Transparent Squid Proxy with Samba 3 NTLM_AUTH and multiple domain controllers

Andrew Bartlett abartlet at samba.org
Wed Dec 31 03:12:04 GMT 2003


On Tue, Dec 30, 2003 at 05:01:13PM -0600, Dave Augustus wrote:
> Hello,
> 
> (I am cross posting this to both the Squid and Samba-Tech list as it
> relates to the integration of both- sorry! )

I'm just glad to see how many such systems there are out there!

> Here is the setup:
> 
> -1 W2K PDC and 2 W2K BDCs- no active directory
> -lots of Windows clients: XP and W2K Citrix
> -Using Squid 2.5Stable4 and Kerberos 1.3.1 on RH9

Which version of Samba? Are you using the ntlm_auth from Samba?

> We are using Squid in a transparent proxy fashion for logging. This
> setup works great in every fashion except its transparency. (yuck!!)
> 
> Problem: Occasionally (like once every 4 hours), a Windows client user
> will call help desk saying "Internet Explorer" is asking for my
> username/password/domain to access a web page.

If they put in the password, does it then work?

Have you applied all the available patches to IE?

> Well, my first thought was to check my logs on the RH9 box: squid,
> samba, winbindd.

Add -d3 or the like (up to 10, which is a lot of logs) to your
ntlm_auth command line.

> Nothing...
> 
> Ok, so I assume that possibly our PDC is being overloaded with requests
> and I add "kdc" entries in krb5.conf in the realms section that point to
> our backup domain controllers. I also add the *same* entries in
> smb.conf. Restart Squid, Samba and Winbindd.
> 
> The problem worsens- it now occurs every hour!
> 
> So I undo my changes...
> 
> And I am thinking this: when a workstation logs in to the Domain, it can
> hit *ANY* of the domain controllers, probably the primary. Then when the
> *SAME* client accesses the Internet with IE 6.0, Squid (via NTLM_AUTH)
> verifies the user with *ANY* of the domain controllers. 
> 
> Hence, there is the possibility of 2 sessions, one via the workstation
> and one via Internet Explorer/Squid- both on different domain
> controllers.

This isn't an issue, unless passwords are out of sync (and the user
changed their password recently)

> If this is correct, then it is *impossible* for Squid to ever know which
> domain controller the user logged into and therefore the occasional auth
> window will appear, making transparency impossible!
> 
> Am I on the right track here? 

No. The client sends the password every time, not some 'I logged on' token.  

> Is there a workaround?
> 
> A config setting that I missed?
> 
> Also, a colleague of mine noticed that those who were Domain Admins
> never saw this problem. That begs the question: Does wbinfo have to use
> a user that is a domain admin?

I doubt it.  But I do understand that there are issues being resolved
currently in squid regarding 'authentication popups'.  As far as I can
tell, it is a squid/client issue.

Andrew Bartlett

