[squid-users] NTLM authentication troubles - FreeBSD 4.10 + Samba 3 + Squid 2.5

From: Jamie Heckford <jamie@dont-contact.us>
Date: Fri, 25 Jun 2004 18:03:51 +0100

Hi,

I am having real difficulty getting squid working with NTLM
authentication on FreeBSD 4.10 and Samba 3.0.4.

I have read the FAQ thoroughly at
http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.2 but still can't
seem to figure out what's wrong.

The only two things that stick out are that when I do the wbinfo -a test
the challenge/response password authenticates fine but not plaintext.
Running the ntlm_auth program by hand I also get the message "BH Helper
detected protocol error"

For info our domain controller is Windows 2003 server running AD and our
domain is called TRIDENT.

Reading the FAQ on NTLM Auth, here's a walkthrough of what I did:

1) Build and install samba 3 with winbind support - done.

2) Configure smb.conf (below) and join to the domain - done.

[global]
   workgroup = TRIDENT
   server string = Mungo
   security = domain
   log file = /var/log/samba/log.%m
   password server = DC1
   socket options = TCP_NODELAY
   local master = no
   dns proxy = yes
   winbind separator = +
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   winbind enum users = yes
   winbind enum groups = yes

3) Check wbinfo -t command - done. (output below - output different from
FAQ)

admin@mungo:/<2>etc/squid# wbinfo -t
checking the trust secret via RPC calls succeeded

4) Test winbind user authentication - done. (Output below - command
syntax different from FAQ? Note that only challenge/response password
works).

admin@mungo:/<2>etc/squid# wbinfo -a TRIDENT\\jamie%xxxxxxx
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user TRIDENT\jamie%xxxxxxx with plaintext
password
challenge/response password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user TRIDENT\jamie with challenge/response

admin@mungo:/<2>etc/squid# wbinfo -a jamie%xxxxxxx
plaintext password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error messsage was: No such user
Could not authenticate user jamie%xxxxxxx with plaintext password
challenge/response password authentication succeeded
   
5) Set privileges on winbindd_privileged - done (output below)

admin@mungo:/<2>etc/squid# chgrp squid /var/db/samba/winbindd_privileged
admin@mungo:/<2>etc/squid# l /var/db/samba

<snip>

Drwxrwx--- 2 root squid - 512 Jun 25 16:68 winbindd_privileged

6) Compile squid with --enable-auth="ntlm,basic" - Done.

7) Test squid without auth - works fine. Also tested with basic auth on
ncsa passwd file which also works but pops up a username and password
box, browsing ok once correct username and password entered.

Relevant bits for my NTLM auth from squid.conf below:

auth_param ntlm program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

8) Test the samba 3.x helper. Bleh. Command line seems completely
different from the FAQ. Output below of the FAQ one and the one I think
is correct:

admin@mungo:/<2>etc/squid# /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-basic TRIDENT+jamie xxxxxxx
Couldn't grok domain-controller TRIDENT+jamie
Couldn't grok domain-controller xxxxxxx
You must specify at least one domain-controller!
/usr/local/libexec/squid/ntlm_auth usage:
/usr/local/libexec/squid/ntlm_auth [-b] [-f] [-d] [-l] domain\controller
[domain\controller ...]
-b enables load-balancing among controllers
-f enables failover among controllers (DEPRECATED and always active)
-l changes behavior on domain controller failyures to last-ditch.
-d enables debugging statements if DEBUG was defined at build-time.

You MUST specify at least one Domain Controller.
You can use either \ or / as separator between the domain name
and the controller name

admin@mungo:/<2>etc/squid# /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-basic TRIDENT\\DC1 jamie xxxxxxx
BH Helper detected protocol error

Hmmmmmmmmmmmmmmmmmm. Everything appears to be configured fine to me. Is
it a FreeBSD quirk?? There doesn't appear to be any relevant info in the
squid logs about what's happening and IE just displays the "Cannot find
page or DNS error" page.

My goal out of this is for people who are authenticated on the domain to
browse the internet without having to type in a username and password
every time they open IE.

Hope the reams of info above shed some light on what's happening!!!!

Any help mucho appreciated.

Thanks,

--
Jamie Heckford
Network Manager
Trident Microsystems Ltd.
t: +44(0)1737-780790
f: +44(0)1737-771908
w: http://www.tridentmicrosystems.co.uk/ 
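An added example, not part of the original post: a small Python driver that speaks the Squid 2.5 helper protocol over stdin/stdout, which is the channel Squid actually uses to hand credentials to an auth helper, and classifies replies such as the "BH" line seen in step 8. The helper command below is a constructed stand-in; to test a live setup, substitute the helper command line from squid.conf.

```python
"""Drive a Squid 2.5 auth helper over stdin/stdout the way Squid itself does.
squid-2.5-basic: Squid writes "user password" per line and reads "OK"/"ERR".
squid-2.5-ntlmssp: Squid writes "YR" (type 1 message may follow) then
"KK <b64 type3>", and reads "TT <b64 type2>" then "AF <user>"/"NA <reason>".
"BH <reason>" means the helper itself failed, not that a password was wrong.
Added example; MOCK_HELPER_CMD is a constructed stand-in, not Samba's ntlm_auth.
"""
import subprocess
import sys

REPLY_CODES = {"OK", "ERR", "TT", "AF", "NA", "BH"}

# Constructed basic-protocol helper so the script runs offline. In production
# replace this list with the helper command from squid.conf (placeholder).
MOCK_HELPER_CMD = [sys.executable, "-c",
    "import sys\n"
    "while True:\n"
    "    line = sys.stdin.readline()\n"
    "    if not line: break\n"
    "    print('OK' if line.strip() == 'jamie secret' else 'ERR', flush=True)"]

def parse_helper_reply(line):
    """Split one helper reply line into (code, payload)."""
    code, _, payload = line.rstrip("\r\n").partition(" ")
    if code not in REPLY_CODES:
        raise ValueError("not a Squid 2.5 helper reply: %r" % line)
    return code, payload

def diagnose(reply):
    """What the operator should conclude from a single reply line."""
    code, payload = parse_helper_reply(reply)
    meaning = {"OK": "accepted", "AF": "accepted", "TT": "challenge issued, KK step next",
               "ERR": "credentials rejected", "NA": "credentials rejected",
               "BH": "helper-side failure, check how the helper is invoked"}[code]
    return (meaning + " " + payload).strip()

def exchange(helper_cmd, requests):
    """Send request lines one at a time; return parsed (code, payload) replies."""
    proc = subprocess.Popen(helper_cmd, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, text=True, bufsize=1)
    replies = []
    try:
        for req in requests:
            proc.stdin.write(req + "\n")   # one credential pair per line
            proc.stdin.flush()
            replies.append(parse_helper_reply(proc.stdout.readline()))
    finally:
        proc.stdin.close()                 # EOF tells the helper to exit
        proc.wait()
    return replies
```

Running `exchange(MOCK_HELPER_CMD, ["jamie secret", "jamie wrong"])` returns `[("OK", ""), ("ERR", "")]`; a "BH" reply from a real helper points at the helper's invocation or protocol setting rather than at the user's password.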
 
Received on Fri Jun 25 2004 - 11:02:11 MDT

This archive was generated by hypermail pre-2.1.9 : Thu Jul 01 2004 - 12:00:03 MDT