Re: [squid-users] NTLM & Domain Membership Issue

From: Serassio Guido <guido.serassio@dont-contact.us>
Date: Sat, 26 Jul 2003 09:19:50 +0200

Hi,

At 08.05 26/07/2003, Jay Turner wrote:

>Hi All,
>
>I am experiencing an unusual problem with NTLM and Domain Membership.
>
>Environment:
>Red Hat 7.3
>Squid2.5-STABLE2
>Samba 2.2.7-3.7.3 (Red Hat)
>Windows 2000 AD server (Native Mode with Pre-2000 compatibility)
>WinXP SP1, IE6 SP1 + all current patches applied
>
>Background:
>I have deployed Squid and NTLM a number of times now so I have a bit of
>experience installing & troubleshooting it.
>Winbindd is working correctly from the command line with wbinfo -t, -u,
>-g, -r and -a all performing correctly.
>wb_auth from the command line also works correctly and so does wb_group
>So from what I can see Winbindd is working fine.
>
>If I have a client computer (Win2000 or WinXP) that is on the network, but
>not a member of the domain and I access the
>proxy, I receive an authentication window. This is correct as NTLM will
>fail as it is not a member of the domain and fall
>back to Basic. I can enter a valid username/password/domain and then
>access the proxy correctly. Cache and access.log all report the correct
>behaviour as I expect.
>
>As soon as I add this client computer to become a member of the domain,
>everything stops working.
>NTLM authentication does not work, and neither does Basic authentication.
>The browser sits there for a second then displays
>the standard IE 'Page cannot be found'.
>
>I have increased debugging on Authentication in squid.conf and run
>winbindd in debug mode (winbindd -i -d 3) to try and establish the
>problem. When a client on the domain requests a page cache.log reports
>"authenticateValidateUser: Validating Auth_user request '0x8413238'"
>"authenticateValidateUser: Validated Auth_user request '0x8413238'"
>"User not fully authenticated"
>
>But nothing is being recorded by Winbindd (as opposed to when it works).
>
>This message could hold the key, but I'm not entirely sure where I should
>look next for this.
>
>
>
>I have reams of log files with debugging turned right up which I can post
>specific sections of if required, but I'm not going to post all of them
>now for people to wade through.
>
>I commented out wb_ntlmauth in squid.conf and tried using just wb_auth to
>see if I could get the basic auth to work and that did the same thing.
>
>The interesting thing is that I brought this server back to my office and
>changed its IP address and made it a member of our Windows NT4 domain and
>then using the same Win XP client from the other network (it's a laptop)
>it works perfectly!!
>
>This leads me to believe that there must be something in the way their AD
>is set up that might be causing this problem??
>
>Any advice will be greatly appreciated.

Some tips:

- Have you restarted Squid after disabling NTLM authentication?
- An AD replication problem? Samba should always use the DC that acts as
PDC emulator.
- Some strange behaviour of DNS caching.

Hoping to help you

Regards

Guido

>Thanks
>
>Regards
>Jay

-
========================================================
Guido Serassio
Acme Consulting S.r.l.
Via Gorizia, 69 10136 - Torino - ITALY
Tel. : +39.011.3249426 Fax. : +39.011.3293665
Email: guido.serassio@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
Received on Sat Jul 26 2003 - 01:20:59 MDT
