NTLMSSP doesn't really use username/password like basic authentication, so you can't really confirm it from the command line. The best you can do is: # /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp KK and that should give you back a 'TT Tl...AA' type response. What versions of Squid and Samba are you running? Is the winbind authenticator running? Is it logging any useful messages (normally in daemonlog)? David. __ David Gameau ISTS - Systems Infrastructure Group University of South Australia email: David.Gameau@xxxxxxxxxxxx phone: +61 8 302 3533 fax: +61 8 302 5800 Disclaimer: "His brain sometimes stops working." - Chiyo, Azumanga Daioh > -----Original Message----- > From: Paul Matthews [mailto:paul.matthews@xxxxxxxxxxxxxxxxxxxx] > Sent: Thursday, 22 September 2005 3:12 PM > To: David Gameau > Subject: RE: NTLM without username/password prompt > > I've stop, started, applied, restart squid about 300 times > over the past 3 > days, I've been working on this none stop and I can't seam to > get anything. > > But here is something that I don't think looks right, if I do > the basic > authentication via command line it works. > > [root@mail /]# ./usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic > username password > OK > > [root@mail /]# ./usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp > Username password > [2005/09/22 15:39:43, 1] > utils/ntlm_auth.c:manage_squid_ntlmssp_request(576) > BH > > > -----Original Message----- > From: David Gameau [mailto:David.Gameau@xxxxxxxxxxxx] > Sent: Thursday, 22 September 2005 3:32 > To: paul.matthews@xxxxxxxxxxxxxxxxxxxx > Subject: RE: NTLM without username/password prompt > > Paul, > > Did you restart, or stop and start Squid? > I've noticed with the authenticators that a restart > doesn't seem to reset everything correctly. > > David. > __ > > David Gameau > ISTS - Systems Infrastructure Group > University of South Australia > > email: David.Gameau@xxxxxxxxxxxx > phone: +61 8 302 3533 > fax: +61 8 302 5800 > > Disclaimer: "His brain sometimes stops working." - Chiyo, > Azumanga Daioh > > > > -----Original Message----- > > From: Paul Matthews [mailto:paul.matthews@xxxxxxxxxxxxxxxxxxxx] > > Sent: Thursday, 22 September 2005 2:41 PM > > To: David Gameau > > Subject: RE: NTLM without username/password prompt > > > > I tried to put the ntlm authentication on top of the basic > > and restart the > > squid service, but the same result. > > > > auth_param ntlm program /usr/bin/ntlm_auth > > --helper-protocol=squid-2.5-ntlmssp > > auth_param ntlm children 30 > > auth_param ntlm max_challenge_reuses 0 > > auth_param ntlm max_challenge_lifetime 2 minutes > > > > auth_param basic program /usr/bin/ntlm_auth > > --helper-protocol=squid-2.5-basic > > auth_param basic children 5 > > auth_param basic realm Squid proxy-caching web server > > auth_param basic credentialsttl 2 hours > > > > -----Original Message----- > > From: David Gameau [mailto:David.Gameau@xxxxxxxxxxxx] > > Sent: Thursday, 22 September 2005 2:53 > > To: Paul Matthews; squid-users@xxxxxxxxxxxxxxx > > Subject: RE: NTLM without username/password prompt > > > > > From: Paul Matthews [mailto:paul.matthews@xxxxxxxxxxxxxxxxxxxx] > > > Subject: NTLM without username/password prompt > > > > > > I've setup NTLM authentication on my fedora box a few times > > before and > > > it all went off without a problem, seamless authentication, it was > > > great. But now I'm trying to get it done on a RHEL 4 box > > and it's not > > > going so well, I've got samba authenticating against my > > > Active directory > > > > > > [root@rhel4 /]# wbinfo -t > > > checking the trust secret via RPC calls succeeded > > > > > > but when I use my MSIE browser when I'm logged into the > > domain I get a > > > username/password prompt. I want it to be able to do it on the > > > background, any suggestions? > > > > > > I've read just about everything there is to read on the net. > > > > > > Here is my what I have added to my squid.conf > > > > > > auth_param basic children 5 > > > auth_param basic realm Squid proxy-caching web server > > > auth_param basic credentialsttl 2 hour > > > auth_param basic casesensitive off > > > auth_param basic program /usr/bin/ntlm_auth > > --helper-protocol=squid-2.5-basic > > > auth_param ntlm program /usr/bin/ntlm_auth > > --helper-protocol=squid-2.5-ntlmssp > > > auth_param ntlm children 30 > > > auth_param ntlm max_challenge_reuses 0 > > > auth_param ntlm max_challenge_lifetime 2 hour > > > > > > > > > acl ntlm proxy_auth REQUIRED > > > > > > http_access allow ntlm > > > > > > I don't have one http_access rule and that's to allow the > ntlm users > > > through. > > > Any suggestions? > > > > > Paul, > > > > Try reversing the order your auth_param basic and > > ntlm declarations. While browsers are supposed to > > pick the strongest authentication method, most seem > > to latch onto the first one supplied. > > > > Regards, > > David. > > __ > > > > David Gameau > > ISTS - Systems Infrastructure Group > > University of South Australia > > > > email: David.Gameau@xxxxxxxxxxxx > > phone: +61 8 302 3533 > > fax: +61 8 302 5800 > > > > Disclaimer: "His brain sometimes stops working." - Chiyo, > > Azumanga Daioh > > > > > > > > > > > > > >
