Transparent Squid Proxy with Samba 3 NTLM_AUTH and multiple domain controllers

Dave Augustus davea at
Wed Dec 31 03:25:02 GMT 2003

On Tue, 2003-12-30 at 21:12, Andrew Bartlett wrote:
> On Tue, Dec 30, 2003 at 05:01:13PM -0600, Dave Augustus wrote:
> > Hello,
> > (I am cross posting this to both the Squid and Samba-Tech list as it
> > relates to the integration of both- sorry! )
> I'm just glad to see how many such systems there are out there!
> > Here is the setup:
> > 
> > -1 W2K PDC and 2 W2K BDCs- no active directory
> > -lots of Windows clients: XP and W2K Citrix
> > -Using Squid 2.5Stable4 and Kerberos 1.3.1 on RH9
> Which version of Samba? Are you using the ntlm_auth from Samba?

Oops- Samba 3.0 and *yes* the ntlm_auth from Samba (not Squid) is being
used by Squid.

> > We are using Squid in a transparent proxy fashion for logging. This
> > setup works great in every fashion except its transparency. (yuck!!)
> > Problem: Occasionally (like once every 4 hours), a Windows client user
> > will call help desk saying "Internet Explorer" is asking for my
> > username/password/domain to access a web page.
> If they put in the password, does it then work?

Intermittent results- sometimes they can continue without further
"Auths", but also the next web site they visit may cause another *Auth*.

> Have you applied all the available patches to IE?

No- after starting this thread, I found your references to the IE6 bugs
along with the URLs. We will be applying the patches- I hope for good

> > Well, my first thought was to check my logs on the RH9 box: squid,
> > samba, winbindd.
> Add -d3 or the like (up to 10, which is a lot of logs) to your
> ntlm_auth command line.

Yep- no problems noted via additional logging except where the user
mistyped their credentials when prompted.

> > Ok, so I assume that possibly our PDC is being overloaded with requests
> > and I add "kdc" entries in krb5.conf in the realms section that point to
> > our backup domain controllers. I also add the *same* entries in
> > smb.conf. Restart Squid, Samba and Winbindd.
> > 
> > The problem worsens- it now occurs every hour!
> > 
> > So I undo my changes...
> > 
> > And I am thinking this: when a workstation logs in to the Domain, it can
> > hit *ANY* of the domain controllers, probably the primary. Then when the
> > *SAME* client accesses the Internet with IE 6.0, Squid (via NTLM_AUTH)
> > verifies the user with *ANY* of the domain controllers.
> > 
> > Hence, there is the possibility of 2 sessions, one via the workstation
> > and one via Internet Explorer/Squid- both on different domain
> > controllers.
> This isn't an issue, unless passwords are out of sync (and the user
> changed their password recently)
> > If this is correct, then it is *impossible* for Squid to ever know which
> > domain controller the user logged into and therefore the occasional auth
> > window will appear, making transparency impossible!
> > 
> > Am I on the right track here? 
> No. The client sends the password every time, not some 'I logged on' token.  

Wonderful! Then full transparency is entirely possible as long as both
the clients and the servers work properly.

> > Is there a workaround?
> > 
> > A config setting that I missed?
> > 
> > Also, a colleague of mine noticed that those who were Domain Admins
> > never saw this problem. That begs the question: Does wbinfo have to use
> > a user that is a domain admin?
> I doubt it.  But I do understand that there are issues being resolved
> currently in squid regarding 'authentication popups'.  As far as I can
> tell, it is a squid/client issue.

More info please? I am on that list but have not seen these mentioned. I
have to admit that I don't read "every" post.

> Andrew Bartlett
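The thread's debugging so far was "check the squid, samba, winbindd logs" and "turn up ntlm_auth -d". Below is an added example, not code from the poster, Squid or Samba, that puts a number on the help-desk symptom from the Squid side: it reads Squid's native access.log format and reports, per client, how often the proxy rejected an NTLM exchange and how many hours elapsed between such rejections. The heuristic is an assumption of this example, not something the thread states: a browser that silently negotiates NTLM produces two TCP_DENIED/407 lines (the Type 1 / Type 2 exchange) followed by a 2xx carrying a user name, so three or more consecutive 407s from one client before a non-407 means the Type 3 response was rejected and the browser most likely raised a credentials prompt. The log lines are constructed samples with documentation addresses and fictitious user names.

```python
"""Spot NTLM re-authentication bursts in a Squid native-format access.log.

Added example for this thread; not code from Squid, Samba or the poster.
Heuristic (an assumption): silent NTLM negotiation shows as two
TCP_DENIED/407 lines then a 2xx with a user name; three or more consecutive
407s from the same client mean the Type 3 response was rejected and the
browser most likely prompted the user.
"""
from collections import defaultdict

# Constructed sample lines in Squid's native access.log format:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1072841102.101    12 10.1.2.3 TCP_DENIED/407 1765 GET http://www.example.com/ - NONE/- text/html
1072841102.220    14 10.1.2.3 TCP_DENIED/407 1765 GET http://www.example.com/ - NONE/- text/html
1072841102.350    88 10.1.2.3 TCP_MISS/200 5120 GET http://www.example.com/ DOMAIN\\alice DIRECT/93.184.216.34 text/html
1072841150.010   240 10.1.2.4 TCP_MISS/200 2048 GET http://intranet.example.test/ DOMAIN\\bob DIRECT/10.0.0.5 text/html
1072855500.512    10 10.1.2.3 TCP_DENIED/407 1765 GET http://news.example.org/ - NONE/- text/html
1072855500.800    15 10.1.2.3 TCP_DENIED/407 1765 GET http://news.example.org/ - NONE/- text/html
1072855501.900    15 10.1.2.3 TCP_DENIED/407 1765 GET http://news.example.org/ - NONE/- text/html
1072855503.200    70 10.1.2.3 TCP_MISS/200 7300 GET http://news.example.org/ DOMAIN\\alice DIRECT/203.0.113.9 text/html
1072869900.512    11 10.1.2.3 TCP_DENIED/407 1765 GET http://www.example.com/b - NONE/- text/html
1072869900.900    12 10.1.2.3 TCP_DENIED/407 1765 GET http://www.example.com/b - NONE/- text/html
1072869902.100    13 10.1.2.3 TCP_DENIED/407 1765 GET http://www.example.com/b - NONE/- text/html
1072869903.400    60 10.1.2.3 TCP_MISS/200 4100 GET http://www.example.com/b DOMAIN\\alice DIRECT/93.184.216.34 text/html
"""

PROMPT_THRESHOLD = 3  # consecutive 407s that imply a rejected NTLM Type 3


def parse_line(line):
    """Return (timestamp, client, http_status) for one native-format line."""
    fields = line.split()
    if len(fields) < 10:
        raise ValueError("not a Squid native access.log line: %r" % line)
    ts = float(fields[0])
    client = fields[2]
    status = int(fields[3].split("/", 1)[1])   # "TCP_DENIED/407" -> 407
    return ts, client, status


def find_auth_runs(log_text):
    """Group consecutive 407 responses per client.

    Returns {client: [(start_ts, run_length), ...]} for every 407 run,
    including the normal two-step negotiation, so callers can judge.
    """
    open_runs = {}                      # client -> [start_ts, length]
    runs = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, status = parse_line(line)
        if status == 407:
            if client in open_runs:
                open_runs[client][1] += 1
            else:
                open_runs[client] = [ts, 1]
        elif client in open_runs:       # first non-407 closes the run
            start, length = open_runs.pop(client)
            runs[client].append((start, length))
    for client, (start, length) in open_runs.items():   # unfinished at EOF
        runs[client].append((start, length))
    return dict(runs)


def likely_prompts(log_text, threshold=PROMPT_THRESHOLD):
    """Return {client: [start_ts, ...]} for runs long enough to imply a prompt."""
    result = {}
    for client, run_list in find_auth_runs(log_text).items():
        starts = [start for start, length in run_list if length >= threshold]
        if starts:
            result[client] = starts
    return result


def prompt_intervals_hours(log_text):
    """Hours between successive likely prompts per client: the
    'once every N hours' figure the help desk reports."""
    out = {}
    for client, starts in likely_prompts(log_text).items():
        out[client] = [(b - a) / 3600.0 for a, b in zip(starts, starts[1:])]
    return out


if __name__ == "__main__":
    for client, starts in likely_prompts(SAMPLE_LOG).items():
        print(client, "likely credential prompts at", starts)
    print(prompt_intervals_hours(SAMPLE_LOG))
```

Run it against a real access.log by replacing SAMPLE_LOG with the file contents; a client whose intervals cluster around a fixed period is the one to correlate with winbindd and ntlm_auth -d output at those timestamps. The threshold is deliberately a parameter, since a site that uses Basic as a fallback scheme sees different 407 patterns.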

