Morning all,
Im trying to resolve a problem with the way a new squid server im
building handles NTLM authentication for Windows clients that arent
part of the default domain.
I have two groups of PCs. The first group of PC's are in the same
domain as my squid server (which obviously has a working samba running
on it as well). This first group of PC's are using NTLM authentication
in Squid with no problems. When a user opens their browser and enters
a website they arent prompted for a username and password.
The 2nd group of PC's are the group im having problems with. This 2nd
group of PCs are in a seperate windows domain to the squid server.
There is no trust between the two domains. As expected, when the user
opens their browser and tries to access a webpage they are prompted
for their username and password. Thats all well and good. The problem
is, is that they are also being prompted for their domain. Now i can
understand WHY you also need to enter a domain. If you do enter a
domain it does in fact work fine. The user gets access to the web.
The problem is is that I want the users to be successfully
authenticated even if they dont enter a domain in the IE
username/password window. They should still need to enter their
username and password, I just dont want for them to have to enter the
domain.
Ive mucked around with this for a few days and cant seem to make it work.
My smb.conf has
winbind use default domain = yes
Ive tried adding the --domain=[mydomainnamehere] option to my
auth_param line in my squid.conf and it doesnt seem to make any
difference to the behaviour.
What I would like to know is what im trying to do even possible?
If so, can anyone suggest where I should be looking to make it work?
squid.conf lines look like:
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
--require-membership-of=ourdomainame\\ourgroupname
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 20 minutes
auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
--require-membership-of=ourdomainame\\ourgroupname
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
Ill post my smb.conf if its asked for but winbind is working fine so
im pretty certain the problem doesnt lie there.
--
There is no gravity the world sucks.
- William Gibson - Pattern Recognition