Re: [squid-users] Samba 3-ntlm_auth, Squid-2.5Stable4 and W2K3 Authentication options

From: Dave Augustus <davea@dont-contact.us>
Date: 20 Nov 2003 16:52:13 -0600

Hi Henrik,

Interesting results today.....

I spent a lot of time trying to get to where I was yesterday. Before I
could even *start* to answer your questions, I had problems.

wbinfo -u and wbinfo -g would work but wbinfo -t would not. So I really
couldn't go any farther. I found a note about the same problem here
http://www.mail-archive.com/samba@lists.samba.org/msg25730.html

So I did what this guy did in the email and wbinfo -t started working
again. I realize that this is a Samba problem but I am just sharing this
for background on troubleshooting this problem.

> > So Samba's NTLM doesn't appear to give the answer in the form that Squid
> > wants.
>
> Indeed.

Well I recompiled squid with the settings I showed you earlier and set
the squid.conf parameters for ntlm_auth to:

# these are used by Internet Explorer
auth_param ntlm program /usr/local/bin/ntlm_auth -d 64 --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 3
auth_param ntlm max_challenge_lifetime 2 minutes

# these are used by every other browser
auth_param basic program /usr/local/bin/ntlm_auth -d 2 --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 minutes

I received no more information about the "aborted" message but also
squid didn't crash this time either.

On the browser side, I got prompted for the username/password/domain but
always got denied after 3 times. Winbind log said:

[2003/11/20 16:46:27, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(222)
  winbindd_pam_auth_crap: non-privileged access denied!
[2003/11/20 16:46:27, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(379)
  NTLM CRAP authentication for user [(null)]\[(null)] returned NT_STATUS_ACCESS_DENIED (PAM: 4)
[2003/11/20 16:46:34, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(222)
  winbindd_pam_auth_crap: non-privileged access denied!
[2003/11/20 16:46:34, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(379)
  NTLM CRAP authentication for user [(null)]\[(null)] returned NT_STATUS_ACCESS_DENIED (PAM: 4)

And the squid access log said:

1069368394.844 66 172.16.215.30 TCP_DENIED/407 1715 GET http://www.google.com/ - NONE/- text/html
1069368394.903 56 172.16.215.30 TCP_DENIED/407 1645 GET http://www.google.com/ - NONE/- text/html

****notice no username****

So it looks like we got somewhere, just not sure where we are!....

I remark the first set of ntlm_auth statements in squid.conf and restart
squid. I am prompted for the username password.

And BAM! I get to google.com....

The access log follows.....

1069368577.041 24 172.16.215.30 TCP_DENIED/407 1690 GET http://www.google.com/ - NONE/- text/html
1069368581.548 3237 172.16.215.30 TCP_MISS/200 1581 GET http://www.google.com/ surfer DIRECT/216.239.39.99 text/html

Until next time,

--Dave Augustus
Received on Thu Nov 20 2003 - 15:52:15 MST
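The "notice no username" observation above is the quickest way to tell a broken helper from a working one in Squid's access log: a client that only ever produces TCP_DENIED/407 lines with "-" in the user column never completed an NTLM exchange, while the working run ends in a TCP_MISS/200 line carrying the user name. The following parser is an added example, not code from this message, from Squid or from Samba; it assumes the Squid 2.5 "native" access.log layout shown in the message (time, elapsed, client, action/status, bytes, method, URL, user, hierarchy/peer, content type) and uses the four log lines quoted above as its constructed sample input.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set

# Squid 2.5 native access.log layout, one request per line (assumed format):
#   time.ms elapsed client action/status bytes method url user hierarchy/peer content-type
# The "user" column is "-" until the proxy has accepted credentials.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one access.log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # Normalise the "no user" marker to an empty string for easy truth tests.
    rec["user"] = "" if rec["user"] == "-" else rec["user"]
    return rec


def classify(rec: Dict[str, str]) -> str:
    """Label what the authentication exchange looked like from the proxy's side."""
    if rec["status"] == "407":
        # 407 with no user: the proxy issued a challenge, or the helper never
        # returned a name (the winbind "access denied" case in the message).
        # 407 with a user: credentials were presented and refused.
        return "challenge" if not rec["user"] else "rejected"
    if rec["user"]:
        return "authenticated"
    return "anonymous"


def outcomes_by_client(lines: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Count outcomes per client address; unparseable lines are skipped."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["client"]][classify(rec)] += 1
    return {client: dict(v) for client, v in counts.items()}


def stuck_clients(lines: Iterable[str]) -> Set[str]:
    """Clients that were challenged but never got an authenticated request through.

    A non-empty result across a whole log usually means the helper (not the
    user) is failing, exactly the symptom the winbind log above reports.
    """
    return {
        client for client, v in outcomes_by_client(lines).items()
        if v.get("challenge", 0) > 0 and v.get("authenticated", 0) == 0
    }


# Constructed sample: the four access.log lines quoted in the message.
SAMPLE: List[str] = [
    "1069368394.844 66 172.16.215.30 TCP_DENIED/407 1715 GET http://www.google.com/ - NONE/- text/html",
    "1069368394.903 56 172.16.215.30 TCP_DENIED/407 1645 GET http://www.google.com/ - NONE/- text/html",
    "1069368577.041 24 172.16.215.30 TCP_DENIED/407 1690 GET http://www.google.com/ - NONE/- text/html",
    "1069368581.548 3237 172.16.215.30 TCP_MISS/200 1581 GET http://www.google.com/ surfer DIRECT/216.239.39.99 text/html",
]

if __name__ == "__main__":
    # The first two lines alone (the broken NTLM run) leave the client stuck;
    # adding the later basic-auth run shows it authenticating as "surfer".
    print("ntlm run only:", stuck_clients(SAMPLE[:2]))
    print("both runs:", outcomes_by_client(SAMPLE))
```

Run over a real access.log (one line per request) the same two functions separate a helper misconfiguration, where every client stays in `stuck_clients`, from ordinary bad passwords, which show up as `rejected` entries for individual clients while others authenticate normally.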
