[squid-users] NTLM authentication with winbind - problem (but basic winbind works)

From: Ken Thomson <Ken.Thomson@dont-contact.us>
Date: Tue, 1 Jul 2003 16:56:21 +1000

Hi everyone,

I have successfully compiled squid and got it working on a Red Hat Linux 7.3 system. However, I am having problems with NTLM authentication.

I have set up winbind as per the FAQ. I have tested wb_auth on the command line and it authenticates fine. I have also used wbinfo -a to test authentication successfully using winbind. So as far as I can tell winbind is working fine.

The problem is - if I use:

# NTLM scheme through the winbind helper; this is the variant the post
# reports as re-prompting for credentials.
auth_param ntlm program /root/newsquid/squid/libexec/wb_ntlmauth
auth_param ntlm children 15
# Each challenge is single-use and expires after two minutes.
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

in squid.conf, then on authentication I get a dialog box prompting for username, password and domain. If I enter valid credentials it still just prompts with the box again. (Client is W2K SP3 IE6 SP1 + all current patches). The client is definitely logged into the domain (Win2K Active Directory) because I can access domain resources without any authentication prompts.

If I use:

# Basic scheme through the winbind helper; this is the variant the post
# reports as working. Note that basic sends the password in the clear to
# the proxy, unlike NTLM.
auth_param basic program /root/newsquid/squid/libexec/wb_auth
auth_param basic children 10
auth_param basic realm Squid proxy-caching web server
# Verified credentials are cached for two hours before the helper is asked again.
auth_param basic credentialsttl 2 hours

in squid.conf then authentication works when I put valid credentials into the basic authentication dialog box.

This indicates to me a problem with the NTLM authentication, but I can't see what I am doing wrong.

Can anyone help? TIA!

I compiled squid with:
# Raise the hard and soft open-file limit in the build shell first,
# presumably so that configure picks up the higher file-descriptor ceiling.
ulimit -HSn 4096
# Build with both the ntlm and basic auth schemes and the winbind helper for
# each. The install prefix is the non-standard /root/newsquid tree, which is
# where the helper paths in squid.conf point.
./configure --prefix=/root/newsquid/squid \
            --localstatedir=/root/newsquid/var \
            --enable-storeio="aufs,ufs" \
            --enable-removal-policies="heap,lru" \
            --enable-delay-pools \
            --enable-linux-netfilter \
            --enable-auth="ntlm,basic" \
            --enable-ntlm-auth-helpers="winbind" \
            --enable-basic-auth-helpers="winbind" \
            --with-pthreads \
            --with-aufs-threads=24 \
            --enable-cachemgr-hostname=proxy \
            --disable-wccp \
            --disable-snmp \
            --disable-referrer-log \
            --disable-htcp \
            --disable-ident-lookups \
            --disable-icmp

My squid.conf contains (some numbers and names have been replaced with x's):

# Listening ports: HTTP proxy on 3128; ICP disabled.
http_port 3128
icp_port 0

# Single upstream parent. Together with never_direct below, everything that
# is not matched by an always_direct rule is forwarded through this peer.
cache_peer xx.x.xx.xxx parent xx 0 no-query no-digest default

# NTLM scheme via the winbind helper under the non-standard install prefix.
# The basic scheme is left commented out below.
auth_param ntlm program /root/newsquid/squid/libexec/wb_ntlmauth
auth_param ntlm children 15
# Each challenge is single-use and expires after two minutes.
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

#auth_param basic program /root/newsquid/squid/libexec/wb_auth
#auth_param basic children 5
#auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours

hierarchy_stoplist cgi-bin ?

# Do not cache dynamic content or the NAI antivirus definition files.
acl QUERY urlpath_regex cgi-bin \?
acl NAI_FTP url_regex ^ftp://ftp\.nai\.com/pub/antivirus/datfiles
no_cache deny QUERY
no_cache deny NAI_FTP

cache_mem 64 MB
maximum_object_size 256 MB
maximum_object_size_in_memory 16 KB

cache_dir aufs /data/newsquid_cache 10000 60 256

cache_access_log /root/newsquid/var/logs/access.log
cache_log /root/newsquid/var/logs/cache.log
cache_store_log none
pid_filename /root/newsquid/var/run/squid.pid

ftp_user someone@somewhere.com

# Caps on client request size, including the headers carrying NTLM tokens.
request_header_max_size 5 KB
request_body_max_size 20 KB

quick_abort_max 256 KB
quick_abort_pct 80

connect_timeout 60 seconds
client_lifetime 8 hours

# Source ACLs: "all" matches every client address.
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
# Ports accepted for CONNECT, and the general port allow-list (Squid's
# stock list, which includes the whole unprivileged range).
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 89 # local icons
acl CONNECT method CONNECT

acl PURGE method PURGE

# Any user the configured auth scheme has successfully authenticated.
acl authorised_users proxy_auth REQUIRED
# NOTE(review): these list files live under /usr/local/squid/etc while this
# build is installed under /root/newsquid -- confirm the paths are intended.
acl denied_hosts src "/usr/local/squid/etc/denied_hosts"
acl denied_users proxy_auth "/usr/local/squid/etc/denied_users"
acl denied_urls url_regex -i "/usr/local/squid/etc/denied_urls"

# URLs reachable without proxy authentication (see http_access ordering below).
acl bypass_auth url_regex -i "/usr/local/squid/etc/bypass_auth"

# The internal client network; authentication is only granted from here.
acl yy_net src 10.0.0.0/255.255.0.0
acl bypass_delay src 10.0.x.x/255.255.255.255 10.0.x.x/255.255.255.255 10.0.x.x/255.255.255.255 10.0.x.x/255.255.255.255 10.0.x.xxx/255.255.255.255 10.0.0.x/255.255.255.255
acl delayed_users proxy_auth "/usr/local/squid/etc/delayed_users"
acl delayed_files urlpath_regex -i \.exe$ \.zip$ \.msi$ \.pdf$ \.ace$ \.?[0-9][0-9]$ \.swf$ \.gz$
acl delayed_webcam1 urlpath_regex -i webcam
acl delayed_webcam2 urlpath_regex -i \.gif \.png \.swf \.jpg \.jpeg
# Hosts permitted to reach the cache manager interface (with the password below).
acl mng_hosts src 10.0.x.x/255.255.255.255 10.0.x.x/255.255.255.255 10.0.x.x/255.255.255.255 10.0.x.x/255.255.255.255 10.0.0.x/255.255.255.255 10.0.0.x/255.255.255.255 10.0.0.x/255.255.255.255 10.0.0.x/255.255.255.255

# http_access is evaluated top to bottom; the first matching rule decides.
# Cache manager: localhost and mng_hosts only.
http_access allow manager localhost
http_access allow manager mng_hosts
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# PURGE only from the proxy host itself.
http_access allow PURGE localhost
http_access deny PURGE

http_access deny denied_hosts
# Matches are admitted with no authentication at all. Because this sits above
# the denied_users and denied_urls rules, a URL that matches both bypass_auth
# and denied_urls is allowed before those lists are consulted.
http_access allow bypass_auth
http_access deny denied_users
http_access deny denied_urls

# Everything else needs a successful proxy_auth AND a 10.0.0.0/16 source.
# This proxy_auth check is what issues the 407 challenge for the NTLM scheme.
http_access allow authorised_users yy_net
http_access deny all

icp_access deny all

cache_mgr webmaster@audit.nsw.gov.au

# Squid drops root privileges to this user/group after starting.
cache_effective_user squid
cache_effective_group squid

visible_hostname 11111.xxxxx.xxx.xxx.xx
unique_hostname proxy-tst

logfile_rotate 0

append_domain .xxxxxxx.xxxxxx.xxxxxx.xx

# No X-Forwarded-For header, so client addresses are not passed to the parent.
forwarded_for off

# One shared password unlocks every cachemgr action; reach is limited only by
# the manager http_access rules above (localhost and mng_hosts).
cachemgr_passwd all xxxxxxxxx

# Intranet and proxy-statistics hosts are fetched directly; all other
# traffic is forced through the parent peer by never_direct.
acl intranet url_regex -i ^http://xxxxxxx\.xxxxxx\.xxxx\.xxx\.xx
always_direct allow intranet
acl proxystats url_regex -i ^http://xxxxxxx\.xxxxxx\.xxx\.xxx\.xx
always_direct allow proxystats

never_direct allow all

# Bandwidth shaping: five pools, each gated by one ACL and then closed.
delay_pools 5
delay_class 1 3
delay_class 2 1
delay_class 3 3
delay_class 4 3
delay_class 5 3

delay_access 1 allow delayed_users
delay_access 1 deny all
# Pool 2 is unlimited (-1/-1 below), i.e. an exemption list.
delay_access 2 allow bypass_delay
delay_access 2 deny all
delay_access 3 allow delayed_webcam1 delayed_webcam2
delay_access 3 deny all
delay_access 4 allow delayed_files
delay_access 4 deny all
# NOTE(review): no "ao_net" ACL is defined anywhere in this listing (only
# "yy_net" is); this looks like a redaction slip -- confirm which ACL is meant.
delay_access 5 allow ao_net
delay_access 5 deny all

delay_parameters 1 10000/16000 8000/16000 3500/16000
delay_parameters 2 -1/-1
delay_parameters 3 4000/4000 4000/4000 2000/2000
delay_parameters 4 25000/100000 25000/100000 8000/16000
delay_parameters 5 25000/100000 25000/100000 16000/16000