> -----Original Message-----
> From: Mike Diggins [mailto:diggins@xxxxxxxxxxx]
> Sent: Tuesday, 9 August 2005 12:10 AM
> To: Plant, Dean
> Cc: squid-users@xxxxxxxxxxxxxxx
> Subject: RE: NTLM Authentication
>
>
> On Fri, 5 Aug 2005, Plant, Dean wrote:
>
> > Mike Diggins wrote:
> >> We're running Squid V2.5Stable10 on a Solaris 8 platform and are
> >> attempting to get the NTLM authentication working along with basic
> >> authentication for non-IE browsers.
> >>
> >> So far, IE users that are logged into the domain authenticate without
> >> an authentication prompt (good). Non-IE users or users of other web
> >> clients are prompted for authentication, which is expected, except
> >> now they must type in the domain/username and password (i.e.
> >> ap1/myname) instead of just their username. That's a bigger change in
> >> behaviour than we would like. Is there a way to make this work or is
> >> this normal behaviour?
> >>
> > I think you need to set "winbind use default domain = yes" in your
> > smb.conf
>
> Okay, I've changed my configuration following the instructions in the
> Squid FAQ - http://www.squid-cache.org/Doc/FAQ/FAQ-23.html -
> "How do I use the Winbind authenticators".
>
> Things are working better. Non-IE browsers not logged into the domain
> prompt for a password (good). IE and Firefox, when logged into
> the domain, do not ask for a password (also good).
>
> A problem remains with IE when I'm not logged into the domain. It
> prompts for username and password as it should, but it also insists
> that I enter a domain (ap1\diggins) before it will authenticate. All
> non-IE browsers don't require this. Is there any way to make IE behave
> better?
>
> Squid Version: 2.5Stable10
> Samba: 3.0.14a (nmbd, smbd and winbind all running).
>
> Samba Config:
>
> [global]
>
> workgroup = AP1
> realm = AP1
> winbind uid = 10000-20000
> winbind gid = 10000-20000
> encrypt passwords = yes
> security = domain
> password server = as7.ad.McMaster.CA, as6.ad.mcmaster.ca
> winbind separator = /
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> preferred master = False
> local master = No
> domain master = False
> log file = /var/log/samba.log
>
> ; end
>
> Squid authentication configuration:
>
> #
> auth_param ntlm program /usr/local/squid/sbin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 10
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> #
> auth_param basic program /usr/local/squid/sbin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
>
>
> -Mike
>

Mike,

I've run into the same problem in our testing of Squid + Samba + NTLM.

From what I can see, Internet Explorer attempts to be 'helpful' by filling
in the Domain field when returning authentication details. The problem is
that if the machine isn't logged into your normal Domain it returns the
local machine name (or possibly the Workgroup) instead. Since a Domain has
been supplied, the default domain (as defined in your smb.conf) is not
used. Firefox (and its ilk) return nothing for the Domain, and so the
'winbind use default domain = yes' kicks in.

One workaround I found was to munge the Samba code. In
samba/source/nsswitch/winbindd_pam.c the bit of code that decides what
domain to use is:

    enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
    {
        [...]
        /* A domain supplied by the client wins; otherwise fall back to the
           smb.conf workgroup only if 'winbind use default domain' is set. */
        if (*state->request.data.auth_crap.domain) {
            name_domain = state->request.data.auth_crap.domain;
        } else if (lp_winbind_use_default_domain()) {
            name_domain = lp_workgroup();
        } else {
            DEBUG(5,("no domain specified with username (%s) - failing auth\n",
                     name_user));
            result = NT_STATUS_NO_SUCH_USER;
            goto done;
        }
        [...]
    }

Replacing that chunk of code with just

    name_domain = lp_workgroup();

will force Samba to use whatever domain is defined in your smb.conf. (This
will, of course, break things if you ever want to authenticate versus
another domain.)

I haven't found any other way of making Internet Explorer play nicely.

Regards,
David.

__
David Gameau
ISTS - Systems Infrastructure Group
University of South Australia
email: David.Gameau@xxxxxxxxxxxx
phone: +61 8 302 3533
fax: +61 8 302 5800

Disclaimer: "His brain sometimes stops working." - Chiyo, Azumanga Daioh
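An alternative to patching winbindd, added here as an example and not part of David's post nor code from the Squid or Samba projects: a wrapper that sits between Squid and `ntlm_auth --helper-protocol=squid-2.5-basic` and rewrites the username field so that it always carries the smb.conf workgroup before winbind ever sees it. It relies on the squid-2.5-basic helper protocol (one `username password` line per request on stdin, `OK` or `ERR` on stdout), takes the domain, separator and helper path from Mike's configuration above, and uses a hypothetical script name `force_domain_basic.py`. Only the basic (cleartext) path is affected, so IE users who are logged into the domain keep going through the NTLM helper untouched. Like David's patch, it makes authenticating against any other domain impossible, because whatever domain the client supplied is discarded.

```python
#!/usr/bin/env python3
"""force_domain_basic.py (hypothetical name; example code, not from Squid or Samba).

Squid hands a basic-auth helper one 'username password' line per request and
expects 'OK' or 'ERR' back. When the PC is not a domain member, IE submits
'LOCALPC\\user' instead of 'user', so winbind sees a domain and never falls
back to 'winbind use default domain = yes'. This wrapper rewrites the
username to '<workgroup><separator><user>' and forwards the line to the
real ntlm_auth helper, which is the same effect as forcing
name_domain = lp_workgroup() in winbindd_pam.c without rebuilding Samba.
"""
import subprocess
import sys

# Assumed to match Mike's smb.conf: 'workgroup = AP1', 'winbind separator = /'.
DEFAULT_DOMAIN = "AP1"
SEPARATOR = "/"
# Assumed path of the real helper, taken from Mike's squid.conf.
NTLM_AUTH = ["/usr/local/squid/sbin/ntlm_auth",
             "--helper-protocol=squid-2.5-basic"]


def split_domain(login):
    """Split 'DOMAIN\\user' or 'DOMAIN/user' into (domain, user).

    A login with no separator yields (None, login); a leading separator
    with an empty domain ('\\user') is treated as no domain at all.
    """
    for sep in ("\\", "/"):
        domain, found, user = login.partition(sep)
        if found and user:
            return (domain or None), user
    return None, login


def rewrite_credential_line(line, default_domain=DEFAULT_DOMAIN,
                            separator=SEPARATOR):
    """Return the helper line with its username forced to default_domain<sep>user.

    Only the first whitespace-delimited token is rewritten; the remainder of
    the line (the password, which Squid may URL-encode) passes through as is.
    A blank line yields '' so the caller can skip it.
    """
    line = line.rstrip("\r\n")
    if not line.strip():
        return ""
    parts = line.split(None, 1)
    login = parts[0]
    rest = parts[1] if len(parts) > 1 else ""
    _, user = split_domain(login)          # drop whatever domain IE filled in
    forced = default_domain + separator + user
    return forced + (" " + rest if rest else "")


def serve(helper_argv=NTLM_AUTH, inp=sys.stdin, out=sys.stdout):
    """Proxy Squid's requests to the real helper: one line in, one reply out."""
    helper = subprocess.Popen(helper_argv, stdin=subprocess.PIPE,
                              stdout=subprocess.PIPE,
                              universal_newlines=True, bufsize=1)
    try:
        for line in inp:
            rewritten = rewrite_credential_line(line)
            if not rewritten:
                continue
            helper.stdin.write(rewritten + "\n")
            helper.stdin.flush()
            reply = helper.stdout.readline()
            if not reply:                  # helper died: deny rather than hang
                out.write("ERR\n")
                out.flush()
                break
            out.write(reply)
            out.flush()
    finally:
        helper.stdin.close()
        helper.wait()


if __name__ == "__main__":
    serve()
```

To use it, point the basic helper at the wrapper instead of ntlm_auth, e.g. `auth_param basic program /usr/local/squid/libexec/force_domain_basic.py` (path is an assumption), make it executable, and keep the `auth_param ntlm` lines as they are. The script handles cleartext passwords on its stdin, so it should be root-owned, not world-writable, and must never log the lines it forwards. It needs a Python 3 interpreter on the proxy host, which Mike's Solaris 8 box would not have had in 2005; the same logic is a few lines of Perl or C if that matters.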