Hello squid users,
I can't seem to get the ntlm to work on the following setup:
Debian 4.0 etch
Squid Cache: Version 2.6.STABLE5
Microsoft Windows Server 2003 SP2
Kerberos environment OK: wbinfo -t, -u and -g work fine
Using ntlm_auth from Samba Winbind 3.0.24-6etch9
squid.conf looks like this:
http_port localhost:3128
icp_port 0
htcp_port 0
refresh_pattern -i \.flv$ 10080 90% 999999 ignore-no-cache
override-expire ignore-private
quick_abort_min -1 KB
maximum_object_size 1 GB
acl youtube dstdomain .youtube.com
cache allow youtube
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
debug_options ALL,9
hosts_file /etc/hosts
auth_param ntlm program /usr/bin/ntlm_auth -d 10
--helper-protocol=squid-2.5-ntlmssp --domain=MYDOMAIN
auth_param ntlm children 30
auth_param ntlm keep_alive on
external_acl_type nt_group ttl=0 children=5 %LOGIN
/usr/lib/squid/wbinfo_group.pl
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 # https
[...]
acl Safe_ports port 901 # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
acl InternetInterdit external nt_group internet_interdit
acl FTPUsers external nt_group ftp_users_ext
acl AuthenticatedUsers proxy_auth REQUIRED
acl FTP proto FTP
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny FTP !FTPUsers
http_access deny InternetInterdit
http_access allow all AuthenticatedUsers
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_group proxy
-coredump_dir /var/spool/squid
The authentication works fine with the --helper-protocol=squid-2.5-basic
but with the ntlm protocol the following appears in the log files. Can
someone shed some light on this ? I don't know what to investigate
further as there is no explicit error message. It seems as if the NTLM
protocol starts fine but then stops because one of the parties does not
send what it's supposed to. I've tried using the ntlmauth bundled with
Squid but that doesn't solve the problem.
[2008/03/07 10:56:35, 10] utils/ntlm_auth.c:manage_squid_request(1615)
Got 'YR TlRMTVNTUAABAAAAB7...RzEzNzBJTlRSQS1UUEc=' from squid (length:
79).
[2008/03/07 10:56:35, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(590)
got NTLMSSP packet:
[2008/03/07 10:56:35, 10] lib/util.c:dump_data(2222)
[000] 4E 54 4C 4D 53 53 50 00 01 00 00 00 07 B2 08 A2 NTLMSSP. ........
[010] 09 00 09 00 2F 00 00 00 07 00 07 00 28 00 00 00 ..../... ....(...
[020] 05 01 28 0A 00 00 00 0F 54 50 XX XX XX XX XX XX ..(..... XXXXXXXX
[030] XX XX XX XX XX XX XX XX XXXXXXX
[2008/03/07 10:56:35, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
Got NTLMSSP neg_flags=0xa208b207
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_NEGOTIATE_OEM
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_DOMAIN_SUPPLIED
NTLMSSP_NEGOTIATE_WORKSTATION_SUPPLIED
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_56
[2008/03/07 10:56:35, 10]
utils/ntlm_auth.c:manage_squid_ntlmssp_request(600)
NTLMSSP challenge
Isn't the NTLM negotiation supposed to be longer ?
I think this is the same problem as in
http://www.squid-cache.org/mail-archive/squid-dev/200708/0167.html but
the answer to that question does not give a solution. Has someone solved
this ?
Thanks,
Jerome Steunenberg