Re: [squid-users] NTLM not working

From: Wladner Klimach <wladner_at_gmail.com>
Date: Wed, 11 Apr 2012 15:52:29 -0300

Here is what I got from wbinfo:

wbinfo -t
checking the trust secret via RPC calls succeeded

And I can list all the groups with wbinfo -g.

Here is ntlm_auth run:

/usr/bin/ntlm_auth --username=P_7501
password:
NT_STATUS_OK: Success (0x0)

Look what I've got from cache.log with debug_options 29,9 activated:

2012/04/11 15:46:49.629| authenticateValidateUser: Validating Auth_user request '0'.
2012/04/11 15:46:49.629| authenticateValidateUser: Auth_user_request was NULL!
2012/04/11 15:46:49.629| authenticateAuthenticate: broken auth or no proxy_auth header. Requesting auth header.
2012/04/11 15:46:49.629| authenticateFixHeader: headertype:38 authuser:0
2012/04/11 15:46:49.629| basic/auth_basic.cc(217) fixHeader: Sending type:38 header: 'Basic realm="Squid proxy-caching web server"'
2012/04/11 15:46:49.629| authenticateFixHeader: Configured scheme ntlm not Active

Looks like ntlm is not an option to squid. Could it be the lack of the
compilation option --with-winbind-auth-challenge??

2012/4/11 Harry Mills <harry_at_mad-cat.co.uk>:
> On 11/04/2012 17:56, Wladner Klimach wrote:
>>
>> Hi people,
>>
>> I'm having some problem to implement NTLM at my squid box. I've
>> followed the documentation guides but for some unknown reason isn't
>> still working. Here is my squid.conf ( authentication portion only):
>>
>>
>> auth_param negotiate program
>> /squid-3.2.0.16/helpers/negotiate_auth/wrapper/negotiate_wrapper_auth
>> -d --ntlm /usr/bin/ntlm_auth  --helper-protocol=squid-2.5-ntlmssp
>> --kerberos
>> /usr/src/redhat/BUILD/squid-3.1.18/helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth
>>  -s HTTP/grazina2.redecamara.camara.gov.br
>> auth_param negotiate children 30 startup=10 idle=10
>> auth_param negotiate keep_alive on
>>
>>
>> As you can see I'm using the wrapper helper offered by squid-3.2, but
>> my squid box is the squid-3.1. The Kerberos scheme works just fine. So
>> how can I debug it? I really need NTLM too in order to authenticate
>> users that access some old sites that don't handle kerberos. I really
>> hope you guys can help me overtaking this issue.
>>
>> Regards,
>>
>> Wladner
>
>
> Hi Wladner,
>
> It may be useful to get the plain ntlm auth helper working on its own first.
> Once that is working, you can then re-enable the negotiate wrapper.
>
> I am not sure how much of the NTLM auth tests you have done. Have you tested
> that winbind is running and communicating with the domain? You can test that
> the basics are in place with wbinfo -t to check the shared secret, or wbinfo
> -u which should return a list of all your domain users.
>
> What happens if you run ntlm auth directly:
>
> ntlm_auth  --username=<your username>
>
> Is there anything in your debug log which might give a little more
> information about what isn't working?
>
> Regards,
>
> Harry
Received on Wed Apr 11 2012 - 18:52:38 MDT
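
As an added example (not part of the original messages and not Squid code): a small Python triage script that rejoins mail-wrapped cache.log lines like the ones quoted in this thread and lists which authentication schemes Squid offered to the client and which it logged as configured but not active. The function names and regular expressions are assumptions derived only from the log lines shown above.

```python
import re

# Log excerpt copied from the message above, with the e-mail line wrapping kept
# so the unwrapping step has something to do.
SAMPLE_LOG = """\
2012/04/11 15:46:49.629| authenticateValidateUser: Validating
Auth_user request '0'.
2012/04/11 15:46:49.629| authenticateValidateUser: Auth_user_request was NULL!
2012/04/11 15:46:49.629| authenticateAuthenticate: broken auth or no
proxy_auth header. Requesting auth header.
2012/04/11 15:46:49.629| authenticateFixHeader: headertype:38 authuser:0
2012/04/11 15:46:49.629| basic/auth_basic.cc(217) fixHeader: Sending
type:38 header: 'Basic realm="Squid proxy-caching web server"'
2012/04/11 15:46:49.629| authenticateFixHeader: Configured scheme ntlm
not Active
"""

# A new record starts with the cache.log timestamp followed by "| ".
TIMESTAMP = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?\| ")
# Scheme name at the start of the challenge header sent to the client.
OFFERED = re.compile(r"fixHeader: Sending type:\d+ header: '(\w+)")
# Scheme present in the configuration but reported as not active.
INACTIVE = re.compile(r"Configured scheme (\S+) not Active")


def unwrap(text):
    """Rejoin continuation lines (no leading timestamp) onto their record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TIMESTAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def summarize(text):
    """Return the schemes offered to the client and those logged as inactive."""
    result = {"offered": [], "inactive": []}
    for record in unwrap(text):
        for key, pattern in (("offered", OFFERED), ("inactive", INACTIVE)):
            match = pattern.search(record)
            if match and match.group(1) not in result[key]:
                result[key].append(match.group(1))
    return result


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
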
