[Samba] [Fwd: [squid-users] NTLM Authentication Problem]
rruegner
robowarp at gmx.de
Wed Oct 29 18:53:47 GMT 2003
Hi,
I tried this too with Samba 3 and Squid 2.5STABLE4 and I can't get it to
work either.
I use the PAM modules to match Samba and Squid users for now (but it is not
the king's way).
Best Regards
----- Original Message -----
From: "Jim Richey" <jrichey at highmark.com>
To: <samba at lists.samba.org>
Sent: Wednesday, October 29, 2003 7:31 PM
Subject: [Samba] [Fwd: [squid-users] NTLM Authentication Problem]
> I submitted this to the Squid list, but I got no response, which I assume
> means that no one has any suggestions. Can anyone give me a clue as to
> what I have configured incorrectly? Thanks.
>
>
> -------- Original Message --------
> Subject: [squid-users] NTLM Authentication Problem
> Date: Tue, 28 Oct 2003 11:34:29 -0500
> From: Jim Richey <jrichey at highmark.com>
> To: squid-users at squid-cache.org
>
>
>
> I'm having a problem getting NTLM authentication working between Squid
> 2.5STABLE4 and Samba 3.0.0 running on Slackware Linux 2.4.18. I've read the
> archives, FAQ, how-to, walk-through, etc., and believe I have everything
> correctly configured. I'm using the helper that is part of Samba 3.0,
> not the Squid helper. Basic authentication works fine with the helper,
> but I cannot get ntlmssp working.
>
> I set group read,execute access to the winbind pipe directory and full
> read,write,execute on the pipe itself.
> drwxr-x--- 2 root squid 72 Oct 27 21:21 winbindd_privileged/
>
> srwxrwxrwx 1 root root 0 Oct 27 21:21 pipe=
>
> I have samba configured with ads but am not using it. I joined the
> domain with rpc and am using security=domain in smb.conf.
>
> The wbinfo commands work fine:
> #wbinfo -t
> checking the trust secret via RPC calls succeeded
>
> #wbinfo -a TSTDOM\\testuser%testpass
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> I can also authenticate successfully with the helper from the command line:
> #ntlm_auth --username testuser --password testpass
> NT_STATUS_OK: Success (0x0)
>
> However, when I try to use ntlm authentication from a browser I get this
> in cache.log:
> [2003/10/28 10:43:41, 10] utils/ntlm_auth.c:manage_squid_request(1061)
> Got 'YR' from squid (length: 2).
> [2003/10/28 10:43:41, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(312)
> got NTLMSSP packet:
> [2003/10/28 10:43:41, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(322)
> NTLMSSP challenge
>
> IE 6.0 SP1 gets a "The page cannot be displayed" error. Mozilla 1.5 gives
> the login popup, but after entering user ID and password returns the
> Cache Access Denied page.
>
>
> Squid configured with:
>
> Squid Cache: Version 2.5.STABLE4
> configure options: --enable-async-io --enable-storeio=ufs,aufs
> --enable-auth=ntlm,basic --enable-removal-policies
> --enable-cache-digests --enable-kill-parent-hack --disable-ident-lookups
>
>
> authentication in squid.conf configured as:
>
> auth_param ntlm program /usr/local/samba/bin/ntlm_auth -d 10 --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 5
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> #
> auth_param basic program /usr/local/samba/bin/ntlm_auth -d 10 --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Highmark Proxy Server
> auth_param basic credentialsttl 2 hours
>
> acl internet proxy_auth REQUIRED
> http_access allow internet
> http_access deny all
>
>
> samba configured with:
> --with-winbind --with-winbind-auth-challenge --with-libsmbclient
> --with-ads --with-krb5=/usr/local
>
>
> smb.conf configuration:
>
> [global]
> workgroup = TSTDOM
> netbios name = squidtest
> server string = squidtest
> security = domain
> encrypt passwords = yes
> smb passwd file = /usr/local/samba/private/smbpasswd
> load printers = yes
> log file = /usr/local/samba/var/log.%m
> max log size = 50
> password server = pwdserver
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> local master = no
> domain master = no
> preferred master = no
> wins support = no
> idmap uid = 10000-65000
> idmap gid = 10000-65000
> winbind enum users = yes
> winbind enum groups = yes
> template homedir = /home/%D/%U
> template shell = /bin/sh
> winbind use default domain = yes
>