> What protocol did you tell ntlm_auth to use? I.e. what do your
> auth_param lines look like?
Here is my entire setup:
Here are my squid compile parameters:
CFLAGS="-O3 -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer" \
./configure \
--prefix=/usr \
--datadir=/usr/share \
--localstatedir=/var \
--sysconfdir=/etc/squid \
--infodir=/usr/share/info \
--mandir=/usr/share/man \
--enable-useragent_log \
--enable-auth="ntlm,basic" \
--enable-basic-auth-helpers="winbind" \
--enable-ntlm-auth-helpers="fakeauth,no_check,SMB,winbind" \
--enable-external-acl-helpers="ip_user,ldap_group,unix_group,wbinfo_group,winbind_group"
(I am sure that some of these are NOT needed, but I would rather compile
everything, find out what works and then recompile with just what is
needed)
My squid.conf auth settings:
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
(yes, this is the Samba 3 version)
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 3
auth_param ntlm max_challenge_lifetime 2 minutes
# these are used by every other browser
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 minutes
My wbinfo output as requested:
root@caleb ~> wbinfo -t
checking the trust secret via RPC calls succeeded
root@caleb ~> wbinfo -u
Administrator
Guest
SUPPORT_388945a0
krbtgt
testuser
surfer
samba
root@caleb ~> wbinfo -g
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Domain Admins
Domain Users
Domain Guests
Group Policy Creator Owners
AuthorizedUsers
IntranetUsers
StaffUsers
root@caleb ~> wbinfo -a surfer%surfer2003
plaintext password authentication succeeded
challenge/response password authentication succeeded
root@caleb ~> squid -v
Squid Cache: Version 2.5.STABLE4
configure options: --prefix=/usr --datadir=/usr/share
--localstatedir=/var --sysconfdir=/etc/squid --infodir=/usr/share/info
--mandir=/usr/share/man --enable-useragent_log --enable-auth=ntlm,basic
--enable-basic-auth-helpers=winbind
--enable-ntlm-auth-helpers=fakeauth,no_check,SMB,winbind
--enable-external-acl-helpers=ip_user,ldap_group,unix_group,wbinfo_group,winbind_group
root@caleb ~> su - squid
[squid@caleb squid]$ /usr/local/bin/ntlm_auth --username=surfer
password:
NT_STATUS_OK: Success (0x0)
Turning mime_headers on reveals the following in the squid access log:
1069265718.735 119 172.16.215.30 TCP_DENIED/407 1645 GET
http://www.google.com/ - NONE/- text/html [Accept: image/gif,
image/x-xbitmap, image/jpeg, image/pjpeg, */*\r\nAccept-Language:
en-us\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.0)\r\nHost:
www.google.com\r\nProxy-Connection: Keep-Alive\r\nCookie:
PREF=ID=56c8b0c142718d37:TM=1065216586:LM=1065560328:TB=2:S=FbXQxkoNGt1g8HVm\r\n] [HTTP/1.0 407 Proxy Authentication Required\r\nServer: squid/2.5.STABLE4\r\nMime-Version: 1.0\r\nDate: Wed, 19 Nov 2003 18:15:18 GMT\r\nContent-Type: text/html\r\nContent-Length: 1302\r\nExpires: Wed, 19 Nov 2003 18:15:18 GMT\r\nX-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\nProxy-Authenticate: NTLM\r\n\r]
1069265718.947 107 172.16.215.30 TCP_DENIED/407 1715 GET
http://www.google.com/ - NONE/- text/html [Accept: image/gif,
image/x-xbitmap, image/jpeg, image/pjpeg, */*\r\nAccept-Language:
en-us\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.0)\r\nHost:
www.google.com\r\nProxy-Connection: Keep-Alive\r\nProxy-Authorization:
NTLM
TlRMTVNTUAABAAAAB7IAoAQABAAoAAAACAAIACAAAABLQ001MDI5OEJVR1M=\r\nCookie:
PREF=ID=56c8b0c142718d37:TM=1065216586:LM=1065560328:TB=2:S=FbXQxkoNGt1g8HVm\r\n] [HTTP/1.0 407 Proxy Authentication Required\r\nServer: squid/2.5.STABLE4\r\nMime-Version: 1.0\r\nDate: Wed, 19 Nov 2003 18:15:18 GMT\r\nContent-Type: text/html\r\nContent-Length: 1302\r\nExpires: Wed, 19 Nov 2003 18:15:18 GMT\r\nX-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\nProxy-Authenticate: NTLM TlRMTVNTUAACAAAAAAAAADAAAAACAgAg9nDlwSM9D0wAAAAAAAAAAAAAAAAwAAAA\r\n\r]
This is where it breaks: it appears to me that squid is NOT logging the
user/domain information in the log file,
AND
when I run squid with the following (squid -XN -d 1) and then try to
access the web page, squid says:
FATAL: authenticateNTLMHandleReply: called with no result string
Aborted
So Samba's NTLM doesn't appear to give the answer in the form that Squid
wants.
Also, here are my Samba compile settings and configuration file:
CFLAGS="-O3 -march=i686 -mcpu=i686 -funroll-loops -fomit-frame-pointer" \
./configure \
--sysconfdir=/etc/samba \
--prefix=/usr/local/samba \
--localstatedir=/var \
--with-configdir=/etc/samba \
--with-privatedir=/etc/samba \
--enable-auth="ntlm,basic" \
--enable-basic-auth-helpers="winbind" \
--enable-ntlm-auth-helpers="winbind" \
--enable-external-acl-helpers=winbind_group \
--with-fhs \
--with-quotas \
--with-msdfs \
--with-smbmount \
--with-ads \
--with-pam \
--with-pam_smbpass \
--with-syslog \
--with-utmp \
--with-sambabook=/usr/share/swat/using_samba \
--with-swatdir=/usr/share/swat \
--with-libsmbclient \
AND
/etc/samba/smb.conf
[global]
workgroup = BUGS
netbios name = BUGS00001
realm = BUGS.EXAMPLE.COM
security = ads
encrypt passwords = yes
password server = W2003.BUGS.EXAMPLE.COM
winbind separator = /
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
interfaces = 172.16.215.20 127.0.0.1
bind interfaces only = yes
winbind use default domain = yes
log file = /var/log/samba/log.%m
log level = 3
client signing = Yes
server signing = Yes
client use spnego = Yes
template shell = /bin/bash
template homedir = /home/%D/%U
Finally, just for grins, my /etc/krb5.conf (krb5-1.3.1 compiled from
source) contents:
[libdefaults]
default_realm = BUGS.EXAMPLE.COM
default_tgs_enctypes = des-cbc-crc des-cbc-md5
default_tkt_enctypes = des-cbc-crc des-cbc-md5
#default_etypes = arcfour-hmac-md5
#default_etypes_des = arcfour-hmac-md5
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
BUGS.EXAMPLE.COM = {
admin_server = W2003.BUGS.EXAMPLE.COM
default_domain = BUGS.EXAMPLE.COM
kdc = W2003.BUGS.EXAMPLE.COM
}
[domain_realm]
.bugs.kcm.org = BUGS.EXAMPLE.COM
bugs.kcm.org = BUGS.EXAMPLE.COM
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
Thanks for your time on this problem,
Dave Augustus
Received on Thu Nov 20 2003 - 07:25:00 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:21:25 MST
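Decoding the two NTLMSSP tokens that the mime_headers log lines above contain shows how far the handshake got before squid aborted: the client's type 1 negotiate and the helper's type 2 challenge are both present, and no type 3 authenticate ever follows. This is an added Python example, not code from the post or from Squid or Samba; it also parses a type 3 token, which the log above never reaches, and the two log lines it embeds are constructed from the post's 407 entries with unrelated headers trimmed.

```python
import base64, re, struct

# Well-known NTLMSSP negotiate flags (the subset that covers the two tokens in the log above).
NTLM_FLAGS = {0x1: "UNICODE", 0x2: "OEM", 0x4: "REQUEST_TARGET", 0x200: "NTLM",
              0x1000: "OEM_DOMAIN_SUPPLIED", 0x2000: "OEM_WORKSTATION_SUPPLIED",
              0x8000: "ALWAYS_SIGN", 0x20000000: "NEGOTIATE_128", 0x80000000: "NEGOTIATE_56"}
# Two access.log lines with mime_headers on, constructed from the two 407 entries in the post
# (unrelated headers trimmed; squid writes CR/LF into the log as the literal text \r\n).
LOG_LINES = [
    r"1069265718.735 119 172.16.215.30 TCP_DENIED/407 1645 GET http://www.google.com/ - NONE/- text/html "
    r"[Host: www.google.com\r\n] [HTTP/1.0 407 Proxy Authentication Required\r\nProxy-Authenticate: NTLM\r\n\r]",
    r"1069265718.947 107 172.16.215.30 TCP_DENIED/407 1715 GET http://www.google.com/ - NONE/- text/html "
    r"[Host: www.google.com\r\nProxy-Authorization: NTLM TlRMTVNTUAABAAAAB7IAoAQABAAoAAAACAAIACAAAABLQ001MDI5OEJVR1M=\r\n] "
    r"[HTTP/1.0 407 Proxy Authentication Required\r\nProxy-Authenticate: NTLM "
    r"TlRMTVNTUAACAAAAAAAAADAAAAACAgAg9nDlwSM9D0wAAAAAAAAAAAAAAAAwAAAA\r\n\r]",
]

def flag_names(flags):
    return [name for bit, name in sorted(NTLM_FLAGS.items()) if flags & bit]
def _buf(data, off):
    """Read an NTLM security buffer (len, maxlen, offset) at 'off'; return the bytes it points at."""
    length, _maxlen, offset = struct.unpack_from("<HHI", data, off)
    return data[offset:offset + length]
def _text(raw):
    # OEM strings are 8-bit; UNICODE strings are UTF-16-LE and therefore contain NUL bytes (heuristic).
    return raw.decode("utf-16-le") if b"\x00" in raw else raw.decode("latin-1")

def parse_ntlmssp(token):
    """Decode one NTLMSSP token (base64 text or raw bytes; type 1, 2 or 3) into its main fields."""
    data = base64.b64decode(token) if isinstance(token, str) else bytes(token)
    if data[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP token")
    msg = {"type": struct.unpack_from("<I", data, 8)[0]}
    if msg["type"] == 1:    # NEGOTIATE, client -> proxy: flags, then OEM domain and workstation
        msg["flags"] = struct.unpack_from("<I", data, 12)[0]
        msg["domain"], msg["workstation"] = _text(_buf(data, 16)), _text(_buf(data, 24))
    elif msg["type"] == 2:  # CHALLENGE, helper -> client: target name, flags, 8-byte server nonce
        msg["target"] = _text(_buf(data, 12))
        msg["flags"] = struct.unpack_from("<I", data, 20)[0]
        msg["challenge"] = data[24:32].hex()
    elif msg["type"] == 3:  # AUTHENTICATE, client -> proxy: the message the log above never reaches
        msg["domain"], msg["user"] = _text(_buf(data, 28)), _text(_buf(data, 36))
    return msg

def handshake_from_log(lines):
    """Return every NTLMSSP token found in the log lines, decoded, in order of appearance."""
    return [parse_ntlmssp(t) for t in re.findall(r"NTLM ([A-Za-z0-9+/]+=*)", "\n".join(lines))]
def furthest_stage(messages):
    return max((m["type"] for m in messages), default=0)  # 0 none, 1 negotiate, 2 challenge, 3 auth
```

Run against the two log lines, furthest_stage() returns 2: the helper did produce a challenge, so the failure sits between the challenge and the client's type 3 reply, which is consistent with the helper then returning nothing and squid aborting with "called with no result string".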