Re: [squid-users] NTLM Authentication

From: Mike Diggins <diggins@dont-contact.us>
Date: Fri, 5 Aug 2005 22:48:23 -0400 (Eastern Daylight Time)

On Fri, 5 Aug 2005, Henrik Nordstrom wrote:

> On Wed, 3 Aug 2005, Mike Diggins wrote:
>
>> So far, IE users that are logged into the domain authenticate without an
>> authentication prompt (good). Non IE users or users of other web clients
>> are prompted for authentication, which is expected, except now they must
>> type in the domain/username and password (i.e. ap1/myname) instead of just
>> their username. That's a bigger change in behaviour than we would like. Is
>> there a way to make this work or is this normal behaviour?
>
> What Samba version?

It's an older one, 2.2.8 I believe. So if I upgrade to Samba 3.x this
should work better? Is this process documented anywhere?

>
>> My authentication related configuration:
>>
>> #Recommended minimum configuration:
>> auth_param ntlm program /usr/local/squid/libexec/ntlm_auth ap1/as7 ap1/as6
>
> Looks like you are using Samba-2.X. You should be using Samba-3.x and their
> ntlm_auth helper, not the Samba-2.x helper from Squid.
>
>> auth_param ntlm children 5
>> auth_param ntlm max_challenge_reuses 0
>> auth_param ntlm max_challenge_lifetime 2 minutes
>> auth_param ntlm use_ntlm_negotiate off
>> auth_param basic program /usr/local/squid/sbin/mac_auth
>
> What helper is this mac_auth helper?
>
> It's this one who deals with basic authentication from non-IE browsers, and
> it's up to this helper to determine what makes a valid username or not.

Right, I should have mentioned that mac_auth is a little perl wrapper I
got from you a couple of years ago. It lets me use smb_auth with two
different Windows Servers.

Thanks,

-Mike
Received on Fri Aug 05 2005 - 20:48:32 MDT
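
Added example, not part of the original message and not the mac_auth wrapper discussed above (its code is not shown in the thread): a minimal Squid basic-auth helper loop showing how the helper itself decides what counts as a valid username, here by accepting a bare username and filling in a default domain. The default domain "ap1" is taken from the thread's "ap1/myname" example; the account table and function names are constructed stand-ins for a real back end such as smb_auth.

```python
import hmac
import sys
from urllib.parse import unquote

DEFAULT_DOMAIN = "ap1"  # assumption: the domain from the thread's "ap1/myname"

def parse_request(line, default_domain=DEFAULT_DOMAIN):
    """Split one helper request into (domain, user, password); None if malformed."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 2:
        return None
    # Squid sends both fields URL-escaped, so a space in a password is %20.
    login, password = unquote(parts[0]), unquote(parts[1])
    # Accept domain/user and domain\user; a bare username gets the default domain.
    for sep in ("/", "\\"):
        if sep in login:
            domain, user = login.split(sep, 1)
            break
    else:
        domain, user = default_domain, login
    if not domain or not user or any(c in user for c in "/\\"):
        return None
    return domain.lower(), user, password

# Constructed sample account table standing in for the real credential check.
_SAMPLE_ACCOUNTS = {("ap1", "myname"): "s3cret pass"}

def sample_verify(domain, user, password):
    expected = _SAMPLE_ACCOUNTS.get((domain, user))
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())

def handle_line(line, verify=sample_verify):
    """Return the reply Squid expects: "OK" on success, "ERR" otherwise."""
    req = parse_request(line)
    if req is None:
        return "ERR"
    return "OK" if verify(*req) else "ERR"

def main():
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()  # Squid waits on each reply, so never buffer output

if __name__ == "__main__":
    main()
```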
