Transparent Squid Proxy with Samba 3 NTLM_AUTH and multiple domain controllers

Dave Augustus davea at
Tue Dec 30 23:01:13 GMT 2003


(I am cross posting this to both the Squid and Samba-Tech list as it
relates to the integration of both- sorry! )

Here is the setup:

- 1 W2K PDC and 2 W2K BDCs - no Active Directory
- lots of Windows clients: XP and W2K Citrix
- Using Squid 2.5Stable4 and Kerberos 1.3.1 on RH9

We are using Squid in a transparent proxy fashion for logging. This
setup works great in every fashion except its transparency. (yuck!!)

Problem: Occasionally (like once every 4 hours), a Windows client user
will call help desk saying "Internet Explorer" is asking for my
username/password/domain to access a web page.

Well, my first thought was to check my logs on the RH9 box: squid,
samba, winbindd.


Ok, so I assume that possibly our PDC is being overloaded with requests
and I add "kdc" entries in krb5.conf in the realms section that point to
our backup domain controllers. I also add the *same* entries in
smb.conf. Restart Squid, Samba and Winbindd.

The problem worsens- it now occurs every hour!

So I undo my changes...

And I am thinking this: when a workstation logs in to the Domain, it can
hit *ANY* of the domain controllers, probably the primary. Then when the
*SAME* client accesses the Internet with IE 6.0, Squid (via NTLM_AUTH)
verifies the user with *ANY* of the domain controllers.

Hence, there is the possibility of 2 sessions, one via the workstation
and one via Internet Explorer/Squid- both on different domain

If this is correct, then it is *impossible* for Squid to ever know which
domain controller the user logged into and therefore the occasional auth
window will appear, making transparency impossible!

Am I on the right track here? 

Is there a workaround?

A config setting that I missed?

Also, a colleague of mine noticed that those who were Domain Admins
never saw this problem. That begs the question: Does wbinfo have to use
a user that is a domain admin?


wbinfo -t, -u and -g all work great

Here is my smb.conf:


workgroup = MINE
netbios name = GATEWAY

realm = MINE
security = domain
encrypt passwords = yes
password server = dc1.mine

winbind separator = /

winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
interfaces =
bind interfaces only = yes
winbind use default domain = yes
log file = /var/log/samba/log.%m
log level = 5
client signing = Yes
server signing = Yes
client use spnego = Yes

template shell = /bin/bash

template homedir = /home/%D/%U

krb5.conf:

[libdefaults]
    default_realm = MINE

[realms]
    MINE = {
        kdc = dc1.mine
    }

[logging]
    kdc = SYSLOG:INFO

squid.conf (relevant portions only):

auth_param ntlm program /usr/local/bin/ntlm_auth
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
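As an added example (not part of Dave's post or of Squid/Samba), this is the access.log check I would run on the RH9 box to separate the routine NTLM handshake 407s from the ones that actually turned into a credentials dialog. It assumes Squid's native access.log format, a 5-second handshake window, and constructed sample lines.

```python
"""Find stranded NTLM challenges in a Squid 2.5 native access.log."""
from collections import defaultdict

HANDSHAKE_WINDOW = 5.0  # seconds; an assumption, tune per site

# Constructed sample (Squid native format: time elapsed client action/code
# bytes method URL ident hierarchy/peer type). 'ident' is '-' until NTLM
# completes, so every handshake legitimately begins with a TCP_DENIED/407.
SAMPLE_LOG = """\
1072823000.100    0 10.0.0.5 TCP_DENIED/407 1795 GET http://www.example.com/ - NONE/- text/html
1072823000.400  120 10.0.0.5 TCP_MISS/200 5120 GET http://www.example.com/ alice DIRECT/192.0.2.10 text/html
1072837400.200    0 10.0.0.5 TCP_DENIED/407 1795 GET http://www.example.com/news - NONE/- text/html
1072837400.700    0 10.0.0.5 TCP_DENIED/407 1795 GET http://www.example.com/news - NONE/- text/html
1072837460.000  130 10.0.0.5 TCP_MISS/200 6000 GET http://www.example.com/news alice DIRECT/192.0.2.10 text/html
1072851800.200    0 10.0.0.5 TCP_DENIED/407 1795 GET http://www.example.com/ - NONE/- text/html
1072837401.000    0 10.0.0.7 TCP_DENIED/407 1795 GET http://intranet.mine/ - NONE/- text/html
1072837401.300  200 10.0.0.7 TCP_MISS/200 700 GET http://intranet.mine/ bob DIRECT/192.0.2.20 text/html
"""

def parse(log_text):
    """Yield (timestamp, client, http_status, ident) for each well-formed line."""
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 8:
            continue  # skip truncated lines
        yield float(f[0]), f[2], f[3].rsplit("/", 1)[-1], f[7]

def stranded_prompts(log_text, window=HANDSHAKE_WINDOW):
    """Return {client: [episode_start, ...]}: 407s never followed by an
    authenticated request within `window`, bursts collapsed to one episode."""
    by_client = defaultdict(list)
    for ev in parse(log_text):
        by_client[ev[1]].append(ev)
    result = {}
    for client, events in by_client.items():
        events.sort()
        auth_times = [ts for ts, _, _, ident in events if ident != "-"]
        episodes = []
        for ts, _, status, _ in events:
            if status != "407" or any(ts <= t <= ts + window for t in auth_times):
                continue  # not a challenge, or redeemed by a normal handshake
            if not episodes or ts - episodes[-1] > window:
                episodes.append(ts)  # new burst = one dialog the user saw
        if episodes:
            result[client] = episodes
    return result

def prompt_intervals_hours(episodes):
    """Gaps between successive prompt episodes in hours (the 'every N hours')."""
    return [(b - a) / 3600 for a, b in zip(episodes, episodes[1:])]
```

Run it over the real log and the interval list shows whether the stranded prompts really cluster at a fixed period per client, which is the pattern a DC-affinity or ticket-lifetime problem would produce.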
