I submitted this to the Squid list, but I got no response, which I assume means that no one has any suggestions. Can anyone give me a clue as to what I have configured incorrectly? Thanks.

-------- Original Message --------
Subject: [squid-users] NTLM Authentication Problem
Date: Tue, 28 Oct 2003 11:34:29 -0500
From: Jim Richey <jrichey@highmark.com>
To: squid-users@squid-cache.org

I'm having a problem getting NTLM authentication working between Squid 2.5STABLE4 and Samba 3.0.0 running on Slackware Linux 2.4.18. I've read the archives, faq, how-to, walk-thru, etc, and believe I have everything correctly configured. I'm using the helper that is part of Samba 3.0, not the Squid helper. Basic authentication works fine with the helper, but I cannot get ntlmssp working.

I set group read,execute access to the winbind pipe directory and full read,write,execute on the pipe itself.

drwxr-x--- 2 root squid 72 Oct 27 21:21 winbindd_privileged/
srwxrwxrwx 1 root root 0 Oct 27 21:21 pipe

I have samba configured with ads but am not using it. I joined the domain with rpc and am using security=domain in smb.conf.

The wbinfo commands work fine:

#wbinfo -t
checking the trust secret via RPC calls succeeded

#wbinfo -a TSTDOM\\testuser%testpass
plaintext password authentication succeeded
challenge/response password authentication succeeded

I can also authenticate successfully with the helper from the command line:

#ntlm_auth --username testuser --password testpass
NT_STATUS_OK: Success (0x0)

However, when I try to use ntlm authentication from a browser I get this in cache.log:

[2003/10/28 10:43:41, 10] utils/ntlm_auth.c:manage_squid_request(1061)
Got 'YR' from squid (length: 2).
[2003/10/28 10:43:41, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(312)
got NTLMSSP packet:
[2003/10/28 10:43:41, 10] utils/ntlm_auth.c:manage_squid_ntlmssp_request(322)
NTLMSSP challenge

IE 6.0 SP1 gets a "The page cannot be displayed" error. Mozilla 1.5 gives the login popup, but after entering user id and password returns the Cache Access Denied page.

Squid configured with:

Squid Cache: Version 2.5.STABLE4
configure options: --enable-async-io --enable-storeio=ufs,aufs --enable-auth=ntlm,basic --enable-removal-policies --enable-cache-digests --enable-kill-parent-hack --disable-ident-lookups

authentication in squid.conf configured as:

auth_param ntlm program /usr/local/samba/bin/ntlm_auth -d 10 --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
#
auth_param basic program /usr/local/samba/bin/ntlm_auth -d 10 --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Highmark Proxy Server
auth_param basic credentialsttl 2 hours

acl internet proxy_auth REQUIRED
http_access allow internet
http_access deny all

samba configured with:

--with-winbind --with-winbind-auth-challenge --with-libsmbclient --with-ads --with-krb5=/usr/local

smb.conf configuration:

[global]
workgroup = TSTDOM
netbios name = squidtest
server string = squidtest
security = domain
encrypt passwords = yes
smb passwd file = /usr/local/samba/private/smbpasswd
load printers = yes
log file = /usr/local/samba/var/log.%m
max log size = 50
password server = pwdserver
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = no
domain master = no
preferred master = no
wins support = no
idmap uid = 10000-65000
idmap gid = 10000-65000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/sh
winbind use default domain = yes

Hi,
I tried this too with Samba 3 and Squid 2.5STABLE4 and I can't get it to work either. I use the PAM modules to match Samba and Squid users for now (but it is not the king's way).

Best Regards

----- Original Message -----
From: "Jim Richey" <jrichey@highmark.com>
To: <samba@lists.samba.org>
Sent: Wednesday, October 29, 2003 7:31 PM
Subject: [Samba] [Fwd: [squid-users] NTLM Authentication Problem]

> I submitted this to the Squid list, but I got no response, which I assume
> means that no one has any suggestions. Can anyone give me a clue as to
> what I have configured incorrectly? Thanks.
>
> -------- Original Message --------
> Subject: [squid-users] NTLM Authentication Problem
> Date: Tue, 28 Oct 2003 11:34:29 -0500
> From: Jim Richey <jrichey@highmark.com>
> To: squid-users@squid-cache.org
>
> I'm having a problem getting NTLM authentication working between Squid
> 2.5STABLE4 and Samba 3.0.0 running on Slackware Linux 2.4.18. I've read the
> archives, faq, how-to, walk-thru, etc, and believe I have everything
> correctly configured. I'm using the helper that is part of Samba 3.0,
> not the Squid helper. Basic authentication works fine with the helper,
> but I cannot get ntlmssp working.
>
> I set group read,execute access to the winbind pipe directory and full
> read,write,execute on the pipe itself.
>
> drwxr-x--- 2 root squid 72 Oct 27 21:21 winbindd_privileged/
> srwxrwxrwx 1 root root 0 Oct 27 21:21 pipe
>
> I have samba configured with ads but am not using it. I joined the
> domain with rpc and am using security=domain in smb.conf.
Andrew Bartlett
2003-Oct-30 08:59 UTC
[Samba] [Fwd: [squid-users] NTLM Authentication Problem]
Cool, I will try it next time I will set up squid, thx.

----- Original Message -----
From: "Jim Richey" <jrichey@highmark.com>
To: "Andrew Bartlett" <abartlet@samba.org>
Cc: "rruegner" <robowarp@gmx.de>; <samba@lists.samba.org>; "Kinkie" <me@kinkie.it>
Sent: Sunday, November 02, 2003 1:26 AM
Subject: Re: [Samba] [Fwd: [squid-users] NTLM Authentication Problem]

> I managed to discover the problem. Because of a bug in IE 6.0 which
> causes squid to initially display a page not found and then after a
> refresh correctly displays the page, I had squid configured to not allow
> client persistent connections. For NTLM authentication to work, client
> persistent connections must be enabled in squid.conf.
>
> Andrew Bartlett wrote:
>
> > On Thu, 2003-10-30 at 05:53, rruegner wrote:
> >
> > > Hi,
> > > i tried this too with samba 3 and squid 2.5STABLE4 and i can't get it to
> > > work too.
> >
> > What are the clients in these cases? (Win9X is known to have problems)
> >
> > Can you try Squid 3.0, applying this patch (not my patch, thank kinkie
> > from the squid team for it), and set
> >
> > ntlmv2 on
> >
> > in your squid.conf?
> >
> > I think the problem might be that the client is setting something
> > 'interesting' in their NTLMSSP negotiate packet, but that without this
> > patch, we are prevented from seeing it.
> >
> > (The patch might apply to squid 2.5, if you rename the .cc to .c).
> >
> > Andrew Bartlett
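
The resolution reported in this thread can be checked mechanically: NTLM authenticates the TCP connection across several request/response round trips, so the handshake cannot complete when Squid closes the client connection after each reply. The following is an added example, not code from the thread or from the Squid or Samba projects; it scans squid.conf text for an NTLM helper combined with Squid's `client_persistent_connections off`. The function names and both sample configurations are constructed for illustration.

```python
# Constructed sample configs (not the poster's full squid.conf).
BROKEN_CONF = """\
auth_param ntlm program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
client_persistent_connections off
acl internet proxy_auth REQUIRED
http_access allow internet
http_access deny all
"""
FIXED_CONF = BROKEN_CONF.replace("client_persistent_connections off",
                                 "client_persistent_connections on")


def directives(conf_text):
    """Yield (line_no, name, args) for every non-comment, non-blank line."""
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            name, *args = line.split()
            yield line_no, name, args


def check_ntlm_keepalive(conf_text):
    """Return findings as strings; an empty list means the check passed."""
    ntlm_line = None
    # Squid enables client persistent connections when the directive is absent.
    state, state_line = "on", None
    for line_no, name, args in directives(conf_text):
        if name == "auth_param" and args[:2] == ["ntlm", "program"]:
            ntlm_line = line_no
        elif name == "client_persistent_connections" and args:
            # Assumption: the last occurrence is the one that takes effect.
            state, state_line = args[0].lower(), line_no
    if ntlm_line is not None and state != "on":
        return [f"line {state_line}: client_persistent_connections {state} "
                f"breaks the NTLM helper configured on line {ntlm_line}"]
    return []


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, check_ntlm_keepalive(conf) or "ok")
```
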