I'm having a problem trying to set up NTLM authentication following
the steps on the wiki and a few tutorials elsewhere. I think I have
the computer joined to the domain correctly, and all of the command
line tests work. Basic authentication works against AD accounts.
However, when I turn on NTLM, two 407 denieds are written to the
access.log and the client is never authenticated. It does not fall
back to basic authentication.

access.log:
1207755884.688      3 172.16.1.70 TCP_DENIED/407 1747 GET http://go.microsoft.com/fwlink/? - NONE/- text/html
1207755884.694      0 172.16.1.70 TCP_DENIED/407 1817 GET http://go.microsoft.com/fwlink/? - NONE/- text/html

squid.conf relevant section:
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
#auth_param ntlm use_ntlm_negotiate off
#auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
#auth_param basic children 5
#auth_param basic realm Proxy Server
#auth_param basic credentialsttl 2 hours
#auth_param basic casesensitive off

acl NTLMusers proxy_auth REQUIRED
http_access allow NTLMusers


samus:/var/log/squid # wbinfo -t
checking the trust secret via RPC calls succeeded

wbinfo -a ad\\gooduser%goodpassword
plaintext password authentication succeeded
challenge/response password authentication succeeded

This is a SLES 10, so the winbindd_privileged directory is under
/var/lib/samba.  Is there a path I need to set somewhere?  I'm
guessing it's working since basic authentication works.

squid -v results:
Squid Cache: Version 2.5.STABLE12
configure options: '--prefix=/usr' '--sysconfdir=/etc/squid'
'--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--localstatedir=/var'
'--libexecdir=/usr/sbin' '--datadir=/usr/share/squid' '--with-dl'
'--enable-snmp' '--enable-carp' '--enable-useragent-log'
'--enable-auth=basic digest ntlm' '--enable-basic-auth-helpers=LDAP
MSNT NCSA PAM SMB YP getpwnam multi-domain-NTLM'
'--enable-ntlm-auth-helpers=SMB no_check'
'--enable-digest-auth-helpers=password'
'--enable-external-acl-helpers=ip_user ldap_group unix_group
wbinfo_group' '--enable-ntlm-fail-open' '--enable-referer-log'
'--enable-arp-acl' '--enable-htcp' '--enable-underscores'
'--enable-stacktraces' '--enable-delay-pools' '--enable-ssl'
'--enable-cache-digests' '--enable-storeio=aufs,ufs,diskd,null'
'--enable-linux-netfilter' '--enable-removal-policies=heap,lru'
'--with-samba-sources=/usr/include/samba'
'--enable-x-accelerator-vary' 'CFLAGS=-O2 -fmessage-length=0 -Wall
-D_FORTIFY_SOURCE=2 -g -fPIE -DLDAP_DEPRECATED -fno-strict-aliasing'
'LDFLAGS=-pie'

Any pointers would be much appreciated.  I'm starting to think I'm on
the wrong track entirely and might have my ACLs written wrong, but the
only ACLs defined are from the default configuration.  Basic
authentication also does work if I uncomment it, so I'm pretty
confused...
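The symptom in the post (two 407s from the same client and no request that ever carries a user name) can be checked across a whole access.log rather than by eye. The following is an added example, not code from the original thread or from Squid: it parses Squid's native log format, groups each client's consecutive 407s into one NTLM handshake attempt, and reports whether an authenticated reply followed. The 172.16.1.71 lines, the user name and the peer address are constructed sample data.

```python
import re
from collections import defaultdict
# Native squid access.log fields: time elapsed client code/status bytes method URL user hier/peer type
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+/(?P<status>\d{3})\s+\d+\s+"
                     r"\S+\s+(?P<url>\S+)\s+(?P<user>\S+)\s+\S+\s+\S+$")

# Constructed sample: the two lines quoted in the post, plus a made-up client
# 172.16.1.71 whose handshake completes (its third request carries the user name).
SAMPLE_LOG = """\
1207755884.688      3 172.16.1.70 TCP_DENIED/407 1747 GET http://go.microsoft.com/fwlink/? - NONE/- text/html
1207755884.694      0 172.16.1.70 TCP_DENIED/407 1817 GET http://go.microsoft.com/fwlink/? - NONE/- text/html
1207755900.100      2 172.16.1.71 TCP_DENIED/407 1747 GET http://example.invalid/ - NONE/- text/html
1207755900.105      1 172.16.1.71 TCP_DENIED/407 1817 GET http://example.invalid/ - NONE/- text/html
1207755900.300    120 172.16.1.71 TCP_MISS/200 5120 GET http://example.invalid/ AD\\gooduser DIRECT/192.0.2.10 text/html
"""

def parse(lines):
    """Return one dict per well-formed native-format log line; skip anything else."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"], d["status"] = float(d["ts"]), int(d["status"])
            entries.append(d)
    return entries

def classify_handshakes(entries, window=5.0):
    """Healthy NTLM: 407 (no credentials), 407 (challenge sent), then a non-407 reply with
    the user name. 407s with no authenticated follow-up within `window` s = failed attempt."""
    by_client = defaultdict(list)
    for e in entries:
        by_client[e["client"]].append(e)
    results = []
    for client, es in by_client.items():
        es.sort(key=lambda e: e["ts"])
        i = 0
        while i < len(es):
            if es[i]["status"] != 407:
                i += 1
                continue
            j = i  # extend over the run of 407s belonging to this attempt
            while j < len(es) and es[j]["status"] == 407 and es[j]["ts"] - es[i]["ts"] <= window:
                j += 1
            if j < len(es) and es[j]["user"] != "-" and es[j]["ts"] - es[i]["ts"] <= window:
                results.append((client, "ok", j - i, es[j]["user"]))
                j += 1
            else:
                results.append((client, "failed", j - i, None))
            i = j
    return results
```

Run it over `open("/var/log/squid/access.log")` instead of `SAMPLE_LOG.splitlines()`: a client that only ever produces "failed" tuples with two denials is sending the Type-3 response but having it rejected, which points at the helper or its access to winbindd rather than at the ACLs.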
