[squid-users] ntlm_auth working only on some clients

From: Sergio Vera <sergio.vera@dont-contact.us>
Date: Mon, 02 May 2005 19:40:48 +0200

Hi everyone

I'm having some problems setting up squid 2.5.STABLE9 to authenticate users
in a Windows 2000 server domain (Active Directory).

I have followed this guide:
http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5

ntlm_auth is working fine on some client machines but not on others.
I have tested it with Windows 2000 Professional, IExplorer 6+SP1 and
Firebird 1.02, and they don't work no matter which user logs in. However,
when it works on some machine, any user that logs in on that machine can use
the proxy.
I mean, it seems to be a client-machine-related problem, not a specific-user
problem. Nevertheless, there are no significant differences between the
clients, as they are generated from the same Norton Ghost image (all
clients have the same software and versions).
With Linux clients, the login/password dialog appears and auth works
perfectly.

On the proxy machine, any winbindd-related command works OK (wbinfo,
ntlm_auth...).

Now some specific stuff:
Fedora Core 3 with 2.6.11-1.14_FC3 kernel

Squid Cache: Version 2.5.STABLE9
configure options: --build=i386-redhat-linux --host=i386-redhat-linux
--target=i386-redhat-linux-gnu --program-prefix= --prefix=/usr
--exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc
--datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib
--libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com
--mandir=/usr/share/man --infodir=/usr/share/info --exec_prefix=/usr
--bindir=/usr/sbin --libexecdir=/usr/lib/squid --localstatedir=/var
--sysconfdir=/etc/squid --enable-poll --enable-snmp
--enable-removal-policies=heap,lru
--enable-storeio=aufs,coss,diskd,null,ufs --enable-ssl
--with-openssl=/usr/kerberos --enable-delay-pools --enable-linux-netfilter
--with-pthreads --enable-ntlm-auth-helpers=SMB,winbind
--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group,winbind_group
--enable-auth=basic,ntlm --with-winbind-auth-challenge
--enable-useragent-log --enable-referer-log --disable-dependency-tracking
--enable-cachemgr-hostname=localhost --disable-ident-lookups
--enable-truncate --enable-underscores --datadir=/usr/share
--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,winbind

winbindd version: 3.0.10-1.fc3

here is the squid.conf without comments:
---------------------------------------------------------------
http_port 192.168.2.10:8080
http_port 192.168.8.20:8080
icp_port 0
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 16 MB
cache_dir ufs /var/spool/squid 700 16 256
auth_param ntlm program /usr/bin/ntlm_auth --debug-level=10 --helper-protocol=squid-2.5-ntlmssp --nt-response
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 8080 # Standard proxy port
acl CONNECT method CONNECT

acl red2 src 192.168.2.0/24 # classroom network
acl red8 src 192.168.8.0/24 # internal network
acl red1 src 192.168.1.0/24 # other network
acl red9 src 192.168.9.0/24 # administrative network
acl red6 src 192.168.6.0/24 # wireless
acl autentificados proxy_auth REQUIRED

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access allow autentificados
http_access deny all
http_reply_access allow all

icp_access allow all
coredump_dir /var/spool/squid
---------------------------------------------------------
here are some lines from smb.conf
---------------------------------------------------------
workgroup = AULADOM
security = domain
password server = aulaserver
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind use default domain = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
-----------------------------------------------------------

Some additional info & tests:

Winbindd privileged dir has the correct permissions:
drwxr-x--- 2 root squid 4096 may 2 17:58 winbindd_privileged

# net join -S aulaserver -U Admin%ADMINPASSWORD
[2005/05/02 19:10:03, 0] libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password Administrador@AULADOM.ES failed: Cannot find KDC
for requested realm
[2005/05/02 19:10:03, 0] utils/net_ads.c:ads_startup(186)
  ads_connect: Cannot find KDC for requested realm
Joined domain AULADOM.

Those are the only noticeable errors; however, it seems to join the domain
and authenticate users.

# wbinfo -t
checking the trust secret via RPC calls succeeded

# wbinfo -a USER%PWD
plaintext password authentication succeeded
challenge/response password authentication succeeded

wbinfo -u and wbinfo -g work also...

In the access.log, when ntlm_auth works the correct username of the client
appears; when not authenticated, NONE appears in the username field.
However, as you may see, sometimes a user receives a TCP_DENIED with NONE
as username and then the same request is a TCP_HIT authenticated: I don't
know if this is normal behaviour or if it can be related to the whole
problem.

(access.log extracted from a successfully authenticated client)
1115050342.129 1 192.168.2.166 TCP_DENIED/407 1896 GET http://www.rage3d.com/board/images/purerage/site/sitemenu_open_collapsed.gif - NONE/- text/html
1115050342.224 1203 192.168.2.166 TCP_REFRESH_HIT/200 8067 GET http://www.rage3d.com/board/images/purerage/site/logo.jpg 52437211 DIRECT/66.224.5.66 image/jpeg
1115050342.405 1272 192.168.2.166 TCP_REFRESH_HIT/200 340 GET http://www.rage3d.com/board/clear.gif 52437211 DIRECT/66.224.5.66 image/gif
1115050343.721 1591 192.168.2.166 TCP_REFRESH_HIT/200 345 GET http://www.rage3d.com/board/images/purerage/site/sitemenu_open_collapsed.gif 52437211 DIRECT/66.224.5.66 image/gif
------------------------------------------
access.log from an unsuccessfully authenticated client

1115050461.386 3 192.168.2.162 TCP_DENIED/407 1730 GET http://www.rage3d.com/ - NONE/- text/html
1115050461.407 3 192.168.2.162 TCP_DENIED/407 1729 GET http://www.rage3d.com/ - NONE/- text/html
1115050475.898 4 192.168.2.162 TCP_DENIED/407 1745 GET http://www.meristation.com/ - NONE/- text/html
1115050475.918 3 192.168.2.162 TCP_DENIED/407 1744 GET http://www.meristation.com/ - NONE/- text/html
1115050510.591 1 192.168.2.162 TCP_DENIED/407 1805 GET http://csc3-2004-crl.verisign.com/CSC3-2004.crl - NONE/- text/html
1115050510.720 2 192.168.2.162 TCP_DENIED/407 1809 GET http://csc3-2004-crl.verisign.com/CSC3-2004.crl - NONE/- text/html
1115050511.614 894 192.168.2.162 TCP_CLIENT_REFRESH_MISS/200 12862 GET http://csc3-2004-crl.verisign.com/CSC3-2004.crl 52179933 DIRECT/12.158.80.10 application/pkix-crl
1115050569.182 143 192.168.2.162 TCP_DENIED/407 1715 CONNECT 192.168.2.251:443 - NONE/- text/html
1115050569.219 3 192.168.2.162 TCP_DENIED/407 1714 CONNECT 192.168.2.251:443 - NONE/- text/html
1115050583.430 3 192.168.2.162 TCP_DENIED/407 1730 GET http://www.google.com/ - NONE/- text/html
1115050583.445 3 192.168.2.162 TCP_DENIED/407 1729 GET http://www.google.com/ - NONE/- text/html
1115050609.646 3 192.168.2.162 TCP_DENIED/407 1730 GET http://www.google.com/ - NONE/- text/html
1115050609.666 3 192.168.2.162 TCP_DENIED/407 1729 GET http://www.google.com/ - NONE/- text/html
----------------------------------------------------------------

Any additional help or guidance will be very much appreciated,
thank you!
Received on Mon May 02 2005 - 11:36:12 MDT
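The post's two access.log excerpts show the pattern a proxy admin has to tell apart: a fresh NTLM connection normally produces two TCP_DENIED/407 replies (the first with no credentials, the second carrying the server challenge) and then a 2xx logged with the username, whereas a client whose handshake never completes keeps producing 407 pairs with `-` in the username field and no follow-up. The script below is an added example, not code from the original post or from Squid; it parses Squid 2.5 native-format access.log lines, tracks per client which URLs received 407s that were never followed by an authenticated reply, and gives each client a verdict. The `SAMPLE_LOG` is constructed, modelled on the excerpts above, and the verdict labels are this example's own.

```python
"""Spot clients whose NTLM proxy handshake never completes, using a Squid 2.5
native-format access.log.  Added example; not code from the original post."""
from collections import defaultdict

# Constructed sample, modelled on the log excerpts in the post.  Native format:
# timestamp elapsed client code/status bytes method url user hierarchy/peer type
SAMPLE_LOG = """\
1115050342.129 1 192.168.2.166 TCP_DENIED/407 1896 GET http://www.rage3d.com/board/images/purerage/site/sitemenu_open_collapsed.gif - NONE/- text/html
1115050342.224 1203 192.168.2.166 TCP_REFRESH_HIT/200 8067 GET http://www.rage3d.com/board/images/purerage/site/logo.jpg 52437211 DIRECT/66.224.5.66 image/jpeg
1115050343.721 1591 192.168.2.166 TCP_REFRESH_HIT/200 345 GET http://www.rage3d.com/board/images/purerage/site/sitemenu_open_collapsed.gif 52437211 DIRECT/66.224.5.66 image/gif
1115050461.386 3 192.168.2.162 TCP_DENIED/407 1730 GET http://www.rage3d.com/ - NONE/- text/html
1115050461.407 3 192.168.2.162 TCP_DENIED/407 1729 GET http://www.rage3d.com/ - NONE/- text/html
1115050510.591 1 192.168.2.162 TCP_DENIED/407 1805 GET http://csc3-2004-crl.verisign.com/CSC3-2004.crl - NONE/- text/html
1115050510.720 2 192.168.2.162 TCP_DENIED/407 1809 GET http://csc3-2004-crl.verisign.com/CSC3-2004.crl - NONE/- text/html
1115050511.614 894 192.168.2.162 TCP_CLIENT_REFRESH_MISS/200 12862 GET http://csc3-2004-crl.verisign.com/CSC3-2004.crl 52179933 DIRECT/12.158.80.10 application/pkix-crl
1115050583.430 3 192.168.2.162 TCP_DENIED/407 1730 GET http://www.google.com/ - NONE/- text/html
1115050583.445 3 192.168.2.162 TCP_DENIED/407 1729 GET http://www.google.com/ - NONE/- text/html
"""


def parse_line(line):
    """Parse one native-format access.log line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) < 10:
        return None
    code, _, status = parts[3].partition("/")
    return {
        "ts": float(parts[0]),
        "client": parts[2],
        "code": code,
        "status": int(status),
        "method": parts[5],
        "url": parts[6],
        "user": parts[7],   # '-' when the request carried no accepted credentials
        "hier": parts[8],   # NONE/- when Squid answered the request itself (e.g. a 407)
    }


def classify_clients(lines):
    """Return {client_ip: summary}.  A URL that collected two or more 407s
    without a later authenticated reply counts as an unresolved handshake."""
    stats = {}
    pending = defaultdict(dict)   # client -> {url: 407s not yet followed by success}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats.setdefault(rec["client"], {"challenges": 0, "authenticated": 0,
                                             "unresolved_urls": set(), "verdict": ""})
        if rec["status"] == 407:
            s["challenges"] += 1
            per_url = pending[rec["client"]]
            per_url[rec["url"]] = per_url.get(rec["url"], 0) + 1
        elif rec["user"] != "-":
            # An authenticated reply for this URL closes any open challenge on it.
            s["authenticated"] += 1
            pending[rec["client"]].pop(rec["url"], None)
    for client, s in stats.items():
        s["unresolved_urls"] = {u for u, n in pending[client].items() if n >= 2}
        if s["unresolved_urls"]:
            s["verdict"] = "handshake_not_completing"   # label chosen for this example
        elif s["authenticated"]:
            s["verdict"] = "ok"
        else:
            s["verdict"] = "no_authenticated_requests"
    return stats


if __name__ == "__main__":
    for client, s in sorted(classify_clients(SAMPLE_LOG.splitlines()).items()):
        print(f"{client}: {s['verdict']} (407s={s['challenges']}, "
              f"authenticated={s['authenticated']}, "
              f"unresolved={sorted(s['unresolved_urls'])})")
```

Run against a real access.log with `classify_clients(open('/var/log/squid/access.log'))`. A single stray 407 is ignored on purpose, since a browser may finish the handshake on a different connection; the pair-without-success rule is what separates a machine that never sends the final NTLM response from one that merely opens new connections often. The verdict for 192.168.2.162 stays "handshake_not_completing" even though its CRL fetch authenticated, which mirrors the post's observation that the failing machine occasionally gets a request through.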
