Yes, the wbinfo -u displays all users on the domain and wbinfo -g displays all groups on the domain. I was thinking that maybe there was an error with RHEL because like I said, I've set it up on fedora core 3 before with no problems.

-----Original Message-----
From: Paul Freeman [mailto:Paul.Freeman@xxxxxxxxxx]
Sent: Thursday, 22 September 2005 4:27
To: paul.matthews@xxxxxxxxxxxxxxxxxxxx
Subject: RE: NTLM without username/password prompt

Paul

This may seem a silly suggestion but have you tried wbinfo -u and wbinfo -g to see if winbindd can get the users and groups from the authorization database?

Regards

Paul Freeman
+++---+++---+++---+++---+++---+++---+++---+++---+++---+++---+++---+++
EML Consulting Services Pty Ltd    Telephone: +61 3 9836 1999
417-431 Canterbury Road            Facsimile: +61 3 9836 0517
SURREY HILLS, VICTORIA 3127        Email: Paul.Freeman@xxxxxxxxxx
+++---+++---+++---+++---+++---+++---+++---+++---+++---+++---+++---+++

> -----Original Message-----
> From: Paul Matthews [mailto:paul.matthews@xxxxxxxxxxxxxxxxxxxx]
> Sent: Thursday, 22 September 2005 4:02 PM
> To: 'David Gameau'
> Cc: squid-users@xxxxxxxxxxxxxxx
> Subject: RE: NTLM without username/password prompt
>
> I'm running
> RHEL 4
> squid-2.5.STABLE3-6.3E.14
> samba-3.0.9-1.3E.3
>
> yes, my winbind authenticator is running
>
> [root@mail /]# wbinfo -t
> checking the trust secret via RPC calls succeeded
>
> [root@mail /]# ./etc/init.d/winbind restart
>
> Shutting down Winbind services: [ OK ]
> Starting Winbind services: [ OK ]
>
> [root@mail /]# ./etc/init.d/winbind status
> winbindd (pid 31246 31245) is running...
>
> when I try the command
>
> [root@mail /]# /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>
> It just hangs there ... doing nothing ...
>
> We use winbind to authenticate our mail users so most of the
> winbind logs are filled with that information over and over
> and over again
>
> [2005/09/21 09:58:39, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
>   user 'fiona.gould' does not exist
> [2005/09/21 09:58:39, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
>   user 'postfix' does not exist
> [2005/09/21 09:58:39, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
>   user 'fiona.gould' does not exist
> [2005/09/21 09:58:39, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(161)
>   user 'fiona.gould' does not exist
>
> -----Original Message-----
> From: David Gameau [mailto:David.Gameau@xxxxxxxxxxxx]
> Sent: Thursday, 22 September 2005 3:56
> To: paul.matthews@xxxxxxxxxxxxxxxxxxxx
> Cc: squid-users@xxxxxxxxxxxxxxx
> Subject: RE: NTLM without username/password prompt
>
> NTLMSSP doesn't really use username/password like
> basic authentication, so you can't really confirm
> it from the command line.
>
> The best you can do is:
> # /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> KK
>
> and that should give you back a 'TT Tl...AA' type response.
>
> What versions of Squid and Samba are you running?
> Is the winbind authenticator running?
> Is it logging any useful messages (normally in daemonlog)?
>
> David.
> __
>
> David Gameau
> ISTS - Systems Infrastructure Group
> University of South Australia
>
> email: David.Gameau@xxxxxxxxxxxx
> phone: +61 8 302 3533
> fax: +61 8 302 5800
>
> Disclaimer: "His brain sometimes stops working." - Chiyo,
> Azumanga Daioh
>
> > -----Original Message-----
> > From: Paul Matthews [mailto:paul.matthews@xxxxxxxxxxxxxxxxxxxx]
> > Sent: Thursday, 22 September 2005 3:12 PM
> > To: David Gameau
> > Subject: RE: NTLM without username/password prompt
> >
> > I've stopped, started, applied, restarted squid about 300 times
> > over the past 3 days, I've been working on this non-stop and I
> > can't seem to get anything.
> >
> > But here is something that I don't think looks right, if I do the basic
> > authentication via command line it works.
> >
> > [root@mail /]# ./usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> > username password
> > OK
> >
> > [root@mail /]# ./usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> > Username password
> > [2005/09/22 15:39:43, 1] utils/ntlm_auth.c:manage_squid_ntlmssp_request(576)
> > BH
> >
> > -----Original Message-----
> > From: David Gameau [mailto:David.Gameau@xxxxxxxxxxxx]
> > Sent: Thursday, 22 September 2005 3:32
> > To: paul.matthews@xxxxxxxxxxxxxxxxxxxx
> > Subject: RE: NTLM without username/password prompt
> >
> > Paul,
> >
> > Did you restart, or stop and start Squid?
> > I've noticed with the authenticators that a restart
> > doesn't seem to reset everything correctly.
> >
> > David.
> > __
> >
> > David Gameau
> > ISTS - Systems Infrastructure Group
> > University of South Australia
> >
> > email: David.Gameau@xxxxxxxxxxxx
> > phone: +61 8 302 3533
> > fax: +61 8 302 5800
> >
> > Disclaimer: "His brain sometimes stops working." - Chiyo,
> > Azumanga Daioh
> >
> > > -----Original Message-----
> > > From: Paul Matthews [mailto:paul.matthews@xxxxxxxxxxxxxxxxxxxx]
> > > Sent: Thursday, 22 September 2005 2:41 PM
> > > To: David Gameau
> > > Subject: RE: NTLM without username/password prompt
> > >
> > > I tried to put the ntlm authentication on top of the basic
> > > and restart the squid service, but the same result.
> > >
> > > auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> > > auth_param ntlm children 30
> > > auth_param ntlm max_challenge_reuses 0
> > > auth_param ntlm max_challenge_lifetime 2 minutes
> > >
> > > auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> > > auth_param basic children 5
> > > auth_param basic realm Squid proxy-caching web server
> > > auth_param basic credentialsttl 2 hours
> > >
> > > -----Original Message-----
> > > From: David Gameau [mailto:David.Gameau@xxxxxxxxxxxx]
> > > Sent: Thursday, 22 September 2005 2:53
> > > To: Paul Matthews; squid-users@xxxxxxxxxxxxxxx
> > > Subject: RE: NTLM without username/password prompt
> > >
> > > > From: Paul Matthews [mailto:paul.matthews@xxxxxxxxxxxxxxxxxxxx]
> > > > Subject: NTLM without username/password prompt
> > > >
> > > > I've setup NTLM authentication on my fedora box a few times before and
> > > > it all went off without a problem, seamless authentication, it was
> > > > great. But now I'm trying to get it done on a RHEL 4 box and it's not
> > > > going so well, I've got samba authenticating against my
> > > > Active directory
> > > >
> > > > [root@rhel4 /]# wbinfo -t
> > > > checking the trust secret via RPC calls succeeded
> > > >
> > > > but when I use my MSIE browser when I'm logged into the domain I get a
> > > > username/password prompt. I want it to be able to do it on the
> > > > background, any suggestions?
> > > >
> > > > I've read just about everything there is to read on the net.
> > > >
> > > > Here is what I have added to my squid.conf
> > > >
> > > > auth_param basic children 5
> > > > auth_param basic realm Squid proxy-caching web server
> > > > auth_param basic credentialsttl 2 hour
> > > > auth_param basic casesensitive off
> > > > auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> > > > auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> > > > auth_param ntlm children 30
> > > > auth_param ntlm max_challenge_reuses 0
> > > > auth_param ntlm max_challenge_lifetime 2 hour
> > > >
> > > > acl ntlm proxy_auth REQUIRED
> > > >
> > > > http_access allow ntlm
> > > >
> > > > I don't have one http_access rule and that's to allow the ntlm users
> > > > through.
> > > > Any suggestions?
> > > >
> > > Paul,
> > >
> > > Try reversing the order of your auth_param basic and
> > > ntlm declarations. While browsers are supposed to
> > > pick the strongest authentication method, most seem
> > > to latch onto the first one supplied.
> > >
> > > Regards,
> > > David.
> > > __
> > >
> > > David Gameau
> > > ISTS - Systems Infrastructure Group
> > > University of South Australia
> > >
> > > email: David.Gameau@xxxxxxxxxxxx
> > > phone: +61 8 302 3533
> > > fax: +61 8 302 5800
> > >
> > > Disclaimer: "His brain sometimes stops working." - Chiyo,
> > > Azumanga Daioh
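
Added example, not part of the original thread or of Squid or Samba: a shell check for the two squid.conf points the messages above turn on, namely whether the ntlm scheme is declared ahead of basic (Squid presents schemes to the client in the order they first appear) and whether each ntlm_auth helper line carries the --helper-protocol value for its own scheme. The function names and the two sample files are constructed for illustration.

```shell
# Print each auth scheme once, in the order it first appears in the file.
auth_scheme_order() {
    awk '/^[ \t]*#/ { next }
         $1 == "auth_param" && NF >= 3 {
             s = tolower($2)
             if (!(s in seen)) { seen[s] = 1; out = out (out == "" ? "" : " ") s }
         }
         END { print out }' "$1"
}

# Exit status: 0 ntlm declared before basic, 1 basic first, 2 neither present.
check_ntlm_first() {
    for s in $(auth_scheme_order "$1"); do
        case $s in
            ntlm)  return 0 ;;
            basic) return 1 ;;
        esac
    done
    return 2
}

# Print ntlm/basic schemes whose helper line names the other scheme's protocol.
helper_mismatches() {
    awk '/^[ \t]*#/ { next }
         $1 == "auth_param" && $3 == "program" && ($2 == "ntlm" || $2 == "basic") {
             want = "--helper-protocol=squid-2.5-" ($2 == "ntlm" ? "ntlmssp" : "basic")
             for (i = 4; i <= NF; i++)
                 if ($i ~ /^--helper-protocol=/ && $i != want) print $2
         }' "$1"
}

# Constructed samples: scheme order as first posted, then with ntlm moved up.
posted=$(mktemp); reordered=$(mktemp)
trap 'rm -f "$posted" "$reordered"' EXIT
cat > "$posted" <<'EOF'
auth_param basic children 5
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
EOF
cat > "$reordered" <<'EOF'
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
EOF
echo "posted:    $(auth_scheme_order "$posted")"
echo "reordered: $(auth_scheme_order "$reordered")"
```

Against a live proxy, pass the path of the real squid.conf to check_ntlm_first and helper_mismatches instead of the sample files.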