[squid-users] Squid NTLM/ADS problem

From: Ben Kelley <bkelley@dont-contact.us>
Date: Mon, 12 Jan 2004 09:01:28 -0600 (CST)

Trying to get NTLM/seamless authentication working with IE in a domain/AD
environment. Have the browser set up to use the proxy.

Basic authentication from a non-M$ machine/browser works fine to the
domain.
Basic authentication from a M$ machine with Netscape works fine to the
domain.
Any authentication from a M$ machine with a M$ browser fails.

It appears that the NTLM exchange between the client IE and Squid takes place,
since the username appears in the logs (cache.log) as soon as IE is
launched, but that authentication is never sent to the Domain Controllers
(verified via tcpdump).

TESTWKSN
 - WinXP
 - IE 6
 - Netscape 7.0

Non M$ Workstation
 - Solaris 9
 - Netscape 7.0

Proxy Server
 - FreeBSD 4.9
 - Samba 3.0.0,1 from ports
 - Squid 2.5_4 from ports

-----------------------------------------------------------------------------------
output of 'squid -v'

Squid Cache: Version 2.5.STABLE3
configure options: --bindir=/usr/local/sbin
--sysconfdir=/usr/local/etc/squid --datadir=/usr/local/etc/squid
--localstatedir=/usr/local/squid '--enable-storeio=ufs diskd null'
'--enable-removal-policies=lru heap' --enable-auth=ntlm,basic
'--enable-basic-auth-helpers=NCSA winbind'
--enable-ntlm-auth-helpers=winbind
'--enable-external-acl-helpers=wbinfo_group winbind_group' --enable-snmp
--enable-delay-pools --enable-useragent-log --enable-referer-log
--disable-ident-lookups --enable-underscores --prefix=/usr/local
i386-portbld-freebsd4.9

-----------------------------------------------------------------------------------
CACHE.LOG

Jan 9 16:10:05 cache02 [2004/01/09 16:10:05, 3]
libsmb/ntlmssp.c:ntlmssp_server_auth(286)
Jan 9 16:10:05 cache02 user=[TESTUSER1] domain=[TESTDOMAIN]
workstation=[TESTWKSN] len1=24 len2=24

-----------------------------------------------------------------------------------
SQUID.CONF

auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 20 minutes

auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

acl AuthorizedUsers proxy_auth REQUIRED

http_access allow AuthorizedUsers

-----------------------------------------------------------------------------------
SMB.CONF

security = ads
password server = TESTADC0 TESTADC1
encrypt passwords = yes

idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes

winbind separator = "
realm = TEST.COM
winbind use default domain = yes
workgroup = TESTDOMAIN

domain master = no

Received on Mon Jan 12 2004 - 08:17:12 MST
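As an added example that is not part of this post and is not Squid's or Samba's own code: a small Python builder and parser for the NTLMSSP Type 3 (AUTHENTICATE) message, the message IE sends to Squid and Squid hands to ntlm_auth. The user=[...] domain=[...] workstation=[...] len1=.. len2=.. line that Samba's ntlmssp_server_auth() writes into cache.log comes from decoding exactly these fields (len1 and len2 are the LM and NT response lengths; 24 bytes each is NTLMv1). The point for troubleshooting is that this decoding is purely local: the helper can log the username before anything is sent to a DC, and the DC is only contacted afterwards when winbindd validates the responses. The message layout follows MS-NLMP; the function names, the dummy 24-byte responses and the sample values are my own constructions, not real credentials.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_AUTHENTICATE = 3            # message type of a Type 3 message
NEGOTIATE_UNICODE = 0x00000001      # NTLMSSP_NEGOTIATE_UNICODE: strings are UTF-16LE
HEADER_LEN = 64                     # signature + type + 6 security buffers + flags


def _encode(text, unicode):
    return text.encode("utf-16-le") if unicode else text.encode("ascii")


def _decode(raw, unicode):
    return raw.decode("utf-16-le") if unicode else raw.decode("ascii")


def build_authenticate(user, domain, workstation, lm_response, nt_response, unicode=True):
    """Construct a Type 3 message. Each security buffer is (Len, MaxLen, Offset)
    with the offset counted from the start of the message; payload order mirrors
    what typical clients send: LM, NT, domain, user, workstation, session key."""
    flags = NEGOTIATE_UNICODE if unicode else 0
    fields = [
        lm_response,
        nt_response,
        _encode(domain, unicode),
        _encode(user, unicode),
        _encode(workstation, unicode),
        b"",  # no EncryptedRandomSessionKey in this constructed sample
    ]
    offset = HEADER_LEN
    buffers = b""
    payload = b""
    for field in fields:
        buffers += struct.pack("<HHI", len(field), len(field), offset)
        payload += field
        offset += len(field)
    return (NTLMSSP_SIGNATURE + struct.pack("<I", NTLMSSP_AUTHENTICATE)
            + buffers + struct.pack("<I", flags) + payload)


def parse_authenticate(data):
    """Decode a Type 3 message into the fields Samba logs; reject malformed input
    (bad signature, wrong type, or a security buffer pointing outside the message)."""
    if data[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    if len(data) < HEADER_LEN:
        raise ValueError("message shorter than the fixed header")
    (msg_type,) = struct.unpack_from("<I", data, 8)
    if msg_type != NTLMSSP_AUTHENTICATE:
        raise ValueError("expected Type 3 (AUTHENTICATE), got type %d" % msg_type)

    def security_buffer(pos):
        length, _maxlen, off = struct.unpack_from("<HHI", data, pos)
        if off + length > len(data):
            raise ValueError("security buffer at %d points outside the message" % pos)
        return data[off:off + length]

    lm_response = security_buffer(12)
    nt_response = security_buffer(20)
    domain_raw = security_buffer(28)
    user_raw = security_buffer(36)
    workstation_raw = security_buffer(44)
    (flags,) = struct.unpack_from("<I", data, 60)
    unicode = bool(flags & NEGOTIATE_UNICODE)
    return {
        "user": _decode(user_raw, unicode),
        "domain": _decode(domain_raw, unicode),
        "workstation": _decode(workstation_raw, unicode),
        "len1": len(lm_response),   # LM response length, as logged by Samba
        "len2": len(nt_response),   # NT response length, as logged by Samba
    }


def format_like_samba(fields):
    """Render the fields in the same shape as the ntlmssp_server_auth() log line."""
    return "user=[%s] domain=[%s] workstation=[%s] len1=%d len2=%d" % (
        fields["user"], fields["domain"], fields["workstation"],
        fields["len1"], fields["len2"])


if __name__ == "__main__":
    # Constructed sample: the names from the post, dummy 24-byte responses (no real hashes).
    msg = build_authenticate("TESTUSER1", "TESTDOMAIN", "TESTWKSN",
                             lm_response=bytes(24), nt_response=bytes(range(24)))
    print(format_like_samba(parse_authenticate(msg)))
```

Running it prints the same user/domain/workstation/len1/len2 line as the cache.log excerpt, which is all that line proves: the helper understood the client's message. Whether winbindd then reaches TESTADC0/TESTADC1 is a separate step and has to be checked on the wire or in winbindd's own logs.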
