RE: [squid-users] ntlm_auth prompts for domain login

From: Jim Crippen <jcrippen@dont-contact.us>
Date: Wed, 10 Dec 2003 09:31:36 -0600

I'm sorry for wasting anyone's time on this. I reset the directory mode on
/var/cache/samba/winbindd_privileged to 0750 and it's working. I found in
the winbind.log from samba that winbind was unable to access the directory
and was going into a hung state.

Thanks all for the help.

Jim

-----Original Message-----
From: Jim Crippen [mailto:jcrippen@eliteint.com]
Sent: Wednesday, December 10, 2003 9:19 AM
To: Squid-Users (E-mail)
Subject: RE: [squid-users] ntlm_auth prompts for domain login

The access logs do not show any domain\username in the logs as it never gets
past the authentication. I get the standard 2 TCP_DENIED while it waits for
authentication, then a third when I click Cancel. The test server shows the
correct info in the logs.

How exactly do you run ntlm_auth from the command line? I've tried but get
this back:

[2003/12/10 09:16:44, 10] lib/util.c:dump_data(1825)
  [000] B5 E8 68 B8 µèh¸
NA NT_STATUS_INVALID_PARAMETER

Here's the auth_param section of my config:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --enable-helper-fail-open -d 10
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 1
auth_param ntlm max_challenge_lifetime 20 minutes

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

Here's a snippet from the access.log:

1071057348.017 1 192.168.12.50 TCP_DENIED/407 1746 GET http://www.yahoo.com/ - NONE/- text/html
1071057348.064 2 192.168.12.50 TCP_DENIED/407 1750 GET http://www.yahoo.com/ - NONE/- text/html
1071057348.069 5 192.168.12.50 TCP_DENIED/407 1680 GET http://www.yahoo.com/ - NONE/- text/html

and here's what the cache.log shows on the failure:

[2003/12/09 14:40:26, 10] lib/util.c:dump_data(1825)
  [000] 4E 54 4C 4D 53 53 50 00 03 00 00 00 18 00 18 00 NTLMSSP. ........
  [010] 51 00 00 00 18 00 18 00 69 00 00 00 08 00 08 00 Q....... i.......
  [020] 40 00 00 00 04 00 04 00 48 00 00 00 05 00 05 00 @....... H.......
  [030] 4C 00 00 00 00 00 00 00 81 00 00 00 06 02 00 20 L....... .......
  [040] 45 4C 49 54 45 48 4F 55 4A 49 4D 43 52 4F 57 41 ELITEHOU JIMCROWA
  [050] 4E 23 61 DB 35 2F 82 FE 01 24 62 C4 58 86 D1 85 N#aÛ5/.þ .$bÄX.Ñ.
  [060] 2B F6 F6 5A 5A 21 AD 5A 80 98 44 CE 13 BB B4 E5 +ööZZ!­Z ..DÎ.»´å
  [070] 19 5E AC 07 0F 01 CA 1D 37 50 15 F1 97 59 CF 79 .^¬...Ê. 7P.ñ.YÏy
  [080] D5 Õ
[2003/12/09 14:40:26, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(285)
  Got user=[JIMC] domain=[ELITEHOU] workstation=[ROWAN] len1=24 len2=24
2003/12/09 14:40:26| comm_poll: 1+0 FDs ready
2003/12/09 14:40:26| cbdataValid: 0x8209958
2003/12/09 14:40:26| helperStatefulHandleRead: 27 bytes from ntlmauthenticator #1.
2003/12/09 14:40:26| helperStatefulHandleRead: end of reply found
2003/12/09 14:40:26| cbdataValid: 0x83dc638
2003/12/09 14:40:26| cbdataValid: 0x83d84f0
2003/12/09 14:40:26| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'NA NT_STATUS_ACCESS_DENIED'
2003/12/09 14:40:26| authenticateValidateUser: Validated Auth_user request '0x83d83e0'.

-----Original Message-----
From: Dave Augustus [mailto:davea@support.kcm.org]
Sent: Wednesday, December 10, 2003 8:49 AM
To: Jim Crippen
Subject: RE: [squid-users] ntlm_auth prompts for domain login

Hmmmm....

Check that Squid is getting auth info:
Do your access logs have the username/domain information in them?

Check that Squid's helper can auth properly:
What happens when you run ntlm_auth from the command line?

--Dave

On Wed, 2003-12-10 at 08:42, Jim Crippen wrote:
> Dave,
>
> All the wbinfo (-a,-u,-g,-t) work fine. The squid box is a member of the
> domain as are the clients. Samba is working fine doing shared directories
> using the NT authentication. As for the ACLs in squid, I'm going by IP
> ranges, not NT groups. The part I don't get, it works fine on the other
> box. I double checked and the /var/cache/samba/winbindd_privileged does
> have the correct access for squid on it.
>
> Also, I am not using any RPMs from the OS install. I've removed them all
> and built the apps from source on both servers.
>
> Thanks.
>
> Jim
>
> -----Original Message-----
> From: Dave Augustus [mailto:davea@support.kcm.org]
> Sent: Wednesday, December 10, 2003 8:23 AM
> To: Jim Crippen
> Cc: Squid-Users (E-mail)
> Subject: Re: [squid-users] ntlm_auth prompts for domain login
>
>
> Hi Jim,
>
> I would check:
>
> 1) can you authenticate from the squid box itself, for a given user,
> using wbinfo -a ?
>
> 2) for Active Directory integration, I had to rebuild Samba3 using
> kerberos 1.3.1. Redhat 9 installs with 1.2.7 which seemed to provide
> inconsistent results. I don't know if this applies for you.
>
> 3) What does wbinfo -t, wbinfo -u, wbinfo -g return? All three should
> work. (I had a situation where -u/-g would work but not -t. Upgrading to
> kerberos 1.3.1 and recompiling Samba3 fixed it.)
>
> 4) in squid.conf, are you using NT groups in Squid ACLs to allow access?
> If so those groups must exist on the PDC/AD.
>
> 5) is the client a member of the same domain as the squid box?
>
> --Dave
>
>
>
>
> On Wed, 2003-12-10 at 07:11, Jim Crippen wrote:
> > Hi all,
> >
> > I am running into a problem with squid 2.5 STABLE4 using ntlm_auth. I have
> > successfully set this up on a test server with no issues and everything
> > works transparently. I copied all the configs and set up samba and squid
> > exactly as I did before on the production server and now IE 6.0 is prompting
> > for a domain login, which doesn't accept it if you enter the
> > username/password/domain. On clicking the Cancel button, I get a page that
> > states Cache Access Denied, and in the cache.log I see where the
> > authentication returned NT_ACCESS_DENIED from the domain controller. Any
> > ideas on what might cause this? Both servers are RedHat 7.3, Samba 3.0.0,
> > Squid 2.5STABLE4.
> >
> > Thanks,
> >
> > Jim Crippen
> > Sr LAN Administrator
> > Elite Transportation
> > jcrippen@eliteint.com
> >
> >
Received on Wed Dec 10 2003 - 08:33:03 MST
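The fix Jim reports at the top of the thread was the mode of winbindd's privileged directory. As an added diagnostic (not code from the thread or from Samba/Squid), this shell function checks that a given directory has the permission shape ntlm_auth needs when Squid runs it: no world access bits, group read+execute, and the Squid effective user a member of the owning group. It assumes GNU coreutils stat (Linux); the directory path and user name are supplied by the caller.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Checks that a winbindd privileged
# directory (e.g. /var/cache/samba/winbindd_privileged) has the permission
# shape ntlm_auth needs when Squid runs it: no world access bits, group
# read+execute, and the Squid effective user a member of that group.
# Assumes GNU coreutils stat (Linux); DIR and USER are supplied by the caller.
#
# Usage: check_winbind_priv_dir DIR USER   -> exit status 0 when all checks pass
check_winbind_priv_dir() {
    dir=$1
    user=$2

    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory" >&2
        return 1
    fi

    mode=$(stat -c '%a' "$dir") || return 1    # octal mode, e.g. 750 or 2750
    group=$(stat -c '%G' "$dir") || return 1   # owning group name

    # Last octal digit is "other": any bit set there exposes the privileged
    # winbind pipe to every local account, so it must be 0.
    other=$(printf '%s\n' "$mode" | sed 's/.*\(.\)$/\1/')
    if [ "$other" != 0 ]; then
        echo "FAIL: $dir mode $mode grants access to others" >&2
        return 1
    fi

    # Group digit must include r and x (5 or 7) so the helper can traverse the
    # directory and open the pipe; the thread's fix was to set 0750.
    grp=$(printf '%s\n' "$mode" | sed 's/.*\(.\).$/\1/')
    case "$grp" in
        5|7) ;;
        *) echo "FAIL: $dir group bits ($grp) do not grant rx" >&2; return 1 ;;
    esac

    # USER must belong to the owning group (primary or supplementary).
    for g in $(id -Gn "$user" 2>/dev/null); do
        [ "$g" = "$group" ] && return 0
    done
    echo "FAIL: $user is not in group $group that owns $dir" >&2
    return 1
}
```

Run it as `check_winbind_priv_dir /var/cache/samba/winbindd_privileged squid` (substituting the cache_effective_user from squid.conf) after any Samba or Squid reinstall, since package upgrades can reset the directory mode.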