[squid-users] NTLM isn't passing name through

From: Nick Duda <nduda@dont-contact.us>
Date: Wed, 17 Jan 2007 07:59:36 -0500

So my question has two parts, the first part is that I asked about this
in a recent post and it couldn't be done, but for some reason it's doing
it!! Which I like, but in the long run I'd like to fix this and don't
know what I'm missing.

I've compared this new squid deployment to another (that's working
properly) and can't find the problem (except this deployment is
2.5stable13 and the working one is 2.6)

I have 2.5stable13 setup with samba and winbind for NT auth with active
directory. When I am logged into the domain as a valid user and attempt
to browse I get a popup asking for login credentials. When I supply my
username/password (I'm already logged into the domain) it lets me use
squid/authenticate me. Somehow, squid isn't looking at the logged in
user and passing the credentials through to AD (while my other proxy
does). As far as my other post, this is what I wanted because I want to
have a generic user log into a computer on the domain and always get
prompted for NT auth when browsing....well it's doing it, but how can I
fix it?

Here are some snippets of config:

smb.conf
-------------------------
[global]
workgroup = mydomain
realm = mydomain.net
preferred master = no
netbios name = proxy
password server = x.x.x.x (ip of local AD server)
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
-------------------------

Krb5.conf
-------------------------
[libdefaults]
 ticket_lifetime = 24000
 default_realm = mydomain.NET
 default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
 permitted_enctypes = des3-hmac-sha1 des-cbc-crc
 dns_lookup_realm = false
 dns_lookup_kdc = false
 kdc_req_checksum_type = 2
 checksum_type = 2
 ccache_type = 1
 forwardable = true
 proxiable = true

[realms]
 VISTAPRINT.NET = {
  kdc = x.x.x.x:88 (ip of local AD server)
  admin_server = x.x.x.x:749 (ip of local AD server)
  default_domain = mydomain.net
 }

[domain_realm]
 .mydomain.net = mydomain.net
-------------------------

Nsswitch.conf
-------------------------
passwd: files ldap winbind
group: files ldap winbind

hosts: files dns ldap winbind
-------------------------

Squid.conf
-------------------------
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

acl AuthUsers proxy_auth REQUIRED
http_access allow all AuthUsers
http_access deny all
-------------------------

Squid Cache: Version 2.5.STABLE13
configure options: --enable-auth=ntlm,basic --enable-basic-auth-helpers=winbind --enable-ntlm-auth-helpers=winbind --enable-delay-pools --enable-snmp

Also running latest samba 3.0.23d

# wbinfo -t
checking the trust secret via RPC calls succeeded

# wbinfo -g
BUILTIN+administrators
BUILTIN+users
domain users
domain guests
...etc
(it's getting the groups from the domain)

# wbinfo -u
jsmith
jdoh
...etc
(it's getting the names from the domain)
Received on Wed Jan 17 2007 - 05:59:45 MST
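As an added illustration that is not part of the original post, the script below parses smb.conf and krb5.conf fragments modelled on the ones quoted above and cross-checks the settings a winbind/ADS member server depends on: security = ADS, agreement between the Samba realm and the Kerberos default_realm, upper-case Kerberos realm names, and that default_realm and every [domain_realm] mapping point at a realm actually defined in [realms]. The configs are constructed copies (the "x.x.x.x" server appears as the placeholder 192.0.2.10), and the parse_conf/check_ads_member functions are this example's own, not Samba or Squid tooling. A clean run of this check is only a consistency test of the files; it does not replace wbinfo -t or net ads testjoin.

```python
import re

# Constructed copy of the smb.conf [global] section from the post
# (x.x.x.x replaced by the documentation address 192.0.2.10).
SMB_CONF = """\
[global]
workgroup = mydomain
realm = mydomain.net
netbios name = proxy
password server = 192.0.2.10
security = ADS
winbind separator = +
winbind use default domain = yes
"""

# Constructed copy of the posted krb5.conf: note that default_realm is
# mixed-case and that [realms] defines a different realm name.
KRB5_CONF = """\
[libdefaults]
 default_realm = mydomain.NET
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 VISTAPRINT.NET = {
  kdc = 192.0.2.10:88
  admin_server = 192.0.2.10:749
  default_domain = mydomain.net
 }

[domain_realm]
 .mydomain.net = mydomain.net
"""

# A consistent counterpart (constructed) that the same check should pass.
KRB5_CONF_FIXED = """\
[libdefaults]
 default_realm = MYDOMAIN.NET

[realms]
 MYDOMAIN.NET = {
  kdc = 192.0.2.10:88
  admin_server = 192.0.2.10:749
  default_domain = mydomain.net
 }

[domain_realm]
 .mydomain.net = MYDOMAIN.NET
 mydomain.net = MYDOMAIN.NET
"""


def parse_conf(text):
    """Parse [section] / key = value syntax plus krb5-style 'NAME = { ... }'
    blocks into nested dicts. Section and key names are lower-cased; the
    names of nested blocks (realm names) and all values keep their case."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [root.setdefault(line[1:-1].strip().lower(), {})]
            continue
        if not stack:
            continue                                  # text before any section
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack[-1][key] = {}
            stack.append(stack[-1][key])
        else:
            stack[-1][key.lower()] = value
    return root


def check_ads_member(smb, krb5):
    """Return a list of findings; an empty list means the files agree."""
    findings = []
    g, ld = smb.get("global", {}), krb5.get("libdefaults", {})
    realms = krb5.get("realms", {})
    smb_realm, default_realm = g.get("realm", ""), ld.get("default_realm", "")

    if g.get("security", "").lower() != "ads":
        findings.append("smb.conf: security must be ADS for an AD member server")
    if not default_realm:
        findings.append("krb5.conf: default_realm is not set")
    else:
        if default_realm != default_realm.upper():
            findings.append(f"krb5.conf: default_realm '{default_realm}' is not "
                            "upper-case; Kerberos realm names are case-sensitive")
        if smb_realm and smb_realm.upper() != default_realm.upper():
            findings.append(f"realm mismatch: smb.conf realm '{smb_realm}' vs "
                            f"krb5.conf default_realm '{default_realm}'")
        if default_realm not in realms:
            findings.append(f"krb5.conf: default_realm '{default_realm}' has no "
                            f"entry in [realms] (defined: {', '.join(realms) or 'none'})")
    for name, block in realms.items():
        if "kdc" not in block:
            findings.append(f"krb5.conf: realm '{name}' has no kdc")
    for domain, realm in krb5.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"krb5.conf: [domain_realm] maps '{domain}' to "
                            f"'{realm}', which is not defined in [realms]")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", KRB5_CONF), ("fixed", KRB5_CONF_FIXED)):
        print(f"--- {label} krb5.conf ---")
        for f in check_ads_member(parse_conf(SMB_CONF), parse_conf(conf)) or ["ok"]:
            print(f)
```

On the posted fragments the check reports three findings, all in krb5.conf: the mixed-case default_realm, the absence of that realm from [realms] (only VISTAPRINT.NET is defined there), and a [domain_realm] mapping to a realm name that [realms] does not define. The winbind NTLM path in the post does not depend on krb5.conf at request time, so these findings explain a Kerberos or net ads join problem rather than the browser prompt by themselves; they are the kind of inconsistency worth eliminating before comparing the two proxies further.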
