[Samba] IE improperly prompts for credentials; ntlm_auth with Samba 3.0.13, Squid 2.5.STABLE7, RedHat Linux 9.0, SmartFilter 4.01

Greg Scott GregScott at InfraSupport.com
Mon Apr 4 07:24:39 GMT 2005

This turned into the mother of all system integration exercises and I
**almost**  have it working.  
I am trying to set up proxy authorization using:  

	RedHat Linux 9.0, 
	MIT Kerberos 1.4 built from source, 
	Samba 3.0.13 built from source, 
	Squid 2.5.STABLE7 built from source
	SmartFilter 4.01.  
	Active Directory with Windows 2003

Why not use RPMs?  Well - ADS support for Windows 2003 needs Kerberos
1.3 or newer.  But RedHat 9.0 has Kerberos 1.2.7 and zillions of RedHat
packages depend on it.  So I need krb5 1.4 in another tree and
everything pretty much flows from that.  

See below for details on how I built all this, with attributions to
everyone who has helped so far.   Once this is up and running, I'll
update my step by step instructions and post them.  So below is a
snapshot as of right now and will likely change in a few hours.

Here is, I think, my last remaining problem getting this into

Whenever I launch IE on a client PC, IE prompts the user for
credentials.  IE is supposed to just pass the credentials to Squid
without annoying the user for this, but it doesn't and this is making me
nuts.  If the user enters 


s(he) gets to the desired website via Squid/SmartFilter and I assume I
can set appropriate SmartFilter policies to regulate usage.  But it is
not acceptable for a user to always enter credentials and this
combination of software is supposed to eliminate that hassle.  

I must be missing something...

>From Windows, I can browse to the Linux box via My Network Places and
view its Samba shares.
>From Linux, getent passwd returns all the A/D usernames and getent group
returns all the A/D groups.

>From Linux, /usr/local/samba/bin/wbinfo -g, /usr/local/samba/bin/wbinfo
-u, and /usr/local/samba/bin/wbinfo -t work as advertised and return my
A/D groups, users, and verify the trust relationship.

/usr/local/samba/bin/ntlm_auth --username=[USERNAME] works as advertised
- success if a good username/password, failure otherwise.  Similarly, 

/usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic works
as advertised and returns OK if a good username/password, ERR otherwise.

Running /usr/local/samba/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp returns output I don't understand,
but the Squid FAQ says you can't really test this one by hand anyway.  

This all suggests Samba is good. 

Here are the relevant lines from /usr/local/etc/squid.conf
#  TAG: auth_param
#       This is used to define parameters for the various authentication

#       schemes supported by Squid.
#       format: auth_param scheme parameter [setting]
#       The order in which authentication schemes are presented to the
client is
auth_param basic children 5
#auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

# Site specific configs

auth_param ntlm program /usr/local/samba/bin/ntlm_auth
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

auth_param basic program /usr/local/samba/bin/ntlm_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src
#http_access allow our_networks

##acl my_network src
##http_access allow my_network

acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers

##acl password proxy_auth REQUIRED
##http_access allow password

# And finally deny all other access to this proxy
http_access deny all

This spawns another question - why do I need an auth_param for both ntlm
and basic authentication?  What's the difference?  Lots of documentation
all over the place says I need both and in this order but I haven't
found anything that says why.  Could this be a key to my problem?


- Greg Scott
  GregScott at InfraSupportEtc.com

Here are the build notes - remember, this is a snapshot in time, useful
right now for debugging.  Below is a work in progress.

For Squid authentication with an Active Directory domain, we need Samba,
up with Kerberos.  

Redhat Linux 9.0 ships with Kerberos version 5, revision 1.2.7-10.
we need at least rev 1.3 to work with Windows 2003.  See this URL for a

The fc3 RPM directory has rev 1.3 RPMs.  Unfortunately, several dozen
components in RedHat 9.0 depend on the 1.2.7 RPMs installed, especially
the Kerberos libraries.  

So we need to build a copy of Kerberos from source and put it in an
directory.  Then we'll build a copy of Samba using this Kerberos build.

We get the latest and greatest Kerberos from MIT.

For the MIT Kerberos download, see:

FOr release notes, see:

FOr the Installation Guide see:

First, put a copy of the download into /usr/src
cp krb5-1.4-signed.tar /usr/src

Do this to unpack the download.
cd /usr/src
tar -xvf krb5-1.4-signed.tar

This extracts these two files:
krb5-1.4.tar.gz - the actual software
krb5-1.4.tar.gz.asc - a signature

Now do this to unpack the Kerberos software:
tar -xvzf krb5-1.4.tar.gz

Now build it.  By default, Kerberos will install the package's files
at `/usr/local' as in `/usr/local/bin', `/usr/local/sbin', etc.  (Pasted
the Installation Guide).  We will need this later on when we build

cd /usr/src/krb5-1.4
cd src
make install

Some notes:

Make sure /etc/hosts has the FQDN of this system in place, similar to

[root at infra-fw src]# more /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.               squidtest.infrasupportetc.com
localhost.localdomain localhost              squidtest.infrasupportetc.com

Test the build like this:

cd /usr/src/krb5-1.4/src
make check

Fix any problems it calls out and keep running until it finishes

Now to build Samba from source to take advantage of the newest Kerberos

Download samba-3.0.13.tar.gz from here:

Put the saveset in the source directory:
cp samba-3.0.13.tar.gz /usr/src

Unpack it
cd /usr/src
tar -xvzf samba-3.0.13.tar.gz

Now build it with the Kerberos flavor installed earlier
cd /usr/src/samba-3.0.13/source
./configure --with-ads --with-krb5=/usr/local
make install

Configure Samba to work with Kerberos

Set up smb.conf and krb5.conf.
(The paths are /usr/local/samba/lib/smb.conf and /etc/krb5.conf.)

(Extracted from the email Chris Cinnamo from Secure Computing sent.)

Edit the smb.conf 


realm = <YOUR DOMAIN> ex. support.com
workgroup = <DOMAIN> ex. support
security = ADS
encrypt passwords = yes
password server =

# idmap uid and idmap gid are aliases for
# winbind uid and winbid gid, respectively
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes

comment = Samba functionality test directory
path = /home/ryan/
read only = no
browsable = yes
writable = yes
guest ok = yes
valid users = @SUPPORT\"Domain Users"


(Note that Kerberos uses realms named the same as the A/D domain name.
BUt --IMPORTANT--  the realm name must be in all UPPER CASE.  So
infrasupportetc.com becomes INFRASUPPORTETC.COM)

 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

 default_realm = SUPPORT.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

  kdc =
  admin_server =
  default_domain = SUPPORT.com

 .centralpower.com = SUPPORT.COM
 centralpower.com = SUPPORT.COM

# profile = /var/kerberos/krb5kdc/kdc.conf

 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false

Add following entries in nssswitch.conf:

  passwd:        files winbind
  group:         files winbind

Samba uses a daemon called winbindd that handles the authentication
between Windows and Linux.
When a Windows system tries to look at a share on the Samba server, it
passes credentials.  
The Samba server needs to know where to look to validate the
credentials.  The above entries
tell the Samba server to first check the local passwd file and if not
there, then have Winbindd
look back in the Windows AD.  It turns out, there is more to the story.
In order for the Samba
server to have a clue how to tell winbindd what to do, we need to put
some Samba libraries in 
the right place.  As of 4/3/2005, the documentation in the
Samba-HOWTO-Collection is wrong.  
Use this script provided by Doug VanLeuven to set up the libraries:


# Save this script in /home/gregs or someplace convenient.
# cd /usr/src/samba-3.0.13/source and run this script from there.

echo "Copying nsswitch modules to system library"


cd /lib
rm -f libnss_winbind.so libnss_winbind.so.1 libnss_winbind.so.2
rm -f libnss_wins.so libnss_wins.so.1 libnss_wins.so.2
cd /usr/lib
rm -f libnss_winbind.so libnss_wins.so

cd $CWD
cp -f nsswitch/libnss_winbind.so /lib
cp -f nsswitch/libnss_wins.so /lib

cd /lib
ln -sf libnss_winbind.so libnss_winbind.so.1
ln -sf libnss_winbind.so libnss_winbind.so.2
ln -sf libnss_wins.so libnss_wins.so.1
ln -sf libnss_wins.so libnss_wins.so.2

cd /usr/lib
ln -sf ../../lib/libnss_winbind.so libnss_winbind.so
ln -sf ../../lib/libnss_wins.so libnss_wins.so


We need a place for log files.  The smb.conf template points here:
mkdir /var/log/samba

(Also look in the already existing directory, /usr/local/samba/var for

Since we are building from source, we need a script to fire up the
daemons, like this:


Save this script someplace convenient, perhaps /firewall-scripts.

Now join this system to the Win2003 domain.  Here is an extract:

[root at infra-fw gregs]# /usr/local/samba/bin/net ads join -S
-U administrator
administrator's password: 
Using short domain name -- INFRASUPPORTETC

Here are a few useful commands for testing:

kinit username at DOMAIN.SUFFIX	Use Kerberos to get a ticket (prompts
for password)
klist -e			Lists cached kerberos tickets

/usr/local/samba/bin/wbinfo -t	Check the trust relationship
/usr/local/samba/bin/wbinfo -g	Enumerate groups in the AD domain
/usr/local/samba/bin/wbinfo -u	Enumerate users in the AD domain

/usr/bin/ntlm_auth --username=[username]

This example will be useful later.  Squid will use this Samba program as
an authentication

[root at Stylmark-fw etc]# /usr/local/samba/bin/ntlm_auth --username=gregs
NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
[root at Stylmark-fw etc]# 
[root at Stylmark-fw etc]# 
[root at Stylmark-fw etc]# /usr/local/samba/bin/ntlm_auth --username=gregs
NT_STATUS_OK: Success (0x0)

Now rebuild Squid
(The following modified from the explanation from Secure Computing Tech

cd /usr/local/squid/src/squid-2.5.STABLE7
./configure \
	--enable-smartfilter \
	--enable-async-io \
	--enable-linux-netfilter \
	--enable-underscores \
	--prefix=/usr/local/squid \
        --enable-auth="ntlm,basic" \
        --enable-external-acl-helpers="wbinfo_group" \

make clean
make all
make install

For Samba 3.n, Squid will use the authentication helpers with Samba.  No
need to build any Squid
authentication helpers.  In fact, the squid FAQ says it won't work with
Samba 3.0.  See:

Put the following changes into /usr/local/squid/etc/squid.conf:

auth_param ntlm program /usr/local/samba/bin/ntlm_auth
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

auth_param basic program /usr/local/samba/bin/ntlm_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers

change group ownership for the Samba winbindd files:
chgrp squid /usr/local/samba/var/locks/winbindd_privileged -R

change file ownership on squid files:
cd /usr/local/squid
chown squid.squid * -R

create cache dirs and then start squid:
su squid

/usr/local/squid/sbin/squid -z

killall -name squid -9



from a pc logged into AD you should now be able to point ie to your
squid proxy
and NOT be prompted for username and password


More information about the samba mailing list