On 11/04/2012 21:15, Wladner Klimach wrote:
>
> That's the options I pointed for authentication:
>
> '--enable-auth=basic,digest,ntlm,negotiate'
> '--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth'
> '--enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth'
> '--enable-digest-auth-helpers=password,ldap,eDirectory'
> '--enable-negotiate-auth-helpers=squid_kerb_auth'
> '--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
>
> What am I missing?

From a compilation perspective you don't appear to be missing anything, but as I said I am not really familiar with that area - perhaps someone else with more knowledge can confirm?

I presume the squid process has permissions to read from winbindd_privileged (in /var/lib/samba/ on my setup). I would expect to see other errors in your logs if there was a permission problem though.

Have you tried just a plain ntlm_auth authenticator to see if that works?:

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 3
auth_param ntlm keep_alive on

Can you post your entire squid.conf?

Harry

> 2012/4/11 Harry Mills <harry@xxxxxxxxxxxxx>:
>>
>> On 11/04/2012 19:52, Wladner Klimach wrote:
>>>
>>> Here is what I got from wbinfo:
>>>
>>> wbinfo -t
>>> checking the trust secret via RPC calls succeeded
>>>
>>> And I can list all the groups with wbinfo -g.
>>>
>>> Here is ntlm_auth run:
>>>
>>> /usr/bin/ntlm_auth --username=P_7501
>>> password:
>>> NT_STATUS_OK: Success (0x0)
>>
>> That looks like you have all the winbind-related bits working!
>>
>>> Look what I've got from cache.log with debug_options 29,9 activated:
>>>
>>> 2012/04/11 15:46:49.629| authenticateValidateUser: Validating
>>> Auth_user request '0'.
>>> 2012/04/11 15:46:49.629| authenticateValidateUser: Auth_user_request was
>>> NULL!
>>> 2012/04/11 15:46:49.629| authenticateAuthenticate: broken auth or no
>>> proxy_auth header. Requesting auth header.
>>> 2012/04/11 15:46:49.629| authenticateFixHeader: headertype:38 authuser:0
>>> 2012/04/11 15:46:49.629| basic/auth_basic.cc(217) fixHeader: Sending
>>> type:38 header: 'Basic realm="Squid proxy-caching web server"'
>>> 2012/04/11 15:46:49.629| authenticateFixHeader: Configured scheme ntlm
>>> not Active
>>>
>>> Looks like ntlm is not an option to squid. Could it be the lack of the
>>> compilation option --with-winbind-auth-challenge??
>>
>> That does look like squid may not have the right compile-time options. I am
>> afraid that isn't an area I am overly-familiar with, but I think there are
>> quite a few options you need to configure. The options we use (which I think
>> are relevant) are:
>>
>> --enable-auth="basic,digest,ntlm,negotiate"
>>
>> --enable-basic-auth-helpers="LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth"
>>
>> --enable-ntlm-auth-helpers="smb_lm,no_check,fakeauth"
>>
>> --enable-external-acl-helpers="ip_user,ldap_group,session,unix_group,wbinfo_group"
>>
>> As I say, it's not really my area, but it would be worth checking that you
>> have similar options. --with-winbind-auth-challenge isn't used in my setup.
>>
>> Harry
>>
>>> 2012/4/11 Harry Mills <harry@xxxxxxxxxxxxx>:
>>>>
>>>> On 11/04/2012 17:56, Wladner Klimach wrote:
>>>>>
>>>>> Hi people,
>>>>>
>>>>> I'm having some problem to implement NTLM at my squid box. I've
>>>>> followed the documentation guides but for some unknown reason isn't
>>>>> still working. Here is my squid.conf ( authentication portion only):
>>>>>
>>>>> auth_param negotiate program
>>>>> /squid-3.2.0.16/helpers/negotiate_auth/wrapper/negotiate_wrapper_auth
>>>>> -d --ntlm /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
>>>>> --kerberos
>>>>> /usr/src/redhat/BUILD/squid-3.1.18/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth
>>>>> -s HTTP/grazina2.redecamara.camara.gov.br
>>>>> auth_param negotiate children 30 startup=10 idle=10
>>>>> auth_param negotiate keep_alive on
>>>>>
>>>>> As you can see I'm using the wrapper helper offered by squid-3.2, but
>>>>> my squid box is the squid-3.1. The Kerberos scheme works just fine. So
>>>>> how can I debug it? I really need NTLM too in order to authenticate
>>>>> users that access some old sites that don't handle kerberos. I really
>>>>> hope you guys can help me overtaking this issue.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Wladner
>>>>
>>>> Hi Wladner,
>>>>
>>>> It may be useful to get the plain ntlm auth helper working on its own
>>>> first. Once that is working, you can then re-enable the negotiate wrapper.
>>>>
>>>> I am not sure how much of the NTLM auth tests you have done. Have you
>>>> tested that winbind is running and communicating with the domain? You can
>>>> test that the basics are in place with wbinfo -t to check the shared
>>>> secret, or wbinfo -u which should return a list of all your domain users.
>>>>
>>>> What happens if you run ntlm auth directly:
>>>>
>>>> ntlm_auth --username=<your username>
>>>>
>>>> Is there anything in your debug log which might give a little more
>>>> information about what isn't working?
>>>>
>>>> Regards,
>>>>
>>>> Harry
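
Added example, not part of either poster's message and not Squid project code: a triage script that cross-checks the three things compared in this thread (the `--enable-auth` list from `squid -v`, the `auth_param ... program` lines in squid.conf, and the section-29 debug lines in cache.log) and reports which scheme the proxy actually challenged with. The sample inputs are constructed from values quoted above; the helper paths in the sample squid.conf, the function names and the result labels (`not-built`, `no-program-line`, `helper-side`) are hypothetical.

```python
import re

# Constructed inputs modelled on the values quoted in the thread (not real captures).
SQUID_V = ("configure options: '--enable-auth=basic,digest,ntlm,negotiate' "
           "'--enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth' "
           "'--enable-negotiate-auth-helpers=squid_kerb_auth'")
SQUID_CONF = """\
auth_param negotiate program /usr/local/bin/negotiate_wrapper_auth -d
auth_param negotiate children 30 startup=10 idle=10
auth_param basic program /usr/local/bin/basic_helper /etc/squid/passwd
# auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
"""
CACHE_LOG = """\
2012/04/11 15:46:49.629| authenticateFixHeader: headertype:38 authuser:0
2012/04/11 15:46:49.629| basic/auth_basic.cc(217) fixHeader: Sending type:38 header: 'Basic realm="Squid proxy-caching web server"'
2012/04/11 15:46:49.629| authenticateFixHeader: Configured scheme ntlm not Active
"""

def compiled_schemes(squid_v):
    """Schemes listed in --enable-auth in the `squid -v` configure options."""
    m = re.search(r"--enable-auth=([\w,]+)", squid_v.replace('"', ""))
    return set(m.group(1).split(",")) if m else set()

def configured_schemes(conf):
    """Schemes with an uncommented 'auth_param <scheme> program ...' line."""
    return set(re.findall(r"^[ \t]*auth_param[ \t]+(\w+)[ \t]+program[ \t]+\S", conf, re.M))

def inactive_schemes(log):
    """Schemes the debug log reports as 'Configured scheme <x> not Active'."""
    return set(re.findall(r"Configured scheme (\w+) not Active", log))

def offered_schemes(log):
    """Schemes named in the challenge headers the log shows being sent."""
    return {s.lower() for s in re.findall(r"Sending\s+type:\d+\s+header:\s+'(\w+)", log)}

def triage(squid_v, conf, log):
    """Map each inactive scheme to the first check it fails, in the thread's order."""
    built, has_program = compiled_schemes(squid_v), configured_schemes(conf)
    result = {}
    for scheme in sorted(inactive_schemes(log)):
        if scheme not in built:
            result[scheme] = "not-built"          # absent from --enable-auth
        elif scheme not in has_program:
            result[scheme] = "no-program-line"    # no auth_param <scheme> program
        else:
            result[scheme] = "helper-side"        # look at helper start-up, winbind access
    return result

if __name__ == "__main__":
    print("offered:", offered_schemes(CACHE_LOG))
    print("triage:", triage(SQUID_V, SQUID_CONF, CACHE_LOG))
```

The labels describe only what the three inputs show; they are this example's reading and not diagnostics produced by Squid.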