RE: [squid-users] Squid with auth NTLM

From: Nick Duda <nduda@dont-contact.us>
Date: Tue, 18 Dec 2007 07:02:10 -0500

What's your "squid -v"?

________________________________

From: Leandro Ferrrari [mailto:talsoft@gmail.com]
Sent: Tue 12/18/2007 5:43 AM
To: Nick Duda
Cc: Amos Jeffries; squid-users@squid-cache.org
Subject: Re: [squid-users] Squid with auth NTLM

Hi, yes, the commands wbinfo -g and -u are working perfectly. My configuration is:

krb5.conf:
...
[libdefaults]
 default_realm = NEXTIT.LOCAL
 dns_lookup_realm = yes
 dns_lookup_kdc = yes

[realms]
 NEXTIT.LOCAL = {
  kdc = vm-ws2003.nextit.local:88
  admin_server = vm-ws2003.nextit.local:749
  default_domain = NEXTIT
 }

[domain_realm]
 .nextit.local = NEXTIT.LOCAL
 nextit.local = NEXTIT.LOCAL
...

SMB.conf:

[global]
   workgroup = NEXTIT
   server string = Samba Server
   password server = NameOfServer
   encrypt passwords = yes
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   realm = NEXTIT.LOCAL
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template shell = /bin/false
   winbind enum users = yes
   winbind enum groups = yes
   winbind use default domain = yes
   client ntlmv2 auth = yes

The Windows Active Directory server is Windows 2003 Server.
The Windows client is Windows XP.

Sincerely
Leandro Ferrari

2007/12/17, Nick Duda <nduda@vistaprint.com>:
> Have you joined your box to the domain? What is your krb5.conf file? What is your smb.conf file? What is the status of something like wbinfo -g or -u?
>
> I would troubleshoot your domain connectivity before you worry about squid.
>
>
> -----Original Message-----
> From: Amos Jeffries [mailto:squid3@treenet.co.nz]
> Sent: Mon 12/17/2007 7:33 PM
> To: Leandro Ferrrari
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] Squid with auth NTLM
>
> > I have configured squid 3.0 with NTLM, and this configuration in
> > squid.conf is:
> >
> > auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
> > auth_param ntlm children 30
> > auth_param ntlm max_challenge_lifetime 2 minutes
> >
> > auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> > auth_param basic children 5
> > auth_param basic realm Squid proxy-caching web server
> > auth_param basic credentialsttl 2 hours
> >
> > When I test the NTLM auth in the Explorer client with a user
> > authenticated on the Windows 2003 domain controller, Explorer or
> > Firefox shows the basic auth popup.
> > How can I use NTLM auth with a user of the domain group without basic
> > auth?
>
> Remove the basic configuration to not use it.
> Your NTLM is broken by the sound of it if it's always falling back on basic.
> Although the login box does not necessarily mean basic is being used. It
> could just be that the browser has no working credentials for the user to
> login NTLM with.
>
>
> Amos
>
>
>
Received on Tue Dec 18 2007 - 05:02:34 MST
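
Added example, not part of the original thread and not Squid or Samba project code: a small Python check for the point made in the replies above, that a squid.conf offering both ntlm and basic can leave the browser at a Basic prompt. It lists the schemes offered and flags ntlm_auth helper lines whose --helper-protocol is missing or mismatched; the function name audit_auth_params and the sample text are constructed for illustration.

```python
import os

# Helper protocol that Samba's ntlm_auth expects for each Squid auth scheme.
EXPECTED_PROTOCOL = {"ntlm": "squid-2.5-ntlmssp", "basic": "squid-2.5-basic"}

# Constructed sample: the same auth_param directives as the squid.conf quoted above.
SAMPLE_CONF = """\
auth_param ntlm program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param basic program /usr/local/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
"""


def audit_auth_params(conf_text):
    """Return (schemes in config order, list of findings) for a squid.conf text."""
    schemes, findings = [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("--helper-protocol"):
            # Typical result of a wrapped line: the option is no longer an
            # argument of the "auth_param ... program" directive before it.
            findings.append(f"line {lineno}: stray {fields[0]} outside any auth_param program line")
            continue
        if fields[0] != "auth_param" or len(fields) < 4 or fields[2] != "program":
            continue
        scheme, helper, args = fields[1].lower(), fields[3], fields[4:]
        schemes.append(scheme)
        if os.path.basename(helper) != "ntlm_auth" or scheme not in EXPECTED_PROTOCOL:
            continue  # only Samba's ntlm_auth helper is checked here
        protos = [a.split("=", 1)[1] for a in args if a.startswith("--helper-protocol=")]
        if not protos:
            findings.append(f"line {lineno}: {scheme} helper has no --helper-protocol argument")
        elif protos[0] != EXPECTED_PROTOCOL[scheme]:
            findings.append(f"line {lineno}: {scheme} helper uses {protos[0]}, expected {EXPECTED_PROTOCOL[scheme]}")
    if "ntlm" in schemes and "basic" in schemes:
        findings.append("basic is offered next to ntlm: a browser that cannot complete NTLM can prompt for Basic credentials")
    return schemes, findings


if __name__ == "__main__":
    offered, problems = audit_auth_params(SAMPLE_CONF)
    print("schemes offered:", ", ".join(offered))
    for p in problems:
        print("finding:", p)
```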
