Okay I have an update with more progress - it seems the problem is only to do with ntlmssp. If I only have a basic authenticator - which looks like the following, it works perfectly: auth_param basic program /usr/optec/ntlm_auth.sh basic auth_param basic children 10 auth_param basic realm server.opteqint.net Cache NTLM Authentication auth_param basic credentialsttl 2 hours (ntlm_auth.sh runs the ntlm_auth squid-2.5-basic helper) I see the following debug messages: [2005/11/09 13:20:43, 3] utils/ntlm_auth.c:check_plaintext_auth(292) NT_STATUS_OK: Success (0x0) However, when I use ntlmssp in the squid config, shown below, it does not work: auth_param ntlm program /usr/optec/ntlm_auth.sh ntlmssp auth_param ntlm children 10 auth_param ntlm use_ntlm_negotiate yes I see the following debug messages: [2005/11/09 13:22:37, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606) Got user=[ianb] domain=[MASTERMIND] workstation=[LUCY] len1=24 len2=24 [2005/11/09 13:22:37, 3] utils/ntlm_auth.c:winbind_pw_check(427) Login for user [MASTERMIND]\[ianb]@[LUCY] failed due to [Wrong Password] If I type ian instead of ianb, I see an error saying the user does not exist. This must mean that somehow the wrong password is being passed in the wrong way - even though it is typed right. For anyone who hasn't read the rest of this thread please note: this only happens with the security option on the AD server set to ONLY allow NTLMv2/LMv2 and not anything else. If we turn that off it works perfectly... As I understand it the password doesn't come to squid in plaintext when its using ntlmssp, and I believe that there is some kind of handling problem with that now? If I type in the password on the command line with the ntlm_auth program, it is able to validate it just fine using NTLMv2 - enforcing my belief that something is wrong here... Any suggestions AT ALL would be appreciated... Thanks Dave
