[Samba] samba4 and squid with NTLM auth

Eugene M. Zheganin eugene at zhegan.in
Wed Aug 7 03:57:32 MDT 2013



Besides serving files I'm using Samba to authenticate users in the
Windows AD with squid.
After having issues with samba 3.6.16 I decided to see if samba4 will
fit me more. I was surprised, but I found that Samba 4 is fully
functional in my environment and is nearly production-ready.

After that I tried to setup squid to use samba for NTLM authentication.
I found something that may be a bug, but may be also a misconfiguration
of some sort. In short words - it doesn't work.
To describe what's not working, I should say that in my configuration
squid is authorizing user in two stages:
- ntlm_auth is authenticating user
- external squid helper is authorizing user's access to an URL using a
supplied by ntlm_auth name and the group membership information from the AD.

It turns out that for some reason ntlm_auth authenticates user just
fine, but then it is supplying squid with some sort of corrupted username:

squid access log:

1375868558.129 1957 TCP_DENIED/403 2338 GET
http://www.ru/rus/index.php ZZZZZZZZZZZZZZZZ%a0%92%03\r%08 HI
ER_NONE/- text/html

This ZZZZ[...] is actually my username - 'emz', but looks it's
authenticated by ntlm_auth. Squid also thinks that this username has
been just authenticated, and tries to look it's group membership

Squid cache log:

support_member.cc(124): pid=12390 :2013/08/07 15:42:38|
kerberos_ldap_group: INFO: User ZZZZZZZZZZZZZZZZ═..
. is not member of group at domain Internet Users - Crystal at NULL

Considering that everything is fine when using samba 3.5.x, I suppose
the answer is is samba software.
Is this some bug or a misconfiguration ?


More information about the samba mailing list