RE: [squid-users] NTLM without username/password prompt

From: Paul Matthews <paul.matthews@dont-contact.us>
Date: Thu, 22 Sep 2005 16:01:57 +1000

I'm running
RHEL 4
squid-2.5.STABLE3-6.3E.14
samba-3.0.9-1.3E.3

yes, my winbind authenticator is running

[root@mail /]# wbinfo -t
checking the trust secret via RPC calls succeeded

[root@mail /]# ./etc/init.d/winbind restart

Shutting down Winbind services: [ OK ]
Starting Winbind services: [ OK ]

[root@mail /]# ./etc/init.d/winbind status
winbindd (pid 31246 31245) is running...

when I try the command

[root@mail /]# /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp

It just hangs there ... doing nothing ...

We use winbind to authenticate our mail users so most of the winbind logs
are filled with that information over and over and over again

[2005/09/21 09:58:39, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
  user 'fiona.gould' does not exist
[2005/09/21 09:58:39, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'postfix' does not exist
[2005/09/21 09:58:39, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
  user 'fiona.gould' does not exist
[2005/09/21 09:58:39, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
  user 'fiona.gould' does not exist

-----Original Message-----
From: David Gameau [mailto:David.Gameau@unisa.edu.au]
Sent: Thursday, 22 September 2005 3:56
To: paul.matthews@cathedral.qld.edu.au
Cc: squid-users@squid-cache.org
Subject: RE: [squid-users] NTLM without username/password prompt

NTLMSSP doesn't really use username/password like
basic authentication, so you can't really confirm
it from the command line.

The best you can do is:
# /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
KK

and that should give you back a 'TT Tl...AA' type response.

What versions of Squid and Samba are you running?
Is the winbind authenticator running?
Is it logging any useful messages (normally in daemonlog)?

David.
__

David Gameau
ISTS - Systems Infrastructure Group
University of South Australia

email: David.Gameau@UniSA.edu.au
phone: +61 8 302 3533
fax: +61 8 302 5800

Disclaimer: "His brain sometimes stops working." - Chiyo, Azumanga Daioh

> -----Original Message-----
> From: Paul Matthews [mailto:paul.matthews@cathedral.qld.edu.au]
> Sent: Thursday, 22 September 2005 3:12 PM
> To: David Gameau
> Subject: RE: [squid-users] NTLM without username/password prompt
>
> I've stopped, started, applied, restarted squid about 300 times
> over the past 3
> days, I've been working on this non-stop and I can't seem to
> get anything.
>
> But here is something that I don't think looks right, if I do
> the basic
> authentication via command line it works.
>
> [root@mail /]# ./usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> username password
> OK
>
> [root@mail /]# ./usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> Username password
> [2005/09/22 15:39:43, 1]
> utils/ntlm_auth.c:manage_squid_ntlmssp_request(576)
> BH
>
>
> -----Original Message-----
> From: David Gameau [mailto:David.Gameau@unisa.edu.au]
> Sent: Thursday, 22 September 2005 3:32
> To: paul.matthews@cathedral.qld.edu.au
> Subject: RE: [squid-users] NTLM without username/password prompt
>
> Paul,
>
> Did you restart, or stop and start Squid?
> I've noticed with the authenticators that a restart
> doesn't seem to reset everything correctly.
>
> David.
> __
>
> David Gameau
> ISTS - Systems Infrastructure Group
> University of South Australia
>
> email: David.Gameau@UniSA.edu.au
> phone: +61 8 302 3533
> fax: +61 8 302 5800
>
> Disclaimer: "His brain sometimes stops working." - Chiyo,
> Azumanga Daioh
>
>
> > -----Original Message-----
> > From: Paul Matthews [mailto:paul.matthews@cathedral.qld.edu.au]
> > Sent: Thursday, 22 September 2005 2:41 PM
> > To: David Gameau
> > Subject: RE: [squid-users] NTLM without username/password prompt
> >
> > I tried to put the ntlm authentication on top of the basic
> > and restart the
> > squid service, but the same result.
> >
> > auth_param ntlm program /usr/bin/ntlm_auth
> > --helper-protocol=squid-2.5-ntlmssp
> > auth_param ntlm children 30
> > auth_param ntlm max_challenge_reuses 0
> > auth_param ntlm max_challenge_lifetime 2 minutes
> >
> > auth_param basic program /usr/bin/ntlm_auth
> > --helper-protocol=squid-2.5-basic
> > auth_param basic children 5
> > auth_param basic realm Squid proxy-caching web server
> > auth_param basic credentialsttl 2 hours
> >
> > -----Original Message-----
> > From: David Gameau [mailto:David.Gameau@unisa.edu.au]
> > Sent: Thursday, 22 September 2005 2:53
> > To: Paul Matthews; squid-users@squid-cache.org
> > Subject: RE: [squid-users] NTLM without username/password prompt
> >
> > > From: Paul Matthews [mailto:paul.matthews@cathedral.qld.edu.au]
> > > Subject: [squid-users] NTLM without username/password prompt
> > >
> > > I've set up NTLM authentication on my Fedora box a few times
> > before and
> > > it all went off without a problem, seamless authentication, it was
> > > great. But now I'm trying to get it done on a RHEL 4 box
> > and it's not
> > > going so well, I've got samba authenticating against my
> > > Active Directory
> > >
> > > [root@rhel4 /]# wbinfo -t
> > > checking the trust secret via RPC calls succeeded
> > >
> > > but when I use my MSIE browser when I'm logged into the
> > domain I get a
> > > username/password prompt. I want it to be able to do it on the
> > > background, any suggestions?
> > >
> > > I've read just about everything there is to read on the net.
> > >
> > > Here is what I have added to my squid.conf
> > >
> > > auth_param basic children 5
> > > auth_param basic realm Squid proxy-caching web server
> > > auth_param basic credentialsttl 2 hour
> > > auth_param basic casesensitive off
> > > auth_param basic program /usr/bin/ntlm_auth
> > --helper-protocol=squid-2.5-basic
> > > auth_param ntlm program /usr/bin/ntlm_auth
> > --helper-protocol=squid-2.5-ntlmssp
> > > auth_param ntlm children 30
> > > auth_param ntlm max_challenge_reuses 0
> > > auth_param ntlm max_challenge_lifetime 2 hour
> > >
> > >
> > > acl ntlm proxy_auth REQUIRED
> > >
> > > http_access allow ntlm
> > >
> > > I don't have one http_access rule and that's to allow the
> ntlm users
> > > through.
> > > Any suggestions?
> > >
> > Paul,
> >
> > Try reversing the order your auth_param basic and
> > ntlm declarations. While browsers are supposed to
> > pick the strongest authentication method, most seem
> > to latch onto the first one supplied.
> >
> > Regards,
> > David.
> > __
> >
> > David Gameau
> > ISTS - Systems Infrastructure Group
> > University of South Australia
> >
> > email: David.Gameau@UniSA.edu.au
> > phone: +61 8 302 3533
> > fax: +61 8 302 5800
> >
> > Disclaimer: "His brain sometimes stops working." - Chiyo,
> > Azumanga Daioh
> >
> >
> >
> >
> >
>
>
>
>
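Two checks that follow from this thread, written up here as an added example (not a script posted by either participant): the first drives the ntlm_auth helper the way Squid does, one request per line on stdin, so it answers the "KK" probe David describes instead of sitting there waiting for input; the second reads a squid.conf and confirms that the ntlm scheme is declared before basic, the ordering David recommends. The helper path and --helper-protocol flag are the ones quoted in the thread; the function names, the config path argument and the sample configs in the comments are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the squid-users thread.
# Assumes the helper command line used in the thread:
#   /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp

# check_ntlmssp_helper HELPER [ARGS...]
# Squid helpers read one request per line on stdin and block until one
# arrives, which is why running the helper with no input appears to hang.
# Send the "KK" probe from the thread and classify the first reply line:
#   "TT ..." -> helper issued a challenge (working)
#   "BH"     -> helper reported a broken state
#   empty    -> nothing came back (wrong path, no winbindd, or still hung)
check_ntlmssp_helper() {
    reply=$(printf 'KK\n' | "$@" 2>/dev/null | head -n 1)
    case "$reply" in
        "TT "*) printf 'OK: helper returned a challenge: %s\n' "$reply"; return 0 ;;
        BH*)    printf 'FAIL: helper answered BH: %s\n' "$reply"; return 1 ;;
        "")     printf 'FAIL: no reply from helper\n'; return 1 ;;
        *)      printf 'FAIL: unexpected reply: %s\n' "$reply"; return 1 ;;
    esac
}

# check_auth_order SQUID_CONF
# Returns 0 when the first "auth_param ntlm" line precedes the first
# "auth_param basic" line, 1 when basic comes first or either is missing.
# Browsers tend to pick the first scheme offered, so ntlm must come first
# for single sign-on to be attempted before a basic prompt.
check_auth_order() {
    awk '
        /^[[:space:]]*auth_param[[:space:]]+ntlm[[:space:]]/  && !n { n = NR }
        /^[[:space:]]*auth_param[[:space:]]+basic[[:space:]]/ && !b { b = NR }
        END {
            if (!n || !b) {
                print "FAIL: need both auth_param ntlm and auth_param basic"; exit 1
            }
            if (n < b) {
                print "OK: ntlm (line " n ") declared before basic (line " b ")"; exit 0
            }
            print "FAIL: basic (line " b ") precedes ntlm (line " n ")"; exit 1
        }' "$1"
}

# When run directly with a squid.conf path, perform both checks.
# Example (constructed): sh check_squid_ntlm.sh /etc/squid/squid.conf
if [ "$#" -ge 1 ]; then
    check_auth_order "$1"
    check_ntlmssp_helper /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
fi
```

The helper check only confirms that the helper process can hand out a challenge; it does not complete a logon, so a passing result still needs the browser test from the thread. Because stdin reaches end of file after the single probe line, the helper exits on its own instead of hanging.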
Received on Thu Sep 22 2005 - 00:02:01 MDT

This archive was generated by hypermail pre-2.1.9 : Sat Oct 01 2005 - 12:00:04 MDT