[squid-users] NTLM, Win2k, IE config

From: <jschmidt@dont-contact.us>
Date: Thu, 30 Jan 2003 15:16:08 -0600

>There are BIG differences when it comes to how browsers deal
>with NTLM authentication and its by-design incompatibility with
>HTTP proxies.. (if browser is configured to use a proxy it won't
>use NTLM, as it knows it won't work).
>Regards
>Henrik

The above is a quote from the archive by Henrik on Mon Jan 6 2003:
http://www.squid-cache.org/mail-archive/squid-users/200301/0221.html

This confuses me, because I have a Red Hat 8.0 box running
Squid-2.5.STABLE1 with winbind helper, and Samba 2.2.7.
The Red Hat box is joined to my Windows 2000 domain, and
squid is authenticating users successfully using the NTLM helper
winbind (that is what that does, right?). I'm not doing any port
forwarding (which I gather is what would be called transparent
proxying), and the browser (IE 6.0.2800.1106, SP1) is
configured to proxy to the address of the squid machine.

Everything tells me that this setup is working and ready to go
into our production environment:
- a machine joined to our win2k domain with an authenticated
  domain user can successfully browse (no popup box)
- a machine not joined to our win2k domain is presented with
  a login box; after entering valid 2k domain user/pass, can browse

Can someone tell me if this is actually working correctly in a
standard kind of way, or if this setup is not quite as I believe it
to be. Henrik's comment above leads me to believe that I'm doing
something fundamentally wrong, even though it appears to be
working.

cache.log snippet:
------------------
(wb_ntlmauth)[17256](wb_ntlm_auth.c:66): sending 'AF buhler\jamie' to squid
(wb_ntlmauth)[17256](wb_ntlm_auth.c:292): Got 'YR' from squid.
(wb_ntlmauth)[17256](wb_ntlm_auth.c:72): sending 'TT TlRMTVNTUAACAAAAGQAZACgAAACCgkEAK96cSucBGu4AAAAAAAAXXXXXXXXXXExFUi5DT00=' to squid
(wb_ntlmauth)[17256](wb_ntlm_auth.c:292): Got 'KK TlRMTVNTUAADAAAAGAAYAFYAAAAYABgAbgAAAAYABgBAAAAABQAFAEYAAAALAXXXXXXXXAAAABoIAAEJVSEXXXXXBTUlFRlJJU0hBQ0tJSUl74KFAeKk0y/nCkmbEDzqbv3VRCKCq4Qw6MS3D6v+B6eeiPs3JICU8aSqzXeS1EuI=' from squid.
(wb_ntlmauth)[17256](wb_ntlm_auth.c:240): Checking user 'BUHLER\JAMIE' lmhash len =24, have_nthash=0, nthash len=24
(wb_ntlmauth)[17256](wb_ntlm_auth.c:246): winbindd result: 1
(wb_ntlmauth)[17256](wb_ntlm_auth.c:66): sending 'AF buhler\jamie' to squid

access.log snippet:
-------------------
1043957349.117 2 frishackiii.buhler.com TCP_DENIED/407 1673 GET http://www.google.com/ - NONE/- text/html
1043957349.137 3 frishackiii.buhler.com TCP_DENIED/407 1767 GET http://www.google.com/ - NONE/- text/html
1043957350.444 1306 frishackiii.buhler.com TCP_MISS/200 4072 GET http://www.google.com/ buhler\jamie DIRECT/216.239.39.101 text/html
1043957351.128 684 frishackiii.buhler.com TCP_REFRESH_HIT/200 8833 GET http://www.google.com/images/logo.gif buhler\jamie DIRECT/216.239.39.101 text/html

winbind stuff:
--------------
[root@Intranix logs]# wbinfo -t
Secret is good

[root@Intranix logs]# wbinfo -a BUHLER/jamie%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

Would appreciate your opinions on this.

-jamie-
Received on Thu Jan 30 2003 - 14:15:18 MST
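
Added example, not part of the original message and not Squid or Samba code: a small auditor for wb_ntlmauth debug lines like the cache.log snippet above. It checks that each exchange runs YR, TT, KK before the helper answers AF, and that the TT and KK blobs really are NTLMSSP type 2 and type 3 messages. Assumptions: the function names are hypothetical, the sample lines and blobs are constructed, and NA/BH are taken to be the helper's failure and error replies.

```python
import base64, re, struct
# Keyword -> NTLMSSP message type its blob should carry
# (2 = CHALLENGE sent by the helper, 3 = AUTHENTICATE from the client).
NTLM_TYPE = {"TT": 2, "KK": 3}
LINE_RE = re.compile(r"\(wb_ntlmauth\)\[(?P<pid>\d+)\]\([^)]*\): "
                     r"(?:sending|Got) '(?P<kw>[A-Z]{2})(?: (?P<arg>[^']*))?'")

def ntlm_type(b64):
    """Return the NTLMSSP message type of a base64 blob, or None."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    ok = len(raw) >= 12 and raw[:8] == b"NTLMSSP\x00"
    return struct.unpack_from("<I", raw, 8)[0] if ok else None

def audit(lines):
    """Return (pid, outcome, user, trace) for every AF/NA/BH helper reply."""
    state, results = {}, []
    for line in lines:
        m = LINE_RE.search(line)
        if not m: continue
        pid, kw, arg = m["pid"], m["kw"], m["arg"] or ""
        seq = state.setdefault(pid, [])
        if kw == "YR":                       # squid asks for a new challenge
            seq[:] = ["YR"]
        elif kw in NTLM_TYPE:                # blob must match its keyword
            seq.append(kw if ntlm_type(arg) == NTLM_TYPE[kw] else kw + "?")
        else:                                # AF / NA / BH close the exchange
            outcome = {"AF": "ok", "NA": "denied"}.get(kw, "helper-error")
            if kw == "AF" and seq != ["YR", "TT", "KK"]:
                outcome = "ok-unverified"    # success without a full trace
            results.append((pid, outcome, arg, list(seq)))
            seq.clear()
    return results

def blob(t):  # constructed 20-byte NTLMSSP header, not a captured message
    return base64.b64encode(b"NTLMSSP\x00" + struct.pack("<I", t) + bytes(8)).decode()

SAMPLE = [  # constructed lines in the wb_ntlmauth debug format, unwrapped
    r"(wb_ntlmauth)[100](wb_ntlm_auth.c:66): sending 'AF EXAMPLE\alice' to squid",
    "(wb_ntlmauth)[100](wb_ntlm_auth.c:292): Got 'YR' from squid.",
    f"(wb_ntlmauth)[100](wb_ntlm_auth.c:72): sending 'TT {blob(2)}' to squid",
    f"(wb_ntlmauth)[100](wb_ntlm_auth.c:292): Got 'KK {blob(3)}' from squid.",
    r"(wb_ntlmauth)[100](wb_ntlm_auth.c:66): sending 'AF EXAMPLE\alice' to squid",
    "(wb_ntlmauth)[101](wb_ntlm_auth.c:292): Got 'YR' from squid.",
    f"(wb_ntlmauth)[101](wb_ntlm_auth.c:72): sending 'TT {blob(2)}' to squid",
    f"(wb_ntlmauth)[101](wb_ntlm_auth.c:292): Got 'KK {blob(1)}' from squid.",
    "(wb_ntlmauth)[101](wb_ntlm_auth.c:66): sending 'NA' to squid",
]
```

The first AF in the sample, like the first line of the snippet above, arrives with no preceding YR in view, so it is reported as `ok-unverified` rather than `ok`.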

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:13:00 MST