Winbindd from Samba 2.2.4 or greater is needed. Samba 2.2.4, 2.2.5,
and 3.0a17 work with the Squid 2.5 winbind authenticators. The winbind
authenticators have been used successfully under Linux, FreeBSD and
Solaris (others?).

===============
Configure Samba
===============

Build/Install Samba
-------------------

Samba must be built with configure options:

    --with-winbind
    --with-winbind-auth-challenge

Test Samba/winbindd
-------------------

1: Edit smb.conf for winbindd functionality. The following template
   may be used as a minimum:

    workgroup = mydomain
    password server = myPDC
    security = domain
    winbind uid = 10000-20000
    winbind gid = 10000-20000
    winbind use default domain = yes
    encrypt passwords = yes

2: Join the NT domain as outlined in the winbindd man page.

3: Test winbindd functionality.

   a) Start winbindd

   b) Test basic winbindd functionality "wbinfo -t":

    # wbinfo -t
    Secret is good

   c) Test winbindd user authentication:

    # wbinfo -a mydomain\\myuser%mypasswd
    plaintext password authentication succeeded
    error code was NT_STATUS_OK (0x0)
    challenge/response password authentication succeeded
    error code was NT_STATUS_OK (0x0)

   Note that both plaintext and challenge/response should return
   "succeeded." If there is no "challenge/response" status returned,
   then Samba was not built with "--with-winbind-auth-challenge."

===============
Configure Squid
===============

Build/Install Squid
-------------------

Squid must be built with the configure options:

    --enable-auth="ntlm,basic"
    --enable-basic-auth-helpers="winbind"
    --enable-ntlm-auth-helpers="winbind"

Test the helpers
----------------

Testing the winbind ntlm helper is not really possible from the
command line, but the winbind basic authenticator can be tested like
any other basic helper:

    # /usr/local/squid/libexec/wb_auth -d
    /wb_auth[65180](wb_basic_auth.c:136): basic winbindd auth helper ...
    mydomain\myuser mypasswd
    /wb_auth[65180](wb_basic_auth.c:107): Got 'mydomain\myuser mypasswd' from squid (length: 24).
    /wb_auth[65180](wb_basic_auth.c:54): winbindd result: 0
    /wb_auth[65180](wb_basic_auth.c:57): sending 'OK' to squid
    OK

The key point here is that the helper should return "OK" if given a
valid username/password.

Edit squid.conf
---------------

1: Set up the authenticators. Add the following to enable both the
   winbind basic and ntlm authenticators. IE will use ntlm and
   everything else basic:

    auth_param ntlm program /usr/local/squid/libexec/wb_ntlmauth
    auth_param ntlm children 5
    auth_param ntlm max_challenge_reuses 0
    auth_param ntlm max_challenge_lifetime 2 minutes

    auth_param basic program /usr/local/squid/libexec/wb_auth
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours

2: Add acl entries to require authentication:

    acl AuthorizedUsers proxy_auth REQUIRED
    ..
    http_access allow all AuthorizedUsers
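
The two manual checks above (the "wbinfo -a" result and the basic
helper's reply) can be scripted. The following is an added example,
not part of the Squid or Samba distributions; the function names and
the SAMPLE_* transcripts are constructed for illustration.

```sh
#!/bin/sh
# Added example: scripted versions of the wbinfo -a and wb_auth checks.
# Usage: wbinfo -a 'mydomain\myuser%mypasswd' | check_wbinfo_auth

# check_wbinfo_auth: read `wbinfo -a` output on stdin and print a verdict.
# Returns 0 only if plaintext AND challenge/response both succeeded.
check_wbinfo_auth() {
    out=$(cat)
    plain=$(printf '%s\n' "$out" |
        grep -i '^plaintext password authentication' || true)
    chal=$(printf '%s\n' "$out" |
        grep -i '^challenge/response password authentication' || true)
    case "$plain" in
        *succeeded*) ;;
        "") echo "FAIL: no plaintext result in output"; return 1 ;;
        *)  echo "FAIL: plaintext authentication did not succeed"; return 1 ;;
    esac
    case "$chal" in
        *succeeded*) ;;
        "") echo "FAIL: no challenge/response result;" \
                 "Samba lacks --with-winbind-auth-challenge"
            return 2 ;;
        *)  echo "FAIL: challenge/response did not succeed"; return 3 ;;
    esac
    echo "PASS: plaintext and challenge/response both succeeded"
}

# helper_accepts HELPER: pass one "user password" line from stdin to a
# Squid basic auth helper and succeed only if the last line it writes to
# stdout is exactly "OK". Reading the credentials from stdin keeps the
# password out of the argument list.
helper_accepts() {
    reply=$("$1" 2>/dev/null | tail -n 1)
    [ "$reply" = "OK" ]
}

# Constructed sample: the successful transcript shown in step 3c.
SAMPLE_OK='plaintext password authentication succeeded
error code was NT_STATUS_OK (0x0)
challenge/response password authentication succeeded
error code was NT_STATUS_OK (0x0)'

# Constructed sample: output with no challenge/response status at all.
SAMPLE_NO_CHAL='plaintext password authentication succeeded
error code was NT_STATUS_OK (0x0)'
```

To check the installed helper, pipe a "user password" line for a test
account into "helper_accepts /usr/local/squid/libexec/wb_auth".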