Re: [squid-users] NTLM Authentication Problem

From: Jim Richey <jrichey@dont-contact.us>
Date: Sat, 01 Nov 2003 19:27:27 -0500

I managed to discover the problem. Because of a bug in IE 6.0 which
causes squid to initially display a page not found and then after a
refresh correctly displays the page, I had squid configured to not allow
client persistent connections. For NTLM authentication to work, client
persistent connections must be enabled in squid.conf.

Jim Richey wrote:

> I'm having a problem getting NTLM authentication working between Squid
> 2.5STABLE4 and Samba 3.0.0 running on Linux 2.4.18. I've read the
> archives, faq, how-to, walk-thru, etc, and believe I have everything
> correctly configured. I'm using the helper that is part of Samba 3.0,
> not the Squid helper. Basic authentication works fine with the helper,
> but I cannot get ntlmssp working.
> I set group read, execute access to the winbind pipe directory and full
> read, write, execute on the pipe itself.
> drwxr-x--- 2 root squid 72 Oct 27 21:21 winbindd_privileged/
>
> srwxrwxrwx 1 root root 0 Oct 27 21:21 pipe=
>
> I have samba configured with ads but am not using it. I joined the
> domain with rpc and am using security=domain in smb.conf.
>
> The wbinfo commands work fine:
> #wbinfo -t
> checking the trust secret via RPC calls succeeded
>
> #wbinfo -a TSTDOM\\testuser%testpass
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> I can also authenticate successfully with the helper from the command
> line:
> #ntlm_auth --username testuser --password testpass
> NT_STATUS_OK: Success (0x0)
>
> However, when I try to use ntlm authentication from a browser I get
> this in cache.log:
> [2003/10/28 10:43:41, 10] utils/ntlm_auth.c:manage_squid_request(1061)
> Got 'YR' from squid (length: 2).
> [2003/10/28 10:43:41, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(312)
> got NTLMSSP packet:
> [2003/10/28 10:43:41, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(322)
> NTLMSSP challenge
>
> The browser gets the Squid Cache Access Denied error page. This
> happens with both IE 6.0 SP1 and Mozilla 1.5.
>
>
> Squid configured with:
>
> Squid Cache: Version 2.5.STABLE4
> configure options: --enable-async-io --enable-storeio=ufs,aufs
> --enable-auth=ntlm,basic --enable-removal-policies
> --enable-cache-digests --enable-kill-parent-hack --disable-ident-lookups
>
>
> authentication in squid.conf configured as:
>
> auth_param ntlm program /usr/local/samba/bin/ntlm_auth -d 10 --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 5
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> #
> auth_param basic program /usr/local/samba/bin/ntlm_auth -d 10 --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Highmark Proxy Server
> auth_param basic credentialsttl 2 hours
>
> acl internet proxy_auth REQUIRED
> http_access allow internet
> http_access deny all
>
>
> samba configured with:
> --with-winbind --with-winbind-auth-challenge --with-libsmbclient
> --with-ads --with-krb5=/usr/local
>
>
> smb.conf configuration:
>
> [global]
> workgroup = TSTDOM
> netbios name = squidtest
> server string = squidtest
> security = domain
> encrypt passwords = yes
> smb passwd file = /usr/local/samba/private/smbpasswd
> load printers = yes
> log file = /usr/local/samba/var/log.%m
> max log size = 50
> password server = pwdserver
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> local master = no
> domain master = no
> preferred master = no
> wins support = no
> idmap uid = 10000-65000
> idmap gid = 10000-65000
> winbind enum users = yes
> winbind enum groups = yes
> template homedir = /home/%D/%U
> template shell = /bin/sh
> winbind use default domain = yes
>
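The point of the reply above (NTLM's challenge is bound to the TCP connection, so Squid cannot finish the handshake once it closes the client connection after sending the challenge), as an added Python model; this is not Squid's or Samba's code, and the class, method names and status values are assumptions for illustration only:

```python
import secrets


class NtlmProxy:
    """Toy model (not Squid code) of the NTLM state Squid keeps per TCP connection."""

    def __init__(self, client_persistent_connections):
        self.persistent = client_persistent_connections
        self.challenges = {}   # conn id -> challenge outstanding on that connection
        self.conn_counter = 0

    def open_connection(self):
        self.conn_counter += 1
        return self.conn_counter

    def request(self, conn, proxy_authorization=None):
        """Handle one request; return (status, connection_closed, challenge_or_None)."""
        close = not self.persistent      # client_persistent_connections off: close after every reply
        if proxy_authorization is None:
            return 407, close, None      # Proxy-Authenticate: NTLM
        kind, _, token = proxy_authorization.partition(":")
        if kind == "NTLM NEGOTIATE":     # type 1 message: helper gets 'YR' and answers with a challenge
            challenge = secrets.token_hex(4)
            self.challenges[conn] = challenge
            return 407, close, challenge  # Proxy-Authenticate: NTLM <type 2 challenge>
        if kind == "NTLM AUTHENTICATE":  # type 3 message: helper gets 'KK <response>'
            expected = self.challenges.pop(conn, None)   # single use, as with max_challenge_reuses 0
            if expected is not None and token == expected:
                return 200, close, None  # helper answers 'AF user': authenticated
            return 407, close, None      # no challenge bound to this connection: access denied
        return 400, close, None


def browser_login(proxy):
    """Drive the three-leg exchange as a browser would, reconnecting whenever the proxy closed."""
    conn = proxy.open_connection()
    _, closed, _ = proxy.request(conn)
    if closed:
        conn = proxy.open_connection()
    _, closed, challenge = proxy.request(conn, "NTLM NEGOTIATE")
    if closed:
        conn = proxy.open_connection()   # fresh connection: the challenge context is gone
    status, _, _ = proxy.request(conn, f"NTLM AUTHENTICATE:{challenge}")
    return status


if __name__ == "__main__":
    print("persistent on :", browser_login(NtlmProxy(True)))    # 200
    print("persistent off:", browser_login(NtlmProxy(False)))   # 407
```

With persistence off the browser's type 3 message lands on a new connection that carries no challenge, which is the "Access Denied" the original post observed after the helper had already logged the challenge step.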
Received on Sat Nov 01 2003 - 17:27:41 MST
