[Samba] Urgent Samba / Squid NTLM Auth Problems
abartlet at samba.org
Tue Nov 8 05:00:46 GMT 2005
On Mon, 2005-11-07 at 23:21 +0200, Ian Barnes wrote:
> We are having problems setting up a squid cache server to use NTLMv2
> authentication to authenticate users against AD.
> We have narrowed the problems down to being a problem between samba and
> squid when using NTLMv2. It constantly moans about the password being wrong
> when using squid, but doing a direct samba auth works fine. We have
> (believedly) narrowed it down to this: the domain requires client ntlmv2 =
> yes in samba to work - however it seems ntlm_auth does not support this!
It is meant to work. Have you enabled the options in the squid.conf?
> Our squid.conf looks like this:
> auth_param ntlm program /usr/local/libexec/squid/ntlm_auth
> --helper-protocol=squid-2.5-ntlmssp -d9
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes auth_param ntlm children 2
> auth_param basic program /usr/local/libexec/squid/ntlm_auth
> --helper-protocol=squid-2.5-basic -d9
> auth_param basic children 2
> auth_param basic realm Cache NTLM Authentication auth_param basic
> credentialsttl 2 hours
> Anyone have any idea as to why that would happen when only using squid? Is
> there an option that we need to set to make the authenticator use ntlmv2
> only or something like we had to do for samba? Does ntlm_auth not understand
> the v2 protocol properly?
ntlm_auth understands it, however it requires that:
be set in the squid.conf.
> Onto another question, when I join the domain for the first time, I get this
> error when trying to do anything besides a wbinfo -u or wbinfo -g. Here are
> a few examples:
> [root at cont] ~ # wbinfo -t
> checking the trust secret via RPC calls
> failed error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> Could not check secret
> And this from the squid log if we try and auth a user:
> [2005/10/31 11:43:36, 0] utils/ntlm_auth.c:winbind_pw_check(427)
> Login for user [Domain]\[Proxy2]@[ianb] failed due to [Access denied]
> [2005/10/31 11:43:36, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(600)
> NTLMSSP BH: NT_STATUS_ACCESS_DENIED
> The strange thing is these errors stop happening from anywhere between 5 and
> 15 minutes after joining the domain. Any ideas as to why they are occurring
> in the first place? Basically: We are able to list users, and groups - but
> wbinfo -t doesn't work until we've been logged on for 5-15 minutes
This is really odd. It is as if the join wasn't propagated to all the
DCs in good time.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20051108/5d562900/attachment-0001.bin
More information about the samba