[Samba] samba and squid are not working together

Vietnhi Phuvan vphuvan at specialai.com
Thu Apr 14 18:49:21 GMT 2005

Hello folks,

I am implementing on a RH Fedora Core Linux machine NTLM authentication 
through samba 3.0.2 for my squid server (Squid-2.5STABLE5-2). Our 
customer's environment is Mixed Mode Windows 2000.

To make a long story short:

(1) I have successfully upgraded kerberos from 1.2.7 to 1.3.3 (I was 
successful because I also upgraded the libraries that kerberos 1.3.3 

(2) I have successfully implemented kerberos 1.3.3 as shown by the 
output of the klist, klist -e and kinit commands

(3) I have implemented the /etc/pam.d/samba and /etc/pam.d/squid files

(4) I have successfully joined the RH Linux machine to the Windows 
domain by using the "net ads join -U administrator" command

(5) I have successfully upgraded samba from samba-3.00 to samba-3.0.2 (I 
was successful because I also upgraded the libraries that samba-3.0.2 

(6) I have properly configured the /etc/samba/smb.conf file, and I have 
shown it by successfully running commands such as wbinfo -u, wbinfo -g, 
wbinfo -p, wbinfo -t, wbinfo -m, wbinfo --sequence, wbinfo -a 
user%password, wbinfo -get-auth user, and of course getent passwd

(7) I have successfully upgraded squid from squid-2.5STABLE3 to 
squid-2.5STABLE5 and I have run squid -v to make sure that squid 
supports winbind authentication

Issue: Doing a QA on squid by pointing an IE 6.0 browser to squid shows 
that the combination squid/samba does not work with NTLM authentication 
(auth_param ntlm program /usr/bin/ntlm_auth 
--helper-protocol=squid-2.5-ntlmssp) - although squid DOES work with 
basic authentication (auth_param basic program /usr/bin/ntlm_auth 
--helper-protocol=squid-2.5-basic) - A check of the 
/var/log/squid/cache.log file shows that an NTLM authentication is 
attempted but not brought to a successful conclusion

I am using the RH RPMs rather than recompiling any of the software from 
source code.

Running smbd -b gets me the following results:

(1)  --with Options:

(2) Builtin modules: pdb_ldap pdb_smbpasswd pdb_tdbsam pdb_guest rpc_lsa 
rpc_reg rpc_lsa_ds rpc_wks rpc_net rpc_dfs rpc_srv rpc_spoolss rpc_samr 
idmap_ldap idmap_tdb auth_rhosts auth_sam auth_unix auth_winbind 
auth_server auth_domain auth_builtin

I acknowledge that the option --with-winbind-auth-challenge looks like 
it's missing, but all of the wbinfo commands work like clockwork.

The message that I get from the /var/log/samba/winbindd.log file is  
"krb5_get_credentials failed for monday$@ANGLERLABS.COM (Ticket 
expired)" where monday$ is the contact DC and ANGLERLABS.COM is a single 
domain (no dependents, no trust relationships baggage)

What gives? Where does the fault lie (squid, samba, both, neither)?

Vietnhi Phuvan
