Re: [squid-users] NTLM authentication not working with Squid 2.5 + Samba 3.0 after reading all the FAQs

From: Serassio Guido <>
Date: Mon, 23 Feb 2004 19:36:16 +0100


At 18.13 23/02/2004, Chavez Gutierrez, Freddy wrote:

>I can't get Squid to authenticate to Windows NT users.
>I have a system with Linux Fedora 1.0 (samba 3.0.0, squid 2.5 STABLE3).
>I've read Squid FAQ and Samba FAQ and I've done:
>1. Configure Samba to join to my NT Domain with "net rpc join", then:
> # wbinfo -t
> checking the trust secret via RPC calls succeeded
>Also, "wbinfo -u" and "wbinfo -g" are fine and:
> # ntlm_auth --username=testuser --password=littlesecret
> NT_STATUS_OK: Success (0x0)
> # wbinfo -a mydomain+testuser%littlesecret
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>2. Configure nsswitch and pam according to the Samba FAQ
>3. Squid is working fine with IP source ACLs.
>In /etc/squid/squid.conf:
> auth_param ntlm program /usr/bin/ntlm_auth
> auth_param basic program /usr/bin/ntlm_auth
> acl domain_admins proxy_auth mydomain+testuser
> http_access allow domain_admins
>Squid is compiled according to:
># /usr/sbin/squid -v
>Squid Cache: Version 2.5.STABLE3
>configure options: --host=i386-redhat-linux --build=i386-redhat-linux
>--target=i386-redhat-linux-gnu --program-prefix= --prefix=/usr
>--exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc
>--datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib
>--libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com
>--mandir=/usr/share/man --infodir=/usr/share/info --exec_prefix=/usr
>--bindir=/usr/sbin --libexecdir=/usr/lib/squid --localstatedir=/var
>--sysconfdir=/etc/squid --enable-poll --enable-snmp
>--enable-removal-policies=heap,lru --enable-storeio=aufs,coss,diskd,null,ufs
>--enable-ssl --with-openssl=/usr/kerberos --enable-delay-pools
>--enable-linux-netfilter --with-pthreads
>bind_group --enable-auth=basic,ntlm --with-winbind-auth-challenge
>--enable-useragent-log --enable-referer-log
>When I access from WinXP/IE 6.0 a dialog box pops up asking my user/password
>and I've tried: "mydomain+testuser", "testuser", "mydomain\testuser" and I
>always get "Cache Access Denied" :(
>I'll really appreciate some help. Thanks in advance.

If already not verified, check the permission of the directory containing
the Winbindd pipe: the squid process must have the read privilege, Samba
default is that only root can read this directory.

Look here for more details:



Guido Serassio
Acme Consulting S.r.l.
Via Gorizia, 69 10136 - Torino - ITALY
Tel. : +39.011.3249426 Fax. : +39.011.3293665
Received on Mon Feb 23 2004 - 11:37:02 MST

This archive was generated by hypermail pre-2.1.9 : Mon Mar 01 2004 - 12:00:03 MST