RE: [squid-users] NTLM Auth Problem.

From: Hal Douglas <hal@dont-contact.us>
Date: Mon, 18 Oct 2004 14:43:27 +1100

Yes, thanks Patricio, we sure did join the machine to the domain. It
appears in the AD, and everything! :)

-----Original Message-----
From: Patricio Bruna V. [mailto:pbruna@linuxcenterla.com]
Sent: Friday, 15 October 2004 12:44 PM
To: hal@mrc.tas.edu.au
Subject: Re: [squid-users] NTLM Auth Problem.

On Fri, 15-10-2004 at 11:26 +1100, Hal Douglas wrote:
> Hi all.
>
> I need some help sorting out a problem I've got with ntlm_auth using
> squid and winbind. I'm using Squid-2.5.STABLE6 and Samba 3.0.7.
>
> I've set up squid and samba from source, and configured them, all
> according to the documentation found here:
>
> http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5
>
> I'm sure I've done everything right, according to the docco, but when
> the user requests a site, the challenge/response auth fails, and the
> user is prompted for a username and password (using basic auth as a
> fallback), which succeeds.
>
> I've done a lot of troubleshooting, and tried a lot of things to get
> this working. I'm running on Debian 3.0r2, but I had much the same
> problem on FC2. Everything during setup seemed to work. The following
> gives the result:
>
> # wbinfo -t
> checking the trust secret via RPC calls succeeded
>
> # wbinfo -a username%password
> plaintext password authentication succeeded
> challenge/response password authentication succeeded
>
> However, if I do as per the docs I'm following:
>
> # wbinfo -a mydomain\\username%password
> plaintext password authentication failed
> error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
> error messsage was: No such user
> Could not authenticate user mydomain\username%password with plaintext password
> challenge/response password authentication failed
> error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
> error messsage was: No such user
> Could not authenticate user mydomain\username with challenge/response
>
> But, doing:
>
> # /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> mydomain+username password
> OK
>
> Seems to be working there, but the browser still doesn't authenticate.
> With the debugging turned on, I get this in the cache log:
>
> 2004/10/14 16:15:59| aclMatchAclList: checking AuthorizedUsers
> 2004/10/14 16:15:59| aclMatchAcl: checking 'acl AuthorizedUsers proxy_auth REQUIRED'
> 2004/10/14 16:15:59| authenticateValidateUser: Auth_user_request was NULL!
> 2004/10/14 16:15:59| authenticateAuthenticate: broken auth or no proxy_auth header. Requesting auth header.
> 2004/10/14 16:15:59| aclMatchAcl: returning 0 sending authentication challenge.
> 2004/10/14 16:15:59| aclMatchAclList: no match, returning 0
> 2004/10/14 16:15:59| aclCheck: match found, returning 2
> 2004/10/14 16:15:59| cbdataUnlock: 0x81eadf8
> 2004/10/14 16:15:59| aclCheckCallback: answer=2
> 2004/10/14 16:15:59| cbdataValid: 0x83d7430
> 2004/10/14 16:15:59| The request GET http://slashdot.org/ is DENIED, because it matched 'AuthorizedUsers'
>
> Searching around for that error I found that someone had suggested
> this was due to squid not being able to access winbind's privileged
> pipe, however, squid runs as the user and group "squid", and these are
> the perms on the directory in question:
>
> drwxr-s--- 2 root squid 4096 Oct 14 15:09 /usr/local/samba/var/locks/winbindd_privileged
>
> Seems okay to me, and consistent with the info on giving squid access
> to winbind's privileged pipe in the squid FAQ mentioned above.
>
> So, does anyone know what I've done wrong here, if anything? It seems
> to me that it SHOULD be working, unless I've got something wrong in
> the squid or samba .conf files. I won't post those, because this email
> is long enough already, but I'll provide links to them.
>
> Squid.conf:
>
> http://users.bigpond.com/xdouglas/stuff/4work/squid.conf
>
> Smb.conf:
>
> http://users.bigpond.com/xdouglas/stuff/4work/smb.conf
>
> Any help with this problem would be greatly appreciated.
>
> Thanks.
>
>

Did you join your machine to the domain?
Received on Sun Oct 17 2004 - 21:43:53 MDT
