[Samba] [newbie] SQUID/SAMBA problems with NTLM_Auth

Stuart Chase schase at elpasohonda.com
Mon Nov 29 21:13:52 GMT 2004


Hello, I haven't gotten an answer over on the squid usergroup - so I'm hoping
someone can help me here.

SUSE - 9.1
SQUID - 2.5.STABLE5
SAMBA - 3.0.2a-SUSE (the one that came with SUSE Installer by YAST)

I have set up squid, samba, got the winbind to work great.
wbinfo -t, -u, -g all work great.
Squid also worked great until I tried to tie in NTLM_Auth.
If I authenticate using /usr/bin/ntlm_auth --username=administrator
it authenticates perfectly.


I have this in my squid.conf 


auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 45 
auth_param ntlm max_challenge_reuses 0 
auth_param ntlm max_challenge_lifetime 2 minutes 
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5 
auth_param basic realm Squid proxy-caching web server 
auth_param basic credentialsttl 2 hours 


And my ACLs


acl all src 0.0.0.0/0.0.0.0 
acl localhost src 127.0.0.1/255.255.255.255 
http_access allow localhost 
acl AuthorizedUsers proxy_auth REQUIRED 
http_access allow all AuthorizedUsers 
http_access deny all 
http_reply_access allow all 


And if I try to browse any website at all, the squid access.log shows
TCP_DENIED/407


In the squid cache.log I can see
authenticateValidateUser: Validating Auth_user request '0x8487f80'
Then authenticateValidateUser: Validated Auth_user request '0x8487f80'
Then
User not fully authenticated
It will continue like that counting 4, 3, 2, 1 and will eventually say
The request GET http://www.yahoo.com/ is DENIED, because it matched 'AuthorizedUsers'
Access Denied: http://www.yahoo.com
AclMatchedName = AuthorizedUsers
Proxy Auth message = <NULL>


Later down the log I'll see
Creating entry 0x832c000: near 'X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0'
Creating entry 0x832c000: near 'Proxy-Authenticate: NTLM - a whole bunch of
letters, then trying more lookups.



Any ideas where I seem to be going awry here? 


Thank you. 


