On Wed, 5 Nov 2003, Lombardo Federico wrote:
> 1) ntlm-ssp protocol seems to be not used from IE, testing with win2003,
> latest IIS if leaving only this in squid.conf:
Where does ISS come into the picture?
> auth_param ntlm program
> /usr/squid/libexec/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 10
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
Looks good to me.
> Will make cache.log say when I connect with my IE:
>
> 2003/11/05 10:28:15| authenticateDecodeAuth: Unsupported or unconfigured
> proxy-auth scheme, 'Basic ZmxvbWJhcmRvOmVnb19wZmU='
Hmm.. confused browser.
What does "log_mime_hdrs on" give in the initial 407 response headers from
the proxy?
> 2) using ntlm_auth with this squid.conf' configuration:
>
> Into the log this time I can see that user is recognized, but without the
> domain.
The user name logged in basic authentication is the username entered in
the browser. This may be with or without the NT domain when using a NT
domain backend.
> Ah, note that using only basic auth, without external acl, all work
> correctly, so the ntlm_auth helper, in this configuration work correctly, or
> "seems" to work correctly
Ok. So wbinfo_group.pl either does not like the username or the group
name. Your testing suggest that it does not like the domainless login
name.
Solution a): Enter the login using domain name in the browser.
Solution b): Teach wbinfo_group.pl how to handle "accuounts in the default
domain" where no domain name is specified in the login name.
Regards
Henrik
Received on Wed Nov 05 2003 - 03:43:54 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:21:06 MST