RE: [squid-users] NTLM Auth Problem.

From: Hal Douglas <hal@dont-contact.us>
Date: Mon, 18 Oct 2004 14:40:37 +1100

 
Thanks for your help Henrik.

I checked, just to be sure, and we are using the ntlm_auth from samba.

Yes, we are trying to use NTLM auth. As per the documentation I was using,
I've set it up to fall back to basic auth if NTLM challenge/response fails
(which it does), basic auth works quite well, but challenge/response
doesn't.

Anyway, I took a look at the cache.log, and there aren't any messages at the
default log level, other than the standard "starting X NTLM auth processes".

I turned on log_mime_hdrs as you asked, and here's the output:

1098069200.802 1 10.0.1.8 TCP_DENIED/407 1747 GET
http://www.google.com/ - NONE/- text/html [Accept: image/gif,
image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint,
application/vnd.ms-excel, application/msword, application/x-shockwave-flash,
*/*\r\nAccept-Language: en-au\r\nCookie:
PREF=ID=17238ed846c9d38d:CR=1:TM=1096527005:LM=1096527005:S=kyLy_3fTUQxpLp2g
\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR
1.1.4322)\r\nHost: www.google.com\r\nProxy-Connection: Keep-Alive\r\n]
[HTTP/1.0 407 Proxy Authentication Required\r\nServer:
squid/2.5.STABLE6\r\nMime-Version: 1.0\r\nDate: Mon, 18 Oct 2004 03:13:20
GMT\r\nContent-Type: text/html\r\nContent-Length: 1320\r\nExpires: Mon, 18
Oct 2004 03:13:20 GMT\r\nX-Squid-Error: ERR_CACHE_ACCESS_DENIED
0\r\nProxy-Authenticate: Basic realm="Pandora Squid Test Proxy blah blah
blah"\r\nProxy-Authenticate: NTLM\r\n\r]

The dummy username used was "restricted" and the password was "password".
This user worked with basic auth after the NTLM auth failed.

Hope this helps.

L8r.
 

-----Original Message-----
From: Henrik Nordstrom [mailto:hno@squid-cache.org]
Sent: Friday, 15 October 2004 6:47 PM
To: Hal Douglas
Cc: Squid Users
Subject: Re: [squid-users] NTLM Auth Problem.

On Fri, 15 Oct 2004, Hal Douglas wrote:

> I need some help sorting out a problem I've got with ntlm_auth using
> squid and winbind. I'm using Squid-2.5.STABLE6 and Samba 3.0.7.

Make sure to use the ntlm_auth from Samba, not the one from Squid. But I
think you have done this already.

> # wbinfo -t
> checking the trust secret via RPC calls succeeded

Good.

>
> # wbinfo -a username%password
> plaintext password authentication succeeded
> challenge/response password authentication succeeded

Good.

> However, if I do as per the docs I'm following:
>
> # wbinfo -a mydomain\\username%password
> plaintext password authentication failed
> error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
> error messsage was: No such user
> Could not authenticate user mydomain\username%password with plaintext password
> challenge/response password authentication failed
> error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
> error messsage was: No such user
> Could not authenticate user mydomain\username with challenge/response

This is somewhat winbind version specific and may also be dependent on your
smb.conf settings for the domain separator. But as the test above succeeded
this is not critical.

> But, doing:
>
> # /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> mydomain+username password
> OK

Good.

> So, does anyone know what I've done wrong here, if anything? It seems
> to me that it SHOULD be working, unless I've got something wrong in
> the squid or samba .conf files. I won't post those, because this email
> is long enough already, but I'll provide links to them.

Are you using NTLM or Basic authentication?

Please enable log_mime_hdrs, then test with a dummy account and post the
result here, including the supposed account name and password. Also post any
cache.log messages if there are any with the default log levels.

Regards
Henrik
Received on Sun Oct 17 2004 - 21:41:17 MDT

This archive was generated by hypermail pre-2.1.9 : Mon Nov 01 2004 - 12:00:02 MST
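
Added example (not part of the original thread, and not Squid or Samba code): a small Python reader for access.log lines written with log_mime_hdrs enabled, like the one quoted in the message above. It reports which Proxy-Authenticate schemes the proxy offered, whether the client sent a Proxy-Authorization header, and, for NTLM, which NTLMSSP message it carried. The function names and sample lines are constructed for illustration, and the parser assumes the two header blocks are the last two bracketed fields and that "] [" never occurs inside a header value.

```python
import base64
import re

NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def parse_headers(block):
    """Split a log_mime_hdrs block on its literal \\r\\n escapes; lines without a colon are dropped."""
    parts = (line.partition(":") for line in block.split("\\r\\n"))
    return [(n.lower(), v.strip()) for n, sep, v in parts if sep and " " not in n]

def ntlm_type(value):
    """Name the NTLMSSP message in an 'NTLM <base64>' value (uint32 LE at offset 8); None if not NTLM."""
    scheme, _, blob = value.partition(" ")
    if scheme.upper() != "NTLM" or not blob:
        return None
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        raw = b""
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return "MALFORMED"
    return NTLM_TYPES.get(int.from_bytes(raw[8:12], "little"), "UNKNOWN")

def diagnose(line):
    """Summarise the proxy-auth exchange recorded in one access.log line."""
    m = re.search(r" \[(.*?)\] \[(.*)\]\s*$", line)
    if not m:
        raise ValueError("no log_mime_hdrs header blocks found")
    req, rep = parse_headers(m.group(1)), parse_headers(m.group(2))
    sent = [v for n, v in req if n == "proxy-authorization" and v]
    return {
        "result": line.split()[3],
        "offered": [v.split()[0] for n, v in rep if n == "proxy-authenticate" and v],
        "client_scheme": sent[0].split()[0] if sent else None,
        "ntlm_message": ntlm_type(sent[0]) if sent else None,
    }

def make_blob(msg_type):  # constructed NTLMSSP header: signature, type, 4 zero flag bytes
    return base64.b64encode(b"NTLMSSP\x00" + msg_type.to_bytes(4, "little") + bytes(4)).decode()

# Constructed sample lines in the shape of the access.log entry quoted in the post.
PREFIX = "1098069200.802 1 10.0.1.8 TCP_DENIED/407 1747 GET http://www.google.com/ - NONE/- text/html "
REPLY = "[HTTP/1.0 407 Proxy Authentication Required\\r\\nProxy-Authenticate: %s\\r\\n\\r]"
NO_AUTH = PREFIX + "[Host: www.google.com\\r\\n] " + REPLY % 'Basic realm="test"\\r\\nProxy-Authenticate: NTLM'
NEGOTIATE = PREFIX + "[Proxy-Authorization: NTLM " + make_blob(1) + "\\r\\n] " + REPLY % ("NTLM " + make_blob(2))

if __name__ == "__main__":
    for sample in (NO_AUTH, NEGOTIATE):
        print(diagnose(sample))
```

A line with no client_scheme is a request sent without credentials; a 407 recorded against a NEGOTIATE message is the challenge step of the NTLM handshake rather than a rejection.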