Hello folks,
I am implementing on a RH Fedora Core Linux machine NTLM authentication
through samba 3.0.2 for my squid server (Squid-2.5STABLE5-2). Our
customer's environment is Mixed Mode Windows 2000.
To make a long story short:
(1) I have successfully upgraded kerberos from 1.2.7 to 1.3.3 (I was
successful because I also upgraded the libraries that kerberos 1.3.3
requires)
(2) I have successfully implemented kerberos 1.3.3 as shown by the
output of the klist, klist -e and kinit commands
(3) I have implemented the /etc/pam.d/samba and /etc/pam.d/squid files
(4) I have successfully joined the RH Linux machine to the Windows
domain by using the "net ads join -U administrator" command
(5) I have successfully upgraded samba from samba-3.00 to samba-3.0.2 (I
was successful because I also upgraded the libraries that samba-3.0.2
requires)
(6) I have properly configured the /etc/samba/smb.conf file, and I have
shown it by successfully running commands such as wbinfo -u, wbinfo -g,
wbinfo -p, wbinfo -t, wbinfo -m, wbinfo --sequence, wbinfo -a
user%password, wbinfo -get-auth user, and of course getent passwd
(7) I have successfully upgraded squid from squid-2.5STABLE3 to
squid-2.5STABLE5 and I have run squid -v to make sure that squid
supports winbind authentication
Issue: Doing a QA on squid by pointing an IE 6.0 browser to squid shows
that the combination squid/samba does not work with NTLM authentication
(auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp) - although squid DOES work with
basic authentication (auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic) - A check of the
/var/log/squid/cache.log file shows that an NTLM authentication is
attempted but not brought to a successful conclusion.
I am using the RH RPMs rather than recompiling any of the software from
source code.
Running smbd -b gets me the following results:
(1) --with Options:
WITH_ADS
WITH_AUTOMOUNT
WITH_PAM
WITH_QUOTAS
WITH_SENDFILE
WITH_SMBMOUNT
WITH_SYSLOG
WITH_UTMP
WITH_WINBIND
(2) Builtin modules: pdb_ldap pdb_smbpasswd pdb_tdbsam pdb_guest rpc_lsa
rpc_reg rpc_lsa_ds rpc_wks rpc_net rpc_dfs rpc_srv rpc_spoolss rpc_samr
idmap_ldap idmap_tdb auth_rhosts auth_sam auth_unix auth_winbind
auth_server auth_domain auth_builtin
I acknowledge that the option --with-winbind-auth-challenge looks like
it's missing, but all of the wbinfo commands work like clockwork.
The message that I get from the /var/log/samba/winbindd.log file is
"krb5_get_credentials failed for monday$@ANGLERLABS.COM (Ticket
expired)" where monday$ is the contact DC and ANGLERLABS.COM is a single
domain (no dependents, no trust relationships baggage).
What gives? Where does the fault lie (squid, samba, both, neither)?
Vietnhi Phuvan