[Samba] [Fwd: [squid-users] NTLM Authentication Problem]

Jim Richey jrichey at highmark.com
Wed Oct 29 18:31:36 GMT 2003

I submitted this to the Squid list, but I got no response, which I assume 
means that no one has any suggestions. Can anyone give me a clue as to 
what I have configured incorrectly? Thanks.

-------- Original Message --------
Subject: 	[squid-users] NTLM Authentication Problem
Date: 	Tue, 28 Oct 2003 11:34:29 -0500
From: 	Jim Richey <jrichey at highmark.com>
To: 	squid-users at squid-cache.org

I'm having a problem getting NTLM authentication working between Squid 
2.5STABLE4 and Samba 3.0.0 running on Slackware Linux 2.4.18. I've read the 
archives, FAQ, how-to, walk-thru, etc., and believe I have everything 
correctly configured. I'm using the helper that is part of Samba 3.0, 
not the Squid helper. Basic authentication works fine with the helper, 
but I cannot get ntlmssp working. 

I set group read,execute access to the winbind pipe directory and full 
read,write,execute on the pipe itself.
drwxr-x---    2 root     squid          72 Oct 27 21:21 winbindd_privileged/

srwxrwxrwx    1 root     root            0 Oct 27 21:21 pipe=

I have samba configured with ads but am not using it. I joined the 
domain with rpc and am using security=domain in smb.conf.

The wbinfo commands work fine:
#wbinfo -t
checking the trust secret via RPC calls succeeded

#wbinfo -a TSTDOM\\testuser%testpass
plaintext password authentication succeeded
challenge/response password authentication succeeded

I can also authenticate successfully with the helper from the command line:
#ntlm_auth --username testuser --password testpass
NT_STATUS_OK: Success (0x0)

However, when I try to use ntlm authentication from a browser I get this 
in cache.log:
[2003/10/28 10:43:41, 10] utils/ntlm_auth.c:manage_squid_request(1061)
 Got 'YR' from squid (length: 2).
[2003/10/28 10:43:41, 10] 
 got NTLMSSP packet:
[2003/10/28 10:43:41, 10] 
 NTLMSSP challenge

IE 6.0 SP1 gets a "The page cannot be displayed" error. Mozilla 1.5 gives the login popup, 
but after entering user id and password returns the Cache Access Denied page. 

Squid configured with:

Squid Cache: Version 2.5.STABLE4
configure options:  --enable-async-io --enable-storeio=ufs,aufs 
--enable-auth=ntlm,basic --enable-removal-policies 
--enable-cache-digests --enable-kill-parent-hack --disable-ident-lookups

authentication in squid.conf configured as:

auth_param ntlm program /usr/local/samba/bin/ntlm_auth -d 10 
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/local/samba/bin/ntlm_auth -d 10 
auth_param basic children 5
auth_param basic realm Highmark Proxy Server
auth_param basic credentialsttl 2 hours

acl internet proxy_auth REQUIRED
http_access allow internet
http_access deny all

samba configured with:
--with-winbind --with-winbind-auth-challenge --with-libsmbclient 
--with-ads --with-krb5=/usr/local

smb.conf configuration:

  workgroup = TSTDOM
  netbios name = squidtest
  server string = squidtest
  security = domain
  encrypt passwords = yes
  smb passwd file = /usr/local/samba/private/smbpasswd
  load printers = yes
  log file = /usr/local/samba/var/log.%m
  max log size = 50
  password server = pwdserver
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  local master = no
  domain master = no
  preferred master = no
  wins support = no
  idmap uid = 10000-65000
  idmap gid = 10000-65000
  winbind enum users = yes
  winbind enum groups = yes
  template homedir = /home/%D/%U
  template shell = /bin/sh
  winbind use default domain = yes
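As an added example, not part of this thread or of the Samba/Squid code: the helper log above stops right after "NTLMSSP challenge", i.e. at the point where a squid-2.5-ntlmssp helper should answer Squid's "YR" line with "TT <base64 Type 2 message>". The Python below builds such a minimal NTLMSSP CHALLENGE_MESSAGE and parses a helper reply line back into its fields, so the reply Squid is actually receiving can be checked. Flag values and the byte layout follow MS-NLMP; the domain name is taken from the post, the challenge bytes are constructed.

```python
import base64
import os
import struct

# NTLMSSP negotiate flags (MS-NLMP); only the few a minimal OEM challenge needs.
NTLMSSP_NEGOTIATE_OEM = 0x00000002
NTLMSSP_REQUEST_TARGET = 0x00000004
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_TARGET_TYPE_DOMAIN = 0x00010000


def build_type2(target: bytes, challenge: bytes) -> bytes:
    """Build a minimal CHALLENGE_MESSAGE (Type 2): 48-byte header, no Version field."""
    assert len(challenge) == 8, "server challenge is exactly 8 bytes"
    flags = (NTLMSSP_NEGOTIATE_OEM | NTLMSSP_REQUEST_TARGET
             | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_TARGET_TYPE_DOMAIN)
    header_len = 48
    msg = b"NTLMSSP\x00" + struct.pack("<I", 2)                       # signature, MessageType
    msg += struct.pack("<HHI", len(target), len(target), header_len)  # TargetNameFields
    msg += struct.pack("<I", flags) + challenge + b"\x00" * 8         # flags, challenge, reserved
    msg += struct.pack("<HHI", 0, 0, header_len + len(target))        # TargetInfoFields (empty)
    return msg + target                                               # payload: target name


def helper_reply_to_yr(target: bytes, challenge: bytes = None) -> str:
    """The line a working squid-2.5-ntlmssp helper writes back after reading 'YR'."""
    challenge = challenge or os.urandom(8)
    return "TT " + base64.b64encode(build_type2(target, challenge)).decode("ascii")


def parse_helper_reply(line: str) -> dict:
    """Decode one helper reply line: 'TT <b64>', 'AF <user>', 'NA <reason>' or 'BH <reason>'."""
    code, _, rest = line.rstrip("\n").partition(" ")
    if code != "TT":
        return {"code": code, "detail": rest}
    msg = base64.b64decode(rest)
    if len(msg) < 32 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("TT payload is not an NTLMSSP message")
    (mtype,) = struct.unpack_from("<I", msg, 8)
    if mtype != 2:
        raise ValueError(f"expected Type 2 challenge, got message type {mtype}")
    tlen, _, toff = struct.unpack_from("<HHI", msg, 12)
    (flags,) = struct.unpack_from("<I", msg, 20)
    return {"code": code, "flags": flags, "challenge": msg[24:32],
            "target": msg[toff:toff + tlen].decode("ascii")}
```

Feeding a real helper's "TT" line into parse_helper_reply shows whether Squid is getting a well-formed challenge for TSTDOM or nothing at all.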