Plenty of users use ntlm. A guess is that your client does not trust the proxy server with automatic NTLM authentication. If I am not mistaken the best results are seen when it's configured with a shortname to the proxy (servername without domain).

On Sun, 2008-06-22 at 18:42 +0100, Markus Moeller wrote:
> Does nobody use ntlm_auth ?
>
> Markus
>
> "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx> wrote in message
> news:g317rp$9v7$1@xxxxxxxxxxxxxxxx
> >I am trying to authenticate users with ntlm_auth but fail and don't find
> >the reason. I see the initial NTLM challenge, but then the Browser doesn't
> >continue the next NTLM step ( at least that is what I think happens)
> >
> > Any idea what I did wrong ?
> >
> > Thank you
> > Markus
> >
> > uname -a
> > Linux Opensuse 2.6.22.17-0.1-default #1 SMP 2008/02/10 20:01:04 UTC i686
> > i686 i386 GNU/Linux
> > Opensuse:~ # cat /etc/SuSE-release
> > openSUSE 10.3 (i586)
> > VERSION = 10.3
> >
> > squid -v
> > Squid Cache: Version 2.6.STABLE14
> > configure options: '--prefix=/usr' '--sysconfdir=/etc/squid'
> > '--bindir=/usr/sbin' '--sbindir=/usr/sbin' '--localstatedir=/var'
> > '--libexecdir=/usr/sbin' '--datadir=/usr/share/squid'
> > '--mandir=/usr/share/man' '--with-dl' '--with-maxfd=4096'
> > '--with-valgrind-debug' '--enable-snmp' '--enable-carp'
> > '--enable-auth=basic digest negotiate ntlm'
> > '--enable-basic-auth-helpers=LDAP MSNT NCSA PAM SMB YP getpwnam
> > multi-domain-NTLM' '--enable-ntlm-auth-helpers=SMB fakeauth no_check'
> > '--enable-digest-auth-helpers=ldap password'
> > '--enable-external-acl-helpers=ip_user ldap_group session unix_group
> > wbinfo_group' '--enable-ntlm-fail-open' '--enable-arp-acl' '--enable-htcp'
> > '--enable-underscores' '--enable-stacktraces' '--enable-delay-pools'
> > '--enable-useragent-log' '--enable-referer-log' '--enable-forward-log'
> > '--enable-multicast-miss' '--enable-ssl' '--enable-cache-digests'
> > '--enable-auth-on-acceleration'
> > '--enable-storeio=aufs,coss,diskd,null,ufs' '--enable-linux-netfilter'
> > '--enable-removal-policies=heap,lru' '--enable-icmp'
> > '--with-samba-sources=/usr/include/samba' '--enable-large-cache-files'
> > '--enable-x-accelerator-vary' '--enable-follow-x-forwarded-for'
> > 'CFLAGS=-O2 -march=i586 -mtune=i686 -fmessage-length=0 -Wall -D_FORTIFY_SOURCE=2
> > -fstack-protector -g -fPIE -DLDAP_DEPRECATED -fno-strict-aliasing'
> > 'LDFLAGS=-pie'
> >
> >
> > squid.conf:
> >
> > http_port 3128
> > hierarchy_stoplist cgi-bin ?
> > acl QUERY urlpath_regex cgi-bin \?
> > cache deny QUERY
> > acl apache rep_header Server ^Apache
> > broken_vary_encoding allow apache
> > access_log /var/log/squid/access.log squid
> > auth_param ntlm program /usr/sbin/ntlm_auth -d WIN2003R2\\w2k3r2
> > auth_param ntlm children 5
> > auth_param ntlm keep_alive on
> > refresh_pattern ^ftp: 1440 20% 10080
> > refresh_pattern ^gopher: 1440 0% 1440
> > refresh_pattern . 0 20% 4320
> > acl all src 0.0.0.0/0.0.0.0
> > acl manager proto cache_object
> > acl localhost src 127.0.0.1/255.255.255.255
> > acl to_localhost dst 127.0.0.0/8
> > acl SSL_ports port 443 8333
> > acl Safe_ports port 80 # http
> > acl Safe_ports port 21 # ftp
> > acl Safe_ports port 443 # https
> > acl Safe_ports port 70 # gopher
> > acl Safe_ports port 210 # wais
> > acl Safe_ports port 1025-65535 # unregistered ports
> > acl Safe_ports port 280 # http-mgmt
> > acl Safe_ports port 488 # gss-http
> > acl Safe_ports port 591 # filemaker
> > acl Safe_ports port 777 # multiling http
> > acl CONNECT method CONNECT
> > acl authenticated proxy_auth REQUIRED
> > http_access allow manager localhost
> > http_access deny manager
> > http_access deny !Safe_ports
> > http_access deny CONNECT !SSL_ports
> > http_access allow localhost
> > http_access allow authenticated
> > http_access deny all
> > icp_access allow all
> > coredump_dir /var/cache/squid
> >
> > cache.log
> >
> > ntlm_auth[8452](ntlm_auth.c:284): managing request
> > ntlm_auth[8452](ntlm_auth.c:290): ntlm authenticator. Got 'YR
> > TlRMTVNTUAABAAAAB7IIogkACQAtAAAABQAFACgAAAAFASgKAAAAD1dJTlhQV0lOMjAwM1Iy'
> > from Squid
> > ntlm_auth[8452](ntlm_auth.c:239): obtain_challenge: selecting
> > WIN2003R2\W2K3R2 (attempt #1)
> > ntlm_auth[8452](ntlm_auth.c:251): attempting challenge retrieval
> > ntlm_auth[8452](libntlmssp.c:119): Connecting to server W2K3R2 domain
> > WIN2003R2
> > ntlm_auth[8452](ntlm_auth.c:253): make_challenge retuned 0x8000ef60
> > ntlm_auth[8452](ntlm_auth.c:255): Got it
> > ntlm_auth[8452](ntlm_auth.c:437): sending 'TT
> > TlRMTVNTUAACAAAACQAJACgAAACCgkEAyigxBxKJUqQAAAAAAAAAAFdJTjIwMDNSMg==' to
> > squid
> >
> >
> > Wireshark capture:
> >
> > GET http://www.bbc.co.uk/ HTTP/1.1
> > Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
> > application/x-shockwave-flash, */*
> > Accept-Language: en-us
> > UA-CPU: x86
> > Accept-Encoding: gzip, deflate
> > User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
> > 2.0.50727)
> > Proxy-Authorization: NTLM
> > TlRMTVNTUAABAAAAB7IIogkACQAtAAAABQAFACgAAAAFASgKAAAAD1dJTlhQV0lOMjAwM1Iy
> > Proxy-Connection: Keep-Alive
> > Host: www.bbc.co.uk
> >
> > HTTP/1.0 407 Proxy Authentication Required
> > Server: squid/2.6.STABLE14
> > Date: Sat, 14 Jun 2008 18:55:14 GMT
> > Content-Type: text/html
> > Content-Length: 1310
> > Expires: Sat, 14 Jun 2008 18:55:14 GMT
> > X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0
> > Proxy-Authenticate: NTLM
> > TlRMTVNTUAACAAAACQAJACgAAACCgkEAiqcyv4MUME0AAAAAAAAAAFdJTjIwMDNSMg==
> > X-Cache: MISS from opensuse.suse.home
> > X-Cache-Lookup: NONE from opensuse.suse.home:3128
> > Via: 1.0 opensuse.suse.home:3128 (squid/2.6.STABLE14)
> > Proxy-Connection: keep-alive
> >
> > <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
> > "http://www.w3.org/TR/html4/loose.dtd">
> > <HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html;
> > charset=iso-8859-1">
> > <TITLE>ERROR: Cache Access Denied</TITLE>
> > <STYLE
> > type="text/css"><!--BODY{background-color:#ffffff;font-family:verdana,sans-serif}PRE{font-family:sans-serif}--></STYLE>
> > </HEAD>
> > <BODY>
> > <H1>ERROR</H1>
> > <H2>Cache Access Denied</H2>
> > <HR noshade size="1px">
> > <P>
> > While trying to retrieve the URL:
> > <A HREF="http://www.bbc.co.uk/">http://www.bbc.co.uk/</A>
> > <P>
> > The following error was encountered:
> > <UL>
> > <LI>
> > <STRONG>
> > Cache Access Denied.
> > </STRONG>
> > </UL>
> > </P>
> >
> > <P>Sorry, you are not currently allowed to request:
> > <PRE> http://www.bbc.co.uk/</PRE>
> > from this cache until you have authenticated yourself.
> > </P>
> >
> > <P>
> > You need to use Netscape version 2.0 or greater, or Microsoft Internet
> > Explorer 3.0, or an HTTP/1.1 compliant browser for this to work. Please
> > contact the <A HREF="mailto:webmaster">cache administrator</a> if you have
> > difficulties authenticating yourself or
> > <A HREF="http://opensuse.suse.home/cgi-bin/chpasswd.cgi">change</a> your
> > default password.
> > </P>
> >
> > <BR clear="all">
> > <HR noshade size="1px">
> > <ADDRESS>
> > Generated Sat, 14 Jun 2008 18:55:14 GMT by opensuse.suse.home
> > (squid/2.6.STABLE14)
> > </ADDRESS>
> >
> > squid server is part of domain (e.g. wbinfo -g works fine)
> >
> > wbinfo -g
> > WIN2003R2\iis_wpg
> > WIN2003R2\session directory computers
> > WIN2003R2\domain computers
> > WIN2003R2\domain controllers
> > WIN2003R2\schema admins
> > WIN2003R2\enterprise admins
> > WIN2003R2\cert publishers
> > WIN2003R2\domain admins
> > WIN2003R2\domain users
> > WIN2003R2\domain guests
> > WIN2003R2\group policy creator owners
> > WIN2003R2\ras and ias servers
> > WIN2003R2\dnsadmins
> > WIN2003R2\dnsupdateproxy
> > WIN2003R2\certsvc_dcom_access
> > WIN2003R2\win2003r2users
> > WIN2003R2\sqlserver2005sqlbrowseruser$w2k3r2
> > WIN2003R2\sqlserver2005mssqlserveradhelperuser$w2k3r2
> > WIN2003R2\sqlserver2005mssqluser$w2k3r2$sqlexpress
> > WIN2003R2\solarisgroup
> > WIN2003R2\susegroup
> > WIN2003R2\squid_allow
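
Added example, not part of the original messages and not Squid or Samba code: a small Python decoder for the NTLMSSP tokens quoted in the cache.log and Wireshark capture above, so the flags the browser sent in its Type 1 can be compared with what the helper returned in the Type 2. The field offsets follow the NTLMSSP message layout (MS-NLMP); the function and constant names are invented for this example.

```python
import base64
import struct

# Negotiate-flag bits (names shortened from MS-NLMP); only the bits set in this thread.
FLAGS = {0x1: "UNICODE", 0x2: "OEM", 0x4: "REQUEST_TARGET", 0x80: "LM_KEY",
         0x200: "NTLM", 0x1000: "DOMAIN_SUPPLIED", 0x2000: "WORKSTATION_SUPPLIED",
         0x8000: "ALWAYS_SIGN", 0x10000: "TARGET_TYPE_DOMAIN",
         0x80000: "EXTENDED_SESSIONSECURITY", 0x400000: "REQUEST_NON_NT_SESSION_KEY",
         0x2000000: "VERSION", 0x20000000: "128", 0x80000000: "56"}

# Tokens copied from the post: the browser's Type 1 and the two Type 2 replies.
TYPE1 = "TlRMTVNTUAABAAAAB7IIogkACQAtAAAABQAFACgAAAAFASgKAAAAD1dJTlhQV0lOMjAwM1Iy"
TYPE2_WIRE = "TlRMTVNTUAACAAAACQAJACgAAACCgkEAiqcyv4MUME0AAAAAAAAAAFdJTjIwMDNSMg=="
TYPE2_LOG = "TlRMTVNTUAACAAAACQAJACgAAACCgkEAyigxBxKJUqQAAAAAAAAAAFdJTjIwMDNSMg=="

def _secbuf(raw, pos, enc):
    """Decode the payload of a security buffer (len, maxlen, offset) found at pos."""
    length, _maxlen, offset = struct.unpack_from("<HHI", raw, pos)
    if offset + length > len(raw):
        raise ValueError("security buffer points outside the message")
    return raw[offset:offset + length].decode(enc)

def parse_ntlm(token):
    """Parse a base64 NTLMSSP Type 1 or Type 2 token into a dict."""
    raw = base64.b64decode(token, validate=True)
    if raw[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    try:
        (mtype,) = struct.unpack_from("<I", raw, 8)
        if mtype == 1:    # NEGOTIATE: flags at 12, OEM domain and workstation buffers
            (flags,) = struct.unpack_from("<I", raw, 12)
            out = {"domain": _secbuf(raw, 16, "ascii"),
                   "workstation": _secbuf(raw, 24, "ascii")}
        elif mtype == 2:  # CHALLENGE: target buffer at 12, flags at 20, nonce at 24
            (flags,) = struct.unpack_from("<I", raw, 20)
            (nonce,) = struct.unpack_from("<8s", raw, 24)
            enc = "utf-16-le" if flags & 0x1 else "ascii"
            out = {"target": _secbuf(raw, 12, enc), "challenge": nonce.hex()}
        else:
            raise ValueError("only Type 1 and Type 2 are handled here")
    except struct.error as exc:
        raise ValueError("truncated NTLMSSP message") from exc
    out["type"] = mtype
    out["flags"] = sorted(name for bit, name in FLAGS.items() if flags & bit)
    return out

if __name__ == "__main__":
    for label, tok in (("request", TYPE1), ("capture", TYPE2_WIRE), ("cache.log", TYPE2_LOG)):
        print(label, parse_ntlm(tok))
```

On the tokens from the post, the browser's Type 1 sets UNICODE and EXTENDED_SESSIONSECURITY, while the helper's Type 2 sets neither and answers with OEM, LM_KEY and NTLM; the messages here do not establish whether that difference is why the browser stops.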