Re: [squid-users] NTLM authentication not working with Squid 2.5 + Samba 3.0 after reading all the FAQs

From: Serassio Guido <guido.serassio@dont-contact.us>
Date: Mon, 23 Feb 2004 19:36:16 +0100

Hi,

At 18.13 23/02/2004, Chavez Gutierrez, Freddy wrote:

>I can't get Squid to authenticate to Windows NT users.
>I have a system with Linux Fedora 1.0 (samba 3.0.0, squid 2.5 STABLE3).
>I've read Squid FAQ and Samba FAQ and I've done:
>
>1. Configure Samba to join to my NT Domain with "net rpc join", then:
> # wbinfo -t
> checking the trust secret via RPC calls succeeded
>Also, "wbinfo -u" and "wbinfo -g" are fine and:
> # ntlm_auth --username=testuser --password=littlesecret
> NT_STATUS_OK: Success (0x0)
> # wbinfo -a mydomain+testuser%littlesecret
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
>2. Configure nsswitch and pam according to the Samba FAQ
>
>3. Squid is working fine with IP source ACLs.
>In /etc/squid/squid.conf:
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>
> acl domain_admins proxy_auth mydomain+testuser
> http_access allow domain_admins
>
>Squid is compiled according to:
># /usr/sbin/squid -v
>Squid Cache: Version 2.5.STABLE3
>configure options: --host=i386-redhat-linux --build=i386-redhat-linux
>--target=i386-redhat-linux-gnu --program-prefix= --prefix=/usr
>--exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc
>--datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib
>--libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com
>--mandir=/usr/share/man --infodir=/usr/share/info --exec_prefix=/usr
>--bindir=/usr/sbin --libexecdir=/usr/lib/squid --localstatedir=/var
>--sysconfdir=/etc/squid --enable-poll --enable-snmp
>--enable-removal-policies=heap,lru --enable-storeio=aufs,coss,diskd,null,ufs
>--enable-ssl --with-openssl=/usr/kerberos --enable-delay-pools
>--enable-linux-netfilter --with-pthreads
>--enable-basic-auth-helpers=LDAP,NCSA,PAM,SMB,SASL,MSNT
>--enable-ntlm-auth-helpers=SMB,winbind
>--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group,winbind_group
>--enable-auth=basic,ntlm --with-winbind-auth-challenge
>--enable-useragent-log --enable-referer-log
>
>When I access from WinXP/IE 6.0 a dialog box pops up asking my user/password
>and I've tried: "mydomain+testuser", "testuser", "mydomain\testuser" and I
>always get "Cache Access Denied" :(
>
>I'll really appreciate some help. Thanks in advance.

If not already verified, check the permissions of the directory containing
the winbindd pipe: the squid process must have the read privilege; Samba's
default is that only root can read this directory.

Look here for more details:

http://itmanagers.net/Documents/File/walkthroughs/~Linux@Squid/Squid+and+Samba+3+-+Walkthrough.html

Regards

Guido

-
========================================================
Guido Serassio
Acme Consulting S.r.l.
Via Gorizia, 69 10136 - Torino - ITALY
Tel. : +39.011.3249426 Fax. : +39.011.3293665
Email: guido.serassio@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
Received on Mon Feb 23 2004 - 11:37:02 MST
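
The permission check suggested in the reply above, as an added example that is not part of the original message: it decides from a directory's mode bits and ownership whether a given uid and group list can read and enter it. The function name `dir_access` is hypothetical, and the directory path and the `squid` account in the usage comment are placeholders for your own build's values.

```shell
#!/bin/sh
# Added example (not from the thread): would a process running with UID and
# the listed GIDs be able to read and enter DIR, judging by mode bits only?
# ACLs and MAC policy (e.g. SELinux) are not considered.
#
# Usage (placeholders, substitute your own values):
#   sh check.sh /path/to/winbindd-pipe-dir "$(id -u squid)" $(id -G squid)

# dir_access DIR UID [GID...]  -> prints "allow" or "deny"
dir_access() {
    dir=$1; uid=$2; shift 2
    # GNU stat: octal mode, owner uid, group gid
    st=$(stat -c '%a %u %g' "$dir") || return 2
    mode=${st%% *}; rest=${st#* }
    owner=${rest% *}; group=${rest#* }
    mode=$((0$mode))                       # leading 0 -> parsed as octal

    # root is not restricted by the mode bits
    if [ "$uid" -eq 0 ]; then echo allow; return 0; fi

    if [ "$uid" -eq "$owner" ]; then
        bits=$(( (mode >> 6) & 7 ))        # owner class
    else
        bits=$(( mode & 7 ))               # "other" class unless a GID matches
        for g in "$@"; do
            if [ "$g" -eq "$group" ]; then
                bits=$(( (mode >> 3) & 7 ))  # group class
                break
            fi
        done
    fi

    # r (4) is the read privilege named in the reply; x (1) is needed to
    # reach the socket file inside the directory.
    if [ $(( bits & 5 )) -eq 5 ]; then echo allow; else echo deny; fi
}

# Run as a script only when a directory and a uid were supplied.
if [ "$#" -ge 2 ]; then dir_access "$@"; fi
```

A `deny` for the proxy's account on a directory that only root can read matches the situation the reply describes.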
