On Fri, 5 Aug 2005, Plant, Dean wrote:
Mike Diggins wrote:
We're running Squid V2.5Stable10 on a Solaris 8 platform and are
attempting to get the NTLM authentication working along with basic
authentication for non-IE browsers.
So far, IE users that are logged into the domain authenticate without
an authentication prompt (good). Non IE users or users of other web
clients are prompted for authentication, which is expected, except
now they must type in the domain/username and password (i.e.
ap1/myname) instead of just their username. That's a bigger change in
behaviour than we would like. Is there a way to make this work or is
this normal behaviour?
I think you need to set "winbind use default domain = yes" in your
smb.conf
Okay, I've changed my configuration following the instructions in the
Squid FAQ - http://www.squid-cache.org/Doc/FAQ/FAQ-23.html - How do I use
the Winbind authenticators
Things are working better. Non IE browsers not logged into the domain
prompt for password (good). IE and Firefox, when logged into the domain,
do not ask for a password (also good).
A problem remains with IE when I'm not logged into the domain. It prompts
for usernmame and password as it should, but it also insists that I enter
a domain (ap1\diggins) before it will authentication. All non-IE browsers
don't require this. Is there anyway to make IE behave better?
Squid Version: 2.5Stable10
Samba: 3.0.14a (nmbd, smbd and windbind all running).
Samba Config:
[global]
workgroup = AP1
realm = AP1
winbind uid = 10000-20000
winbind gid = 10000-20000
encrypt passwords = yes
security=domain
password server = as7.ad.McMaster.CA, as6.ad.mcmaster.ca
winbind separator = /
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
preferred master = False
local master = No
domain master = False
log file = /var/log/samba.log
; end
Squid authentication configuration:
#
auth_param ntlm program /usr/local/squid/sbin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
#
auth_param basic program /usr/local/squid/sbin/ntlm_auth
--helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
-Mike