Hello folks,
I am implementing NTLM authentication through Samba 3.0.2 for my Squid server (Squid-2.5STABLE5-2) on an RH Fedora Core Linux machine. Our customer's environment is Mixed Mode Windows 2000.
To make a long story short:
(1) I have successfully upgraded kerberos from 1.2.7 to 1.3.3 (I was successful because I also upgraded the libraries that kerberos 1.3.3 requires)
(2) I have successfully implemented kerberos 1.3.3 as shown by the output of the klist, klist -e and kinit commands
(3) I have implemented the /etc/pam.d/samba and /etc/pam.d/squid files
(4) I have successfully joined the RH Linux machine to the Windows domain by using the "net ads join -U administrator" command
(5) I have successfully upgraded samba from samba-3.00 to samba-3.0.2 (I was successful because I also upgraded the libraries that samba-3.0.2 requires)
(6) I have properly configured the /etc/samba/smb.conf file, and I have shown it by successfully running commands such as wbinfo -u, wbinfo -g, wbinfo -p, wbinfo -t, wbinfo -m, wbinfo --sequence, wbinfo -a user%password, wbinfo --get-auth-user, and of course getent passwd
(7) I have successfully upgraded squid from squid-2.5STABLE3 to squid-2.5STABLE5 and I have run squid -v to make sure that squid supports winbind authentication
Issue: Doing a QA on squid by pointing an IE 6.0 browser to squid shows that the combination squid/samba does not work with NTLM authentication (auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp), although squid DOES work with basic authentication (auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic). A check of the /var/log/squid/cache.log file shows that an NTLM authentication is attempted but not brought to a successful conclusion.
I am using the RH rpm's rather than recompile any of the software from source code.
Running smbd -b gets me the following results:
(1) --with Options: WITH_ADS WITH_AUTOMOUNT WITH_PAM WITH_QUOTAS WITH_SENDFILE WITH_SMBMOUNT WITH_SYSLOG WITH_UTMP WITH_WINBIND
(2) Builtin modules: pdb_ldap pdb_smbpasswd pdb_tdbsam pdb_guest rpc_lsa rpc_reg rpc_lsa_ds rpc_wks rpc_net rpc_dfs rpc_srv rpc_spoolss rpc_samr idmap_ldap idmap_tdb auth_rhosts auth_sam auth_unix auth_winbind auth_server auth_domain auth_builtin
I acknowledge that the option --with-winbind-auth-challenge looks like it's missing, but all of the wbinfo commands work like clockwork.
The message that I get from the /var/log/samba/winbindd.log file is "krb5_get_credentials failed for monday$@ANGLERLABS.COM (Ticket expired)", where monday$ is the contact DC and ANGLERLABS.COM is a single domain (no dependents, no trust relationships baggage).
What gives? Where does the fault lie (squid, samba, both, neither)?
Vietnhi Phuvan
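For anyone triaging the same symptom, the following is an added example (not code from the original post, from Samba or from Squid) that pulls the Kerberos credential failures out of a winbindd.log excerpt and groups them by principal and reason, so the "Ticket expired" entries quoted above stand out from unrelated noise. The only message format taken from the post is the krb5_get_credentials line; the header layout, the kerberos_kinit_password line and the sample log itself are constructed for the example and are assumptions about the log format.

```python
import re
from collections import Counter

# Constructed sample excerpt in the general shape of a Samba 3 debug log:
# a "[timestamp, level] source:function(...)" header line followed by an
# indented message line.  Source file names and function names are
# placeholders, not real Samba identifiers; only the krb5_get_credentials
# message text follows the wording quoted in the post above.
SAMPLE_LOG = """\
[2004/03/01 09:58:12, 0] placeholder_kerberos.c:placeholder_kinit(0)
  kerberos_kinit_password monday$@ANGLERLABS.COM failed: Clock skew too great
[2004/03/01 10:00:01, 1] placeholder_winbindd_ads.c:placeholder_connect(0)
  ads_connect for domain ANGLERLABS failed: Ticket expired
[2004/03/01 10:00:01, 0] placeholder_clikrb5.c:placeholder_mk_req(0)
  krb5_get_credentials failed for monday$@ANGLERLABS.COM (Ticket expired)
[2004/03/01 10:05:17, 0] placeholder_clikrb5.c:placeholder_mk_req(0)
  krb5_get_credentials failed for monday$@ANGLERLABS.COM (Ticket expired)
[2004/03/01 10:06:40, 5] placeholder_winbindd_pam.c:placeholder_auth(0)
  NTLM authentication for user ANGLERLABS\\jdoe returned NT_STATUS_OK
"""

# Header line: "[YYYY/MM/DD HH:MM:SS, level] ..."
HEADER_RE = re.compile(r"^\[(?P<ts>[^,\]]+), (?P<level>\d+)\]")

# Message formats recognised as Kerberos credential failures.  The first is
# the exact wording from the post; the second is an assumed kinit variant.
FAILURE_PATTERNS = [
    re.compile(
        r"krb5_get_credentials failed for (?P<principal>\S+?)@(?P<realm>\S+) "
        r"\((?P<reason>[^)]*)\)"
    ),
    re.compile(
        r"kerberos_kinit_password (?P<principal>\S+?)@(?P<realm>\S+) "
        r"failed: (?P<reason>.+?)\s*$"
    ),
]


def parse_winbindd_log(text):
    """Return one dict per Kerberos credential failure found in the log text.

    Each event carries the timestamp of the header line that preceded the
    message, the principal (without realm), the realm, and the error reason.
    """
    events = []
    current_ts = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current_ts = header.group("ts")
            continue
        for pattern in FAILURE_PATTERNS:
            m = pattern.search(line)
            if m:
                events.append({
                    "timestamp": current_ts,
                    "principal": m.group("principal"),
                    "realm": m.group("realm"),
                    "reason": m.group("reason"),
                })
                break
    return events


def summarize(events):
    """Group failures by reason and flag machine-account principals.

    A principal ending in "$" is an Active Directory machine account, so a
    ticket failure for it concerns the Samba host's own credentials rather
    than any end user's logon.
    """
    principals = sorted({f"{e['principal']}@{e['realm']}" for e in events})
    return {
        "count": len(events),
        "by_reason": dict(Counter(e["reason"] for e in events)),
        "principals": principals,
        "machine_accounts": [p for p in principals if p.split("@")[0].endswith("$")],
    }


if __name__ == "__main__":
    found = parse_winbindd_log(SAMPLE_LOG)
    for event in found:
        print(f"{event['timestamp']}  {event['principal']}@{event['realm']}: {event['reason']}")
    print(summarize(found))
```

Running it against a real /var/log/samba/winbindd.log instead of SAMPLE_LOG is a matter of reading the file into parse_winbindd_log; the header regex is tolerant of the source location text, so it only needs the timestamp and level bracket to be present. The grouping by reason is what makes "Ticket expired" on the machine account visible as a Kerberos-side problem on the Samba host, separate from whatever Squid reports in cache.log.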