[squid-users] 2003 & ntlm_auth

From: Michael Wray <mwray@dont-contact.us>
Date: Fri, 1 Oct 2004 15:35:05 -0500

I'm using 2003 AD, FreeBSD 5.2, samba 3.0.7, and squid 2.5.STABLE6.
All command line tests pass (wbinfo -a validuser%validpassword, and
 ntlm_auth --helper-protocol=squid-2.5-basic):
domain/validuser password
OK
domain/validuser badpassword
ERR

wbinfo -t comes back with the correct result as well.

However, when a webclient tries to authenticate, an auth window pops up
several times, and despite verifying username and password, authentication
fails, Cache Access Denied.

My cache.log shows the following error when auth traffic attempts to
authenticate (it always fails from a browser; all command line tests work,
ntlm_auth and wbinfo):

2004/10/01 11:47:07| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
[2004/10/01 11:47:07, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(612)
  NTLMSSP BH: NT_STATUS_ACCESS_DENIED
[2004/10/01 11:47:54, 0] utils/ntlm_auth.c:winbind_pw_check(439)
  Login for user []\[ADMINTEST]@[DEV] failed due to [winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/db/samba/winbindd_privileged are set correctly.]
[2004/10/01 11:47:54, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(612)
2004/10/01 11:47:54| authenticateNTLMHandleReply: Error validating user via NTLM. Error returned 'BH NT_STATUS_ACCESS_DENIED'
  NTLMSSP BH: NT_STATUS_ACCESS_DENIED
2004/10/01 12:52:06| NETDB state saved; 0 entries, 90 msec

Seeing as how I can't find any documentation on
/var/db/samba/winbindd_privileged I don't understand what permissions it
SHOULD have, and whether that is really the issue. I have turned off signed
traffic from the 2003 AD server, and told it to send LM & NTLM responses,
and NTLM2 when negotiated.

I see nothing useful in /var/log/log.winbindd or log.nmbd as no errors go
to these logs when traffic goes to the winbindd daemon.

Any info to point me in the right direction will be helpful. I suspect I may
need to post this to the samba list as well, but I'll hold off till I get a
response here as I see many questions re: squid/ntlm authentication.

Michael Wray
S4F Technologies, Inc.
2448 S. 81st St.
Tulsa, OK 74137
http://www.s4f.com
mailto:mwray@s4f.com
Received on Fri Oct 01 2004 - 15:23:19 MDT
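The winbindd log line quoted in the post says the winbind client (here, Squid's ntlm_auth helper) was not allowed to use winbindd_pam_auth_crap and points at the permissions of /var/db/samba/winbindd_privileged. The script below is an added example, not code from the post or from the Samba or Squid projects: it evaluates whether a given account can enter that directory under the usual Unix permission rules (owner bits if the account owns it, else group bits if it is in the directory's group, else other bits) and flags a directory that every local account can reach. The directory path is taken from the log message in the post; the helper account name "squid" is an assumed default for Squid's cache_effective_user, and both can be overridden from the environment.

```shell
#!/bin/sh
# Added example, not from the original post. Checks whether the account that
# Squid runs its ntlm_auth helper as can traverse winbindd's privileged pipe
# directory, the thing the "winbind client not authorized to use
# winbindd_pam_auth_crap" log line complains about.
# Assumptions: WINBIND_PRIV defaults to the path named in the log message;
# HELPER_USER defaults to "squid", a constructed guess at the
# cache_effective_user. Both can be overridden from the environment.
WINBIND_PRIV="${WINBIND_PRIV:-/var/db/samba/winbindd_privileged}"
HELPER_USER="${HELPER_USER:-squid}"

# dir_mode_owner_group DIR -> prints "<mode> <owner> <group>" taken from ls -ld,
# which reads the same on the FreeBSD and GNU userlands (stat(1) flags differ).
dir_mode_owner_group() {
    ls -ld "$1" | awk '{print $1, $3, $4}'
}

# user_in_group USER GROUP -> success when GROUP is among USER's groups.
user_in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$2"
}

# can_traverse DIR USER -> prints which permission class grants USER search
# (x) permission on DIR: "owner", "group", "other", or "none" when USER
# cannot enter DIR. Mirrors the DAC rule that exactly one class applies:
# owner if USER owns DIR, else group if USER is in DIR's group, else other.
# (root bypasses DAC entirely, so a result for root is informational only.)
can_traverse() {
    dir=$1
    user=$2
    set -- $(dir_mode_owner_group "$dir")
    mode=$1; owner=$2; group=$3
    # mode string looks like drwxr-x---: columns 4, 7 and 10 are the x bits
    # (an "s" or "t" in those columns also implies x).
    if [ "$owner" = "$user" ]; then
        bit=$(printf '%s' "$mode" | cut -c4); class=owner
    elif user_in_group "$user" "$group"; then
        bit=$(printf '%s' "$mode" | cut -c7); class=group
    else
        bit=$(printf '%s' "$mode" | cut -c10); class=other
    fi
    case $bit in
        x|s|t) echo "$class" ;;
        *)     echo none ;;
    esac
}

# world_accessible DIR -> success when "other" has any permission on DIR.
# A privileged pipe directory should not be reachable by every local account.
world_accessible() {
    case $(dir_mode_owner_group "$1" | cut -c8-10) in
        ---) return 1 ;;
        *)   return 0 ;;
    esac
}

# report -> prints a verdict for HELPER_USER on WINBIND_PRIV; returns 0 when
# the helper can enter the directory, 1 when it cannot, 2 when the path is
# not a directory at all.
report() {
    if [ ! -d "$WINBIND_PRIV" ]; then
        echo "$WINBIND_PRIV: not a directory (is winbindd running, and is the path right?)"
        return 2
    fi
    echo "$WINBIND_PRIV: $(dir_mode_owner_group "$WINBIND_PRIV")"
    class=$(can_traverse "$WINBIND_PRIV" "$HELPER_USER")
    if [ "$class" = none ]; then
        echo "$HELPER_USER cannot enter it, so winbindd will reject its pam_auth_crap request"
        return 1
    fi
    echo "$HELPER_USER can enter it via the $class bits"
    if world_accessible "$WINBIND_PRIV"; then
        echo "warning: the directory is accessible to every local account"
    fi
    return 0
}

# Run the report when invoked on a real box; skipped when the path is absent.
if [ -d "$WINBIND_PRIV" ]; then
    report || echo "verdict: problem found (exit status $?)"
fi
```

Run it as root on the Squid host (HELPER_USER=proxy ./check.sh if Squid runs as a different account). The owner-before-group rule matters in practice: a directory whose owner lacks the x bit is closed to its owner even when the group would be allowed in, and the helper's effective user is whatever Squid switches to, not the account that started it.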

This archive was generated by hypermail pre-2.1.9 : Mon Nov 01 2004 - 12:00:01 MST