Trying to get NTLM/seamless authentication working with IE in a domain/AD
environment. Have the browser set up to use the proxy.
Basic authentication from a non-M$ machine/browser works fine to the
domain.
Basic authentication from a M$ machine with Netscape works fine to the
domain.
Any authentication from a M$ machine with a M$ browser fails.
It appears that the NTLM exchange between the client IE and Squid takes place,
as the username appears in the logs (cache.log) as soon as IE is
launched, but that authentication is never sent to the Domain Controllers
(verified via tcpdump).
TESTWKSN
- WinXP
- IE 6
- Netscape 7.0
Non M$ Workstation
- Solaris 9
- Netscape 7.0
Proxy Server
- FreeBSD 4.9
- Samba 3.0.0,1 from ports
- Squid 2.5_4 from ports
-----------------------------------------------------------------------------------
output of 'squid -v'
Squid Cache: Version 2.5.STABLE3
configure options: --bindir=/usr/local/sbin
--sysconfdir=/usr/local/etc/squid --datadir=/usr/local/etc/squid
--localstatedir=/usr/local/squid '--enable-storeio=ufs diskd null'
'--enable-removal-policies=lru heap' --enable-auth=ntlm,basic
'--enable-basic-auth-helpers=NCSA winbind'
--enable-ntlm-auth-helpers=winbind
'--enable-external-acl-helpers=wbinfo_group winbind_group' --enable-snmp
--enable-delay-pools --enable-useragent-log --enable-referer-log
--disable-ident-lookups --enable-underscores --prefix=/usr/local
i386-portbld-freebsd4.9
-----------------------------------------------------------------------------------
CACHE.LOG
Jan 9 16:10:05 cache02 [2004/01/09 16:10:05, 3]
libsmb/ntlmssp.c:ntlmssp_server_auth(286)
Jan 9 16:10:05 cache02 user=[TESTUSER1] domain=[TESTDOMAIN]
workstation=[TESTWKSN] len1=24 len2=24
-----------------------------------------------------------------------------------
SQUID.CONF
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 20 minutes
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow AuthorizedUsers
-----------------------------------------------------------------------------------
SMB.CONF
security = ads
password server = TESTADC0 TESTADC1
encrypt passwords = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind separator = "
realm = TEST.COM
winbind use default domain = yes
workgroup = TESTDOMAIN
domain master = no
Received on Mon Jan 12 2004 - 08:17:12 MST
This archive was generated by hypermail pre-2.1.9 : Sun Feb 01 2004 - 12:00:05 MST
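The post's cache.log line (user=[...] domain=[...] workstation=[...] len1=24 len2=24) is Samba's decoding of the NTLMSSP AUTHENTICATE token that IE hands to Squid and Squid forwards to the ntlm_auth helper. The following decoder is an added example, not code from the original post, from Squid or from Samba: it parses the three NTLMSSP token types and the text lines of the squid-2.5-ntlmssp helper protocol (the opcodes YR, KK, TT, AF, NA and BH are the ones Samba's helper uses, stated here from memory), and renders a KK line the way Samba's ntlmssp_server_auth() logs it. The sample tokens are constructed for the example; the 24-byte LM and NT responses are placeholder bytes, not real hashes.

```python
"""Decode the NTLMSSP tokens that pass between a browser, Squid and the
squid-2.5-ntlmssp helper.  Added example (not from the original post);
the sample tokens below are constructed, with dummy LM/NT responses."""
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001


def _buf(data, off):
    """Read a (Len, MaxLen, Offset) descriptor at off; return the bytes it points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", data, off)
    return data[offset:offset + length]


def _str(raw, flags):
    """Decode a string field: UTF-16LE when NEGOTIATE_UNICODE was set, else OEM."""
    if flags & NEGOTIATE_UNICODE:
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")


def parse_ntlmssp(data):
    """Return a dict describing a NEGOTIATE (1), CHALLENGE (2) or AUTHENTICATE (3) token."""
    if not data.startswith(SIGNATURE):
        raise ValueError("not an NTLMSSP token")
    msg_type = struct.unpack_from("<I", data, 8)[0]
    if msg_type == 1:
        flags = struct.unpack_from("<I", data, 12)[0]
        has_names = len(data) >= 32          # domain/workstation fields are optional
        return {"type": 1, "flags": flags,
                "domain": _buf(data, 16).decode("latin-1") if has_names else "",
                "workstation": _buf(data, 24).decode("latin-1") if has_names else ""}
    if msg_type == 2:
        flags = struct.unpack_from("<I", data, 20)[0]
        return {"type": 2, "flags": flags,
                "target": _str(_buf(data, 12), flags),
                "challenge": data[24:32]}
    if msg_type == 3:
        # Five descriptors (LM, NT, domain, user, workstation) start at offset 12; the
        # flags sit at 60 only when the payload starts at or after 64 (64-byte header).
        first_payload = min(struct.unpack_from("<HHI", data, 12 + 8 * i)[2] for i in range(5))
        flags = struct.unpack_from("<I", data, 60)[0] if first_payload >= 64 else 0
        lm, nt = _buf(data, 12), _buf(data, 20)
        return {"type": 3, "flags": flags,
                "domain": _str(_buf(data, 28), flags),
                "user": _str(_buf(data, 36), flags),
                "workstation": _str(_buf(data, 44), flags),
                "len1": len(lm), "len2": len(nt)}      # Samba logs these as len1/len2
    raise ValueError("unknown NTLMSSP message type %d" % msg_type)


def build_type2(target, challenge, flags=NEGOTIATE_UNICODE):
    """CHALLENGE token as the helper returns it in a 'TT' line (constructed sample)."""
    name = target.encode("utf-16-le")
    return (SIGNATURE + struct.pack("<I", 2) + struct.pack("<HHI", len(name), len(name), 48)
            + struct.pack("<I", flags) + challenge + b"\0" * 8
            + struct.pack("<HHI", 0, 0, 48 + len(name)) + name)


def build_type3(user, domain, workstation, lm_resp, nt_resp, flags=NEGOTIATE_UNICODE):
    """AUTHENTICATE token as IE sends it in a 'KK' line (constructed sample)."""
    u = lambda s: s.encode("utf-16-le")
    items = [lm_resp, nt_resp, u(domain), u(user), u(workstation), b""]  # last: session key
    header, payload = bytearray(SIGNATURE + struct.pack("<I", 3)), b""
    for item in items:
        header += struct.pack("<HHI", len(item), len(item), 64 + len(payload))
        payload += item
    header += struct.pack("<I", flags)
    return bytes(header) + payload


def decode_helper_line(line):
    """Split a squid-2.5-ntlmssp helper-protocol line (YR, KK, TT, AF, NA, BH).
    YR/KK carry a base64 token from the browser, TT one from the helper (assumed opcodes)."""
    op, _, rest = line.strip().partition(" ")
    entry = {"op": op, "arg": rest}
    if op in ("YR", "KK", "TT") and rest:
        entry["token"] = parse_ntlmssp(base64.b64decode(rest))
    return entry


def samba_summary(line):
    """Render a KK line the way Samba's ntlmssp_server_auth() logs it at debug level 3."""
    tok = decode_helper_line(line)["token"]
    return "user=[%s] domain=[%s] workstation=[%s] len1=%d len2=%d" % (
        tok["user"], tok["domain"], tok["workstation"], tok["len1"], tok["len2"])


# Constructed sample exchange: challenge from the helper, then IE's answer.  The 24-byte
# responses are placeholders, not real LM/NTLM responses to anything.
SAMPLE_TT_LINE = "TT " + base64.b64encode(
    build_type2("TESTDOMAIN", b"\x01\x23\x45\x67\x89\xab\xcd\xef")).decode()
SAMPLE_KK_LINE = "KK " + base64.b64encode(
    build_type3("TESTUSER1", "TESTDOMAIN", "TESTWKSN", b"\x11" * 24, b"\x22" * 24)).decode()

if __name__ == "__main__":
    print(decode_helper_line(SAMPLE_TT_LINE))
    print(samba_summary(SAMPLE_KK_LINE))
```

Run stand-alone it prints the decoded challenge and the same user/domain/workstation/len1/len2 summary seen in the post's cache.log. Fed real helper lines (captured from Squid's helper traffic), it shows what IE actually put in the token: a len2 of 24 means NTLMv1 (as in the post), while a much longer NT response means NTLMv2, and the flags word tells whether strings are Unicode, both of which matter when checking what the helper and winbindd should be forwarding to the domain controller.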