[squid-users] proxy-auth NTLM stop working

From: Ricardo Nuno <rnuno_at_moonlight.pt>
Date: Tue, 10 May 2011 18:44:46 +0100

Hi,

I had a working setup with Ubuntu 10.04 LTS x64 with the following versions:

squid 3.0.STABLE19-1ubuntu0.1
samba 2:3.4.7~dfsg-1ubuntu3.5

We have an AD domain with around 50 clients running Windows 7 and joined
to the domain.
For these clients we use squid with Kerberos and it's working fine
with no issues.

We had a second auth method (NTLM basic, ntlmssp) for clients that were
not joined to the domain.
For these clients an auth pop-up normally appears in the browser, in which
the user should then provide AD
credentials in the following manner:

User: MYDOMAIN\user
Pass: password

Since last week NTLM seems to have stopped working, but from all the tests I
run from the proxy shell it seems OK.
Here is what I already did to debug the issue:

root_at_proxy:/# net ads testjoin
Join is OK

root_at_proxy:/# wbinfo -t
checking the trust secret via RPC calls succeeded

root_at_proxy:/# wbinfo -a lsquintella%lsquintella
plaintext password authentication succeeded
challenge/response password authentication succeeded

wbinfo -u and wbinfo -g both work and list users and groups without the domain.
I'm using the ntlm_auth binary from Samba:

root_at_proxy:/# /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
mydomain+lsquintella lsquintella
OK

I'm running out of ideas to solve this; am I missing something here?
Can someone please point me in the right direction.

Below are my config files:

/etc/samba/smb.conf

[global]
     # Debug knob left commented out; raising the Samba log level is the
     # usual next step when the winbind / ntlm_auth path fails without an
     # obvious error.
     #log level = 5
     netbios name = proxy
     # Domain-member mode: authentication is delegated to the AD DCs
     # through winbind.
     security = ads
     realm = MYDOMAIN.LAN
     workgroup = MYDOMAIN
     # Separator is commented out, so winbind's default ('\') applies.
     # NOTE(review): the ntlm_auth test above passes 'mydomain+lsquintella'
     # (a '+' separator) while browsers are told to type MYDOMAIN\user;
     # confirm the separator the helpers actually expect.
     ; winbind separator = +
     # Unix uid/gid ranges winbind allocates for domain users and groups.
     idmap uid = 10000-20000
     idmap gid = 10000-20000
     winbind enum users = yes
     winbind enum groups = yes
     # NOTE(review): the 'client ...' options govern Samba's own outbound
     # connections; they presumably do not change what ntlm_auth accepts
     # from browsers -- confirm before relying on them for the proxy.
     client use spnego = yes
     client ntlmv2 auth = yes
     encrypt passwords = true
     # Strips the domain from names winbind reports; this matches the
     # observation above that wbinfo -u lists users without the domain.
     winbind use default domain = yes
     # 2 = also refuse anonymous connections; tighter than the default (0).
     restrict anonymous = 2

/etc/krb5.conf

[logging]
 # Library (client-side) log; this is the one that matters on a domain
 # member and is where GSSAPI/keytab failures from the proxy would land.
 default = FILE:/var/log/krb5libs.log
 # kdc / admin_server logs only apply to a KDC running on this host,
 # which the post does not show.
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/ksadmind.log

[libdefaults]
 default_realm = MYDOMAIN.LAN
 # DNS SRV discovery is off, so the library relies entirely on the
 # static kdc entries listed under [realms].
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
 # SECURITY: these three lists restrict the proxy to single-DES and RC4
 # keys. DES is disabled by default on Windows 7 / Server 2008 R2 domain
 # controllers and both DES and RC4 are considered weak; prefer the AES
 # types (e.g. aes256-cts-hmac-sha1-96) when the DCs and the keytab
 # carry them, keeping RC4-HMAC only as a transitional fallback.
 default_tgs_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
 default_tkt_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
 preferred_enctypes = DES-CBC-CRC DES-CBC-MD5 RC4-HMAC
 fcc-mit-ticketflags = true
 # Default keytab for GSSAPI services on this host (squid_kerb_auth reads
 # its HTTP/ key from here unless KRB5_KTNAME points elsewhere).
 default_keytab_name = FILE:/etc/krb5.keytab

[realms]
 # Static KDC list; both DCs are tried in order because dns_lookup_kdc
 # is false in [libdefaults].
 MYDOMAIN.LAN = {
        kdc = dc1.mydomain.lan
        kdc = dc2.mydomain.lan
        admin_server = dc1.mydomain.lan
        default_domain = mydomain.lan
 }

[domain_realm]
 # Maps the DNS domain (leading-dot form covers subdomains) to the realm.
 .mydomain.lan = MYDOMAIN.LAN
 mydomain.lan = MYDOMAIN.LAN

[kdc]
 # Only read by a local KDC; harmless but unused on a domain member.
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 # Settings for the pam Kerberos module only; the proxy helpers do not
 # read this block. NOTE(review): lifetimes here are bare numbers, which
 # the pam module presumably reads as seconds -- confirm.
 pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
 }

/etc/squid3/squid.conf

# Name this proxy advertises about itself (error pages, Via headers).
visible_hostname proxy1.mydomain.lan
# Plain forward-proxy listener; no interception options are set.
http_port 3128

hierarchy_stoplist cgi-bin ?

# In-memory object cache and largest cacheable object.
cache_mem 1024 MB
maximum_object_size 8096 KB

# aufs store: 50000 MB, 16 first-level / 256 second-level directories.
cache_dir aufs /var/spool/squid3 50000 16 256
cache_access_log /var/log/squid3/access.log
# NOTE(review): in Squid 3.0 cache_log takes only a file path; the trailing
# 'squid' token looks like a leftover format name -- check cache.log for a
# parse warning.
cache_log /var/log/squid3/cache.log squid
# Store log disabled.
cache_store_log none

#Suggested default:
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
# refresh_pattern is first-match: the catch-all '.' entry below shadows the
# three more specific entries after it, so they never apply. The stock
# config keeps '.' last.
refresh_pattern . 0 20% 4320
# NOTE: each refresh_pattern is a single line in the real file; the next
# two entries were wrapped by the mailer when pasted.
refresh_pattern -i (cgi-bin|\?) 0
 0% 0
refresh_pattern -i \.index.(html|htm)$ 0 40%
      10080
refresh_pattern -i \.(html|htm|css|js)$ 1440 40% 40320

# Kerberos (SPNEGO) for domain-joined clients. '-s' names the service
# principal; '_at_' is the mail archive's rewrite of '@' (see the From:
# line above), and the line was wrapped by the mailer.
auth_param negotiate program /usr/lib/squid3/squid_kerb_auth -s
HTTP/ldapbind_at_MYDOMAIN.LAN
auth_param negotiate children 20
auth_param negotiate keep_alive on

# NTLMSSP for clients outside the domain, delegated to winbind. NOTE(review):
# in ntlmssp mode ntlm_auth needs access to winbindd's privileged pipe, so the
# user squid runs as must be allowed to read it (winbindd_priv group on
# Debian/Ubuntu). The shell tests above ran as root and would not expose such
# a permissions problem; cache.log would.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10
auth_param ntlm keep_alive on

# Basic fallback via the same helper. Basic auth carries the AD password
# base64-encoded, not encrypted, between browser and proxy.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 10
# Realm string shown in the browser's credential prompt.
auth_param basic realm Mydomain Log
# How long a validated basic credential is reused before the helper is asked again.
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

# AD group lookup keyed on the authenticated login (%LOGIN), cached 900 s.
# NOTE(review): the paste is cut off at '-W "/etc$' (the '$' looks like a
# terminal wrap marker); '-W' names a file holding the ldapbind password --
# keep that file readable only by the user squid runs as.
external_acl_type FaGroup ttl=900 %LOGIN
/usr/lib/squid3/squid_ldap_group -R -b "dc=mydomain,dc=lan" -D
"cn=ldapbind,cn=users,dc=mydomain,dc=lan" -W "/etc$

# Lifetime of cached authentication results and cache cleanup interval.
authenticate_ttl 1 hour
authenticate_cache_garbage_interval 1 hour

acl manager proto cache_object
acl localhost src 127.0.0.1
# NOTE: to_localhost is defined but never referenced in an http_access
# rule in this file; the stock config pairs it with 'http_access deny
# to_localhost' to stop requests being proxied back to 127.0.0.0/8.
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563 8443 # https

acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 631 # cups
acl Safe_ports port 873 # rsync
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT

# Cache manager and PURGE only from the proxy itself.
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge

# Port hygiene: block unusual destination ports and CONNECT to non-TLS ports.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Source networks and working-hours windows (Mon-Fri).
acl rede_interna src 192.168.20.0/24
acl rede_servidores src 192.168.10.0/24
acl h_trabalho_manha time MTWHF 09:00-13:00
acl h_trabalho_tarde time MTWHF 14:30-18:00
# True when the authenticated user is in AD group InetFA (via FaGroup).
acl FullAccess external FaGroup InetFA

# Never cache responses from the server network.
acl sites_internos_nocache dst 192.168.10.0/24
cache deny sites_internos_nocache

# Block lists loaded from files; the two dstdomain lists get custom error pages.
acl Publicidade url_regex "/etc/squid3/list/publicidade.acl"
acl BlockFiles urlpath_regex -i "/etc/squid3/list/block-files.acl"
acl BlockSites dstdomain "/etc/squid3/list/block-sites.acl"
acl TimeBasedSites dstdomain "/etc/squid3/list/timebased-sites.acl"
acl DenyFun dstdomain "/etc/squid3/list/block-sites-fun.acl"
deny_info ERR_MYDOMAIN_TBSITES_DENY TimeBasedSites
deny_info ERR_MYDOMAIN_FUN_DENY DenyFun

# Windows Update hosts; the '.update.microsoft.com' entry also covers subdomains.
acl windowsupdate dstdomain windowsupdate.microsoft.com
acl windowsupdate dstdomain .update.microsoft.com
acl windowsupdate dstdomain download.windowsupdate.com
acl windowsupdate dstdomain redir.metaservices.microsoft.com
acl windowsupdate dstdomain images.metaservices.microsoft.com
acl windowsupdate dstdomain c.microsoft.com
acl windowsupdate dstdomain www.download.windowsupdate.com
acl windowsupdate dstdomain wustat.windows.com
acl windowsupdate dstdomain crl.microsoft.com
acl windowsupdate dstdomain sls.microsoft.com
acl windowsupdate dstdomain productactivation.one.microsoft.com
acl windowsupdate dstdomain ntservicepack.microsoft.com

# Re-declares the CONNECT acl already defined above; harmless but redundant.
acl CONNECT method CONNECT
acl wuCONNECT dstdomain www.update.microsoft.com
acl wuCONNECT dstdomain sls.microsoft.com
acl wuCONNECT dstdomain .dropbox.com

# These allows come before the proxy_auth rule, so the internal LAN reaches
# the update hosts -- and tunnels to .dropbox.com -- without authenticating.
http_access allow CONNECT wuCONNECT rede_interna
http_access allow CONNECT wuCONNECT localhost
http_access allow windowsupdate rede_interna
http_access allow windowsupdate localhost

# MSN Messenger blocking: by URL fragment, by destination host and by request MIME type.
acl msn url_regex -i gateway.dll
acl msnd dstdomain messenger.msn.com gateway.messenger.hotmail.com
acl msn1 req_mime_type ^application/x-msn-messenger$

# Denied for every source, authenticated or not.
http_access deny msnd
http_access deny msn
http_access deny msn1

# Content filtering for users outside the InetFA group. Because FullAccess
# is keyed on %LOGIN, evaluating it presumably triggers the authentication
# challenge here, before the explicit proxy_auth rule below.
http_access deny !FullAccess Publicidade
http_access deny !FullAccess BlockFiles
http_access deny !FullAccess BlockSites
http_access deny !FullAccess DenyFun
http_access deny rede_interna h_trabalho_manha !FullAccess TimeBasedSites
http_access deny rede_interna h_trabalho_tarde !FullAccess TimeBasedSites

# Authentication bypass. 'all' matches every request, so this is simply
# 'allow NoAuthNeeded': any source network reaches these domains without
# credentials, and '.google.com' is a wide wildcard. (Wrapped by the mailer;
# one line in the real file.)
acl NoAuthNeeded dstdomain .avg.com backup.avg.cz .dropbox.com
.google.com .openoffice.org
http_access allow all NoAuthNeeded

# Everyone else must authenticate. Note there is no src restriction on this
# allow: any network that can reach port 3128 may use the proxy with valid
# AD credentials.
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow AuthorizedUsers

# And finally deny all other access to this proxy
http_access deny all
http_reply_access allow all

# '_at_' is the archive's rewrite of '@'.
cache_mgr sys_at_mydomain.lan
logfile_rotate 10
error_directory /etc/squid3/error
coredump_dir /var/spool/squid3

--
Ricardo Nuno
Received on Tue May 10 2011 - 17:44:52 MDT
