Greetings:
I am in the process of setting up ntlm-based user authentication with
Squid. Following the various instructions available in the FAQ and on the
mailing list, I have what appears to be a functioning setup: I can use
`wbinfo' to authenticate successfully, and Squid works as configured,
logging my authenticated username into the logs. However, after what
appears to be a random amount of time into a browsing session, I begin
to get authentication failures that cause a "Login" window to pop up.
Restarting winbindd with debugging turned on shows a string of successful
credential checks, followed by failures:
[2003/06/04 10:14:29, 5]
nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(213)
NTLM CRAP authentication for user [MYGROUP]\[STEVE] returned
NT_STATUS_OK (PAM: 0)
... a bunch of these, followed by a string of:
[2003/06/04 10:16:41, 2]
nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(213)
NTLM CRAP authentication for user [MYGROUP]\[STEVE] returned
NT_STATUS_WRONG_PASSWORD (PAM: 4)
What's strange is that a page will almost load up to completion, but then
things will grind to a halt with a password prompt when trying to load up
a random image on the page.
I am running 2.5S3 and Samba 2.2.8a on a Solaris 8/SPARC machine. The PDC
is running Windows 2000+SP3. I have witnessed this behaviour occurring
with IE 5.5 & 6 running on Win98, 2000 and XP.
Relevant parts of the configuration files:
== squid.conf ==
auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
== smb.conf ==
workgroup = MYGROUP
password server = MYPDC
security = domain
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
$ ./wbinfo -a MYGROUP\\steve%password
plaintext password authentication succeeded
challenge/response password authentication succeeded
Any help would be greatly appreciated. I can easily turn up the debug
level on winbindd to capture more detail if it'll help.
Thank you,
Steve
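
One way to condense a winbindd debug log like the one quoted above into per-user runs of identical results, so the moment NT_STATUS_OK turns into NT_STATUS_WRONG_PASSWORD can be lined up against Squid's access.log and the configured challenge settings. This is an added example, not part of the original post and not Samba or Squid code; the function names are hypothetical and the sample log is constructed from the two entries shown in the post.

```python
import re
from datetime import datetime
from itertools import groupby

# Matches one winbindd auth_crap result, tolerating line wraps between the
# "[timestamp, level] file:function(line)" header and the message text.
ENTRY = re.compile(
    r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\]\s+"
    r"\S*winbindd_pam_auth_crap\(\d+\)\s+"
    r"NTLM CRAP authentication for user \[([^\]]*)\]\\\[([^\]]*)\]\s+"
    r"returned\s+(NT_STATUS_\w+)"
)

def parse(text):
    """Yield (timestamp, 'DOMAIN\\user', status) for each auth result."""
    for ts, domain, user, status in ENTRY.findall(text):
        yield datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"), f"{domain}\\{user}", status

def status_runs(text):
    """Return {user: [(status, first_seen, last_seen, count), ...]} runs."""
    by_user = {}
    for ts, user, status in parse(text):
        by_user.setdefault(user, []).append((ts, status))
    runs = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e[0])
        runs[user] = []
        # Consecutive results with the same status collapse into one run.
        for status, group in groupby(events, key=lambda e: e[1]):
            stamps = [ts for ts, _ in group]
            runs[user].append((status, stamps[0], stamps[-1], len(stamps)))
    return runs

# Constructed sample in the format quoted in the post; the 10:15:02 entry is made up.
SAMPLE = r"""
[2003/06/04 10:14:29, 5] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(213)
  NTLM CRAP authentication for user [MYGROUP]\[STEVE] returned NT_STATUS_OK (PAM: 0)
[2003/06/04 10:15:02, 5] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(213)
  NTLM CRAP authentication for user [MYGROUP]\[STEVE] returned
NT_STATUS_OK (PAM: 0)
[2003/06/04 10:16:41, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(213)
  NTLM CRAP authentication for user [MYGROUP]\[STEVE] returned NT_STATUS_WRONG_PASSWORD (PAM: 4)
"""

if __name__ == "__main__":
    for user, user_runs in status_runs(SAMPLE).items():
        for status, first, last, count in user_runs:
            print(f"{user}: {count:3d} x {status:26s} {first:%H:%M:%S} .. {last:%H:%M:%S}")
```

The gap between the start of the last OK run and the first failure is the figure to compare with the squid.conf challenge lifetime and with the request timestamps in access.log.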