[Samba] Urgent Samba / Squid NTLM Auth Problems

Andrew Bartlett abartlet at samba.org
Tue Nov 8 05:00:46 GMT 2005


On Mon, 2005-11-07 at 23:21 +0200, Ian Barnes wrote:
> Hi, 
> 
> We are having problems setting up a squid cache server to use NTLMv2
> authentication to authenticate users against AD.
> 
> We have narrowed the problems down to being a problem between samba and
> squid when using NTLMv2. It constantly moans about the password being wrong
> when using squid, but doing a direct samba auth works fine. We have
> (we believe) narrowed it down to this: the domain requires client ntlmv2 =
> yes in samba to work - however it seems ntlm_auth does not support this!

It is meant to work.  Have you enabled the options in the squid.conf?

> Our squid.conf looks like this:
> auth_param ntlm program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp -d9
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> auth_param ntlm children 2
> auth_param basic program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-basic -d9
> auth_param basic children 2
> auth_param basic realm Cache NTLM Authentication
> auth_param basic credentialsttl 2 hours
> 
> Anyone have any idea as to why that would happen when only using squid? Is
> there an option that we need to set to make the authenticator use ntlmv2
> only or something like we had to do for samba? Does ntlm_auth not understand
> the v2 protocol properly?

ntlm_auth understands it, however it requires that:

use_ntlm_negotiate on

be set in the squid.conf.  
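For reference, the quoted squid.conf NTLM section with that directive added, as an example written for this note rather than taken from the thread; the `auth_param ntlm` prefix is the Squid 2.5 directive form and is assumed here:

```conf
# NTLM helper: Squid forwards the client's NTLMSSP NEGOTIATE packet to
# ntlm_auth so winbind can complete the NTLMv2 exchange itself.
auth_param ntlm program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 2
# Directive named in the reply above; without it Squid generates the
# challenge itself and NTLMv2-only domains reject the response.
auth_param ntlm use_ntlm_negotiate on

# Basic fallback for clients that cannot do NTLM (sends the cleartext
# password to winbind, so keep it only where it is actually needed).
auth_param basic program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 2
auth_param basic realm Cache NTLM Authentication
auth_param basic credentialsttl 2 hours
```

The `-d9` debug flag from the original config is left out here, as it belongs on a test instance only.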

> 
> Onto another question, when I join the domain for the first time, I get this
> error when trying to do anything besides a wbinfo -u or wbinfo -g. Here are
> a few examples:
> 
> [root at cont] ~ # wbinfo -t
> checking the trust secret via RPC calls 
> failed error code was NT_STATUS_ACCESS_DENIED (0xc0000022) 
> Could not check secret
> 
> And this from the squid log if we try and auth a user:
> [2005/10/31 11:43:36, 0] utils/ntlm_auth.c:winbind_pw_check(427)
>   Login for user [Domain]\[Proxy2]@[ianb] failed due to [Access denied]
> [2005/10/31 11:43:36, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(600)
>   NTLMSSP BH: NT_STATUS_ACCESS_DENIED
> 
> The strange thing is these errors stop happening from anywhere between 5 and
> 15 minutes after joining the domain. Any ideas as to why they are occurring
> in the first place? Basically: We are able to list users, and groups - but
> wbinfo -t doesn't work until we've been logged on for 5-15 minutes
> (randomly)?

This is really odd.  It is as if the join wasn't propagated to all the
DCs in good time.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net