Hi Guido,

Thanks for the help, I feel kinda daft for not looking in the file first.

Anyway, this hasn't resolved the problem. We upgraded our squid (to 2.5Stable12), and samba to 3.0.20b. Once we upgraded squid, the ntlm_auth program was different so we used the samba ntlm_auth instead.

What does the "auth_param use_ntlm_negotiate on|off" actually do? Is it reliant on a certain helper? Because that didn't make any difference to the outcome.

We were told to put this option into our smb.conf to enable NTLMv2: "client ntlmv2 auth = yes", would this have any effect on what's happening? Adding that option makes all the difference with our setup - with it wbinfo -a works perfectly, without it we see the same error squid is getting.

Here is a copy of the error message again:

[2005/11/08 15:16:36, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
  Got user=[IANB] domain=[MASTERMIND] workstation=[IANB] len1=24 len2=24
[2005/11/08 15:16:37, 3] utils/ntlm_auth.c:winbind_pw_check(427)
  Login for user [MASTERMIND]\[IANB]@[IANB] failed due to [Wrong Password]

If we however turn off the option in AD (i.e. let it allow all authentication types), this doesn't happen, but I am assuming that is because it isn't using NTLMv2 then and only NTLM?

Thanks,
Ian

-----Original Message-----
From: Serassio Guido [mailto:guido.serassio@xxxxxxxxxxxxxxxxx]
Sent: 07 November 2005 11:45 PM
To: Ian Barnes; squid-users@xxxxxxxxxxxxxxx
Subject: Re: Urgent Samba / Squid NTLM Auth Problems

Hi,

At 22.22 07/11/2005, Ian Barnes wrote:
>Our squid.conf looks like this:
>auth_param ntlm program /usr/local/libexec/squid/ntlm_auth
>--helper-protocol=squid-2.5-ntlmssp -d9
>auth_param ntlm max_challenge_reuses 0
>auth_param ntlm max_challenge_lifetime 2 minutes
>auth_param ntlm children 2

I wonder: even though you have done a very detailed report, you didn't read the squid.conf comments first .... :-)

From 2.5 STABLE12 squid.conf:

# "use_ntlm_negotiate" on|off
# Enables support for NTLM NEGOTIATE packet exchanges with the helper.
# The configured ntlm authenticator must be able to handle NTLM
# NEGOTIATE packet. See the authenticator programs documentation if
# unsure. ntlm_auth from Samba-3.0.2 or later supports the use of this
# option.
# The NEGOTIATE packet is required to support NTLMv2 and a
# number of other negotiable NTLMSSP options, and also makes it
# more likely the negotiation is successful.

So in squid.conf you need:

auth_param ntlm use_ntlm_negotiate on

Please note:

auth_param ntlm children 2

It is far too low a value; on a loaded proxy you must set this to a higher value such as 20, 30 or more. You must monitor the helpers' usage to find the correct value.

Regards

Guido

-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Lucia Savarino, 1 10098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135 Fax. : +39.011.9781115
Email: guido.serassio@xxxxxxxxxxxxxxxxx
WWW: http://www.acmeconsulting.it/
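
Added example, not part of the original thread and not code from Samba or Squid: a small Python check that reads `Got user=` entries like the one quoted above and uses the logged response lengths to tell whether the client actually sent an NTLMv2 response. It assumes len1 is the LM response length and len2 the NT response length, as Samba's ntlmssp_server_auth logs them; the second log entry and the verdict labels are constructed for illustration.

```python
import re

# Constructed sample in the format of the Samba level-3 debug output quoted in
# the thread; the second entry is invented to show an NTLMv2-sized response.
SAMPLE_LOG = """\
[2005/11/08 15:16:36, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
  Got user=[IANB] domain=[MASTERMIND] workstation=[IANB] len1=24 len2=24
[2005/11/08 15:20:02, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606)
  Got user=[EXAMPLE] domain=[MASTERMIND] workstation=[WS1] len1=24 len2=142
"""

GOT_RE = re.compile(
    r"Got user=\[(?P<user>[^\]]*)\] domain=\[(?P<domain>[^\]]*)\] "
    r"workstation=\[(?P<ws>[^\]]*)\] len1=(?P<lm>\d+) len2=(?P<nt>\d+)"
)

def classify(lm_len, nt_len):
    """Infer the response family from the LM (len1) and NT (len2) lengths."""
    if nt_len > 24:
        # NTLMv2: 16-byte HMAC-MD5 proof followed by a variable-length blob.
        return "NTLMv2"
    if nt_len == 24:
        # Fixed 24-byte DES-based response: NTLMv1 or NTLM2 session response.
        return "NTLMv1-style (not NTLMv2)"
    if nt_len == 0 and lm_len == 24:
        return "LM-only"
    if nt_len == 0 and lm_len <= 1:
        return "anonymous/empty"
    return "unrecognised"

def scan(log_text):
    """Return (account, workstation, verdict) for every 'Got user=' entry."""
    results = []
    for m in GOT_RE.finditer(log_text):
        verdict = classify(int(m["lm"]), int(m["nt"]))
        results.append((f'{m["domain"]}\\{m["user"]}', m["ws"], verdict))
    return results

if __name__ == "__main__":
    for who, ws, verdict in scan(SAMPLE_LOG):
        print(f"{who} from {ws}: {verdict}")
```

A 24-byte len2 means the client did not send an NTLMv2 response, which is the first thing to confirm when a domain that requires NTLMv2 answers with a password failure.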