I'm having a problem trying to set up NTLM authentication following the steps on the wiki and a few tutorials elsewhere. I think I have the computer joined to the domain correctly, and all of the command line tests work. Basic authentication works against AD accounts. However, when I turn on NTLM, two 407 denieds are written to the access.log and the client is never authenticated. It does not fail back to basic authentication.

access.log:

1207755884.688 3 172.16.1.70 TCP_DENIED/407 1747 GET http://go.microsoft.com/fwlink/? - NONE/- text/html
1207755884.694 0 172.16.1.70 TCP_DENIED/407 1817 GET http://go.microsoft.com/fwlink/? - NONE/- text/html

squid.conf relevant section:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
#auth_param ntlm use_ntlm_negotiate off
#auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
#auth_param basic children 5
#auth_param basic realm Proxy Server
#auth_param basic credentialsttl 2 hours
#auth_param basic casesensitive off
acl NTLMusers proxy_auth REQUIRED
http_access allow NTLMusers

samus:/var/log/squid # wbinfo -t
checking the trust secret via RPC calls succeeded
wbinfo -a ad\\gooduser%goodpassword
plaintext password authentication succeeded
challenge/response password authentication succeeded

This is a SLES 10, so the winbindd_privileged directory is under /var/lib/samba. Is there a path I need to set somewhere? I'm guessing it's working since basic authentication works.
squid -v results:

Squid Cache: Version 2.5.STABLE12
configure options: '--prefix=/usr' '--sysconfdir=/etc/squid' '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--localstatedir=/var' '--libexecdir=/usr/sbin' '--datadir=/usr/share/squid' '--with-dl' '--enable-snmp' '--enable-carp' '--enable-useragent-log' '--enable-auth=basic digest ntlm' '--enable-basic-auth-helpers=LDAP MSNT NCSA PAM SMB YP getpwnam multi-domain-NTLM' '--enable-ntlm-auth-helpers=SMB no_check' '--enable-digest-auth-helpers=password' '--enable-external-acl-helpers=ip_user ldap_group unix_group wbinfo_group' '--enable-ntlm-fail-open' '--enable-referer-log' '--enable-arp-acl' '--enable-htcp' '--enable-underscores' '--enable-stacktraces' '--enable-delay-pools' '--enable-ssl' '--enable-cache-digests' '--enable-storeio=aufs,ufs,diskd,null' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--with-samba-sources=/usr/include/samba' '--enable-x-accelerator-vary' 'CFLAGS=-O2 -fmessage-length=0 -Wall -D_FORTIFY_SOURCE=2 -g -fPIE -DLDAP_DEPRECATED -fno-strict-aliasing' 'LDFLAGS=-pie'

Any pointers would be much appreciated. I'm starting to think I'm on the wrong track entirely and might have my ACLs written wrong, but the only ACLs defined are from the default configuration. Basic authentication also does work if I uncomment it, so I'm pretty confused...
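
An added example, not part of the original post: NTLM is a multi-step challenge/response, so 407 entries alone are expected, and what matters is whether an entry carrying a user name follows them. This sketch generalizes the two log lines above to a whole access.log and lists clients whose challenges are never completed. It assumes Squid's native log format with the user name in the eighth field; the 10.0.0.5 lines and the function names are constructed for illustration.

```python
"""Flag clients whose proxy-auth challenges (407) are never followed by an
authenticated request in a Squid native-format access.log."""
from collections import defaultdict

# The two 172.16.1.70 lines are from the post; the 10.0.0.5 lines are
# constructed to show a completed handshake in the same format.
SAMPLE_LOG = """\
1207755884.688 3 172.16.1.70 TCP_DENIED/407 1747 GET http://go.microsoft.com/fwlink/? - NONE/- text/html
1207755884.694 0 172.16.1.70 TCP_DENIED/407 1817 GET http://go.microsoft.com/fwlink/? - NONE/- text/html
1207755890.101 2 10.0.0.5 TCP_DENIED/407 1747 GET http://example.com/ - NONE/- text/html
1207755890.107 1 10.0.0.5 TCP_DENIED/407 1817 GET http://example.com/ - NONE/- text/html
1207755890.250 140 10.0.0.5 TCP_MISS/200 5120 GET http://example.com/ AD\\gooduser DIRECT/192.0.2.10 text/html
"""

def parse_line(line):
    """Split one native-format line into the fields used below, or None."""
    parts = line.split()
    if len(parts) < 10:
        return None
    result, _, status = parts[3].partition("/")
    if not status.isdigit():
        return None
    return {"client": parts[2], "result": result, "status": int(status),
            "url": parts[6], "user": parts[7]}

def stalled_clients(log_text):
    """Return {client: number of 407s} for clients whose challenges were
    not followed by a request logged with a user name."""
    pending = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed lines
        if rec["status"] == 407:
            pending[rec["client"]] += 1
        elif rec["user"] != "-":
            # An authenticated request clears the outstanding challenges.
            pending.pop(rec["client"], None)
    return dict(pending)

if __name__ == "__main__":
    for client, count in stalled_clients(SAMPLE_LOG).items():
        print(f"{client}: {count} challenge(s), no authenticated request followed")
```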