RE: [squid-users] NTLM Authentication

From: Mike Diggins <diggins@dont-contact.us>
Date: Tue, 9 Aug 2005 08:43:40 -0400 (Eastern Daylight Time)

On Tue, 9 Aug 2005, David Gameau wrote:

>> -----Original Message-----
>> From: Mike Diggins [mailto:diggins@McMaster.CA]
>> Sent: Tuesday, 9 August 2005 12:10 AM
>> To: Plant, Dean
>> Cc: squid-users@squid-cache.org
>> Subject: RE: [squid-users] NTLM Authentication
>>
>>
>> On Fri, 5 Aug 2005, Plant, Dean wrote:
>>
>>> Mike Diggins wrote:
>>>> We're running Squid V2.5Stable10 on a Solaris 8 platform and are
>>>> attempting to get the NTLM authentication working along with basic
>>>> authentication for non-IE browsers.
>>>>
>>>> So far, IE users that are logged into the domain authenticate without
>>>> an authentication prompt (good). Non IE users or users of other web
>>>> clients are prompted for authentication, which is expected, except
>>>> now they must type in the domain/username and password (i.e.
>>>> ap1/myname) instead of just their username. That's a bigger change in
>>>> behaviour than we would like. Is there a way to make this work or is
>>>> this normal behaviour?
>>>>
>>> I think you need to set "winbind use default domain = yes" in your
>>> smb.conf
>>
>> Okay, I've changed my configuration following the instructions in the
>> Squid FAQ - http://www.squid-cache.org/Doc/FAQ/FAQ-23.html -
>> How do I use the Winbind authenticators
>>
>> Things are working better. Non IE browsers not logged into the domain
>> prompt for password (good). IE and Firefox, when logged into
>> the domain, do not ask for a password (also good).
>>
>> A problem remains with IE when I'm not logged into the
>> domain. It prompts for username and password as it should, but it also
>> insists that I enter a domain (ap1\diggins) before it will authenticate.
>> All non-IE browsers don't require this. Is there any way to make IE
>> behave better?
>>
>> Squid Version: 2.5Stable10
>> Samba: 3.0.14a (nmbd, smbd and winbind all running).
>>
>> Samba Config:
>>
>> [global]
>>
>> workgroup = AP1
>> realm = AP1
>> winbind uid = 10000-20000
>> winbind gid = 10000-20000
>> encrypt passwords = yes
>> security=domain
>> password server = as7.ad.McMaster.CA, as6.ad.mcmaster.ca
>> winbind separator = /
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind use default domain = yes
>> preferred master = False
>> local master = No
>> domain master = False
>> log file = /var/log/samba.log
>>
>> ; end
>>
>> Squid authentication configuration:
>>
>> #
>> auth_param ntlm program /usr/local/squid/sbin/ntlm_auth
>> --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 10
>> auth_param ntlm max_challenge_reuses 0
>> auth_param ntlm max_challenge_lifetime 2 minutes
>> #
>> auth_param basic program /usr/local/squid/sbin/ntlm_auth
>> --helper-protocol=squid-2.5-basic
>> auth_param basic children 5
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hours
>>
>>
>> -Mike
>>
>>
> Mike,
>
> I've run into the same problem in our testing of
> Squid + Samba + NTLM. From what I can see, Internet
> Explorer attempts to be 'helpful' by filling in the Domain
> field when returning authentication details.
> The problem is that if the machine isn't logged into your
> normal Domain it returns the local machine name
> (or possibly the Workgroup) instead.
> Since a Domain has been supplied, the default domain (as
> defined in your smb.conf) is not used.
>
> Firefox (and its ilk) return nothing for the Domain, and so
> the 'winbind use default domain = yes' kicks in.
>
> One workaround I found was to munge the Samba code.
> In samba/source/nsswitch/winbindd_pam.c the bit of code that
> decides what domain to use is:
>
> enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
> {
>     [...]
>     if (*state->request.data.auth_crap.domain) {
>         name_domain = state->request.data.auth_crap.domain;
>     } else if (lp_winbind_use_default_domain()) {
>         name_domain = lp_workgroup();
>     } else {
>         DEBUG(5,("no domain specified with username (%s) - failing auth\n",
>                  name_user));
>         result = NT_STATUS_NO_SUCH_USER;
>         goto done;
>     }
>     [...]
> }
>
> Replacing that chunk of code with just
>
> name_domain = lp_workgroup();
>
> will force Samba to use whatever domain is defined in your smb.conf.
> (This will, of course, break things if you ever want to authenticate
> versus another domain.)
>
> I haven't found any other way of making Internet Explorer play nicely.
>
> Regards,
> David.
> __
>
> David Gameau
> ISTS - Systems Infrastructure Group
> University of South Australia
>
> email: David.Gameau@UniSA.edu.au
> phone: +61 8 302 3533
> fax: +61 8 302 5800
>
> Disclaimer: "His brain sometimes stops working." - Chiyo, Azumanga Daioh
>

David,

This is excellent, thanks! I tested your change and it does fix the
problem with IE. Too bad the Samba team wouldn't incorporate a "force
domain" option in the smb.conf file.

Does this piece of code change often? I'm not a programmer so making this
change to future updates of Samba might be difficult if the code is
changed extensively.

-Mike
Received on Tue Aug 09 2005 - 06:41:42 MDT
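Added illustration (not code from the thread and not Samba's own source): a small C model of the domain-selection step David quoted, using the workgroup and winbind separator from Mike's smb.conf. It shows why a domain field that IE fills in with the local machine name bypasses "winbind use default domain", what David's one-line patch changes, and how the basic-auth path splits "ap1/diggins" on the separator. The function names, the struct, and the sample client inputs (such as "MYLAPTOP") are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of the winbind domain-selection step discussed in the thread.
 * This is an illustrative reimplementation written for this page, NOT
 * Samba source: the real code lives in winbindd_pam_auth_crap() (and the
 * name-splitting helper for the basic path) under samba/source/nsswitch/.
 * All names and sample inputs below are constructed for the example.
 */

#define WORKGROUP         "AP1"   /* smb.conf: workgroup = AP1 */
#define WINBIND_SEPARATOR '/'     /* smb.conf: winbind separator = / */

typedef struct {
    bool ok;            /* false stands in for NT_STATUS_NO_SUCH_USER */
    char domain[64];    /* domain winbind would send the logon to */
    char user[64];
} auth_target;

/* Bounded copy of n bytes of src into dst, always NUL-terminated. */
static void copy_str(char *dst, size_t cap, const char *src, size_t n)
{
    if (n >= cap) n = cap - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}

/*
 * NTLMSSP path (ntlm_auth --helper-protocol=squid-2.5-ntlmssp): the domain
 * arrives as a separate field taken from the client's NTLM Type 3 message.
 * force_workgroup = true models David's local patch (name_domain = lp_workgroup()).
 */
static auth_target select_domain_ntlmssp(const char *msg_domain, const char *msg_user,
                                         bool use_default_domain, bool force_workgroup)
{
    auth_target t = { .ok = true };
    copy_str(t.user, sizeof t.user, msg_user, strlen(msg_user));

    if (force_workgroup) {
        copy_str(t.domain, sizeof t.domain, WORKGROUP, strlen(WORKGROUP));
    } else if (msg_domain != NULL && *msg_domain != '\0') {
        /* Whatever the client filled in wins, even a local machine name. */
        copy_str(t.domain, sizeof t.domain, msg_domain, strlen(msg_domain));
    } else if (use_default_domain) {
        copy_str(t.domain, sizeof t.domain, WORKGROUP, strlen(WORKGROUP));
    } else {
        t.ok = false;
        t.domain[0] = '\0';
    }
    return t;
}

/*
 * Basic path (ntlm_auth --helper-protocol=squid-2.5-basic): Squid passes the
 * typed login name through and it is split as "DOMAIN<sep>user" on the
 * winbind separator; with no separator the default domain applies.
 */
static auth_target select_domain_basic(const char *login, bool use_default_domain)
{
    auth_target t = { .ok = true };
    const char *sep = strchr(login, WINBIND_SEPARATOR);

    if (sep != NULL) {
        copy_str(t.domain, sizeof t.domain, login, (size_t)(sep - login));
        copy_str(t.user, sizeof t.user, sep + 1, strlen(sep + 1));
    } else if (use_default_domain) {
        copy_str(t.domain, sizeof t.domain, WORKGROUP, strlen(WORKGROUP));
        copy_str(t.user, sizeof t.user, login, strlen(login));
    } else {
        /* No separator and no default domain: modelled as a failure here. */
        t.ok = false;
        t.domain[0] = '\0';
        copy_str(t.user, sizeof t.user, login, strlen(login));
    }
    return t;
}

/* True when the selected target matches the expected domain and user. */
static bool target_is(auth_target t, const char *domain, const char *user)
{
    return t.ok && strcmp(t.domain, domain) == 0 && strcmp(t.user, user) == 0;
}

int main(void)
{
    /* Constructed client inputs; "MYLAPTOP" stands for a machine not joined to AP1. */
    auth_target ff  = select_domain_ntlmssp("",         "diggins", true, false);
    auth_target ie  = select_domain_ntlmssp("MYLAPTOP", "diggins", true, false);
    auth_target fix = select_domain_ntlmssp("MYLAPTOP", "diggins", true, true);
    auth_target bas = select_domain_basic("ap1/diggins", true);

    printf("Firefox, empty domain field : %s\\%s\n", ff.domain, ff.user);   /* AP1\diggins */
    printf("IE off-domain, unpatched    : %s\\%s\n", ie.domain, ie.user);   /* MYLAPTOP\diggins */
    printf("IE off-domain, patched      : %s\\%s\n", fix.domain, fix.user); /* AP1\diggins */
    printf("basic 'ap1/diggins'         : %s\\%s\n", bas.domain, bas.user); /* ap1\diggins */
    return 0;
}
```

The second case is the failure Mike saw: the client-supplied machine name is non-empty, so the default-domain branch is never reached and winbind tries a logon against a domain the password server has never heard of. The forced variant makes every logon go to AP1 regardless of what the client sent, which is exactly the multi-domain breakage David warns about in his message.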