On Fri, 5 Aug 2005, Henrik Nordstrom wrote:
On Wed, 3 Aug 2005, Mike Diggins wrote:
So far, IE users that are logged into the domain authenticate without an
authentication prompt (good). Non IE users or users of other web clients
are prompted for authentication, which is expected, except now they must
type in the domain/username and password (i.e. ap1/myname) instead of just
their username. That's a bigger change in behaviour than we would like. Is
there a way to make this work or is this normal behaviour?
What Samba version?
It's an older one, 2.2.8 I believe. So if I upgrade to Samba 3.x this
should work better? Is this process documented anywhere?
My authentication related configuration:
#Recommended minimum configuration:
auth_param ntlm program /usr/local/squid/libexec/ntlm_auth ap1/as7 ap1/as6
Looks like you are using Samba-2.X. You should be using Samba-3.x and their
ntlm_auth helper, not the Samba-2.x helper from Squid.
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate off
auth_param basic program /usr/local/squid/sbin/mac_auth
What helper is this mac_auth helper?
It's this one who deals with basic authentication from no-IE browsers, and
it's up to this helper to determine what makes a valid username or not.
Right, I should have mentioned that mac_auth is a little perl wrapper I
got from you a couple of years ago. It lets me use smb_auth with two
different Windows Servers.
Thanks,
-Mike