> There are BIG differences when it comes to how browsers deal
> with NTLM authentication and its by design incompatibility with
> HTTP proxies.. (if browser is configured to use a proxy it won't
> use NTLM, as it knows it won't work).
>
> Regards
> Henrik

The above is a quote from the archive by Henrik on Mon Jan 6 2003:
http://www.squid-cache.org/mail-archive/squid-users/200301/0221.html

This confuses me, because I have a Red Hat 8.0 box running Squid-2.5.STABLE1 with winbind helper, and samba 2.2.7. The Red Hat box is joined to my Windows 2000 domain, and squid is authenticating users successfully using the NTLM helper winbind (that is what that does, right?). I'm not doing any port forwarding (which I gather is what would be called transparent proxying), and the browser (IE 6.0.2800.1106, SP1) is configured to proxy to the address of the squid machine.

Everything tells me that this setup is working and ready to go into our production environment:

- a machine joined to our win2k domain with an authenticated domain user can successfully browse (no popup box)
- a machine not joined to our win2k domain is presented with a login box; after entering valid 2k domain user/pass, can browse

Can someone tell me if this is actually working correctly in a standard kind of way, or if this setup is not quite as I believe it to be? Henrik's comment above leads me to believe that I'm doing something fundamentally wrong, even though it appears to be working.

cache.log snippet:
------------------
(wb_ntlmauth)[17256](wb_ntlm_auth.c:66): sending 'AF buhler\jamie' to squid
(wb_ntlmauth)[17256](wb_ntlm_auth.c:292): Got 'YR' from squid.
(wb_ntlmauth)[17256](wb_ntlm_auth.c:72): sending 'TT TlRMTVNTUAACAAAAGQAZACgAAACCgkEAK96cSucBGu4AAAAAAAAXXXXXXXXXXExFUi5DT00=' to squid
(wb_ntlmauth)[17256](wb_ntlm_auth.c:292): Got 'KK TlRMTVNTUAADAAAAGAAYAFYAAAAYABgAbgAAAAYABgBAAAAABQAFAEYAAAALAXXXXXXXXAAAABoIAAEJVSEXXXXXBTUlFRlJJU0hBQ0tJSUl74KFAeKk0y/nCkmbEDzqbv3VRCKCq4Qw6MS3D6v+B6eeiPs3JICU8aSqzXeS1EuI=' from squid.
(wb_ntlmauth)[17256](wb_ntlm_auth.c:240): Checking user 'BUHLER\JAMIE' lmhash len =24, have_nthash=0, nthash len=24
(wb_ntlmauth)[17256](wb_ntlm_auth.c:246): winbindd result: 1
(wb_ntlmauth)[17256](wb_ntlm_auth.c:66): sending 'AF buhler\jamie' to squid

access.log snippet:
-------------------
1043957349.117 2 frishackiii.buhler.com TCP_DENIED/407 1673 GET http://www.google.com/ - NONE/- text/html
1043957349.137 3 frishackiii.buhler.com TCP_DENIED/407 1767 GET http://www.google.com/ - NONE/- text/html
1043957350.444 1306 frishackiii.buhler.com TCP_MISS/200 4072 GET http://www.google.com/ buhler\jamie DIRECT/216.239.39.101 text/html
1043957351.128 684 frishackiii.buhler.com TCP_REFRESH_HIT/200 8833 GET http://www.google.com/images/logo.gif buhler\jamie DIRECT/216.239.39.101 text/html

winbind stuff:
--------------
[root@Intranix logs]# wbinfo -t
Secret is good
[root@Intranix logs]# wbinfo -a BUHLER/jamie%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

Would appreciate your opinions on this.

-jamie-
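
Added example, not part of the original post or of Squid: a small Python check over Squid's native access.log format that pairs each client's 407 proxy challenges with the first request that carries a username, and lists any request served with no user attached. The first four sample lines are the access.log snippet from the post; the last line, its host name and the function name `summarize_proxy_auth` are constructed for illustration.

```python
import re
from collections import defaultdict

# Squid native access.log fields:
# time elapsed client code/status bytes method URL user hierarchy/peer type
LINE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+[A-Z_]+/(?P<status>\d{3})\s+\d+\s+"
    r"\S+\s+(?P<url>\S+)\s+(?P<user>\S+)\s+\S+\s+\S+$"
)

# First four lines: the access.log snippet from the post.
# Last line: constructed sample of a request served without any user.
SAMPLE = r"""
1043957349.117 2 frishackiii.buhler.com TCP_DENIED/407 1673 GET http://www.google.com/ - NONE/- text/html
1043957349.137 3 frishackiii.buhler.com TCP_DENIED/407 1767 GET http://www.google.com/ - NONE/- text/html
1043957350.444 1306 frishackiii.buhler.com TCP_MISS/200 4072 GET http://www.google.com/ buhler\jamie DIRECT/216.239.39.101 text/html
1043957351.128 684 frishackiii.buhler.com TCP_REFRESH_HIT/200 8833 GET http://www.google.com/images/logo.gif buhler\jamie DIRECT/216.239.39.101 text/html
1043957360.000 5 unjoined.example.test TCP_MISS/200 512 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
"""


def summarize_proxy_auth(log_text):
    """Return (handshakes, unauthenticated) found in Squid access.log text.

    handshakes: (client, user, number of 407 challenges before success)
    unauthenticated: (client, url) for requests served with user '-'
    """
    pending = defaultdict(int)  # client -> 407 challenges not yet answered
    handshakes, unauthenticated = [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or non-native-format line
        client, status, user = m["client"], int(m["status"]), m["user"]
        if status == 407:
            pending[client] += 1
        elif user == "-":
            unauthenticated.append((client, m["url"]))
        elif pending[client]:
            handshakes.append((client, user, pending.pop(client)))
    return handshakes, unauthenticated


if __name__ == "__main__":
    done, anon = summarize_proxy_auth(SAMPLE)
    for client, user, challenges in done:
        print(f"{client}: {user} authenticated after {challenges} x 407")
    for client, url in anon:
        print(f"{client}: served {url} with no proxy user")
```
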
