Here is what I got from wbinfo:

wbinfo -t
checking the trust secret via RPC calls succeeded

And I can list all the groups with wbinfo -g.

Here is ntlm_auth run:

/usr/bin/ntlm_auth --username=P_7501
password:
NT_STATUS_OK: Success (0x0)

Look what I've got from cache.log with debug_options 29,9 activated:

2012/04/11 15:46:49.629| authenticateValidateUser: Validating Auth_user request '0'.
2012/04/11 15:46:49.629| authenticateValidateUser: Auth_user_request was NULL!
2012/04/11 15:46:49.629| authenticateAuthenticate: broken auth or no proxy_auth header. Requesting auth header.
2012/04/11 15:46:49.629| authenticateFixHeader: headertype:38 authuser:0
2012/04/11 15:46:49.629| basic/auth_basic.cc(217) fixHeader: Sending type:38 header: 'Basic realm="Squid proxy-caching web server"'
2012/04/11 15:46:49.629| authenticateFixHeader: Configured scheme ntlm not Active

Looks like ntlm is not an option to squid. Could it be the lack of the
compilation option --with-winbind-auth-challenge??

2012/4/11 Harry Mills <harry@xxxxxxxxxxxxx>:
> On 11/04/2012 17:56, Wladner Klimach wrote:
>>
>> Hi people,
>>
>> I'm having some problem to implement NTLM at my squid box. I've
>> followed the documentation guides but for some unknown reason isn't
>> still working. Here is my squid.conf ( authentication portion only):
>>
>>
>> auth_param negotiate program
>> /squid-3.2.0.16/helpers/negotiate_auth/wrapper/negotiate_wrapper_auth
>> -d --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>> --kerberos
>> /usr/src/redhat/BUILD/squid-3.1.18/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth
>> -s HTTP/grazina2.redecamara.camara.gov.br
>> auth_param negotiate children 30 startup=10 idle=10
>> auth_param negotiate keep_alive on
>>
>>
>> As you can see I'm using the wrapper helper offered by squid-3.2, but
>> my squid box is the squid-3.1. The Kerberos scheme works just fine. So
>> how can I debug it? I really need NTLM too in order to authenticate
>> users that access some old sites that don't handle kerberos. I really
>> hope you guys can help me overtaking this issue.
>>
>> Regards,
>>
>> Wladner
>
>
> Hi Wladner,
>
> It may be useful to get the plain ntlm auth helper working on its own first.
> Once that is working, you can then re-enable the negotiate wrapper.
>
> I am not sure how much of the NTLM auth tests you have done. Have you tested
> that winbind is running and communicating with the domain? You can test that
> the basics are in place with wbinfo -t to check the shared secret, or wbinfo
> -u which should return a list of all your domain users.
>
> What happens if you run ntlm auth directly:
>
> ntlm_auth --username=<your username>
>
> Is there anything in your debug log which might give a little more
> information about what isn't working?
>
> Regards,
>
> Harry
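
Added example, not part of the original thread and not Squid's own code: a shell function that tallies, from cache.log lines written with debug_options 29,9, which auth schemes Squid sent in a challenge header and which configured schemes it logged as not active. The sample input is the set of log lines quoted in the message above; the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample: the section-29 debug lines quoted in the thread.
sample_cache_log() {
    cat <<'EOF'
2012/04/11 15:46:49.629| authenticateValidateUser: Validating Auth_user request '0'.
2012/04/11 15:46:49.629| authenticateValidateUser: Auth_user_request was NULL!
2012/04/11 15:46:49.629| authenticateAuthenticate: broken auth or no proxy_auth header. Requesting auth header.
2012/04/11 15:46:49.629| authenticateFixHeader: headertype:38 authuser:0
2012/04/11 15:46:49.629| basic/auth_basic.cc(217) fixHeader: Sending type:38 header: 'Basic realm="Squid proxy-caching web server"'
2012/04/11 15:46:49.629| authenticateFixHeader: Configured scheme ntlm not Active
EOF
}

# Read cache.log from the file in $1 (or stdin when no argument is given)
# and print one line per scheme: "offered <scheme> <count>" for challenge
# headers Squid sent, "inactive <scheme> <count>" for configured schemes
# that Squid logged as not active.
auth_scheme_summary() {
    awk '
        BEGIN { q = sprintf("%c", 39) }          # single-quote character
        /fixHeader: Sending type:[0-9]+ header: / {
            line = $0
            sub(".*header: " q, "", line)        # drop text up to the opening quote
            sub("[ " q "].*", "", line)          # keep only the scheme name
            offered[line]++
        }
        /Configured scheme [^ ]+ not Active/ {
            line = $0
            sub(/.*Configured scheme /, "", line)
            sub(/ not Active.*/, "", line)
            inactive[line]++
        }
        END {
            for (s in offered)  printf "offered %s %d\n", s, offered[s]
            for (s in inactive) printf "inactive %s %d\n", s, inactive[s]
        }
    ' "${1:--}" | sort
}

# Demonstration on the constructed sample.
sample_cache_log | auth_scheme_summary
```

On a live proxy, pass the path of the cache.log file as the first argument instead of piping in the sample.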