[squid-users] NTLM authentication not working with Squid 2.5 + Samba 3.0 after reading all the FAQs from Chavez Gutierrez, Freddy on 2004-02-23 (squid-users)

From: Chavez Gutierrez, Freddy <fchavez@dont-contact.us>
Date: Mon, 23 Feb 2004 12:13:02 -0500

I can't get Squid to authenticate to Windows NT users.
I have a system with Linux Fedora 1.0 (samba 3.0.0, squid 2.5 STABLE3).
I've read Squid FAQ and Samba FAQ and I've done:

1. Configure Samba to join to my NT Domain with "net rpc join", then:
  # wbinfo -t
  checking the trust secret via RPC calls succeeded
Also, "wbinfo -u" and "wbinfo -g" are fine and:
  # ntlm_auth --username=testuser --password=littlesecret
  NT_STATUS_OK: Success (0x0)
  # wbinfo -a mydomain+testuser%littlesecret
  plaintext password authentication succeeded
  challenge/response password authentication succeeded

2. Configure nsswitch and pam according to the Samba FAQ

3. Squid is working fine with IP source ACLs.
In /etc/squid/squid.conf:
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic

acl domain_admins proxy_auth mydomain+testuser
http_access allow domain_admins

Squid is compiled according to:
# /usr/sbin/squid -v
Squid Cache: Version 2.5.STABLE3
configure options: --host=i386-redhat-linux --build=i386-redhat-linux
--target=i386-redhat-linux-gnu --program-prefix= --prefix=/usr
--exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc
--datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib
--libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com
--mandir=/usr/share/man --infodir=/usr/share/info --exec_prefix=/usr
--bindir=/usr/sbin --libexecdir=/usr/lib/squid --localstatedir=/var
--sysconfdir=/etc/squid --enable-poll --enable-snmp
--enable-removal-policies=heap,lru --enable-storeio=aufs,coss,diskd,null,ufs
--enable-ssl --with-openssl=/usr/kerberos --enable-delay-pools
--enable-linux-netfilter --with-pthreads
--enable-basic-auth-helpers=LDAP,NCSA,PAM,SMB,SASL,MSNT
--enable-ntlm-auth-helpers=SMB,winbind
--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group,win
bind_group --enable-auth=basic,ntlm --with-winbind-auth-challenge
--enable-useragent-log --enable-referer-log

When I access from WinXP/IE 6.0 a dialog box pops up asking my user/password
and I've tried: "mydomain+testuser", "testuser", "mydomain\testuser" and I
always get "Cache Access Denied" :(

I'll really appreciate some help. Thanks in advance.

Regards,
Freddy Chavez.
Received on Mon Feb 23 2004 - 10:12:06 MST

This archive was generated by hypermail pre-2.1.9 : Mon Mar 01 2004 - 12:00:03 MST