RE: [squid-users] NTLM Authentication

From: Mike Diggins <diggins@dont-contact.us>
Date: Mon, 8 Aug 2005 10:39:53 -0400 (Eastern Daylight Time)

On Fri, 5 Aug 2005, Plant, Dean wrote:

> Mike Diggins wrote:
>> We're running Squid V2.5Stable10 on a Solaris 8 platform and are
>> attempting to get the NTLM authentication working along with basic
>> authentication for non-IE browsers.
>>
>> So far, IE users that are logged into the domain authenticate without
>> an authentication prompt (good). Non IE users or users of other web
>> clients are prompted for authentication, which is expected, except
>> now they must type in the domain/username and password (i.e.
>> ap1/myname) instead of just their username. That's a bigger change in
>> behaviour than we would like. Is there a way to make this work or is
>> this normal behaviour?
>>
> I think you need to set "winbind use default domain = yes" in your
> smb.conf

Okay, I've changed my configuration following the instructions in the
Squid FAQ - http://www.squid-cache.org/Doc/FAQ/FAQ-23.html - How do I use
the Winbind authenticators

Things are working better. Non IE browsers not logged into the domain
prompt for password (good). IE and Firefox, when logged into the domain,
do not ask for a password (also good).

A problem remains with IE when I'm not logged into the domain. It prompts
for username and password as it should, but it also insists that I enter
a domain (ap1\diggins) before it will authenticate. All non-IE browsers
don't require this. Is there any way to make IE behave better?

Squid Version: 2.5Stable10
Samba: 3.0.14a (nmbd, smbd and winbind all running).

Samba Config:

[global]

         workgroup = AP1
         realm = AP1
         winbind uid = 10000-20000
         winbind gid = 10000-20000
         encrypt passwords = yes
         security=domain
         password server = as7.ad.McMaster.CA, as6.ad.mcmaster.ca
         winbind separator = /
         winbind enum users = yes
         winbind enum groups = yes
         winbind use default domain = yes
         preferred master = False
         local master = No
         domain master = False
         log file = /var/log/samba.log

; end

Squid authentication configuration:

#
auth_param ntlm program /usr/local/squid/sbin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
#
auth_param basic program /usr/local/squid/sbin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

-Mike
Received on Mon Aug 08 2005 - 08:38:06 MDT
