
Re: NTLM not working


 



On 11/04/2012 19:52, Wladner Klimach wrote:
Here is what I got from wbinfo:

wbinfo -t
checking the trust secret via RPC calls succeeded

And I can list all the groups with wbinfo -g.

Here is ntlm_auth run:

/usr/bin/ntlm_auth --username=P_7501
password:
NT_STATUS_OK: Success (0x0)

That looks like you have all the winbind-related bits working!

Look what I've got from cache.log with debug_options 29,9 activated:

2012/04/11 15:46:49.629| authenticateValidateUser: Validating Auth_user request '0'.
2012/04/11 15:46:49.629| authenticateValidateUser: Auth_user_request was NULL!
2012/04/11 15:46:49.629| authenticateAuthenticate: broken auth or no proxy_auth header. Requesting auth header.
2012/04/11 15:46:49.629| authenticateFixHeader: headertype:38 authuser:0
2012/04/11 15:46:49.629| basic/auth_basic.cc(217) fixHeader: Sending type:38 header: 'Basic realm="Squid proxy-caching web server"'
2012/04/11 15:46:49.629| authenticateFixHeader: Configured scheme ntlm not Active

Looks like ntlm is not an option to squid. Could it be the lack of the
compilation option --with-winbind-auth-challenge??

That does look like squid may not have the right compile-time options. I am afraid that isn't an area I am overly-familiar with, but I think there are quite a few options you need to configure. The options we use (which I think are relevant) are:

--enable-auth="basic,digest,ntlm,negotiate"

--enable-basic-auth-helpers="LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth"

--enable-ntlm-auth-helpers="smb_lm,no_check,fakeauth"

--enable-external-acl-helpers="ip_user,ldap_group,session,unix_group,wbinfo_group"

As I say, it's not really my area, but it would be worth checking that you have similar options. --with-winbind-auth-challenge isn't used in my setup.


Harry

2012/4/11 Harry Mills<harry@xxxxxxxxxxxxx>:
On 11/04/2012 17:56, Wladner Klimach wrote:

Hi people,

I'm having some problems implementing NTLM on my squid box. I've
followed the documentation guides but for some unknown reason it still
isn't working. Here is my squid.conf (authentication portion only):


auth_param negotiate program /squid-3.2.0.16/helpers/negotiate_auth/wrapper/negotiate_wrapper_auth -d --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --kerberos /usr/src/redhat/BUILD/squid-3.1.18/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth -s HTTP/grazina2.redecamara.camara.gov.br
auth_param negotiate children 30 startup=10 idle=10
auth_param negotiate keep_alive on


As you can see I'm using the wrapper helper offered by squid-3.2, but
my squid box is squid-3.1. The Kerberos scheme works just fine. So
how can I debug it? I really need NTLM too in order to authenticate
users that access some old sites that don't handle Kerberos. I really
hope you guys can help me overcome this issue.

Regards,

Wladner


Hi Wladner,

It may be useful to get the plain ntlm auth helper working on its own first.
Once that is working, you can then re-enable the negotiate wrapper.

I am not sure how much of the NTLM auth tests you have done. Have you tested
that winbind is running and communicating with the domain? You can test that
the basics are in place with wbinfo -t to check the shared secret, or wbinfo
-u which should return a list of all your domain users.

What happens if you run ntlm auth directly:

ntlm_auth  --username=<your username>

Is there anything in your debug log which might give a little more
information about what isn't working?

Regards,

Harry
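
A way to check the compile-time theory discussed in this thread, as an added example that is not part of the original messages: it compares the schemes in Squid's --enable-auth configure option with the schemes cache.log reports as "not Active". It assumes `squid -v` prints a "configure options:" line and that each log message sits on one line; the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): function names are hypothetical.

# Constructed sample inputs, modelled on the lines quoted in the thread.
SAMPLE_VERSION="Squid Cache: Version 3.1.18
configure options:  '--prefix=/usr' '--enable-auth=basic,negotiate' '--enable-basic-auth-helpers=LDAP,NCSA'"
SAMPLE_LOG="2012/04/11 15:46:49.629| authenticateFixHeader: headertype:38 authuser:0
2012/04/11 15:46:49.629| authenticateFixHeader: Configured scheme ntlm not Active
2012/04/11 15:46:50.101| authenticateFixHeader: Configured scheme ntlm not Active"

# built_schemes: read `squid -v` output on stdin and print the schemes
# named in --enable-auth=..., one per line. Prints nothing if the option
# is absent. --enable-*-auth-helpers options are deliberately not matched.
built_schemes() {
    tr -d "'\"" | tr -s ' \t' '\n' |
        sed -n 's/^--enable-auth=//p' | tr ',' '\n' | sed '/^$/d' | sort -u
}

# inactive_schemes: read cache.log on stdin and print each scheme that
# Squid logged as "Configured scheme <name> not Active", de-duplicated.
inactive_schemes() {
    sed -n 's/.*Configured scheme \([A-Za-z]*\) not Active.*/\1/p' | sort -u
}

# diagnose VERSION_TEXT < cache.log
# For every inactive scheme, say whether the build's --enable-auth lists it.
# "not listed" points at compile-time options; "listed" points at the
# runtime side (auth_param lines and the helper itself).
diagnose() {
    built=$(printf '%s\n' "$1" | built_schemes)
    inactive_schemes | while read -r s; do
        if printf '%s\n' "$built" | grep -qxF "$s"; then
            echo "$s: listed in --enable-auth"
        else
            echo "$s: not listed in --enable-auth"
        fi
    done
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_LOG" | diagnose "$SAMPLE_VERSION"
```

On a real host the call would be `diagnose "$(squid -v)" < cache.log`, with the path to cache.log depending on the installation.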


