Hi, We asked the squid guys the following, but no response and we thought you guys might understand better.
We are trying todo NTLMv2 authentication using samba and squid. We tried and nothing worked so we upgraded our squid (to 2.5Stable12), and samba to 3.0.20b. Once we upgraded squid, the ntlm_auth program was different so we used the samba ntlm_auth instead. We then had the problem that we kept on getting invalid password when using squid to handle the authentication and have narrowed down the problem to do with ntlmssp. If I only have a basic authenticator - which looks like the following, it works perfectly: auth_param basic program /usr/optec/ntlm_auth.sh basic auth_param basic children 10 auth_param basic realm server.opteqint.net Cache NTLM Authentication auth_param basic credentialsttl 2 hours (ntlm_auth.sh runs the ntlm_auth squid-2.5-basic helper) I see the following debug messages: [2005/11/09 13:20:43, 3] utils/ntlm_auth.c:check_plaintext_auth(292) NT_STATUS_OK: Success (0x0) However, when I use ntlmssp in the squid config, shown below, it does not work: auth_param ntlm program /usr/optec/ntlm_auth.sh ntlmssp auth_param ntlm children 10 auth_param ntlm use_ntlm_negotiate yes I see the following debug messages: [2005/11/09 13:22:37, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(606) Got user=[ianb] domain=[MASTERMIND] workstation=[LUCY] len1=24 len2=24 [2005/11/09 13:22:37, 3] utils/ntlm_auth.c:winbind_pw_check(427) Login for user [EMAIL PROTECTED] failed due to [Wrong Password] If I type ian instead of ianb, I see an error saying the user does not exist. This must mean that somehow the wrong password is being passed in the wrong way - even though it is typed right. This only happens with the security option on the AD server set to ONLY allow NTLMv2/LMv2 and not anything else. If we turn that off it works perfectly... As I understand it the password doesn't come to squid in plaintext when its using ntlmssp, and I believe that there is some kind of handling problem with that now? If I type in the password on the command line with the ntlm_auth program, it is able to validate it just fine using NTLMv2 - enforcing my belief that something is wrong here... Any suggestions AT ALL would be appreciated... Thanks Ian -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
