Re: [squid-users] Re: Re: Re: More NTLM Problems

From: <lists@dont-contact.us>
Date: Tue, 27 Jul 2004 13:09:15 +1000

Quoting Adam Aube <aaube01@baker.edu>:

> Johnny Doe wrote:
> > --- Adam Aube <aaube01@baker.edu> wrote:
> >> Johnny Doe wrote:
> >>> --- Adam Aube <aaube01@baker.edu> wrote:
>
> >>>> To clarify: as the user Squid runs as, have you used wbinfo -a to
> >>>> perform an authentication test, and did you see success
> >>>> for both plaintext and challenge response authentication?
>
> >>> Yes the wbinfo -a run as user squid gives me back
> >>> plaintext password authentication succeeded
> >>> challenge/response password authentication succeeded
>
> >>> If I put squid-2.5-basic i get prompted for username/password and
> >>> everything works fine, it's just squid-2.5-ntlmssp that I'm having
> >>> problems with. Not sure if this helps but in my winbindd.log I keep
> >>> getting this:
> >>
> >>> [2004/07/26 11:49:39, 1]
> >>> nsswitch/winbindd_group.c:winbindd_getgroups(1029)
> >>> user 'squid' does not exist
> >>
> >> Odd. Can you post the exact command(s) you used to run the wbinfo -a test
> >> as the squid user? If the password is on the command line, you can munge
> >> that.
>
> > -bash-2.05b$ wbinfo -a 465732%######
> > plaintext password authentication succeeded
> > challenge/response password authentication succeeded
> >
> > 465732 being the username and ###### being the
> > password
>
> Since you didn't explicitly show it, I'm going to guess that you did a "su
> squid" before running wbinfo.
>
> Have you added any winbind lines to nsswitch.conf or PAM? If all you are
> using winbind for is Squid integration with a Windows domain, you don't
> need those lines and can take them out.
>
> That might be the source of the odd lines in winbindd.log, but that still
> won't explain why NTLM auth isn't working.
>
> Just to be thorough, can you post your smb.conf file and the output of
> "squid -v"?
>
> Adam
>
>

One thing that Adam pointed out to me when I was having similar problems was that the
permissions on the winbind_privileged pipe need to be accessible by the user Squid
runs as - I thought I had read and checked everything like yourself, but I had
overlooked this important step. If I overlooked this, then I guess it is possible
that others like yourself may do also :)

It is mentioned in the FAQ http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5 -
just do a search on the page for "winbind privileged pipe permissions"

Regards,
Rob Hadfield
Received on Mon Jul 26 2004 - 21:09:36 MDT
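
The permission check described in the reply above, as an added example that is not part of the original message or of the Squid FAQ. It assumes the privileged directory lives at `/var/lib/samba/winbindd_privileged` and that the socket inside it is named `pipe`; both depend on the Samba build, so pass the real directory as the second argument.

```python
#!/usr/bin/env python3
"""Added example: can the proxy's user reach winbindd's privileged pipe?"""
import os
import pwd
import stat
import sys

# Assumption: a common Samba location; the real path depends on the build.
DEFAULT_DIR = "/var/lib/samba/winbindd_privileged"
NEED = {"r": 4, "w": 2, "x": 1}


def allowed(mode, st_uid, st_gid, uid, gids, want):
    """Apply the owner/group/other triad the kernel would pick for uid.

    Mode bits only: ACLs and parent directories are not examined.
    """
    if uid == 0:
        return True
    shift = 6 if uid == st_uid else 3 if st_gid in gids else 0
    need = sum(NEED[c] for c in want)
    return ((mode >> shift) & need) == need


def check(user, directory=DEFAULT_DIR):
    """Return a list of findings; an empty list means the pipe is reachable."""
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    findings = []
    # Search (x) on the directory, write (w) on the socket to connect to it.
    for path, want in ((directory, "x"), (os.path.join(directory, "pipe"), "w")):
        try:
            st = os.stat(path)
        except OSError as exc:
            findings.append(f"{path}: {exc.strerror}")
            break
        if not allowed(st.st_mode, st.st_uid, st.st_gid, pw.pw_uid, gids, want):
            findings.append(f"{path}: {user} lacks '{want}' "
                            f"({stat.filemode(st.st_mode)} {st.st_uid}:{st.st_gid})")
    return findings


if __name__ == "__main__":
    # Run as root so os.stat() can see inside the restricted directory.
    user = sys.argv[1] if len(sys.argv) > 1 else "squid"
    problems = check(user, *sys.argv[2:3])
    print("\n".join(problems) or f"{user} can reach the privileged pipe")
    sys.exit(1 if problems else 0)
```

A finding on the directory line usually means the Squid user is not in the group that owns it; granting access through that group keeps the pipe closed to every other local account.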
