I've googled the hell out of this problem I'm having with a
debian(sarge) server and squid. I'm using Samba 3.0.2 squid 2.5stable9
with Winbind 3.0.14a. These are all stock .deb packages. I'm trying to
get NTLM authentication set up on my squid cache. It's working, but not
the way it should - IE clients aren't automatically logging in, and
passwords get sent in plaintext mode. Relevant configurations and debug
info below.. anything you could suggest that may help me would be
greatly appreciated.
[squid.conf]
#auth_param digest nonce_max_duration 30 minutes
#auth_param digest nonce_max_count 50
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp -d 3
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 5
auth_param ntlm max_challenge_lifetime 2 hours
auth_param ntlm use_ntlm_negotiate off
#auth_param basic program /usr/lib/squid/smb_auth -W mydomain
#auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
#auth_param basic children 5
#auth_param basic realm Internet Access Cache
#auth_param basic credentialsttl 2 hours
#auth_param basic casesensitive off
smb.conf global:
[global]
workgroup = mydomain
server string = %h server (Samba %v)
security = domain
password server = 192.168.0.5
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
*Retype\snew\sUNIX\spassword:* %n\n .
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
panic action = /usr/share/samba/panic-action %d
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
template shell = /bin/bash
[squid -v]
Squid Cache: Version 2.5.STABLE9
configure options: --prefix=/usr --exec_prefix=/usr --bindir=/usr/sbin
--sbindir=/usr/sbin --libexecdir=/usr/lib/squid --sysconfdir=/etc/squid
--localstatedir=/var/spool/squid --datadir=/usr/share/squid
--enable-async-io --with-pthreads --enable-storeio=ufs,aufs,diskd,null
--enable-linux-netfilter --enable-arp-acl
--enable-removal-policies=lru,heap --enable-snmp --enable-delay-pools
--enable-htcp --enable-poll --enable-cache-digests --enable-underscores
--enable-referer-log --enable-useragent-log
--enable-auth=basic,digest,ntlm --enable-carp --with-large-files
i386-debian-linux
sdproxy:/etc/samba# wbinfo -t
checking the trust secret via RPC calls succeeded
sdproxy:/etc/samba# wbinfo -a mydomain\\joe.tester%11QQaaZZ
plaintext password authentication succeeded
challenge/response password authentication succeeded
sdproxy:/etc/samba#
So it looks like samba is ready to handle ntlm auth, and so is squid.
Every time I open an IE window, I get prompted for a username and
password. If I enter a correct combination, I can browse. It is my
understanding that with ntlm this is not supposed to happen, that the
username/pass from my domain logon will automagically go to the server.
Running winbindd in debug mode I get the following log output:
[2005/08/26 15:46:04, 3]
nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(477)
[20149]: pam auth crap domain: SILPADA user: joe.tester
[2005/08/26 15:46:49, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(179)
[20026]: pam auth joe.tester
If I fail the login, I get this output:
[2005/08/26 15:47:24, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(179)
[20026]: pam auth joe.tester
[2005/08/26 15:47:24, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth(361)
Plain-text authentication for user joe.tester returned
NT_STATUS_WRONG_PASSWORD (PAM: 7)
I guess the plaintex authentication could be a last resort after an
attempt at challenge/response..
So, anyway, all I'm trying to do is get this auto-login working. Thanks
for any ideas you might pass my way.
Zach
