Hi,

I have encountered a problem and I don't know how or if I can work around the problem.

I set up squid to use NTLM to auth against a 2003 machine. On Windows 2003 there is a security option called: "Network Security: LAN Manager authentication level properties", now the default option for this setting is: "Send NTLM response only". If I use the defaults, I can connect fine and users can auth and everything is perfect. The problem comes in when I change that setting to read: "Send NTLMv2 response only\refuse LM & NTLM", then I can't auth anymore, I can't even join the domain anymore.

I am running squid version 2.5.stable4 with samba 3.0.10. My configuration looks as follows:

I run the following command to join the domain which works if I have the default option enabled, and fails with invalid username or password with the custom setting:

# /usr/local/bin/net join -S SERVER -w DOMAIN -U username%password

I then run winbindd and nmbd. If the default setting in 2003 is used, I can then view users and groups, but with custom setting it doesn't get this far because the net join fails.

My squid config looks like this:

auth_param ntlm program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm children 2
auth_param basic program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 2
auth_param basic realm Cache NTLM Authentication
auth_param basic credentialsttl 2 hours

Anyone got any suggestions? I'm totally lost..

Thanks
Ian

On Tue, 2005-10-25 at 12:11 +0200, Ian Barnes wrote:
> Hi,
>
> I have encountered a problem and I don't know how or if I can work around
> the problem.
>
> I set up squid to use NTLM to auth against a 2003 machine. On Windows 2003
> there is a security option called: "Network Security: LAN Manager
> authentication level properties", now the default option for this setting
> is: "Send NTLM response only". If I use the defaults, I can connect fine and
> users can auth and everything is perfect. The problem comes in when I change
> that setting to read: "Send NTLMv2 response only\refuse LM & NTLM", then I
> can't auth anymore, I can't even join the domain anymore.
>
> I am running squid version 2.5.stable4 with samba 3.0.10. My configuration
> looks as follows:
>
> I run the following command to join the domain which works if I have the
> default option enabled, and fails with invalid username or password with the
> custom setting:
> # /usr/local/bin/net join -S SERVER -w DOMAIN -U username%password
>
> I then run winbindd and nmbd. If the default setting in 2003 is used, I can
> then view users and groups, but with custom setting it doesn't get this far
> because the net join fails.

Easy. Set 'client ntlmv2 auth = yes' in your smb.conf, which is the same as the client side of the system policy you describe above.

'net ads join' may also have worked.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc. http://suse.de
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
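
A check for the setting named in the reply above, as an added example that is not part of the original thread and not Samba's own code: it reads smb.conf text and reports whether 'client ntlmv2 auth' is enabled in [global]. The function names and the sample file are constructed here, and treating an unset parameter as off is an assumption based on the behaviour the thread describes for Samba 3.0.10.

```python
import re

# Constructed sample smb.conf for this example (not taken from the thread).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = DOMAIN
   Client NTLMv2 Auth = Yes
[share]
   path = /srv/share
"""

TRUE_WORDS = {"yes", "true", "on", "1"}
FALSE_WORDS = {"no", "false", "off", "0"}

def _norm(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def global_params(text):
    """Return the [global] parameters as {normalized name: value}."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[_norm(key)] = value.strip()
    return params

def client_sends_ntlmv2(text, default=False):
    """True if 'client ntlmv2 auth' is enabled in [global]."""
    # default: what to assume when the parameter is unset (assumption: off).
    value = global_params(text).get("clientntlmv2auth")
    if value is None:
        return default
    if value.lower() in TRUE_WORDS:
        return True
    if value.lower() in FALSE_WORDS:
        return False
    raise ValueError("unrecognized boolean for client ntlmv2 auth: %r" % value)
```

Pass default=True when auditing a Samba build known to enable the parameter when it is unset.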