On Tue, 9 Aug 2005, David Gameau wrote:

-----Original Message-----
From: Mike Diggins [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 9 August 2005 12:10 AM
To: Plant, Dean
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] NTLM Authentication


On Fri, 5 Aug 2005, Plant, Dean wrote:

Mike Diggins wrote:
We're running Squid V2.5Stable10 on a Solaris 8 platform and are
attempting to get the NTLM authentication working along with basic
authentication for non-IE browsers.

So far, IE users that are logged into the domain authenticate without
an authentication prompt (good). Non IE users or users of other web
clients are prompted for authentication, which is expected, except
now they must type in the domain/username and password (i.e.
ap1/myname) instead of just their username. That's a bigger change in
behaviour than we would like. Is there a way to make this work or is
this normal behaviour?

I think you need to set "winbind use default domain = yes" in your
smb.conf

Okay, I've changed my configuration following the instructions in the
Squid FAQ - http://www.squid-cache.org/Doc/FAQ/FAQ-23.html -
How do I use the Winbind authenticators

Things are working better. Non IE browsers not logged into the domain
prompt for password (good). IE and Firefox, when logged into
the domain, do not ask for a password (also good).

A problem remains with IE when I'm not logged into the
domain. It prompts for username and password as it should, but it
also insists that I enter a domain (ap1\diggins) before it will
authenticate. All non-IE browsers don't require this. Is there any way
to make IE behave better?

Squid Version: 2.5Stable10
Samba: 3.0.14a (nmbd, smbd and winbind all running).

Samba Config:

[global]

         workgroup = AP1
         realm = AP1
         winbind uid = 10000-20000
         winbind gid = 10000-20000
         encrypt passwords = yes
         security=domain
         password server = as7.ad.McMaster.CA, as6.ad.mcmaster.ca
         winbind separator = /
         winbind enum users = yes
         winbind enum groups = yes
         winbind use default domain = yes
         preferred master = False
         local master = No
         domain master = False
         log file = /var/log/samba.log

; end

Squid authentication configuration:

#
auth_param ntlm program /usr/local/squid/sbin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
#
auth_param basic program /usr/local/squid/sbin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours


-Mike


Mike,

I've run into the same problem in our testing of
Squid + Samba + NTLM.  From what I can see, Internet
Explorer attempts to be 'helpful' by filling in the Domain
field when returning authentication details.
The problem is that if the machine isn't logged into your
normal Domain it returns the local machine name
(or possibly the Workgroup) instead.
Since a Domain has been supplied, the default domain (as
defined in your smb.conf) is not used.

Firefox (and its ilk) return nothing for the Domain, and so
the 'winbind use default domain = yes' kicks in.

One workaround I found was to munge the Samba code.
In samba/source/nsswitch/winbindd_pam.c the bit of code that
decides what domain to use is:

enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
{
[...]
       if (*state->request.data.auth_crap.domain) {
               name_domain = state->request.data.auth_crap.domain;
       } else if (lp_winbind_use_default_domain()) {
               name_domain = lp_workgroup();
       } else {
               DEBUG(5,("no domain specified with username (%s) - failing auth\n",
                        name_user));
               result = NT_STATUS_NO_SUCH_USER;
               goto done;
       }
[...]
}

Replacing that chunk of code with just

       name_domain = lp_workgroup();

will force Samba to use whatever domain is defined in your smb.conf.
(This will, of course, break things if you ever want to authenticate
versus another domain.)

I haven't found any other way of making Internet Explorer play nicely.

Regards,
David.
__

David Gameau
ISTS - Systems Infrastructure Group
University of South Australia

email:  [EMAIL PROTECTED]
phone:  +61 8 302 3533
fax:    +61 8 302 5800

Disclaimer: "His brain sometimes stops working." - Chiyo, Azumanga Daioh


David,

This is excellent, thanks! I tested your change and it does fix the problem with IE. Too bad the Samba team wouldn't incorporate a "force domain" option in the smb.conf file.

Does this piece of code change often? I'm not a programmer so making this change to future updates of Samba might be difficult if the code is changed extensively.

-Mike
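The following is an added, stand-alone model of the domain-selection step quoted from winbindd_pam_auth_crap() in the thread above; it is not Samba's code and not code from either poster. It runs the same constructed requests (Firefox sending no domain, IE sending the real domain, IE sending the local machine name when not logged in) through three policies: the stock logic, David's "always lp_workgroup()" munge, and a narrower variant that only overrides domains not on a configured trusted list. The struct and function names (smb_conf, pick_domain, trusted[]), the machine name MYLAPTOP and the domain TRUSTEDDOM are all assumptions made for the illustration; Samba has no trusted[] list option.

```c
/*
 * Added example (not Samba code, not from the thread): a stand-alone model
 * of the domain-selection step quoted from winbindd_pam_auth_crap() above,
 * David's "always lp_workgroup()" munge, and one narrower alternative.
 * smb_conf, pick_domain and trusted[] are hypothetical stand-ins, not
 * Samba's lp_*() accessors or its request struct.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_TRUSTED 8

/* Stand-in for the smb.conf settings that matter here. */
struct smb_conf {
    const char *workgroup;            /* workgroup = AP1                      */
    int use_default_domain;           /* winbind use default domain = yes/no  */
    const char *trusted[MAX_TRUSTED]; /* domains you really want to accept    */
    int ntrusted;                     /* (assumption: not an smb.conf option) */
};

enum policy {
    POLICY_STOCK,    /* the logic as quoted from winbindd_pam.c            */
    POLICY_FORCE,    /* David's munge: name_domain = lp_workgroup() always */
    POLICY_OVERRIDE  /* illustration: keep listed domains, override others */
};

static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

static int is_trusted(const struct smb_conf *c, const char *domain)
{
    for (int i = 0; i < c->ntrusted; i++)
        if (eq_nocase(c->trusted[i], domain))
            return 1;
    return 0;
}

/* Domain the request will be checked against, or NULL where stock Samba
 * fails the request with NT_STATUS_NO_SUCH_USER. req_domain is what the
 * browser put in the NTLM domain field ("" when it sent nothing). */
const char *pick_domain(const struct smb_conf *c, enum policy p,
                        const char *req_domain)
{
    int supplied = req_domain != NULL && *req_domain != '\0';

    switch (p) {
    case POLICY_FORCE:
        return c->workgroup;
    case POLICY_OVERRIDE:
        return (supplied && is_trusted(c, req_domain)) ? req_domain
                                                       : c->workgroup;
    case POLICY_STOCK:
    default:
        if (supplied)
            return req_domain;           /* IE's local machine name lands here */
        if (c->use_default_domain)
            return c->workgroup;
        return NULL;
    }
}

/* Mike's settings from the thread, plus one constructed trusted domain. */
const struct smb_conf example_conf = { "AP1", 1, { "AP1", "TRUSTEDDOM" }, 2 };
/* Same, with "winbind use default domain = no" for comparison. */
const struct smb_conf example_conf_nodefault = { "AP1", 0, { "AP1" }, 1 };

int main(void)
{
    /* Constructed requests: what each client puts in the domain field. */
    const char *clients[][2] = {
        { "Firefox, any state",           ""           },
        { "IE, logged into AP1",          "AP1"        },
        { "IE, not logged in (local PC)", "MYLAPTOP"   }, /* constructed */
        { "IE, logged into trusted dom",  "TRUSTEDDOM" }, /* constructed */
    };
    static const char *names[] = { "stock", "force", "override" };

    printf("%-32s %-12s %-10s %-10s %-10s\n", "client", "sent",
           names[0], names[1], names[2]);
    for (size_t i = 0; i < sizeof clients / sizeof clients[0]; i++) {
        printf("%-32s %-12s", clients[i][0], clients[i][1]);
        for (int p = POLICY_STOCK; p <= POLICY_OVERRIDE; p++) {
            const char *d = pick_domain(&example_conf, (enum policy)p,
                                        clients[i][1]);
            printf(" %-10s", d ? d : "(fail)");
        }
        putchar('\n');
    }
    return 0;
}
```

The table makes the failure mode visible: under the stock logic the MYLAPTOP row is passed through unchanged, so winbind asks the domain controller about MYLAPTOP\diggins and the logon fails, while the empty Firefox row picks up AP1 from "winbind use default domain". The override variant narrows the caveat David gives (authenticating against another domain still works for domains on the list), but it is still a source patch to winbindd_pam.c and carries exactly the maintenance burden Mike asks about.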
