable10
Samba: 3.0.14a (nmbd, smbd and winbind all running).

Samba Config:

[global]

        workgroup = AP1
        realm = AP1
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        encrypt passwords = yes
        security=domain
        password server = as7.ad.McMaster.CA, as6.ad.mcmaster.ca
        winbind separator = /
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        preferred master = False
        local master = No
        domain master = False
        log file = /var/log/samba.log

; end

Squid authentication configuration:

#
auth_param ntlm program /usr/local/squid/sbin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
#
auth_param basic program /usr/local/squid/sbin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours


-Mike
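
As an added illustration (not part of the original post, and not Squid or Samba code): a toy helper speaking the line protocol behind the `auth_param basic program` setting above, showing how `diggins`, `ap1/diggins` and `ap1\diggins` can all resolve to one account once a default domain is applied. The account store, the function names, the case folding and the URL-escaping of fields are assumptions made for the example.

```python
import hmac
import sys
from urllib.parse import unquote

DEFAULT_DOMAIN = "AP1"  # "workgroup = AP1" in the posted smb.conf
SEPARATOR = "/"         # "winbind separator = /"
# Constructed sample account; a real helper would ask winbindd instead.
ACCOUNTS = {("AP1", "diggins"): "s3cret pass"}


def split_principal(raw, default_domain=DEFAULT_DOMAIN, separator=SEPARATOR):
    """Return (DOMAIN, user) for 'user', 'dom/user' or 'dom\\user'."""
    for sep in (separator, "\\"):
        domain, found, user = raw.partition(sep)
        if found:
            break
    else:
        # No domain typed: apply the default domain (the effect that
        # "winbind use default domain = yes" is meant to have).
        domain, user = default_domain, raw
    if not domain or not user:
        raise ValueError("empty domain or user")
    # Assumption: names are compared case-insensitively.
    return domain.upper(), user.lower()


def handle_line(line, accounts=ACCOUNTS):
    """Answer one 'username password' request line with 'OK' or 'ERR'."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 2:
        return "ERR"  # malformed request: fail closed
    try:
        # Assumption: Squid URL-escapes both fields before sending them.
        principal = split_principal(unquote(parts[0]))
    except ValueError:
        return "ERR"
    expected = accounts.get(principal)
    if expected is None:
        return "ERR"
    supplied = unquote(parts[1]).encode()
    return "OK" if hmac.compare_digest(expected.encode(), supplied) else "ERR"


if __name__ == "__main__":
    for request in sys.stdin:
        print(handle_line(request), flush=True)
```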
