Re: [squid-users] Re: Constant Login Prompt for NTLM Auth against Samba PDC

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 6 Nov 2008 14:38:19 +1300 (NZDT)

> I figured it out to a point:
>
> I had this config, which worked on another setup:
>
> #Samba PDC Auth
> auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> #auth_param ntlm max_challenge_reuses 0
> #auth_param ntlm max_challenge_lifetime 2 minutes
> auth_param ntlm children 40
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 40
> auth_param basic realm Cache NTLM Authentication
> auth_param basic credentialsttl 2 hours
>
> Though this setup now works:
> auth_param ntlm program /usr/lib/squid/ntlm_auth 01Networks/Debian-PDC
> auth_param ntlm children 5
> #auth_param ntlm max_challenge_reuses 0
> #auth_param ntlm max_challenge_lifetime 2 minutes
>
>
> The reason I have two lines commented out on each is because even
> though tons of sites claim to use max_challenge, they always error
> out. Did something change?

This is a perfect example of the squid vs Samba bundled confusion.

The top config uses the Samba helper for full NTLM auth with some Kerberos
support by rumour. It also has basic auth input accepted as a backup if
the client fails the NTLM handshake.

The second config uses the squid helper for partial SMB LanManager auth.

Amos

>
> On Wed, Nov 5, 2008 at 12:50 AM, Adam McCarthy
> <zeroonetwothree_at_gmail.com> wrote:
>> I currently have a Samba 3 PDC.
>>
>> Everything seems to work, except IE/Firefox both bring up a prompt for
>> username and password.
>>
>> I'm using the exact same config files from another setup that worked
>> fine.
>>
>> You for some reason can't type in just the username and password, like
>> you would think.
>>
>> For example, my workgroup is 01Networks, and even though the XP Pro
>> machine is logged in successfully with that same name, unless I type in
>>
>> 01Networks/adam and password, the prompts never go away.
>>
>> After I type those in they work.
>>
>> Why is this setup acting strange after a previous setup done exactly
>> the same way works fine?
>>
>> Also, why would I be required to put in my Domain/User instead of just
>> User when normally I only ever needed User?
>>
>> Also normally IE/Firefox just sent out my info.
>>
>
Received on Thu Nov 06 2008 - 01:38:23 MST
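
An added example, not part of the original thread and not code from Squid or Samba: a small Python check that tells the two helpers discussed above apart in a squid.conf excerpt. It assumes, based only on the two configs quoted in the thread, that Samba's ntlm_auth is recognisable by its --helper-protocol option and Squid's bundled helper by a DOMAIN/controller argument; the function names and the sample text are constructed here.

```python
import re

# Constructed sample: the helper lines from both configs in the thread, with the
# --helper-protocol option wrapped onto its own line as e-mail often leaves it.
SAMPLE = """\
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 40
auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
auth_param ntlm program /usr/lib/squid/ntlm_auth 01Networks/Debian-PDC
"""

# Protocol Samba's ntlm_auth has to speak for each Squid auth scheme.
EXPECTED_PROTOCOL = {"ntlm": "squid-2.5-ntlmssp", "basic": "squid-2.5-basic"}

def unwrap(text):
    """Drop comments and blanks; rejoin option lines that were wrapped."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("--") and lines:
            lines[-1] += " " + line
        else:
            lines.append(line)
    return lines

def classify_helpers(text):
    """Return (scheme, program, kind, warning) per 'auth_param X program' line."""
    results = []
    for line in unwrap(text):
        parts = line.split()
        if len(parts) < 4 or parts[0] != "auth_param" or parts[2] != "program":
            continue
        scheme, program, args = parts[1], parts[3], parts[4:]
        protos = [a.split("=", 1)[1] for a in args if a.startswith("--helper-protocol=")]
        kind, warning = "unknown", "no --helper-protocol or DOMAIN/controller argument"
        if protos:  # assumption: only Samba's ntlm_auth takes this option
            kind, warning = "samba-ntlm_auth", None
            if protos[0] != EXPECTED_PROTOCOL.get(scheme):
                warning = f"{protos[0]} does not match scheme '{scheme}'"
        elif any(re.fullmatch(r"[^/\\\s]+[/\\][^/\\\s]+", a) for a in args):
            kind, warning = "squid-smb-helper", None  # DOMAIN/controller form
        results.append((scheme, program, kind, warning))
    return results

for row in classify_helpers(SAMPLE):
    print(row)
```

A warning is returned when a Samba helper is given the protocol of the other scheme, or when a program line carries neither form of argument.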
