On Mon, 2005-11-07 at 23:21 +0200, Ian Barnes wrote:
> Hi,
>
> We are having problems setting up a squid cache server to use NTLMv2
> authentication to authenticate users against AD.
>
> We have narrowed the problems down to being a problem between samba and
> squid when using NTLMv2. It constantly moans about the password being wrong
> when using squid, but doing a direct samba auth works fine. We have
> (believedly) narrowed it down to this: the domain requires client ntlmv2 =
> yes in samba to work - however it seems ntlm_auth does not support this!

It is meant to work. Have you enabled the options in the squid.conf?

> Our squid.conf looks like this:
>
> auth_param ntlm program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp -d9
> auth_param ntlm max_challenge_reuses 0
> auth_param ntlm max_challenge_lifetime 2 minutes
> auth_param ntlm children 2
> auth_param basic program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-basic -d9
> auth_param basic children 2
> auth_param basic realm Cache NTLM Authentication
> auth_param basic credentialsttl 2 hours
>
> Anyone have any idea as to why that would happen when only using squid? Is
> there an option that we need to set to make the authenticator use ntlmv2
> only or something like we had to do for samba? Does ntlm_auth not understand
> the v2 protocol properly?

ntlm_auth understands it, however it requires that:

use_ntlm_negotiate on

be set in the squid.conf.

> Onto another question, when I join the domain for the first time, I get this
> error when trying to do anything besides a wbinfo -u or wbinfo -g. Here are
> a few examples:
>
> [EMAIL PROTECTED] ~ # wbinfo -t
> checking the trust secret via RPC calls
> failed error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> Could not check secret
>
> And this from the squid log if we try and auth a user:
>
> [2005/10/31 11:43:36, 0] utils/ntlm_auth.c:winbind_pw_check(427)
>   Login for user [EMAIL PROTECTED] failed due to [Access denied]
> [2005/10/31 11:43:36, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(600)
>   NTLMSSP BH: NT_STATUS_ACCESS_DENIED
>
> The strange thing is these errors stop happening from anywhere between 5 and
> 15 minutes after joining the domain. Any ideas as to why they are occurring
> in the first place? Basically: We are able to list users, and groups - but
> wbinfo -t doesn't work until we've been logged on for 5-15 minutes
> (randomly)?

This is really odd. It is as if the join wasn't propagated to all the DCs in
good time.
Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
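As an added illustration (not part of this thread, and not Samba or Squid code), here is a small shell check for the setting Andrew says ntlm_auth needs, `auth_param ntlm use_ntlm_negotiate on`, run against a constructed copy of Ian's squid.conf and against the same file with the line added. It assumes Squid 2.5 `auth_param` syntax as shown in the thread; the two sample configs are constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): lint a squid.conf for the three things
# the ntlm scheme needs when ntlm_auth fronts AD for NTLMv2 clients.
# Assumes Squid 2.5 auth_param syntax; sample configs below are constructed.

# check_squid_ntlm_conf FILE
# Returns 0 when the ntlm scheme runs ntlm_auth with the squid-2.5-ntlmssp
# helper protocol and use_ntlm_negotiate is on; otherwise prints each
# missing piece and returns 1.
check_squid_ntlm_conf() {
    conf=$1
    rc=0
    if ! grep -Eq '^[[:space:]]*auth_param[[:space:]]+ntlm[[:space:]]+program[[:space:]]+.*ntlm_auth' "$conf"; then
        echo "ntlm scheme does not run ntlm_auth"
        rc=1
    fi
    if ! grep -Eq '^[[:space:]]*auth_param[[:space:]]+ntlm[[:space:]]+program.*--helper-protocol=squid-2\.5-ntlmssp' "$conf"; then
        echo "ntlm_auth is not started with --helper-protocol=squid-2.5-ntlmssp"
        rc=1
    fi
    if ! grep -Eq '^[[:space:]]*auth_param[[:space:]]+ntlm[[:space:]]+use_ntlm_negotiate[[:space:]]+on' "$conf"; then
        echo "missing: auth_param ntlm use_ntlm_negotiate on"
        rc=1
    fi
    return $rc
}

# Constructed sample: the configuration as posted (no use_ntlm_negotiate line).
TMPD=$(mktemp -d)
BROKEN_CONF=$TMPD/squid-broken.conf
FIXED_CONF=$TMPD/squid-fixed.conf
cat >"$BROKEN_CONF" <<'EOF'
auth_param ntlm program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-ntlmssp -d9
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm children 2
auth_param basic program /usr/local/libexec/squid/ntlm_auth --helper-protocol=squid-2.5-basic -d9
auth_param basic children 2
auth_param basic realm Cache NTLM Authentication
auth_param basic credentialsttl 2 hours
EOF
# Same configuration with the line the reply asks for appended.
{ cat "$BROKEN_CONF"; echo 'auth_param ntlm use_ntlm_negotiate on'; } >"$FIXED_CONF"

# Usage: the exit status of the check is the verdict for each file.
for f in "$BROKEN_CONF" "$FIXED_CONF"; do
    if check_squid_ntlm_conf "$f"; then echo "$f: ok"; else echo "$f: needs fixing"; fi
done
```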
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
