So my question has two parts. The first part is that I asked about this in a recent post and it couldn't be done, but for some reason it's doing it!! Which I like, but in the long run I'd like to fix this and don't know what I'm missing. I've compared this new squid deployment to another (that's working properly) and can't find the problem (except this deployment is 2.5stable13 and the working one is 2.6).

I have 2.5stable13 set up with samba and winbind for NT auth with Active Directory. When I am logged into the domain as a valid user and attempt to browse, I get a popup asking for login credentials. When I supply my username/password (I'm already logged into the domain) it lets me use squid/authenticates me. Somehow, squid isn't looking at the logged-in user and passing the credentials through to AD (while my other proxy does).

As far as my other post, this is what I wanted because I want to have a generic user log into a computer on the domain and always get prompted for NT auth when browsing... well, it's doing it, but how can I fix it?
Here are some snippets of config:

smb.conf
-------------------------
[global]
workgroup = mydomain
realm = mydomain.net
preferred master = no
netbios name = proxy
password server = x.x.x.x (ip of local AD server)
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
winbind separator = +
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind use default domain = yes
-------------------------

Krb5.conf
-------------------------
[libdefaults]
ticket_lifetime = 24000
default_realm = mydomain.NET
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
permitted_enctypes = des3-hmac-sha1 des-cbc-crc
dns_lookup_realm = false
dns_lookup_kdc = false
kdc_req_checksum_type = 2
checksum_type = 2
ccache_type = 1
forwardable = true
proxiable = true

[realms]
VISTAPRINT.NET = {
kdc = x.x.x.x:88 (ip of local AD server)
admin_server = x.x.x.x:749 (ip of local AD server)
default_domain = mydomain.net
}

[domain_realm]
.mydomain.net = mydomain.net
-------------------------

Nsswitch.conf
-------------------------
passwd: files ldap winbind
group: files ldap winbind
hosts: files dns ldap winbind
-------------------------

Squid.conf
-------------------------
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl AuthUsers proxy_auth REQUIRED
http_access allow all AuthUsers
http_access deny all
-------------------------

Squid Cache: Version 2.5.STABLE13
configure options: --enable-auth=ntlm,basic --enable-basic-auth-helpers=winbind --enable-ntlm-auth-helpers=winbind --enable-delay-pools --enable-snmp

Also running latest samba 3.0.23d

# wbinfo -t
checking the trust secret via RPC calls succeeded

wbinfo -g
BUILTIN+administrators
BUILTIN+users
domain users
domain guests
...etc (it's getting the groups from the domain)

# wbinfo -u
jsmith
jdoh
...etc (it's getting the names from the domain)