RE: [squid-users] Windows 2003 Strangeness

From: newsgroupie <newsgroupie@dont-contact.us>
Date: Fri, 10 Sep 2004 10:08:32 +1000

This might be worth a go as I have seen this also before.

Here is what fixed it for me (although the 2003 server was a domain
controller I think the similarity is close)

If machine is a 2003 Domain controller and you have a 2003 AD domain:

Change the domain controller security policy to:
Microsoft Network Server: Digitally Sign Communications (Always) Enabled
to DISABLED

Change DEFAULT DOMAIN AND Default DOMAIN CONTROLLER security policy:
Network Security: Lan Manager Authentication Level (not configured) to
Send LM & NTLM - Use NTLMv2 If Negotiated

If machine is a standalone server and you do not have 2003 AD, just the
following should work (I have not tested)

Change LOCAL machine security policy to:

Microsoft Network Server: Digitally Sign Communications (Always) Enabled
to DISABLED
Network Security: Lan Manager Authentication Level (not configured) to
Send LM & NTLM - Use NTLMv2 If Negotiated

Hope this helps,

Dave
 

-----Original Message-----
From: Charlie Grosvenor [mailto:charlie.grosvenor@BellandClements.co.uk]
Sent: Friday, 10 September 2004 3:45 AM
To: Dave Augustus
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Windows 2003 Strangeness

NT 4 doesn't support Kerberos so I don't see why samba should need to be
compiled with Kerberos support. Doesn't windows 2003 server support
normal NTLM auth? There must be some way of telling it to use it.

Thank you

-----Original Message-----
From: Dave Augustus [mailto:davea@support.kcm.org]
Sent: 09 September 2004 18:40
To: Charlie Grosvenor
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] Windows 2003 Strangeness

Did you compile Samba with kerberos 1.3? I am just guessing here but the
problem appears to be between your W2K3 servers and Squid.

This is a Samba configuration problem- whatever it is- you could try
posting there as well.

--
Dave
On Thu, 2004-09-09 at 12:03, Charlie Grosvenor wrote:
> Thank you for the response, the windows 2003 server is a member server
> of an NT 4 domain, no active directory. I have this problem on two all
> the windows 2003 member servers.
> 
> Squid.conf:
> 
> auth_param ntlm program /usr/bin/ntlm_auth domain/domaincontroller
> auth_param ntlm children 5
> auth_param ntlm max_challenge_reuses 5000
> auth_param ntlm max_challenge_lifetime 5 minutes
> 
> I am using the NTLM_AUTH binary that comes with samba v3.
> 
> Thank you
> 
> -----Original Message-----
> From: Dave Augustus [mailto:davea@support.kcm.org]
> Sent: 09 September 2004 17:56
> To: Charlie Grosvenor
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] Windows 2003 Strangeness
> 
> How are you authenticating? It sounds like you are using mixed-mode
> authentication: that is, the old-style Domain Controller and the
> new Active Directory.
> 
> My guess is that:
> Your Squid box is using DC for authentication and the W2K3 server is 
> using AD. Do you have the same problem on another W2K3 server ?
> 
> With Samba v3, you use the NTLM_AUTH  binary that it installs instead 
> of the one that comes with Squid.
> 
> Let me know,
> --
> Dave
> 
> On Thu, 2004-09-09 at 10:49, Charlie Grosvenor wrote:
> > I am using squid 2.5.6, with NTLM authentication. This works fine
> > with IE6 on windows NT, 2000, XP clients, but with windows 2003
> > server, I get "Page cannot be displayed" when I set IE6 to use the
> > proxy and in the squid access.log I get:
> >  
> > 1094744912.490      0 192.168.1.97 TCP_DENIED/407 1866 GET http://www.microsoft.com/ - NONE/- text/html
> > 1094744912.664      0 192.168.1.97 TCP_DENIED/407 1792 GET http://www.microsoft.com/ - NONE/- text/html
> > 1094744912.667      0 192.168.1.97 TCP_DENIED/407 1866 GET http://www.microsoft.com/ - NONE/- text/html
> > 1094744912.824      0 192.168.1.97 TCP_DENIED/407 1792 GET http://www.microsoft.com/ - NONE/- text/html
> > 1094744912.827      0 192.168.1.97 TCP_DENIED/407 1866 GET http://www.microsoft.com/ - NONE/- text/html
> > 1094744912.976      0 192.168.1.97 TCP_DENIED/407 1792 GET http://www.microsoft.com/ - NONE/- text/html
> > 1094744912.979      0 192.168.1.97 TCP_DENIED/407 1866 GET http://www.microsoft.com/ - NONE/- text/html
> > 1094744913.136      0 192.168.1.97 TCP_DENIED/407 1792 GET http://www.microsoft.com/ - NONE/- text/html
> > 1094744913.138      0 192.168.1.97 TCP_DENIED/407 1866 GET http://www.microsoft.com/ - NONE/- text/html
> >  
> > Has anybody else experienced this with windows 2003 server? anybody 
> > know of a solution?
> > 
> > ______________________________________________________________________
> > This email has been scanned by the MessageLabs Email Security System.
> > For more information please visit http://www.messagelabs.com/email
> > ______________________________________________________________________
> 
Received on Thu Sep 09 2004 - 18:08:41 MDT
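
The repeating TCP_DENIED/407 pattern in the access.log excerpt quoted in this thread can be detected automatically. The following is an added example, not part of the original messages: it parses Squid's native access.log format and reports clients with an unbroken run of 407 responses. The function names, the `max_denials` and `window` thresholds, and the 192.168.1.50 entries are assumptions made for illustration.

```python
from collections import defaultdict

# The first six entries are access.log lines from the post; the three
# 192.168.1.50 entries are constructed to show a handshake that completes.
SAMPLE_LOG = """\
1094744912.490      0 192.168.1.97 TCP_DENIED/407 1866 GET http://www.microsoft.com/ - NONE/- text/html
1094744912.664      0 192.168.1.97 TCP_DENIED/407 1792 GET http://www.microsoft.com/ - NONE/- text/html
1094744912.667      0 192.168.1.97 TCP_DENIED/407 1866 GET http://www.microsoft.com/ - NONE/- text/html
1094744912.824      0 192.168.1.97 TCP_DENIED/407 1792 GET http://www.microsoft.com/ - NONE/- text/html
1094744912.827      0 192.168.1.97 TCP_DENIED/407 1866 GET http://www.microsoft.com/ - NONE/- text/html
1094744912.976      0 192.168.1.97 TCP_DENIED/407 1792 GET http://www.microsoft.com/ - NONE/- text/html
1094744920.100      0 192.168.1.50 TCP_DENIED/407 1866 GET http://www.example.com/ - NONE/- text/html
1094744920.250      0 192.168.1.50 TCP_DENIED/407 1792 GET http://www.example.com/ - NONE/- text/html
1094744920.400    152 192.168.1.50 TCP_MISS/200 4312 GET http://www.example.com/ user1 DIRECT/192.0.2.10 text/html
"""

def parse_line(line):
    """Parse one native-format line: time elapsed client code/status ..."""
    parts = line.split()
    if len(parts) < 10:
        return None
    code, _, status = parts[3].partition("/")
    try:
        return {"ts": float(parts[0]), "client": parts[2],
                "code": code, "status": int(status)}
    except ValueError:
        return None

def find_auth_loops(log_text, max_denials=4, window=5.0):
    """Return {client: longest 407 run} for runs longer than max_denials.

    A run ends when the client gets any non-407 response or goes quiet
    for more than `window` seconds. Both thresholds are assumed values.
    """
    runs = defaultdict(list)   # timestamps of the current 407 run per client
    flagged = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        run = runs[entry["client"]]
        if entry["code"] == "TCP_DENIED" and entry["status"] == 407:
            if run and entry["ts"] - run[-1] > window:
                run.clear()
            run.append(entry["ts"])
            if len(run) > max_denials:
                flagged[entry["client"]] = max(flagged.get(entry["client"], 0), len(run))
        else:
            run.clear()
    return flagged
```

A client that opens several connections in parallel can legitimately produce more than two 407s in a row, so `max_denials` should be tuned against normal traffic before alerting on it.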

This archive was generated by hypermail pre-2.1.9 : Fri Oct 01 2004 - 12:00:02 MDT