Hi,

We are having problems setting up a squid cache server to use NTLMv2 authentication to authenticate users against AD. We have narrowed the problems down to being a problem between samba and squid when using NTLMv2. It constantly moans about the password being wrong when using squid, but doing a direct samba auth works fine. We believe we have narrowed it down to this: the domain requires client ntlmv2 = yes in samba to work; however, it seems ntlm_auth does not support this!

Our process was as follows:

On the domain controller, we set the "Network Security: LAN Manager authentication level properties" option to "Send NTLM response only". We then set smb.conf to look something like this:

    [global]
    winbind separator = +
    winbind cache time = 10
    workgroup = DOMAIN
    security = ads
    winbind uid = 10000-20000
    winbind gid = 10000-20000
    winbind use default domain = yes
    #realm = S058DS1001001.DOMAIN.COM
    #client ntlmv2 auth = yes
    log file = /var/log/log.%m

That works; when joining the domain we can see the users, groups etc. Some of the commands we ran:

    [root@cont] ~ # wbinfo -a Proxy2%Password_1
    plaintext password authentication succeeded
    challenge/response password authentication succeeded
    [root@cont] ~ # wbinfo -t
    checking the trust secret via RPC calls succeeded

All worked fine, and squid could auth the user, as could a wbinfo -a. We then switched the option in AD to "Send NTLMv2 response only\refuse LM & NTLM" and the smb.conf to the following:

    [global]
    winbind separator = +
    winbind cache time = 10
    workgroup = DOMAIN
    security = ads
    winbind uid = 10000-20000
    winbind gid = 10000-20000
    winbind use default domain = yes
    realm = S058DS1001001.DOMAIN.COM
    client ntlmv2 auth = yes
    log file = /var/log/log.%m

When we join the domain, it joins fine; we run winbindd and nmbd and we can then look up the users and groups. We can do a net ads testjoin, which works fine as well:

    [root@cont] ~ # net ads testjoin
    Join is OK

Note that client ntlmv2 is on now.
The problem comes in when trying to use squid to do the authentication. We get the following error in the squid log file if we set the authenticator's debugging to level 9:

    [2005/11/07 13:36:35, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
      Got user=[Proxy4] domain=[DOMAIN] workstation=[ianb] len1=24 len2=24
    [2005/11/07 13:36:35, 3] utils/ntlm_auth.c:winbind_pw_check(427)
      Login for user [DOMAIN]\[Proxy4]@[ianb] failed due to [Wrong Password]

If we type in a username that doesn't exist, it complains that the username is invalid, so we know that it has to do with the password. We also know that the password is correct, as we tried this numerous times and we also tried copy-pasting the password into the required field. Our squid.conf looks like this:

    auth_param ntlm program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp -d9
    auth_param ntlm max_challenge_reuses 0
    auth_param ntlm max_challenge_lifetime 2 minutes
    auth_param ntlm children 2
    auth_param basic program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-basic -d9
    auth_param basic children 2
    auth_param basic realm Cache NTLM Authentication
    auth_param basic credentialsttl 2 hours

Anyone have any idea as to why that would happen when only using squid? Is there an option that we need to set to make the authenticator use ntlmv2 only, or something like we had to do for samba? Does ntlm_auth not understand the v2 protocol properly?

On to another question: when I join the domain for the first time, I get this error when trying to do anything besides a wbinfo -u or wbinfo -g.
Here are a few examples:

    [root@cont] ~ # wbinfo -t
    checking the trust secret via RPC calls failed
    error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
    Could not check secret

And this from the squid log if we try and auth a user:

    [2005/10/31 11:43:36, 0] utils/ntlm_auth.c:winbind_pw_check(427)
      Login for user [Domain]\[Proxy2]@[ianb] failed due to [Access denied]
    [2005/10/31 11:43:36, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(600)
      NTLMSSP BH: NT_STATUS_ACCESS_DENIED

The strange thing is these errors stop happening anywhere between 5 and 15 minutes after joining the domain. Any ideas as to why they are occurring in the first place? Basically: we are able to list users and groups, but wbinfo -t doesn't work until we've been logged on for 5-15 minutes (randomly)?

Thanks in advance,
Ian
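The ntlm_auth -d9 output quoted in this post records the lengths of the LM and NT responses the browser actually sent (len1 and len2): a 24-byte NT response is NTLMv1 (or the NTLM2 session response), while an NTLMv2 response is a 16-byte HMAC plus a blob and is always longer. The script below is an added example, not part of Ian's post or of Samba or squid; it pulls those fields out of such log lines, pairs each attempt with the "failed due to" line that follows it, and labels which response type the client used. The sample log is constructed from the lines quoted above plus one invented entry.

```python
import re

# Constructed sample of ntlm_auth -d9 output, modelled on the lines quoted in
# the post; the last entry (len2=108) is invented to show an NTLMv2 response.
SAMPLE_LOG = r"""
[2005/11/07 13:36:35, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606) Got user=[Proxy4] domain=[DOMAIN] workstation=[ianb] len1=24 len2=24
[2005/11/07 13:36:35, 3] utils/ntlm_auth.c:winbind_pw_check(427) Login for user [DOMAIN]\[Proxy4]@[ianb] failed due to [Wrong Password]
[2005/10/31 11:43:36, 0] utils/ntlm_auth.c:winbind_pw_check(427) Login for user [Domain]\[Proxy2]@[ianb] failed due to [Access denied]
[2005/11/07 13:40:02, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606) Got user=[Proxy4] domain=[DOMAIN] workstation=[ianb] len1=24 len2=108
"""

AUTH_RE = re.compile(r"Got user=\[(?P<user>[^\]]*)\] domain=\[(?P<domain>[^\]]*)\] "
                     r"workstation=\[(?P<ws>[^\]]*)\] len1=(?P<lm>\d+) len2=(?P<nt>\d+)")
FAIL_RE = re.compile(r"Login for user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]@"
                     r"\[(?P<ws>[^\]]*)\] failed due to \[(?P<reason>[^\]]*)\]")

def classify_nt_response(nt_len):
    """len2 is the NT response length: 24 bytes is NTLMv1 (or the NTLM2 session
    response); an NTLMv2 response is a 16-byte HMAC plus a blob, so always > 24."""
    if nt_len is None:
        return "unknown"
    return "NTLMv1" if nt_len == 24 else ("NTLMv2" if nt_len > 24 else "none")

def _attempt(m, lm_len, nt_len, result):
    return {"user": m["user"], "domain": m["domain"], "workstation": m["ws"],
            "lm_len": lm_len, "nt_len": nt_len,
            "nt_kind": classify_nt_response(nt_len), "result": result}

def parse_attempts(log_text):
    """Walk -d9 output and pair each 'Got user=...' line with the 'Login for user
    ... failed' line that follows it; result is None when no failure was logged."""
    attempts = []
    for line in log_text.splitlines():
        if m := AUTH_RE.search(line):
            attempts.append(_attempt(m, int(m["lm"]), int(m["nt"]), None))
        elif m := FAIL_RE.search(line):
            last = attempts[-1] if attempts else None
            if last and last["result"] is None and last["user"] == m["user"]:
                last["result"] = m["reason"]
            else:  # orphan failure, as in the post's second excerpt: keep it on its own
                attempts.append(_attempt(m, None, None, m["reason"]))
    return attempts

if __name__ == "__main__":
    for a in parse_attempts(SAMPLE_LOG):
        print(f"{a['domain']}\\{a['user']}@{a['workstation']}: NT response {a['nt_kind']} "
              f"(len1={a['lm_len']}, len2={a['nt_len']}) -> {a['result'] or 'no failure logged'}")
```

Run it over the real log with `parse_attempts(open(path).read())`; an attempt labelled NTLMv1 that fails with "Wrong Password" while the DC is set to refuse LM & NTLM tells you the browser, not ntlm_auth, chose the response type.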