Search squid archive

Ntlm auth problem continued

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



 
I've googled the hell out of this problem I'm having with a
debian(sarge) server and squid.  I'm using Samba 3.0.2 squid 2.5stable9
with Winbind 3.0.14a.  These are all stock .deb packages.  I'm trying to
get NTLM authentication set up on my squid cache.  It's working, but not
the way it should - IE clients aren't automatically logging in, and
passwords get sent in plaintext mode.  Relevant configurations and debug
info below.. anything you could suggest that may help me would be
greatly appreciated.
 
[squid.conf]
#auth_param digest nonce_max_duration 30 minutes
#auth_param digest nonce_max_count 50
auth_param ntlm program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-ntlmssp -d 3
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 5
auth_param ntlm max_challenge_lifetime 2 hours
auth_param ntlm use_ntlm_negotiate off
#auth_param basic program /usr/lib/squid/smb_auth -W mydomain
#auth_param basic program /usr/bin/ntlm_auth
--helper-protocol=squid-2.5-basic
#auth_param basic children 5
#auth_param basic realm Internet Access Cache
#auth_param basic credentialsttl 2 hours
#auth_param basic casesensitive off

smb.conf global:
[global]
        workgroup = mydomain
        server string = %h server (Samba %v)
        security = domain
        password server = 192.168.0.5
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
*Retype\snew\sUNIX\spassword:* %n\n .
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        dns proxy = No
        panic action = /usr/share/samba/panic-action %d
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        template shell = /bin/bash
 
[squid -v]
Squid Cache: Version 2.5.STABLE9
configure options:  --prefix=/usr --exec_prefix=/usr --bindir=/usr/sbin
--sbindir=/usr/sbin --libexecdir=/usr/lib/squid --sysconfdir=/etc/squid
--localstatedir=/var/spool/squid --datadir=/usr/share/squid
--enable-async-io --with-pthreads --enable-storeio=ufs,aufs,diskd,null
--enable-linux-netfilter --enable-arp-acl
--enable-removal-policies=lru,heap --enable-snmp --enable-delay-pools
--enable-htcp --enable-poll --enable-cache-digests --enable-underscores
--enable-referer-log --enable-useragent-log
--enable-auth=basic,digest,ntlm --enable-carp --with-large-files
i386-debian-linux

 
 
sdproxy:/etc/samba# wbinfo -t
checking the trust secret via RPC calls succeeded
sdproxy:/etc/samba# wbinfo -a mydomain\\joe.tester%11QQaaZZ
plaintext password authentication succeeded
challenge/response password authentication succeeded
sdproxy:/etc/samba# 


So it looks like samba is ready to handle ntlm auth, and so is squid.
Every time I open an IE window, I get prompted for a username and
password.  If I enter a correct combination, I can browse.  It is my
understanding that with ntlm this is not supposed to happen, that the
username/pass from my domain logon will automagically go to the server.
Running winbindd in debug mode I get the following log output:
[2005/08/26 15:46:04, 3]
nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(477)
  [20149]: pam auth crap domain: SILPADA user: joe.tester
[2005/08/26 15:46:49, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(179)
  [20026]: pam auth joe.tester

 
If I fail the login, I get this output:
[2005/08/26 15:47:24, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth(179)
  [20026]: pam auth joe.tester
[2005/08/26 15:47:24, 2] nsswitch/winbindd_pam.c:winbindd_pam_auth(361)
  Plain-text authentication for user joe.tester returned
NT_STATUS_WRONG_PASSWORD (PAM: 7)


I guess the plaintex authentication could be a last resort after an
attempt at challenge/response.. 
 
So, anyway, all I'm trying to do is get this auto-login working.  Thanks
for any ideas you might pass my way.
 
Zach
 



[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux