[Samba] ADS auth for squid

Steve Allen steve.allen at member.sage-au.org.au
Thu Jun 25 00:01:21 GMT 2009


I've already tried this in a squid list, but no response so maybe my 
problem is related to my squid conf.

I'm setting up a squid proxy to auth against our 2003 ADS.

I have ntlm working so it authenticates both transparently to the user 
and using domain\username login.

My problem is getting squid to auth with just the username, not requiring 
the domain\ part.

The docs say I need to have winbind use default domain = yes which I do.

With the option set to yes I get

proxyv4# wbinfo -u | grep test99

without the option I get
proxyv4# wbinfo -u | grep test99

What am I missing? I didn't configure anything for kerberos because of 
this line in the samba howto

> With both MIT and Heimdal Kerberos, it is unnecessary to configure the 
> /etc/krb5.conf, and it may be detrimental. 

My system hasn't got a krb5.conf at all and I wonder if the lack of 
said file is causing me to have to enter the AFCT\test99 format?


FreeBSD 6.4-RELEASE-p5 AMD64
Squid Cache: Version 3.0.STABLE15
Samba Version 3.3.4
Windows 2003 ADS in what appears to be native mode.


workgroup = AFCT
realm = afct.org.au
Server String = AFC Proxy
security = ads
encrypt passwords = yes
winbind use default domain = yes
wins server =

Relevant lines in squid for ntlm

auth_param ntlm program /usr/local/bin/ntlm_auth 
auth_param ntlm children 5
auth_param ntlm keep_alive on
auth_param basic program /usr/local/bin/ntlm_auth 
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
