RE: [squid-users] IE improperly prompts for credentials; ntlm_auth with Samba 3.0.13, Squid 2.5.STABLE7, RedHat Linux 9.0, SmartFilter 4.01

From: Jay Turner <jturner@dont-contact.us>
Date: Mon, 4 Apr 2005 16:34:53 +0800

> RedHat Linux 9.0,
> MIT Kerberos 1.4 built from source,
> Samba 3.0.13 built from source,
> Squid 2.5.STABLE7 built from source
> SmartFilter 4.01.
> Active Directory with Windows 2003
>
> Why not use RPMs? Well - ADS support for Windows 2003 needs Kerberos
> 1.3 or newer. But RedHat 9.0 has Kerberos 1.2.7 and zillions of RedHat
> packages depend on it. So I need krb5 1.4 in another tree and
> everything pretty much flows from that.

For what it is worth, I have this working fine against a Windows 2003 ADS
with RedHat 7.3 with krb5-*-1.2.4-11.i386.rpm and on Fedora Core 3 with
krb5-*-1.3.4-7.i386.rpm - however I am using Samba 3.0.2a to get around the
Kerberos issue.

I used the information from the Squid FAQs regarding winbind and Kerberos
to get mine to work
(http://www.squid-cache.org/Doc/FAQ/FAQ.html#toc23.5)

Looking at your squid.conf, you have stated:

acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers

Won't 'all' get processed before AuthorizedUsers so everyone will be
allowed?

My http_access is just
http_access allow AuthorizedUsers
http_access deny all

Don't know if it's what is causing your problem, but it might cause you a
problem in the future?

Another thing I noticed you didn't do that I did that might be causing a
problem is you didn't chmod winbindd_privileged; you chgrp'd it, but didn't
chmod it...

chmod 750 /var/lib/samba/winbindd_privileged/

Failing that, I don't know why it doesn't work.

Jay
Received on Mon Apr 04 2005 - 02:35:24 MDT
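
The directory group and mode settings discussed in the message above can be audited with a small script. This is an added example, not part of the original post; the function name, the `squid` user and group names in the usage note, and the availability of GNU `stat` are assumptions.

```shell
#!/bin/sh
# Added example: audit the winbindd_privileged directory that ntlm_auth uses.
# Assumption: GNU stat (coreutils) is available, as on Linux.

# check_winbindd_privileged DIR GROUP USER
# Returns 0 when DIR is mode 750, group-owned by GROUP, and USER is a
# member of GROUP. Otherwise prints one line per problem and returns 1.
check_winbindd_privileged() {
    dir=$1; group=$2; user=$3; rc=0

    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir is not a directory"
        return 1
    fi

    mode=$(stat -c '%a' "$dir")          # octal mode, e.g. 750
    owner_group=$(stat -c '%G' "$dir")   # group name of the directory

    # chmod step: world access removed, group may read and traverse.
    if [ "$mode" != "750" ]; then
        echo "MODE: $dir is $mode, expected 750"
        rc=1
    fi

    # chgrp step: the directory must belong to the proxy's group.
    if [ "$owner_group" != "$group" ]; then
        echo "GROUP: $dir belongs to group $owner_group, expected $group"
        rc=1
    fi

    # The auth helper runs as the proxy user, so that user must be in the
    # group for the group permission bits to apply to it.
    if ! id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -Fqx "$group"; then
        echo "MEMBERSHIP: user $user is not in group $group"
        rc=1
    fi

    return $rc
}
```

Call it as `check_winbindd_privileged /var/lib/samba/winbindd_privileged squid squid`, substituting the account the proxy actually runs as.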
